07-18-2007, 02:07 AM   #1
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Need help to remove "square symbols" from msconfig

Hi there,

When I go to MSConfig > Startup, there are square symbols in two of the startup items. I don't know how to get rid of it. I will do a hijack log and post the results below:

-----------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20:06, on 07-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Applications\Hijack This\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Applications\Zone Alarm\Zone Alarm Update\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Applications\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Applications\MPEG Joiner\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Applications\MPEG Joiner\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Applications\MPEG Joiner\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Applications\MPEG Joiner\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Applications\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

----------------------------------------------------------------

Thanks

Bruce Wayne
batman321 is offline  

07-18-2007, 08:10 AM   #2
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Hello batman321,

A more comprehensive log would be more helpful to us. As noted in our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log...

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
07-18-2007, 06:11 PM   #3
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Main.txt

Deckard's System Scanner v20070711.54
Run by simon on 2007-07-19 at 12:05:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
37: 2007-07-19 00:05:39 UTC - RP307 - Deckard's System Scanner Restore Point
36: 2007-07-19 00:05:19 UTC - RP306 - Before using DSS
35: 2007-07-18 08:08:15 UTC - RP305 - Software Distribution Service 3.0
34: 2007-07-18 01:21:32 UTC - RP304 - System Checkpoint
33: 2007-07-17 00:28:47 UTC - RP303 - Restore Operation


-- First Restore Point --
1: 2007-06-15 09:46:53 UTC - RP271 - Before applying Age of Empires 3 Patch


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as simon.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:06, on 07-07-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\simon\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\APPLIC~1\HIJACK~1\simon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Applications\Zone Alarm\Zone Alarm Update\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Applications\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Applications\MPEG Joiner\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Applications\MPEG Joiner\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Applications\MPEG Joiner\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Applications\MPEG Joiner\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Applications\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- HijackThis Fixed Entries (C:\APPLIC~1\HIJACK~1\backups\) --------------------

backup-20060921-162306-174 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20060921-162306-235 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20060921-162306-246 O2 - BHO: (no name) - {97A7E50D-063B-49AF-8A83-37ADE5620F9C} - blank (file missing)
backup-20060921-162306-329 O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
backup-20060921-162306-421 O2 - BHO: XBTBPos00 - {E552EEFC-DE97-45D4-BA1A-F534A1B4A579} - (no file)
backup-20060924-125919-350 O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - blank (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Applications\Macromedia Dreamweaver MX\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Applications\Macromedia Dreamweaver MX\Dreamweaver MX\Dreamweaver.exe" "%1"
.txt - txtfile - shell\open\command - Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
R3 CnxTgN (XH1137 DSE PCI ADSL WAN Adapter Driver) - c:\windows\system32\drivers\cnxtgn.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner ADSL>
R3 CnxTgP (XH1137 DSE PCI ADSL WAN Adapter Filter Driver) - c:\windows\system32\drivers\cnxtgp.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner PCI Controller>
R3 CnxTgR (XH1137 DSE PCI Arbitration Device Driver) - c:\windows\system32\drivers\cnxtgr.sys <Not Verified; Conexant Systems Inc.; Conexant AccessRunner PCI Controller>

S3 FreshIO - c:\applications\diagnose\freshio.sys
S3 GVCplDrv - c:\windows\system32\drivers\gvcpldrv.sys
S3 GVTDrv - c:\windows\system32\drivers\gvtdrv.sys
S3 KLIF - c:\applic~1\pctool~1.0\klif.sys (file missing)
S3 Maplom - c:\windows\system32\drivers\maplom.sys <Not Verified; Jacal Consulting; Game Jackal>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 AresChatServer (Ares Chatroom server) - c:\applications\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S4 Avg7Alrt (AVG7 Alert Manager Server) - c:\progra~1\avg\avgamsvr.exe (file missing)
S4 Avg7UpdSvc (AVG7 Update Service) - c:\progra~1\avg\avgupsvc.exe (file missing)
S4 AVGEMS (AVG E-mail Scanner) - c:\progra~1\avg\avgemc.exe (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-07-13 17:15:00 394 --a----c- C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-07-12 11:58:13 252 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2007-07-12 11:58:12 314 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2007-07-12 11:50:50 254 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-07-12 11:50:47 360 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2007-06-19 and 2007-07-19 -----------------------------

2007-07-19 11:28:31 0 d-------- C:\WINDOWS\LastGood
2007-07-18 20:14:51 0 d-------- C:\Program Files\MSXML 6.0
2007-07-18 20:14:10 0 d-------- C:\Program Files\MSBuild
2007-07-18 20:10:46 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-07-18 20:10:07 0 d-------- C:\Program Files\Reference Assemblies
2007-07-18 20:09:14 0 d-------- C:\94507354af2ddac31214ad6805
2007-07-16 15:53:59 3534848 --a------ C:\Documents and Settings\Cathy.WAYNE\ntuser.dat
2007-07-15 15:58:08 0 dr------- C:\Documents and Settings\simon\My Documents
2007-07-13 15:09:43 280 --a------ C:\WINDOWS\system32\PDBootState
2007-07-13 13:57:01 0 d-------- C:\Program Files\Common Files\Raxco
2007-07-12 15:56:20 0 d-------- C:\Program Files\NewDotNet
2007-07-12 11:41:37 0 d-------- C:\Program Files\Raxco
2007-07-12 11:41:30 4980736 --a------ C:\Documents and Settings\simon\ntuser.dat
2007-07-07 19:22:46 3532 --a------ C:\drmHeader.bin
2007-07-03 20:16:21 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-06-30 16:03:14 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2007-06-30 15:20:18 0 d-------- C:\Program Files\Common Files\xing shared


-- Find3M Report ---------------------------------------------------------------

2007-07-13 12:42:35 0 d-------- C:\Documents and Settings\simon\Application Data\Macromedia
2007-06-30 15:20:10 0 d-------- C:\Program Files\Common Files\Real
2007-06-15 22:19:16 0 d-------- C:\Program Files\FILESU~1
2007-06-10 12:58:13 0 d-------- C:\Program Files\MSXML 4.0
2007-06-09 20:58:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-09 14:00:31 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-09 10:23:58 0 dr-h----- C:\Documents and Settings\simon\Application Data\SecuROM
2007-06-09 10:13:08 0 d-------- C:\Documents and Settings\simon\Application Data\InstallShield
2007-04-19 13:26:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-04-19 13:26:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-04-19 13:26:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 13:26:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-19 13:26:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 13:26:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-04-19 13:26:00 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 13:26:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 13:26:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-04-19 13:26:00 212992 --a------ C:\WINDOWS\system32\nvapi.dll
2007-04-19 13:26:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Applications\Spybot\SDHelper.dll
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
{69A87B7D-DE56-4136-9655-716BA50C19C7} C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
{724d43a9-0d85-11d4-9908-00400523e39a} C:\Applications\Roboform\roboform.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{B56A7D7D-6927-48C8-A975-17DF180C71AC} C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Applications\\Zone Alarm\\Zone Alarm Update\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\AVG\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoWinKeys"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoFind"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"HideClock"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoSMHelp"=dword:00000000
"NoTrayContextMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\WINZIP~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\APPLIC~1\\Avast\\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R210 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I3H2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3H2.EXE /P30 \"EPSON Stylus Photo R210 Series\" /O6 \"USB001\" /M \"Stylus Photo R210\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="incredimail_install[1]"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
?"
"hkey"="HKCU"
"command"="???
?"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRTCLK]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVRTClk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCTAV"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RoboTaskBarIcon"
"hkey"="HKCU"
"command"="\"C:\\Applications\\Roboform\\RoboTaskBarIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
?"
"hkey"="HKCU"
"command"="???
?"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpamMonitor"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Applications\\Unlocker\\UnlockerAssistant.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"AVGEMS"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003
"SDhelper"=dword:00000002
"Diskeeper"=dword:00000002
"WMPNetworkSvc"=dword:00000003
"vsmon"=dword:00000002
"NVSvc"=dword:00000002
"avast! Web Scanner"=dword:00000003
"avast! Mail Scanner"=dword:00000003
"avast! Antivirus"=dword:00000002
"aswUpdSv"=dword:00000002
"AresChatServer"=dword:00000003
"IDriverT"=dword:00000003
"BITS"=dword:00000002
"PDEngine"=dword:00000003
"PDAgent"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-07-19 at 1251 ---------
Attached Files
File Type: txt extra.txt (16.6 KB, 3 views)
Old 07-18-2007, 11:19 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Thank you, that's what I needed.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folder

C:\Program Files\NewDotNet

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

Due to the presence of those entries, I highly recommend performing an online scan to search for any remnants that may be lurking.

Use Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with dss.exe.

--------------------------------------------------------------------

Please include the following in your next reply:

Panda results
main.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-18-2007, 11:21 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Thank you, that's what I needed.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folder

C:\Program Files\NewDotNet

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

Due to the presence of those entries, I highly recommend performing an online scan to search for any remnants that may be lurking.

Use Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Run a new scan with dss.exe.

--------------------------------------------------------------------

Please include the following in your next reply:

Panda results
main.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 07-18-2007 at 11:24 PM. Reason: open bb code
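
An added example, not part of the posts above and not code from HijackThis or Deckard's System Scanner: a small parser for the msconfig startupreg dump that finds disabled-startup entries whose item or command is unreadable and builds the matching REGEDIT4 delete file. The function names, the "no ASCII letter or digit" test and the sample dump are assumptions made for this illustration.

```python
import re

# Constructed sample, laid out like the startupreg section of the scanner log
# quoted in this thread (two unreadable entries, two ordinary ones).
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
?"
"hkey"="HKCU"
"command"="???
?"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCTAV"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
?"
"hkey"="HKCU"
"command"="???
?"
"inimapping"="1"
'''

# msconfig keeps its copies of disabled startup items under this key.
STARTUPREG = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"

# A quoted string may contain escaped characters and raw line breaks, so the
# scanner works on the whole text instead of splitting it into lines first.
QUOTED = r'(?:[^"\\]|\\.)*'
TOKEN_RE = re.compile(
    r'^\[(?P<section>[^\]\r\n]+)\][ \t]*\r?$'
    r'|^"(?P<name>' + QUOTED + r')"="(?P<value>' + QUOTED + r')"',
    re.MULTILINE | re.DOTALL,
)


def unescape(text):
    """Undo the .reg-style escaping (\\\\ and \\") used in the dump."""
    return re.sub(r"\\(.)", r"\1", text, flags=re.DOTALL)


def parse_dump(text):
    """Return {section path: {value name: string value}} for string values."""
    entries, current = {}, None
    for tok in TOKEN_RE.finditer(text):
        if tok.group("section") is not None:
            current = entries.setdefault(tok.group("section"), {})
        elif current is not None:
            current[unescape(tok.group("name"))] = unescape(tok.group("value"))
    return entries


def unreadable(value):
    """Assumed heuristic: present, but without a single ASCII letter or digit."""
    return bool(value) and re.search(r"[A-Za-z0-9]", value) is None


def find_suspects(entries):
    """List startupreg entries whose item or command is unreadable."""
    suspects = []
    for path, values in entries.items():
        if not path.lower().startswith(STARTUPREG):
            continue  # only ever touch msconfig's own startupreg subkeys
        bad = [f for f in ("item", "command") if unreadable(values.get(f, ""))]
        if bad:
            suspects.append({
                "name": path[len(STARTUPREG):],
                "path": path,
                "fields": bad,
                # where msconfig recorded the entry as coming from
                "origin": values.get("hkey", "?") + "\\" + values.get("key", "?"),
            })
    return suspects


def build_delete_reg(suspects):
    """Build a REGEDIT4 file that deletes each flagged key ([-key] syntax)."""
    lines = ["REGEDIT4", ""]
    for s in suspects:
        lines += ["[-" + s["path"] + "]", ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_suspects(parse_dump(SAMPLE_DUMP))
    for s in found:
        print(s["name"], "from", s["origin"], "unreadable:", ", ".join(s["fields"]))
    print(build_delete_reg(found))
```

Review the generated text before merging it, and export the startupreg key first so the change can be undone.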
Old 07-19-2007, 03:28 AM   #6 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Re: Need help to remove "square symbols" from msconfig

Hi there,

The square symbols are not showing under 'msconfig > startup item'. I guess it's fixed. The only thing I haven't fully completed was the Panda scan. I did manage to scan 30% of 'my computer' and save the report. I will continue the scan tomorrow and hopefully complete a 100% scan.

Please see the attachment files. Activescan.txt is the panda scan results and main.txt is the dss.exe results.

Thank you

Bruce Wayne


Deckard's System Scanner v20070711.54
Run by simon on 2007-07-19 at 21:22:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as simon.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:22, on 07-07-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Applications\Zone Alarm\Zone Alarm Update\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\simon\Desktop\dss.exe
C:\APPLIC~1\HIJACK~1\simon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applications\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Applications\Roboform\roboform.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Applications\Zone Alarm\Zone Alarm Update\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Applications\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Applications\MPEG Joiner\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Applications\MPEG Joiner\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Applications\MPEG Joiner\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Applications\MPEG Joiner\dllink.htm
O8 - Extra context menu item: Fill Forms - file://C:\Applications\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Applications\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Applications\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Applications\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- Files created between 2007-06-19 and 2007-07-19 -----------------------------

2007-07-19 20:23:33 8576 --a------ C:\WINDOWS\system32\drivers\pdjqybctuvii.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-07-19 20:14:39 0 d-------- C:\WINDOWS\LastGood
2007-07-18 20:14:51 0 d-------- C:\Program Files\MSXML 6.0
2007-07-18 20:14:10 0 d-------- C:\Program Files\MSBuild
2007-07-18 20:10:46 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-07-18 20:10:07 0 d-------- C:\Program Files\Reference Assemblies
2007-07-18 20:09:14 0 d-------- C:\94507354af2ddac31214ad6805
2007-07-16 15:53:59 3534848 --a------ C:\Documents and Settings\Cathy.WAYNE\ntuser.dat
2007-07-15 15:58:08 0 dr------- C:\Documents and Settings\simon\My Documents
2007-07-13 15:09:43 280 --a------ C:\WINDOWS\system32\PDBootState
2007-07-13 13:57:01 0 d-------- C:\Program Files\Common Files\Raxco
2007-07-12 11:41:37 0 d-------- C:\Program Files\Raxco
2007-07-12 11:41:30 4980736 --a------ C:\Documents and Settings\simon\ntuser.dat
2007-07-07 19:22:46 3532 --a------ C:\drmHeader.bin
2007-07-03 20:16:21 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-06-30 16:03:14 25992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe <Not Verified; Sysinternals - www.sysinternals.com; Page File Defragmenter>
2007-06-30 15:20:18 0 d-------- C:\Program Files\Common Files\xing shared


-- Find3M Report ---------------------------------------------------------------

2007-07-13 12:42:35 0 d-------- C:\Documents and Settings\simon\Application Data\Macromedia
2007-06-30 15:20:10 0 d-------- C:\Program Files\Common Files\Real
2007-06-15 22:19:16 0 d-------- C:\Program Files\FILESU~1
2007-06-10 12:58:13 0 d-------- C:\Program Files\MSXML 4.0
2007-06-09 20:58:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-06-09 14:00:31 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-09 10:23:58 0 dr-h----- C:\Documents and Settings\simon\Application Data\SecuROM
2007-06-09 10:13:08 0 d-------- C:\Documents and Settings\simon\Application Data\InstallShield
2007-04-19 13:26:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-04-19 13:26:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-04-19 13:26:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-19 13:26:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-19 13:26:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-19 13:26:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-04-19 13:26:00 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2007-04-19 13:26:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-04-19 13:26:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-04-19 13:26:00 212992 --a------ C:\WINDOWS\system32\nvapi.dll
2007-04-19 13:26:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Applications\Spybot\SDHelper.dll
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} C:\APPLIC~1\SPYWAR~1\tools\iesdsg.dll
{69A87B7D-DE56-4136-9655-716BA50C19C7} C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
{724d43a9-0d85-11d4-9908-00400523e39a} C:\Applications\Roboform\roboform.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{B56A7D7D-6927-48C8-A975-17DF180C71AC} C:\APPLIC~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="\"C:\\Applications\\Zone Alarm\\Zone Alarm Update\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\AVG\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoViewContextMenu"=dword:00000000
"NoWinKeys"=dword:00000000
"NoShellSearchButton"=dword:00000000
"NoFileAssociate"=dword:00000000
"NoFileMenu"=dword:00000000
"NoFolderOptions"=dword:00000000
"NoFind"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoCommonGroups"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"HideClock"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"StartMenuLogoff"=dword:00000000
"NoSMHelp"=dword:00000000
"NoTrayContextMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\APPLIC~1\\WINZIP~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\APPLIC~1\\Avast\\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R210 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I3H2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3H2.EXE /P30 \"EPSON Stylus Photo R210 Series\" /O6 \"USB001\" /M \"Stylus Photo R210\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="incredimail_install[1]"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRTCLK]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVRTClk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCTAV"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RoboTaskBarIcon"
"hkey"="HKCU"
"command"="\"C:\\Applications\\Roboform\\RoboTaskBarIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spam Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpamMonitor"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Applications\\Unlocker\\UnlockerAssistant.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"AVGEMS"=dword:00000002
"Macromedia Licensing Service"=dword:00000003
"Adobe LM Service"=dword:00000003
"SDhelper"=dword:00000002
"Diskeeper"=dword:00000002
"WMPNetworkSvc"=dword:00000003
"vsmon"=dword:00000002
"NVSvc"=dword:00000002
"avast! Web Scanner"=dword:00000003
"avast! Mail Scanner"=dword:00000003
"avast! Antivirus"=dword:00000002
"aswUpdSv"=dword:00000002
"AresChatServer"=dword:00000003
"IDriverT"=dword:00000003
"BITS"=dword:00000002
"PDEngine"=dword:00000003
"PDAgent"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PDJQYBCTUVII
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RKPAVPROC
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SDTHOOK


-- End of Deckard's System Scanner: finished at 2007-07-19 at 21:22:35 ---------



Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\simon\Application Data\Registry Cleaner
Possible Virus. Not disinfected C:\Applications\Driver Cleaner\DCleaner.exe
Possible Virus. Not disinfected C:\Applications\Driver Cleaner\DCProSetup_15.zip[DCProSetup.exe][DCleaner.exe]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.ehg-ubisoft.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.ehg-idg.hitbox.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.belnk.com/]
Attached Files
File Type: txt main.txt (19.5 KB, 2 views)
File Type: txt Activescan.txt (8.6 KB, 2 views)

Last edited by Ried; 07-19-2007 at 10:45 AM.
Old 07-19-2007, 10:56 AM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Hi,

From what I see so far in Panda, please do the following:

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following:

C:\Documents and Settings\simon\Application Data\Registry Cleaner
C:\Applications\Driver Cleaner

--------------------------------------------------------------------

Clear Mozilla Firefox cookies:

Open the Mozilla Browser>Tools>Options>Privacy>Cookies>Clear

--------------------------------------------------------------------

Looking forward to seeing a full scan, Bruce.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-20-2007, 02:31 AM   #8 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


update

The Panda scan takes forever to complete. I run the pandas scan PC on my computer while I'm away and when I return to it, the panda scan window has closed. I don't think I will be able to complete the scan.

Thanks

Bruce Wayne
Old 07-20-2007, 07:48 AM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

You do not have to remain online while it's scanning. Once it has completed, re-connect to the internet to get the report.

-or-

Try this online scanner:

Perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note for Internet Explorer 7 users**

If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-20-2007, 06:53 PM   #10 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Update

Hi there,

I have attached a Kaspersky report (.rar file) to this thread. I had to compress the .txt file because it was almost 4MB.

Regards,

Bruce Wayne
Attached Files
File Type: rar Kaspersky_ Report.rar (102.8 KB, 3 views)
Old 07-21-2007, 07:29 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Hiya,

The good news is:

Quote:
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Ensure Windows Auto Update is Enabled
* Go to Start>Run - type wuaucpl.cpl
* Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points and create a new restore point. Doing so will prevent reinfection from previous restore points.

**************************************************************************************

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-21-2007, 06:34 PM   #12 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Update

Hi there,

Thank you for your professional help! I just wanted to ask for future reference. If I encounter the same problem (i.e. square symbols in msconfig startup entry) can I follow the steps you provided to solve the problem?


***************************************************

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below:


Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entry:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Please ensure Hidden files and folders are viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following folder:

C:\Program Files\NewDotNet

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK.

Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Reboot your system.

********************************************************

I would like to learn how to use 'hijackthis' and know which entries to "fix". You instructed me to fix entry:

"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe"

Does this mean all 'F2' entries are threats?

Regards,

Bruce Wayne
Old 07-21-2007, 08:15 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Hiya,

It takes many, many months of specialized, in-depth training to learn all this. Please don't try fixing any entries in HijackThis, or your registry, without proper training in these areas. Irreparable damage to your system can occur.

NewdotNet is known malware--it needed to go. Had it been in your Add/Remove programs list, I'd have had you uninstall it before deleting that folder.

Those reg entries in your msconfig were created by an infection that was on your system, that one of your onboard anti malware tools 'cleaned' by disabling it from running at startup. I can't say exactly which one it was, as there are so many that use Cyrillic characters. (what you saw as odd squares and ??)
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
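Before a .reg file such as the delete.reg quoted in this thread is merged, it can be read mechanically to list exactly which keys and values it would remove or set, and whether any of them fall outside the msconfig startupreg branch. This is an added example, not part of the original posts; `review_reg`, `outside_branch` and the `CONSTRUCTED_REG` sample are hypothetical names and constructed data.

```python
import re

# Branch that both keys in the thread's delete.reg sit under.
MSCONFIG_BRANCH = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# The delete.reg text as quoted in the thread.
DELETE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"""

# Constructed file (not from the thread) showing the other two operations.
CONSTRUCTED_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"Enabled"=dword:00000001
"OldSetting"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


def _logical_lines(text):
    """Drop blanks and ';' comments; join values continued with a trailing backslash."""
    out, pending = [], ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending)
    return out


def review_reg(text):
    """Return a list of (operation, key, value_name) tuples without touching the registry."""
    lines = _logical_lines(text)
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    ops, current = [], None
    for line in lines[1:]:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                # "[-KEY]" removes the key together with all subkeys and values.
                ops.append(("delete-key", key[1:], None))
                current = None
            else:
                current = key
            continue
        m = VALUE_RE.match(line)
        if m and current:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            # '"name"=-' removes a single value; anything else writes one.
            op = "delete-value" if m.group(2) == "-" else "set-value"
            ops.append((op, current, name))
        else:
            ops.append(("unrecognized", current, line))
    return ops


def outside_branch(ops, branch=MSCONFIG_BRANCH):
    """Operations whose key is not the given branch or one of its subkeys."""
    b = branch.lower()
    return [op for op in ops
            if not ((op[1] or "").lower() == b or (op[1] or "").lower().startswith(b + "\\"))]


if __name__ == "__main__":
    for label, text in (("delete.reg", DELETE_REG), ("constructed", CONSTRUCTED_REG)):
        ops = review_reg(text)
        print(label)
        for op in ops:
            print("  ", op)
        print("   outside msconfig branch:", len(outside_branch(ops)))
```
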
Old 07-26-2007, 01:26 AM   #14 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Spyware Update...

Hi there,

My PC still has spyware. "Active Scan" found 21 "Spyware" and 1 "hacking tool and rootkits" while searching through 110K worth of files. I estimate I have 400k worth of files that still need to be scanned. I am unable to do a full scan at present because I do not live where the PC is kept (i.e. the PC disturbs the occupants of the house when I'm not on it).

Cheers

Bruce Wayne
Old 07-26-2007, 01:31 AM   #15 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Good news!

Hi,

I managed to save the Panda Activescan report for the malware found on my PC. Please note, this is not a full scan report, only a 20% scan. Please see the attached file.

Cheers

Bruce Wayne


Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected hkey_current_user\software\Registry Cleaner
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.ehg-ubisoft.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.ehg-idg.hitbox.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.belnk.com/]
Attached Files
File Type: txt Activescan.txt (8.3 KB, 1 views)

Last edited by Ried; 07-26-2007 at 06:32 PM.
Old 07-26-2007, 07:14 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Hello Bruce Wayne,


If you look closely at the Panda results, you'll see that most of what it is reporting so far are undesirable cookies in Firefox. You can clear those via Firefox.

Open the Mozilla Browser>Tools>Options>Privacy>Cookies>Clear

I would also suggest adding this tool to the system. Run it first and see if that helps speed up Panda a bit:

Download AVG Anti Spyware

Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the main Status screen, under Your Computer's Security, click Resident Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Do Not Automatically generate report after every scan"


Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Post those results here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
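The reading of the Panda report given in the reply above (most findings are Firefox tracking cookies, a few are not) can be done mechanically on the saved text report. This is an added example, not part of the original posts; `triage` is a hypothetical helper, the sample lines follow the format of the report posted in this thread, and "Not disinfected" is the only status it recognises because it is the only one the thread shows.

```python
import re
from collections import defaultdict

# Sample lines in the format of the ActiveScan report posted in this thread.
SAMPLE_REPORT = r"""
Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected hkey_current_user\software\Registry Cleaner
Possible Virus. Not disinfected C:\Applications\Driver Cleaner\DCProSetup_15.zip[DCProSetup.exe][DCleaner.exe]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x282dw5x.default\cookies.txt[.doubleclick.net/]
"""

# "<incident> Not disinfected <location>"; the incident name may contain spaces.
LINE_RE = re.compile(r"^(?P<incident>.+?)\s+Not disinfected\s+(?P<location>.+)$")
# A cookie finding points at a cookies.txt file followed by "[domain/]".
COOKIE_LOC_RE = re.compile(r"^(?P<file>.+\\cookies\.txt)\[(?P<domain>[^\]]+)\]$")


def triage(report_text):
    """Split a report into cookie findings, findings needing review, and unparsed lines."""
    cookies = defaultdict(set)   # cookies.txt path -> set of cookie domains
    review = []                  # (incident, location) for everything that is not a cookie
    unparsed = []                # lines with an unknown layout or status, kept for manual reading
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line or line == "Incident Status Location":
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        incident, location = m["incident"], m["location"]
        loc = COOKIE_LOC_RE.match(location)
        if incident.startswith("Spyware:Cookie/") and loc:
            cookies[loc["file"]].add(loc["domain"].strip("./"))
        else:
            review.append((incident, location))
    return {
        "cookies": {path: sorted(domains) for path, domains in cookies.items()},
        "review": review,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Tracking cookies (clear them in the browser):")
    for path, domains in result["cookies"].items():
        print(f"  {path}: {', '.join(domains)}")
    print("Findings that need a closer look:")
    for incident, location in result["review"]:
        print(f"  {incident} -> {location}")
    if result["unparsed"]:
        print("Lines not understood:", *result["unparsed"], sep="\n  ")
```
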
Old 07-27-2007, 12:57 AM   #17 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Update...

Hi there,

I did everything you instructed. Please see the AVG scan report (see attachment). AVG found 28 malware, mainly cookies and 1 adware. I noticed my web surfing and outlook express (i.e. downloading messages) has been slower lately, do you think it's because of the spyware? Now that the spyware has been cleaned, my web-surfing experience should return to normal.

Regards,

Bruce Wayne

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:48 07-07-27

+ Scan result:



C:\Program Files\Microsoft AntiSpyware\Quarantine\D67C09B8-B88A-4D55-A423-7595F7\0C2D4E44-9B03-4338-8FC2-E7A545 -> Adware.Ucmore : Cleaned.
C:\Program Files\Microsoft AntiSpyware\Quarantine\D67C09B8-B88A-4D55-A423-7595F7\9FA806BA-E6CB-44B1-97A7-EE8300 -> Adware.Ucmore : Cleaned.
:mozilla.14:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.28:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.29:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.30:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.31:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.40:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.10:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.8:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.9:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.7:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.50:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.6:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.8:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.53:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.54:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.39:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.41:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.42:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.19:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.32:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.33:C:\Documents and Settings\Cathy\Application Data\Mozilla\Firefox\Profiles\zchzzgjn.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.35:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.36:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.37:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.38:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.51:C:\Documents and Settings\Cathy.WAYNE\Application Data\Mozilla\Firefox\Profiles\piu7mmob.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end
Attached Files
File Type: txt Report-Scan-20070727-184807.txt (9.1 KB, 1 views)

Last edited by Ried; 07-27-2007 at 07:16 PM.
Old 07-27-2007, 07:20 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Hiya,

AVG A-S removed undesirable tracking cookies and cleared the Microsoft AntiSpyware Quarantine folder.

I'm not finding any other malware here, how is the browsing and outlook express downloading?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 07-28-2007, 01:58 AM   #19 (permalink)
Registered User
 
Join Date: Sep 2006
Posts: 47
OS: XP


Update...

Hi,

Outlook Express 6 is painfully slow at the moment. It takes ages to download messages. I know I need to edit the registry. My browsing experience is not what it used to be. Mozilla takes ages to launch as well. My online experience used to be fast. I have tweaked broadband using TCP optimizer. Do you think my PC has a virus? Which virus checker do you recommend? I use Avast. Avast detected some viruses recently, I should do a full scan soon.

Regards,

Bruce Wayne
Old 07-28-2007, 01:41 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,976
OS: WinXP and Vista


Re: Need help to remove "square symbols" from msconfig

Your logs had come up clean. Did this slowness occur after you did some tweaking with TCP optimizer?

I'll take another look as well. Run a new scan with dss.exe and post the main.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."