# Point me in the right direction



## robert.bev (Oct 2, 2004)

Hi All
I have just run a HijackThis scan and there are a few things I am worried about, but I am not experienced enough to start deleting things by myself and need someone to go through it with me and point me in the right direction.
There seem to be three O2's (no file), one O3 Toolbar (no name) and one O17 Services\Tcpip\ (this is the one I am worried about), and two O20 Winlogon Notify entries, which I am sure are putting the "file not found" warnings on my screen at startup.
I have appended the HJT log below; can anybody help? Best regards, Robert.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:30, on 30/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Robert\My Documents\12 Fixes & Cracks\Virus cleaning tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - (no file)
O2 - BHO: (no name) - {658917E7-529A-4C54-BA91-F843EE846A22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {18daf02e-470d-19da-8234-e7122a93607b} - {b70639a2-217e-4328-ad91-d074e20fad81} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [383f12a8] rundll32.exe "C:\WINDOWS\system32\mxtqutdt.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-1960408961-1801674531-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-2000478354-1960408961-1801674531-1003 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User '?')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yayaYqPg - yayaYqPg.dll (file missing)
O20 - Winlogon Notify: yaywvst - yaywvst.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7298 bytes


----------



## Cookiegal (Aug 27, 2003)

We are sorry for the delay in responding. There is a large volume of posters who need assistance and unfortunately, we can't get to them all in a timely manner.

If you still require assistance with this, please post a new HijackThis log. I will be notified of your reply by e-mail and will post with further instructions for you.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
Thanks for your help. I am trying to do as much as I can myself, but I am very much a novice. I have found a few things I am not sure of, which are: two O2's (no name, no file); one O2 {18daf02e...} (no file); one O4 system32 mxtqutdt.dll (this is putting a warning on my screen at startup); one O4 HKUS S-1-5-18 CTFMON.EXE ?; also one O17 HKLM Tcpip (I'm worried about this); and two Winlogon Notify "yaya" entries (file missing).
If you could look at the latest log and explain what I need to do, I'd be most grateful. Regards, Robert.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:45, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - (no file)
O2 - BHO: (no name) - {658917E7-529A-4C54-BA91-F843EE846A22} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {18daf02e-470d-19da-8234-e7122a93607b} - {b70639a2-217e-4328-ad91-d074e20fad81} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [383f12a8] rundll32.exe "C:\WINDOWS\system32\mxtqutdt.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-1960408961-1801674531-1003\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-2000478354-1960408961-1801674531-1003 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User '?')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yayaYqPg - yayaYqPg.dll (file missing)
O20 - Winlogon Notify: yaywvst - yaywvst.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7024 bytes


----------



## Cookiegal (Aug 27, 2003)

Two of the four you questioned are fine. However, there are problems in the log.

CTFMON.EXE is for the language bar.

The O17 is for your ISP, Tiscali, in London.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------
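As an added illustration (not part of this thread, and not code from HijackThis or ComboFix), the rules applied to the log above can be written down as a small triage script: entries ending in "(no file)" or "(file missing)" are orphans, a Run entry with an eight-hex-digit label that makes rundll32 load a DLL through a one-letter export is the dropped-loader pattern seen at the 383f12a8 line, the O17 NameServer is compared against an allowlist of resolvers you recognise, and O20 entries are always queued for manual review. The sample lines are constructed from the second log in the thread; the allowlist of the two 212.139.132.x resolvers rests on the helper's statement that they belong to the poster's ISP, and the loader heuristics are assumptions, not a detection signature.

```python
"""Triage of HijackThis log lines with the rules used in this thread.

Added example: the sample lines and the resolver allowlist below are
constructed from the log posted above; the heuristics are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the thread's second log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - (no file)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [383f12a8] rundll32.exe "C:\WINDOWS\system32\mxtqutdt.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: yayaYqPg - yayaYqPg.dll (file missing)
"""

# Resolvers the helper in the thread identified as the poster's ISP (Tiscali);
# assumed good for this example only. Replace with the resolvers you expect.
EXPECTED_DNS = frozenset({"212.139.132.8", "212.139.132.9"})

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# rundll32[.exe] ["]path\to\x.dll["],export   (quotes optional, spaces allowed)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
LABEL_RE = re.compile(r"\[(?P<label>[^\]]+)\]")          # O4 entry name in [...]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)  # e.g. 383f12a8


@dataclass(frozen=True)
class Finding:
    line_no: int
    section: str   # HijackThis section prefix: R0, O2, O4, O17, O20 ...
    severity: str  # "info" (orphan/expected), "review" (verify by hand), "suspect"
    reason: str


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return a Finding for every log line that matches one of the rules."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if " - " not in line:
            continue
        section = line.split(" - ", 1)[0]

        # Rule 1: registrations whose DLL is gone are orphans. They run nothing
        # now, but they are what removed malware (or software) leaves behind.
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding(line_no, section, "info",
                                    "orphan: entry points at a file that no longer exists"))
            continue

        # Rule 2: a Run entry with an 8-hex-digit label that makes rundll32
        # load a DLL through a one-letter export is the dropped-loader pattern.
        if section == "O4":
            m = RUNDLL_RE.search(line)
            if m:
                lab = LABEL_RE.search(line)
                label = lab.group("label") if lab else ""
                dll = m.group("dll").replace("\\", "/").rsplit("/", 1)[-1]
                export = m.group("export")
                if HEX_LABEL_RE.match(label) or len(export) <= 2:
                    findings.append(Finding(line_no, section, "suspect",
                        f"rundll32 loads {dll} via export '{export}' under label '{label}'"))
            continue

        # Rule 3: the O17 NameServer must be a resolver you recognise;
        # anything else is a DNS hijack until proven otherwise.
        if section == "O17":
            unknown = sorted(set(IPV4_RE.findall(line)) - set(expected_dns))
            if unknown:
                findings.append(Finding(line_no, section, "suspect",
                                        "NameServer set to unexpected resolver(s): " + ", ".join(unknown)))
            else:
                findings.append(Finding(line_no, section, "info",
                                        "NameServer matches the expected resolvers"))
            continue

        # Rule 4: Winlogon Notify and AppInit_DLLs load a DLL into winlogon or
        # into every GUI process; always confirm the vendor by hand.
        if section == "O20":
            where = "Winlogon Notify" if "Winlogon Notify" in line else "AppInit_DLLs"
            findings.append(Finding(line_no, section, "review",
                                    f"{where} loads a DLL at logon; confirm it belongs to known software"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.section:<4} {f.severity:<8} {f.reason}")
```

Run it on a saved log with `triage(open("hijackthis.log").read(), expected_dns={...})`. The script deliberately does not rate the AppInit_DLLs line as clean even though avgrsstx.dll is AVG's: a file name alone proves nothing, and O20 locations are exactly where a loader would sit, so the decision stays with the person reading the log.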



## robert.bev (Oct 2, 2004)

Hi Cookiegal
Thanks for your help. I put ComboFix on my desktop with the MS recovery prog. I tried the _no XP disk method_, as it seems that after putting the disk in the PC and downloading the Recovery Console, the rec console wants to reboot and start itself (unless I have read the instructions wrong). I then tried to slide the rec prog icon onto the ComboFix icon on the desktop and it would not stay in and kept appearing back on the desktop. Whether I downloaded the prog correctly I'm not sure, as the tutorial is different to the actual download process.
When I clicked on ComboFix to start, a warning said 1 in a hundred PCs were damaged, so I clicked abort. Am I doing something wrong?
Regards, Robert.


----------



## Cookiegal (Aug 27, 2003)

That warning message was only put there to discourage people from running ComboFix on their own, as it is a powerful tool and should only be used under supervision.

For now, skip installing the Recovery Console and go ahead and run ComboFix please.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
Here is the ComboFix log as requested. I hope that I have done it correctly. Regards, Robert.

ComboFix 08-07-05.1 - Robert 2008-07-07 20:58:43.1 - NTFSx86

Running from: C:\Documents and Settings\Robert\Desktop\shortcuts\ComboFix.exe
* Resident AV is active

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM3b0c2134.txt
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hwonajpc.ini
C:\WINDOWS\system32\kmllm.ini
C:\WINDOWS\system32\kmllm.ini2
C:\WINDOWS\system32\SsYccMoq.ini
C:\WINDOWS\system32\SsYccMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-06 10:46 . 2008-07-06 10:46 d--------	C:\Program Files\Trend Micro
2008-06-23 15:42 . 2008-06-23 15:42	20,880	--a------	C:\WINDOWS\pspbrwse.jbf
2008-06-23 14:09 . 2008-06-28 09:29 d--------	C:\Program Files\ACW
2008-06-21 16:52 . 2008-06-21 16:52	224	--a------	C:\WINDOWS\system32\9B13A86D.plf
2008-06-21 15:44 . 2008-06-21 15:44 d--------	C:\Program Files\ParetoLogic
2008-06-21 15:44 . 2008-06-21 15:44 d--------	C:\Program Files\Common Files\ParetoLogic
2008-06-21 15:44 . 2008-06-21 15:44 d--------	C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-06-20 00:14 . 2008-06-20 00:14 d--------	C:\Documents and Settings\Robert\Application Data\Jasc Software Inc
2008-06-19 10:30 . 2004-03-03 06:10	31,053	--a------	C:\WINDOWS\system32\EPPICPattern131.dat
2008-06-19 10:30 . 2004-03-03 06:10	27,417	--a------	C:\WINDOWS\system32\EPPICPattern121.dat
2008-06-19 00:14 . 2008-06-28 09:33 d--------	C:\Program Files\7ZipSfx.000
2008-06-17 14:49 . 2008-06-17 14:49 d--------	C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-17 10:43 . 2008-06-17 10:43 d--------	C:\Program Files\Google
2008-06-11 17:43 . 2008-07-07 21:02 d--------	C:\Program Files\TrojanHunter 4.0
2008-06-10 11:46 . 2007-07-19 18:14	3,727,720	--a------	C:\WINDOWS\system32\d3dx9_35.dll
2008-06-10 11:45 . 2008-06-10 11:45 d--------	C:\WINDOWS\Logs
2008-06-10 11:32 . 2008-06-10 11:32 d--------	C:\NVIDIA
2008-06-10 11:32 . 2008-04-30 17:27	442,368	--a------	C:\WINDOWS\system32\NVUNINST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 04:05	---------	d-----w	C:\Documents and Settings\Robert\Application Data\MailWasherPro
2008-07-07 22:45	---------	d-----w	C:\Documents and Settings\Robert\Application Data\Skype
2008-07-07 18:34	---------	d-----w	C:\Program Files\Java
2008-07-03 02:19	---------	d-----w	C:\Documents and Settings\Robert\Application Data\uTorrent
2008-07-02 05:54	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-02 05:36	---------	d-----w	C:\Program Files\GameShadow
2008-07-01 19:05	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Skype
2008-07-01 19:05	---------	d-----r	C:\Program Files\Skype
2008-07-01 15:25	---------	d-----w	C:\Documents and Settings\Robert\Application Data\skypePM
2008-06-29 16:30	4,830,008	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-28 16:33	---------	d-----w	C:\Program Files\epson
2008-06-23 21:15	3,703,808	----a-w	C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-23 00:16	3,691,008	----a-w	C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-21 01:35	---------	d-----w	C:\Documents and Settings\All Users\Application Data\UDL
2008-06-20 07:14	---------	d-----w	C:\Program Files\Jasc Software Inc
2008-06-19 17:58	3,665,408	----a-w	C:\WINDOWS\Internet Logs\xDB4.tmp
2008-06-19 03:16	3,628,544	----a-w	C:\WINDOWS\Internet Logs\xDB7.tmp
2008-06-03 18:48	---------	d-----w	C:\Program Files\Unused fonts
2008-06-03 18:08	---------	d-----w	C:\Program Files\TomTom HOME 2
2008-06-03 18:04	---------	d-----w	C:\Program Files\Webshots
2008-05-30 23:20	22	----a-w	C:\WINDOWS\system32\drivers\adidsl.cfg
2008-05-30 23:20	---------	d-----w	C:\Program Files\SAGEM
2008-05-30 21:19	507,400	----a-w	C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 21:18	238,088	----a-w	C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 21:17	65,032	----a-w	C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 21:17	25,608	----a-w	C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 21:11	467,984	----a-w	C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 21:11	3,850,760	----a-w	C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 21:11	1,491,992	----a-w	C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-29 18:07	---------	d-----w	C:\Program Files\Free Window Registry Repair
2008-05-28 03:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg8
2008-05-26 20:56	---------	d-----w	C:\Program Files\JetAudio
2008-05-26 06:24	---------	d-----w	C:\Program Files\Sophos
2008-05-25 00:13	96,520	----a-w	C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-25 00:13	75,272	----a-w	C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-25 00:13	10,520	----a-w	C:\WINDOWS\system32\avgrsstx.dll
2008-05-25 00:13	---------	d-----w	C:\Program Files\AVG
2008-05-24 23:39	3,314,176	----a-w	C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-24 21:49	---------	d-----w	C:\Program Files\Diskeeper Corporation
2008-05-24 21:49	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-05-24 17:15	---------	d-----w	C:\Documents and Settings\Robert\Application Data\Snapfish
2008-05-23 05:46	---------	d-----w	C:\Documents and Settings\Robert\Application Data\Winamp
2008-05-23 03:46	---------	d-----w	C:\Program Files\Windows Media Connect 2
2008-05-23 02:27	---------	d-----w	C:\Program Files\Winamp
2008-05-22 18:41	---------	d-----w	C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-22 06:29	87,608	----a-w	C:\Documents and Settings\Robert\Application Data\inst.exe
2008-05-22 06:29	47,360	----a-w	C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-22 06:29	47,360	----a-w	C:\Documents and Settings\Robert\Application Data\pcouffin.sys
2008-05-22 06:28	---------	d-----w	C:\Program Files\VSO
2008-05-20 05:48	---------	d-----w	C:\Program Files\Panasonic
2008-05-20 03:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-15 06:01	---------	d-----w	C:\Program Files\ooVoo
2008-05-10 13:07	---------	d-----w	C:\Program Files\All Media Fixer
2008-05-08 03:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-08 01:35	---------	d-----w	C:\Program Files\Common Files\Adobe AIR
2008-03-19 20:36	32	----a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-03 05:54	32	----a-r	C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSGTAG"="C:\Program Files\MSGTAG\MSGTAG.exe" [2003-08-15 19:26 1315328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-24 17:13 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
"THGuard"="C:\Program Files\TrojanHunter 4.0\THGuard.exe" [2004-09-02 14:47 1073664]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 15:54 37376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-03 05:46 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

C:\Documents and Settings\Robert\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe [2008-03-19 12:37:13 16667786]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2008-05-30 16:20:09 962667]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
--a------ 2005-04-25 14:45 36040 C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
--a------ 2005-02-01 21:00 98304 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIADE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
--a------ 2007-01-12 18:48 275800 C:\Program Files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-12-05 16:38 707360 C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCPoVoo TCP port 443
"443:UDP"= 443:UDPoVoo UDP port 443
"37674:TCP"= 37674:TCPoVoo TCP port 37674
"37674:UDP"= 37674:UDPoVoo UDP port 37674
"37675:UDP"= 37675:UDPoVoo UDP port 37675

.
Contents of the 'Scheduled Tasks' folder
"2008-05-25 17:27:23 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job"
- C:\WINDOWS\vVX3000.exe
"2008-07-08 01:00:00 C:\WINDOWS\Tasks\ParetoLogic Registration.job"
- C:\WINDOWS\system32\[email protected]
"2008-07-04 07:33:00 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job"
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{514A5C49-0C7D-42c3-A71B-38864A269B7A} - (no file)
BHO-{658917E7-529A-4C54-BA91-F843EE846A22} - (no file)
BHO-{b70639a2-217e-4328-ad91-d074e20fad81} - (no file)
HKLM-Run-383f12a8 - C:\WINDOWS\system32\mxtqutdt.dll
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-yayaYqPg - yayaYqPg.dll
Notify-yaywvst - yaywvst.dll
MSConfigStartUp-BM3b0c2134 - C:\WINDOWS\system32\ldfqxchm.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 21:04:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Robert\LOCALS~1\Temp\mc22.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\3F.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\TrojanHunter 4.0\THSec.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-07 21:09:31 - machine was rebooted [Robert]
ComboFix-quarantined-files.txt 2008-07-08 04:09:24

Pre-Run: 54,739,255,296 bytes free
Post-Run: 54,677,962,752 bytes free

208	--- E O F ---	2008-05-17 16:13:27


----------



## Cookiegal (Aug 27, 2003)

Have you previously done some scans with RootKitRevealer or Sophos Anti-Rootkit?

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
*Please copy and paste the Scan Log results in your next reply.*

Click *Close* to exit the program.

Please run Kaspersky online virus scan *Kaspersky Online Scanner*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the *"Extended database" *for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

*Note:* You have to use Internet Explorer to do the online scan.

*Post a new HiJackThis log along with the results from the SuperAntiSpyware and Kaspersky scans.*


----------



## robert.bev (Oct 2, 2004)

Hi again Cookiegal
And yes, as I do my banking online I was searching for a trojan checker and I saw the Sophos prog, so I downloaded it and ran a scan, along with A.V.G. anti-rootkit free.

The free Super Anti sw prog is a little different to the tutorial as some features are NA, but I picked it up at Perform Complete Scan. The Kaspersky would not run on my PC as it reported that two installed progs were incompatible with it, those being A.V.G. 8 & ZoneAlarm Pro. The Super Anti sw log and the HJT log are appended below.
Many thanks Robert.
PS After running the above, my ZoneAlarm has just done its daily scan and found and quarantined "Kazaa lite goop28" and P2P-Worm.win32.logpole.c; these must have come with the SuperAnti spyware program.

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 07/08/2008 at 10:47 AM

Application Version : 4.15.1000

Core Rules Database Version : 3499
Trace Rules Database Version: 1490

Scan type : Complete Scan
Total Scan Time : 00:16:57

Memory items scanned : 305
Memory threats detected : 0
Registry items scanned : 4550
Registry threats detected : 0
File items scanned : 12238
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][1].txt
C:\Documents and Settings\Robert\Cookies\[email protected][2].txt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:07, on 08/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-1960408961-1801674531-1003\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-2000478354-1960408961-1801674531-1003 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User '?')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7332 bytes
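An added triage helper (not part of this thread and not HijackThis' own code) that parses the "Oxx - ..." line layout used in the logs above and flags the entry types this thread discusses: registrations whose file is missing, O10 Winsock LSPs, O15 Trusted Zone additions, O17 NameServer overrides, O20 Winlogon/AppInit hooks, and anything running from a Temp location. The sample lines are copied from the logs in this thread plus one constructed O4 line; the `Entry`, `extract_target` and `triage_*` names are this example's own.

```python
"""Triage helper for HijackThis (HJT) 2.0.x log lines.

Added example, not part of this thread and not HijackThis' own code. A flag
means "look at this", not "this is malware": several of the flagged lines in
this thread (the ISP's DNS servers, SUPERAntiSpyware's Winlogon hook, AVG's
AppInit DLL) turned out to be legitimate.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MISSING_MARKERS = ("(no file)", "(file missing)")
TEMP_MARKERS = ("\\local settings\\temp\\", "\\locals~1\\temp\\", "\\windows\\temp\\")


@dataclass
class Entry:
    code: str
    body: str
    target: Optional[str] = None      # file path, domain or DNS servers, per section
    flags: List[str] = field(default_factory=list)


def extract_target(code: str, body: str) -> Optional[str]:
    """Pull the file / domain / servers out of the section-specific line layout."""
    if code == "O4":
        # 'HKLM\..\Run: [name] "C:\path\prog.exe" /arg (User '?')' -> the program path
        m = re.search(r"\]\s*(.+?)(?:\s+\(User '[^']*'\))?$", body)
        if not m:
            return None
        cmd = m.group(1).strip()
        return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    if code in {"O2", "O3", "O9", "O18", "O20"}:
        tail = body.split(": ", 1)[-1]        # drop the "BHO:" / "Toolbar:" label
        return tail.rsplit(" - ", 1)[-1].strip()   # last " - " field is the file
    if code in {"O10", "O15"}:
        return body.split(": ", 1)[-1].strip()
    if code == "O17":
        return " ".join(IP_RE.findall(body))  # the NameServer addresses
    return None


def triage_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; returns None for lines that are not Rx/Oxx entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("code"), m.group("body"))
    entry.target = extract_target(entry.code, entry.body)
    low = (entry.target or "").lower()
    if entry.code in {"O2", "O3", "O9"} and any(x in low for x in MISSING_MARKERS):
        entry.flags.append("orphaned registration: component file is missing")
    if entry.code == "O10":
        entry.flags.append("Winsock LSP hook: verify the DLL's vendor")
    if entry.code == "O15":
        entry.flags.append("Trusted Zone addition: confirm the site was added on purpose")
    if entry.code == "O17":
        entry.flags.append("DNS servers overridden: confirm they belong to the ISP")
    if entry.code == "O20":
        entry.flags.append("Winlogon Notify / AppInit_DLLs hook: loads at every logon")
    if low.endswith(".tmp") or any(x in low for x in TEMP_MARKERS):
        entry.flags.append("runs from a Temp location or a .tmp file")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that earned at least one flag, in log order."""
    flagged = []
    for line in text.splitlines():
        e = triage_line(line)
        if e and e.flags:
            flagged.append(e)
    return flagged


# Sample lines copied from the logs in this thread, plus one constructed O4
# line (the mc22.tmp path is taken from the ComboFix registry dump above).
SAMPLE_LOG = r"""
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - I:\SZSG.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mc22] C:\DOCUME~1\Robert\LOCALS~1\Temp\mc22.tmp
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: http://www.batraveltrade.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.code:<4} {e.target}")
        for f in e.flags:
            print(f"       -> {f}")
```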


----------



## Cookiegal (Aug 27, 2003)

SuperAntiSpyware does not come bundled with malware. Please check Zone Alarm's log and let me know the names of the files that were detected and the entire path to their location.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
The two anomalies were "Kazaa lite goop28" and
P2P Worm.Win32.logpole.C
I'm not sure about the path as ZA does not keep a logfile, it just puts 'em into quarantine. ZA calls them trojans although I have never heard of them; I wonder if it's something that ZA does not understand and gives them a trojan label? Sometimes ZA does that.
Regards Robert


----------



## Cookiegal (Aug 27, 2003)

It's probably from Kazaa as I've seen other posts on the Internet with these detections of registry keys.

Is your version of ZoneAlarm an anti-virus in addition to a firewall?


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
Yes, the ZoneAlarm is a virus prog as well as a firewall; although it scans daily I only use it as a firewall, I use the A.V.G. as the virus prog.
In the ZA quarantine at the moment is....
Win32.Application.Binder.B (49 days)
Win32.Trojan.MulDrop.6459 (30 days)
Kazaa lite goop (1 day)
and P2P-Worm.Win32logpole.c (1 day)
The first three are listed as (medium) and the last one (High) as ZA says it can take screen shots and log keystrokes. Like many users I am not sure if I can delete these from quarantine, or just leave them. I am wondering how they get on my PC as the A.V.G (with email scanner) is supposed to be one of the best at picking up the nasties.
Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

Once again I must comment on your set-up. Since Zone Alarm has anti-virus, even though you're not running it as such, you have two anti-virus programs installed and that can cause problems. Why don't you just go with the ZoneAlarm Firewall and anti-virus?

AVG, although good for a free program, is far from the best protection.

The Zone Alarm log should show what it's detecting, whether it's a file or a registry key or value.

If you can't find it, try this on-line scanner from ZoneLabs and save the report and paste it here please.

http://download.zonelabs.com/bin/free/cm/index4.html

Also, please open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
I guess you are right about ZA & AVG, it's just that I had been told that the AVG scanner was better than the ZA virus scanner.
The Trojan Hunter Guard on my PC is a 30 day free trial that runs out tomorrow, so I will be looking for a free one that will update, as the AVG Anti Root Kit free doesn't.
Regards Robert.
PS I tried the link you sent and I got a ZA page saying "We're Sorry, the page you requested is not available."

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
All Media Fixer 9.03
AVG Anti-Rootkit Free
AVG Free 8.0
Belarc Advisor 7.2
C-Media WDM Audio Driver
ConvertXtoDVD 3.0.0.9c
COWON Media Center - jetAudio Basic
Diskeeper 2008 Pro Premier
eCleaner 2.01
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Image Clip Palette
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX4800_4200 User's Guide
Free Window Registry Repair
GameShadow
getPlus(R)_ocx
Google Earth
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
Java(TM) 6 Update 5
Java(TM) 6 Update 6
MailWasher Pro
McFunSoft DVD Creator Trial Version (English) 7.2
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft LifeCam
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0)
MSGTAG
MSXML 4.0 SP2 (KB936181)
Nero OEM
NVIDIA Drivers
ooVoo
Paint Shop Pro 7
PC Inspector smart recovery
SAGEM [email protected] 800-840
SDFormatter
Security Update for Windows XP (KB923789)
Silent Hunter III
Skype™ Beta 4.0
Sophos Anti-Rootkit 1.3.1
Spelling Dictionaries Support For Adobe Reader 8
SUPERAntiSpyware Free Edition
TomTom HOME
TrojanHunter 4.0
Webshots Desktop
Winamp
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Xilisoft DVD Creator
ZoneAlarm Pro


----------



## Cookiegal (Aug 27, 2003)

The Zone Alarm link works for me. Please try again. It may have been down for a short period.

Go to Control Panel - Add/Remove programs and remove:

*Java(TM) 6 Update 5*

You should also remove one of the anti-rootkit scanners as you don't need two of them. You don't really need either of them as you can always download one if you suspect you have a rootkit.

Let me know if you can do the ZoneAlarm on-line scan.


----------



## robert.bev (Oct 2, 2004)

Hi again
Java Update 5 cleared; I had to swap back from FireFox to IE to use the ZA scanner, it only took a second and reported no threats and it doesn't make a log.
I then scanned again with SuperAnti spyware and that found 4 trackers.
I have disabled A.V.G. 8 although that has a trojan scan built in; for the moment I'll go with ZA, but the fault with the latest ZA is if it doesn't understand anything it labels it as a trojan, and half a day is lost trying to find out what it is. The favourite is Trojan HeurB, I've forgotten what it is, but it's not a trojan. I must say that Super A is quite good.
Best regards Robert..


----------



## Cookiegal (Aug 27, 2003)

Is everything fine now then?


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
Yes, things seem to be ok, the strings that I was unsure about have gone, and the one I was worried about you said was my ISP so that's ok. The two rundll warnings at startup have gone, as have the Win logon Notify yaya strings; were they producing the warnings? Just one warning left on startup now. I think it's something left over from a prog called Spyware Terminator that I got rid of; it produces a warning at startup of C:\ docs 1 \Alluse~1 \Application\sp-rsdl\ program could not be found, but I cannot find what is producing it in order to zap it.
Many thanks Robert.


----------



## Cookiegal (Aug 27, 2003)

Is this a directory that you created? 

C:\ *docs 1*


----------



## robert.bev (Oct 2, 2004)

Good Morning Cookiegal
Sorry for being unclear, it was late at night and my eyes had gone blurred and square from too many hrs on the PC.
The warning still present at start-up now only flashes on for a few seconds and I think refers to a prog called Spyware Terminator that I uninstalled some weeks ago. Although it's only on for a few secs, this time I think I have got it right; the warning is C:\docume~1\ alluse~1\ applic~1\spyware~1\sp_rsde1.exe program not found ski_pping Autocheck
Regards Robert,


----------



## Cookiegal (Aug 27, 2003)

Download *OTScanIt.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *OTScanIt* on your desktop.

Close any open browsers.
Disconnect from the Internet.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of OTScanIt.
Open the *OTScanIt* folder and double-click on OTScanIt.exe to start the program.
Check the box that says *Scan All User Accounts*
Under Drivers select the radio button for *All*
Check the Radio buttons for Files/Folders Created Within *90 Days* and Files/Folders Modified Within *90 Days* 
Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Security Settings
Reg - Session Manager Settings
Reg - Software Policy Settings
Reg - Uninstall List

Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it automatically.
Save that Notepad file. Click the *Format* menu and make sure that *Word wrap* is not checked. If it is then click on it to uncheck it.
Use the *Reply* button and upload Notepad file here as an attachment please.


----------



## robert.bev (Oct 2, 2004)

HI again Cookiegal
I'm sorry, the file will not send as it is too big by a good lump. Are there any parts of the scan that you will not need or I can delete? Or can I be more selective in another scan?

Again I am sorry to be a pain, but another intermittent prob came back this morning. When I start Internet Ex I get a warning with a red spot X: "Internet Ex cannot open the internet site http://www.tiscali.co.uk/index.html" Operation Aborted. This is my ISP and can be accessed ok, it's just putting up a warning for some reason.
Best regards Robert.


----------



## Cookiegal (Aug 27, 2003)

Please zip the file and then upload it or split it into two attachments.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
I have tried splitting the file & it's still too big, so I have figured out how to put it in a compressed file in my docs, but as it does not seem to want to copy and paste, I am not yet sure how to transfer the file and put the file in with this text. Once I have figured it out you shall have it.

Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

You can't copy and paste a compressed file. You can upload the file from your computer as an attachment and I will unzip it to extract the contents.

To do that, below the reply dialogue box, click on "Manage Attachments" then "Browse" to locate the file on your computer and click to Open that file and then click on "Upload" to upload it. Finally, submit your reply.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
Hope this works, I clicked upload and it went, I don't know where but it went.
Regards Robert


----------



## Cookiegal (Aug 27, 2003)

There is nothing attached.


----------



## robert.bev (Oct 2, 2004)

Hi
Sorry for that, I must be missing something. After browsing to and selecting the zipped up file by a double click, the file path, which is my docs, appears in "Upload Files From your Computer"; after clicking Upload the file appears in "Current Attachments at 45.3 Kb's" with a remove button at the side; if I then click upload I get a message "select a file to attach".
I feel like I am wasting your time, although I haven't uploaded a zip file before, and we silver surfers are a bit slower on the uptake.
Regards Robert,


----------



## robert.bev (Oct 2, 2004)

Whoops, it looks like it's done it, don't know how but end result good.


----------



## Cookiegal (Aug 27, 2003)

Start *OTScanIt*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 1 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Webshots Photo Search -> %ProgramFiles%\Webshots\WSToolbar4IE.dll
[Files/Folders - Created Within 90 days]
NY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> BM3b0c2134.xml -> %SystemRoot%\BM3b0c2134.xml
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 90 days]
NY -> 9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> tdtuqtxm.ini -> %SystemRoot%\System32\tdtuqtxm.ini
NY -> 9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 25 C:\Documents and Settings\Robert\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Robert\Local Settings\Temp\*.tmp
NY -> 3 C:\Documents and Settings\Robert\Local Settings\Temp\07110892014\*.tmp files -> C:\Documents and Settings\Robert\Local Settings\Temp\07110892014\*.tmp
NY -> C:\Documents and Settings\Robert\Local Settings\Temp\07110892228\ -> C:\Documents and Settings\Robert\Local Settings\Temp\07110892228
NY -> 8 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
Also, I don't know if this is a file or a folder but it seems it was created at the same time as other infected files. Can you locate it and if it's a folder, let me know what files it contains please.

C:\Windows\System32\*383f0026*

I also need you to export a registry key.

Go to Start - Run - copy and paste the following line and press Enter.

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"*

Then go to C:\Look.txt and open that file for the report and copy and paste the contents here please.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal, my last two posts are not showing on the site, something is wrong as I am only seeing half the site and a lot of RedX's
Robert.


----------



## Cookiegal (Aug 27, 2003)

Are you still having that problem? It may have just been a glitch with the site.

If you still have the problem, please let us know what server you're on (you will see that at the bottom left side of your screen) and also what browser you're using.


----------



## robert.bev (Oct 2, 2004)

Hi Again
My last two posts are still not showing on the site, the ones about the OTScanIt & the reg key, did you get them? All I am seeing on the site is lots of white space, blue text and many red X's in square boxes, and no buttons. (It's like safe mode!!)
My browser is Internet Explorer, not sure what you mean by server??
Robert.


----------



## Cookiegal (Aug 27, 2003)

What browser are you using?

The server refers to the TSG server as we have several. You will see at the bottom left it says: You are using: Server #

Can you post here now? Try posting something without any attachments.

Then try reposting the attachment please.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal, the site seems ok today, colour and buttons are back (Gremlins?)
Nothing at bottom left except Start button and icons across screen bottom. On Belarc Advisor I found Servers (DNS) 212.139.132.8 and 212.139.132.9, then in > Internet ADSL status box Servers IP Address was 212.74.102.13. Not sure if this helps? Now my PC will not go on line automatically, I have to click > Connect To > and when I go to Internet ADSL Status, Advanced Tab, I get > Windows cannot display the properties of this connection, the Windows Management Information (WMI) might be corrupted, restore to an earlier time.
Sorry, this seems to be another prob. I will go back to the OTScanIt fix and try again step by step.
Robert.


----------



## robert.bev (Oct 2, 2004)

383f0026 is a file modified on 24-5-2008

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Webshots Photo Search\ not found.
[Files/Folders - Created Within 90 days]
File C:\WINDOWS\BM3b0c2134.xml not found!
[Files/Folders - Modified Within 90 days]
File C:\WINDOWS\System32\tdtuqtxm.ini not found!
File delete failed. C:\Documents and Settings\Robert\Local Settings\Temp\~DF2E8.tmp scheduled to be deleted on reboot.
File C:\Documents and Settings\Robert\Local Settings\Temp\07110892228 not found!
File delete failed. C:\WINDOWS\Temp\ZLT06edd.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT06ee0.TMP scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Robert\Local Settings\Temp\~DF2E8.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06edd.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06ee0.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 07212008_102251

Files moved on Reboot...
C:\Documents and Settings\Robert\Local Settings\Temp\~DF2E8.tmp moved successfully.
C:\WINDOWS\Temp\ZLT06edd.TMP moved successfully.
C:\WINDOWS\Temp\ZLT06ee0.TMP moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_d0.dat not found!


----------



## robert.bev (Oct 2, 2004)

I have found a Look file and managed to zip it up, as it will not send uncompressed, but I am lost after putting it in Current Attachments. Latest HJT below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:06, on 21/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ooVoo\ooVoo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - I:\SZSG.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - I:\SZIEBHO.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - I:\SZSG.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-1960408961-1801674531-1003\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-2000478354-1960408961-1801674531-1003 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User '?')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7392 bytes


----------



## Cookiegal (Aug 27, 2003)

Since you don't recognize this file, please go ahead and delete it:

C:\Windows\System32\*383f0026*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - I:\SZIEBHO.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - I:\SZSG.dll (file missing)*

Now, we need to back up your registry:

Please go to *Start* - *Run* and copy and paste the following and then click OK:

*regedit /e c:\registrybackup.reg*

It won't appear to be doing anything and that's normal. Your mouse pointer may turn to an hour glass for a minute.

When it no longer has the hour glass, check in your C drive to be sure you have a file called *registrybackup.reg* before continuing. If you do not see that file, please let me know before doing anything else beyond this point. If you have that file, then please continue.

I'm attaching a FixRobert.zip file. Save it to your desktop. Unzip it and double-click the FixRobert.reg file and allow it to enter into the registry.

Reboot and let me know how things are. This should have stopped the error messages you're getting about Autochk.


----------



## robert.bev (Oct 2, 2004)

Hi Cookiegal
I zapped the strings and ran the Fix Robert and did a reg backup, and on the reboot the warning ( C:\Docume~1\Alluse~1\Applic~1\spywar~1\sp_rsdl.exe program cannot be found ) was still there, as was the warning in the Internet ADSL Properties box Advanced tab, WMI information might be corrupted, although this might not be part of our prob.
I am sure that I saw the string we are looking for when I was sending one of the logs to you, and for the last hour I have searched the logs on the site but have not found it, I wonder where the log went.
I am sorry for the problems I am causing you, I do appreciate your help and I am learning a little also.
Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

Please do a new export of this registry key as you did before and post the results:

Go to *Start* - *Run* - copy and paste the following line and press Enter.

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"*

Allow it to override the previous C:\Look.txt file and then open that file for the report and copy and paste the contents here please.


----------



## robert.bev (Oct 2, 2004)

Hi, As before when I paste the link nothing happens, if I delete the e after regedit/(e) and then paste I get the message "Are you sure you want to add the info in C:\Look.txt to the registry" if I click >NO I get "Are you sure you want to add the info HKEY_Local_Machine\System\Current Control Set\Control\Session Manager to the registry"
Is this as you anticipate, regards Robert.
Ps The last Look.txt file I sent I found amongst the folders in local disk C


----------



## Cookiegal (Aug 27, 2003)

You won't see anything happening when you run the command. The report is found in C:\Look.txt. The new one should override the previous one but to be sure you could delete the C:\Look.txt file before running the command again.

Please run the command again as written and then post the C:\Look.txt file.


----------



## robert.bev (Oct 2, 2004)

Hi, Hope this one is ok


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a new FixRobert.zip file. Please remove the previous one and save this one to your desktop. Unzip it and double-click the FixRobert.reg file and allow it to enter into the registry.

Reboot and let me know if those autochk messages still appear.


----------



## robert.bev (Oct 2, 2004)

Hi again CG, I ran the fix and rebooted the PC, unfortunately the autochk warning was still there, it appears after the windows logo, on a green screen with a two inch black border and the border also has a Windows logo on it. Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

What is the exact message? Can you get a screen shot of it?


----------



## robert.bev (Oct 2, 2004)

Hi Don't know how to take screen shots, but full message is " C:\Docume~1\Alluse~1\Applic~1\spywar~1\sp_rsde 1.exe program cannot be found skipping Autocheck "

It looks like Windows is putting up the warning? that the prog is not there, as I uninstalled it some weeks ago, do you think it will be easier to find the program and re-install it again, and then do another uninstall?
Regards Bob.


----------



## Cookiegal (Aug 27, 2003)

I know what the problem is but the regfix should fix it. When you ran the fix, did you get a message saying it was merged in the registry?


----------



## robert.bev (Oct 2, 2004)

Hi CG, yes I got the message both times, sorry I'm off to bed now, I've got square eyes again.
Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

Something may be blocking the changes, possibly StopZilla.

Please try running the regfix again but in safe mode.


----------



## robert.bev (Oct 2, 2004)

Hi CG, I presume you meant the OTScanIt prog which I ran again in S/Mode using and pasting the text that I had used previously, when the prog had finished it did a reboot back to normal mode but did not save a log, unfortunately on reboot the warning was still there, I did another HJT log if that is of any use. A.T.B. Robert.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:24:49, on 25/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Innovative Solutions DriverMax\DriverMax\devices.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions DriverMax\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-1960408961-1801674531-1003\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-2000478354-1960408961-1801674531-1003 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User '?')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6770 bytes


----------



## Cookiegal (Aug 27, 2003)

No, that's not what I meant. Please run the attachment in post no. 45 again but this time do it in safe mode.


----------



## robert.bev (Oct 2, 2004)

Hi CG, I used the fix from post 45, and installed it to the reg in safe mode as suggested, and rebooted twice, and the warning is still there on boot up.
A.T.B. Robert.


----------



## Cookiegal (Aug 27, 2003)

It looks like we're going to have to edit the registry manually. Are you familiar at all with the registry? Are you comfortable editing it?


----------



## robert.bev (Oct 2, 2004)

Yes ok CG, as long as it's written step > by > step, so that this dim silver surfer can follow, I have traced values and changed strings eg (0) to (1) etc on previous occasions under guidance, so let's go for it.
Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

OK. First, I just want you to look and not change anything.

Navigate to this key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\*Session Manager*

To do that, go to *Start* - *Run* - type in *regedit* and click OK to open the registry editor. Now click on the + that you see to the left of each one, i.e.

+HKEY_LOCAL_MACHINE
+SYSTEM
+CurrentControlSet
+Control
+Session Manager

Left-click once on *Session Manager *and you should see a long list of items open up in the right-hand pane.

In the right-hand pane, double-click on *BootExecute*. This will open up a box that says "Edit Multi-String". I don't want you to edit or change anything yet. Be very careful that you don't accidentally delete the text that's there. Please copy and paste the text that you see there in the *Value Data: box* in your next reply.

It should look something like this:

autocheck autochk *
autocheck C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe "\??\C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat


----------



## robert.bev (Oct 2, 2004)

autocheck autochk *
autocheck C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe "\??\C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat
Hi CG, This looks like the irritating bugger!!! A.T.B. Robert.


----------



## Cookiegal (Aug 27, 2003)

First, let's create a new backup of the entire registry:

Please go to *Start* - *Run* and copy and paste the following and then click OK:

*regedit /e c:\registrybackup2.reg*

It won't appear to be doing anything and that's normal. Your mouse pointer may turn to an hour glass for a minute.

When it no longer has the hour glass, check in your C drive to be sure you have a file called *registrybackup2.reg* before continuing. *If you do not see that file, please let me know before doing anything else beyond this point.*

If you have that backup file created, then continue as follows:

Navigate back to the same registry value and click on BootExecute to open up the box where you saw:

autocheck autochk * ---> Do not delete this line
autocheck C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe "\??\C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat

Now, highlight *ONLY* the second line that reads as follows:

*autocheck C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe "\??\C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat*

Caution: Do *NOT* highlight the first line that reads as follows. This is the default value for this entry and must remain.

autocheck autochk *

Now, right-click on the text you have highlighted and select "delete" from the menu. Be sure that the following text remains in the box:

autocheck autochk *

If you selected all the text by mistake and haven't clicked OK yet, you can click "cancel" and then start over.

Then click OK to complete the deletion and close the registry editor.

Reboot the computer and let me know if the autochk error message you were getting is now gone.
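As an added example (not code from this thread or from either poster), the following Python script audits the same BootExecute value from a `regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"` export: it decodes the hex(7) multi-string, flags autocheck entries whose program no longer exists, and shows what must remain. SAMPLE_EXPORT is constructed to mirror the two lines Robert pasted, and the file-existence check is injected so it runs on any machine.

```python
"""Audit BootExecute under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager
from a regedit /e export and report autocheck entries whose program is gone,
while preserving the mandatory default entry.

Added example, not code from the thread. SAMPLE_EXPORT is constructed; the
file-existence check is a parameter so the audit runs off the affected PC.
"""
import os
import re
from typing import Callable, List

DEFAULT_ENTRY = "autocheck autochk *"  # must always remain in BootExecute


def encode_multi_sz(entries: List[str]) -> str:
    """REG_MULTI_SZ as regedit writes it: UTF-16LE, NUL between strings,
    double NUL at the end, bytes as comma-separated lowercase hex."""
    raw = ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")
    return ",".join(f"{b:02x}" for b in raw)


def wrap_reg_line(line: str, width: int = 78) -> str:
    """Emulate regedit's wrapping: break after a comma, end the line with a
    backslash and indent the continuation line by two spaces."""
    out, rest = [], line
    while len(rest) > width:
        cut = rest.rfind(",", 0, width) + 1
        if cut <= 0:
            break
        out.append(rest[:cut] + "\\")
        rest = "  " + rest[cut:]
    out.append(rest)
    return "\n".join(out)


def decode_multi_sz(hex_payload: str) -> List[str]:
    """Inverse of encode_multi_sz: the list the Edit Multi-String box shows."""
    raw = bytes(int(b, 16) for b in hex_payload.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def bootexecute_from_export(reg_text: str) -> List[str]:
    """Locate "BootExecute"=hex(7):... in an export, joining wrapped lines first."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    m = re.search(r'^"BootExecute"=hex\(7\):([0-9a-fA-F,]+)\s*$', joined, re.M)
    if not m:
        raise ValueError("BootExecute value not found in export")
    return decode_multi_sz(m.group(1))


def referenced_program(entry: str) -> str:
    """'autocheck <program> [args]' runs <program> at boot; any other entry
    names a native program by its first token."""
    parts = entry.split()
    if len(parts) >= 2 and parts[0].lower() == "autocheck":
        return parts[1]
    return parts[0] if parts else ""


def stale_entries(entries: List[str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Non-default entries whose program is missing: these produce the
    'program cannot be found, skipping AUTOCHECK' message at boot."""
    return [e for e in entries
            if e != DEFAULT_ENTRY and not exists(referenced_program(e))]


def cleaned_value(entries: List[str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """BootExecute after the stale lines are removed; the default entry is
    put back if it was somehow missing, since it must never be deleted."""
    stale = set(stale_entries(entries, exists))
    keep = [e for e in entries if e not in stale]
    if DEFAULT_ENTRY not in keep:
        keep.insert(0, DEFAULT_ENTRY)
    return keep


# Constructed sample: the two lines Robert pasted from the Edit Multi-String box.
STALE_ENTRY = ('autocheck C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\SPYWAR~1\\sp_rsdel.exe '
               '"\\??\\C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\SPYWAR~1\\sp_rsdel.dat')
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]\n"
    + wrap_reg_line('"BootExecute"=hex(7):'
                    + encode_multi_sz([DEFAULT_ENTRY, STALE_ENTRY]))
    + "\n"
)

if __name__ == "__main__":
    entries = bootexecute_from_export(SAMPLE_EXPORT)
    # sp_rsdel.exe was uninstalled on the affected PC, so treat it as missing.
    gone = lambda path: False  # noqa: E731
    for e in stale_entries(entries, gone):
        print("stale:", e)
    print("keep:", cleaned_value(entries, gone))
```

On the affected machine itself, read the export produced by the `regedit /e` command above instead of SAMPLE_EXPORT and use the default `os.path.exists`.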


----------



## robert.bev (Oct 2, 2004)

SUCCESS you did point me in the right direction, well done and many thanks, Robert.


----------



## Cookiegal (Aug 27, 2003)

Good job! :up:

Would you please post a new HijackThis log and let me know if there are any other problems remaining.


----------



## robert.bev (Oct 2, 2004)

Hi CG, Sorry, just one prob left, my PC will not now go on line automatically and I have to click manually on _connect to_, when I look in the Internet ADSL Properties > Advanced tab there is a message saying "Windows cannot display the properties of this connection, The Windows Management Instrumentation (WMI) might be corrupted" to correct this use system restore.
If I use System restore will the problem you have just cured come back?? Regards Robert.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:39, on 28/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Innovative Solutions DriverMax\DriverMax\devices.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions DriverMax\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2000478354-1960408961-1801674531-1003\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-2000478354-1960408961-1801674531-1003 Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe (User '?')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.piclens.com/shared/plinstll.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7030 bytes


----------



## Cookiegal (Aug 27, 2003)

It likely will, depending on when your last restore point was created.

When did this start happening? Was it just after the last procedure?


----------



## robert.bev (Oct 2, 2004)

Hi CG, It started about two or three weeks ago, but I wanted to concentrate on the autochk warning as that was irritating, I am very pleased you have sorted that, many thanks. A.T.B. Bob.


----------



## Cookiegal (Aug 27, 2003)

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## robert.bev (Oct 2, 2004)

Good morning CG. This is the bit I struggle with, attaching the rar file after uploading it, there's nothing to show it's attached to the mail? anyway I think I've cracked it now (told you, I'm a slow learner!!)


----------



## Cookiegal (Aug 27, 2003)

Do you have your XP CD?

I asked someone else for assistance as it looks like you're missing the Windows Management Instrumentation service and I'm not sure how to fix that.


----------



## Rollin' Rog (Dec 9, 2000)

You should be seeing this in the startup list and it's not there:

_Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)_

Usually when a service like this is missing the registry key for it is either missing or damaged.

The key for this is

_HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt_

You can run *regedit* and verify whether it is present, but even if it is, without close analysis you can't tell whether it is damaged.

Since I believe the data in this key is pretty much default, I'm going to export and zip mine and upload it here as an attachment.

Download and unzip the attachment and then run the registry file it contains and confirm the merge. Reboot the computer and then run *services.msc* and confirm whether Windows Management Instrumentation is in the services list, started with a mode of "automatic".


----------



## robert.bev (Oct 2, 2004)

Hi CG, & RR Sorry for the delay, I tried last night but the site link would not work and just gave me an empty page (it does that sometimes as my links don't always work)
I looked for the reg key in HKLM & it was missing, so I installed the file you sent & the string appeared in HKLM alongside ImagePath, the Default was still the same at, REG_SZ (value not set) and in services.msc there are two Win Man functions the first Win Man Instrumentation does show as automatic, the Win Man Driver Inst shows as Manual.
I rebooted twice and the (WMI) warning in the ADSL properties Advanced tab is still there.
Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

Just a thought. Even though the Windows Management Instrumentation Service now appears and shows as automatic, is the service in fact showing its status as started?


----------



## Rollin' Rog (Dec 9, 2000)

Unfortunately Microsoft offers only two methods of resolving that message -- system restore and reinstall.

There might be another method however, per the article below. And that is to open a command prompt (start > run *cmd*) and at the prompt enter:

*rundll32 wbemupgd, UpgradeRepository*

http://windowsxp.mvps.org/repairwmi.htm

There is also a "comprehensive rebuild" possibility explained at the end of the article if you have an XP CD.


----------



## robert.bev (Oct 2, 2004)

Hi, I checked the services(Local) and as you suggest that although it was on Auto it was not started, I duly started it and did a reboot and the (WMI) warning is still showing.
I checked some of the others in Services that had blank spaces and Auto Updates is showing error 1083, Could not start auto updates, (The executable program that this service is configured to run in does not implement the service) & the Windows Driver Foundation is showing error 31 (A device attached to the system is not working) if that is of any help.
I do have my XP SP2 disk if you want to try something else, or there's the cmd prompt suggested by RR
Regards Bob.


----------



## Rollin' Rog (Dec 9, 2000)

Does WMI remain started after a reboot?

The WMI service evidently has a couple of dependencies. One is RPC (I'm going to assume you have no problem with this as I think you would have other issues as well if it were disabled), the other is the Event Log.

Can you run *eventvwr.msc* and access the System log and note any recent repeating errors?

Also verify that the Event Log service is present in the services profile and set to automatic startup. If you are missing that, we can also provide a patch.

The Windows firewall and the Security center depend on WMI -- do you have any problems there?

If you have any problem with the Security Center, Ramesh provides some very reliable information and fixes, have a look at this one and give it a shot:

http://windowsxp.mvps.org/wscsvcfix.htm

In theory Automatic Updates has no dependencies, but the BITS service (Background Intelligent Transfer Service) should be present and on manual.

See this article with the following steps:

http://support.microsoft.com/kb/910337



> Troubleshooting steps
> Error 1083: The executable program that this service is configured to run in does not implement the service. (0x8007043B)
> If you receive this error message, follow these steps:
> 1. Click Start, click Run, type Regsvr32 %windir%\system32\qmgr.dll, and then click OK.
> 2. Click Start, click Run, type regsvr32 %windir%\system32\qmgrprxy.dll, and then click OK.
> ...


----------



## robert.bev (Oct 2, 2004)

Hi RR
Yes, the WMI is running. I have looked at eventvwr.msc and in the L/H pane is Application, Security, & System.
In Application there are 29 Application 1000 errors > 11 MsiInstaller errors > 8 Application Hang errors > 7 Diskeeper errors > 5 Security Centre errors, 1 SceCli error and 1 VSS.
Nothing at all in Security, and in System many, many repeated ServiceControl M errors > DCOM errors > ups errors > Cdrom errors and > Disk errors. I couldn't find anything saying Auto.
The Windows firewall is turned off as I have ZA and AVG.
Last time I tried Windows Update it wouldn't work, can't remember why, I'll check.
Regards Robert.


----------



## Rollin' Rog (Dec 9, 2000)

We would be most concerned about the "Disk" errors in the System log.

Can you double-click one or two of those, select the "copy" icon (double paper) to copy it to the clipboard, and paste it here?

If any of the MSI errors in the Applications log are recent -- last few days -- post those as well.

Review the posted link regarding Windows Update issues. >>



> You may receive an error message that contains the "0x8DDD0018" code or the "0x80246008" code when you try to download updates from the Microsoft Windows Update Web site or from the Microsoft Update Web site





> Error 1083: The executable program that this service is configured to run in does not implement the service. (0x8007043B)


http://support.microsoft.com/kb/910337


----------



## robert.bev (Oct 2, 2004)

Sorry RR, when I R-click on the latest Application MSI errors all I get is a menu with Refresh > Properties > Help on it; there does not seem to be a copy + paste option, and if I double-click I get an Event Properties box with a link to M'soft (go.microsoft.com/fwlink/events). Just the same with the system errors.
Regards Robert.


----------



## Rollin' Rog (Dec 9, 2000)

Either double click or select "Properties" from the right click menu and you will see the description window. And the double paper icon is there. The cursor is pointing at it in this screenshot.


----------



## robert.bev (Oct 2, 2004)

Ha, yes, I didn't realize it was a button in the properties box (we silver surfers are a bit slow). Well, I selected some errors and clicked the copy icon and then OK'd it, and nothing seemed to happen; right-clicking the copy button tells me that the text is placed on the clipboard, unfortunately I can't find any clipboard to copy the text from. Regards Robert.


----------



## Rollin' Rog (Dec 9, 2000)

You don't need to. Once it's placed on the clipboard you just right click on any message box and select "paste" from the right click menu.

You can only select one at a time though. What is pasted will always be the last copied text.

However for what it's worth, the path to the clipboard is

C:\WINDOWS\SYSTEM32\CLIPBRD.EXE

You can navigate there, right click on it and select "Send To" > Desktop as shortcut.

I keep the shortcut on my quicklaunch bar so I can see what is currently in the clipboard if I have any doubts.


----------



## robert.bev (Oct 2, 2004)

No 1


----------



## robert.bev (Oct 2, 2004)

Event Type:	Error
Event Source:	Disk
Event Category:	None
Event ID:	7
Date: 09/06/2008
Time: 16:49:56
User: N/A
Computer:	BLACKBESS
Description:
The device, \Device\Harddisk0\D, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:


----------



## Rollin' Rog (Dec 9, 2000)

1 > Well we need to run chkdsk on that drive if it is a data or disk drive. It's not going to fix your other problem -- but let's get it out of the way.

I am not sure whether this is referring to the system drive or not. We can tell with this command.

Open a command prompt (start > run:*cmd*) and enter

*fsutil dirty query c:*

If it returns "dirty" then 'C' is actually the dirty drive that needs chkdsk run on it. If you enter *fsutil dirty query D:* and that returns "dirty" -- then run chkdsk on the 'D' Drive (if there is one that is not an optical drive). Unfortunately you cannot translate that error message directly into the correct drive.

Instructions for running chkdsk are here:

http://www.housing.hawaii.edu/resources/support/chkdsk.htm

Once chkdsk has completed and the computer rebooted you will find the log available in the Event Viewer > Applications > Winlogon entry.

You can copy/paste that here as you did the others.

2 > Follow the instructions in the Microsoft article I linked to previously and let's see if you still get the same "1083" errors or problems with Windows update.

3 > If you continue to have the WMI problem after that -- try the instructions in the rebuild/reinstall article I posted in post 71


----------



## robert.bev (Oct 2, 2004)

Hi RR, better put you in the picture: I have three HDDs, the main 80gb C:\ drive, an 80gb storage drive E, and a 40gb games drive for games only. I opened diskmgmt.msc and all the drives were shown, and D:\ drive is the dvd/cd drive and is showing as SH3 (D:) 1.67 UDF Healthy.
SH3 is my Silent Hunter sub game that is usually left in the tray.
I ran the cmd and neither C or D came back as dirty.
Regards Robert.


----------



## Rollin' Rog (Dec 9, 2000)

Is your date set correctly, or is your configuration of months - days reversed from our usual day - month format?

Date: 09/06/2008

If 6 is the month then those are old disk errors; if 9 is the month, then your date is incorrect and this could be an issue.

Try running HDTune on the c: drive -- it is faster than chkdsk and will discover any bad blocks but won't fix anything.

http://www.hdtune.com/

Go ahead with the rest of the instructions anyway.


----------



## robert.bev (Oct 2, 2004)

Hi RR, I'm sorry for the delay, I was out all day yesterday. Just done the HD Tune and it showed just 4 red blocks, 0.2%, on the C: drive; on the health tab all was OK. I am now getting another warning. I pointed out previously that links do not open sometimes; now quite often when I click a link I get a message "Internet Explorer cannot open the internet site ********.com" etc etc, then a "This page cannot be displayed" appears, and when I click it off the page that I want is usually behind it.
I have had a look at the M'soft link you sent and it could be on the right track as I can't get M'soft updates. Do you think I should follow the article and run the regsvr32?
A.T.B. Robert.


----------



## robert.bev (Oct 2, 2004)

Hi again, I have tried the action in the support article, and after setting BITS to Manual and rebooting and then changing to Auto, the service was still shown as stopped; on clicking Start: "Could not start BITS service. Error 1083".
I next ran regsvr32% windr%\system32qmgr.dll and got "Load library C:\windows\system32\qmgr.dll failed, specified module could not be found." Regards Robert.


----------



## Rollin' Rog (Dec 9, 2000)

You should not get that error if you typed the command correctly. Could you try copy/pasting directly from the article?

If you still get it, navigate to the location where it should be and manually verify if it and the other file mentioned are present.

If they are verify the version number by right clicking on the file and selecting Properties > Version.

6.7.2600.5512

This is the version I have.

If you are missing the files, I am zipping and uploading them here. Unzip them and copy them to the system32 directory and try the regsvr32 commands again.


>> Also, follow the instructions previously to run chkdsk on the drive. I think it will lock out any bad blocks.

But it sounds like this drive may need to be replaced. Upload the chkdsk log found in the Applications > Winlogon entry after a reboot.

>> When you get the "page cannot be displayed" error -- does a refresh usually get you there? (For what it's worth I believe there is a current problem on this site -- since I am experiencing the same problem here, right now.)

Open Internet Options (on the IE Tools tab or found in the Control Panel)

On the General page, choose the LAN settings (if you are on broadband) and make sure "automatically detect settings" is selected. If a proxy server is in use -- disable that.

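As an added example (not the thread's own, and not from any of the linked articles), a read-only PowerShell check covering what Rog has asked for over the last few posts: whether WMI, RPC, Event Log, Automatic Updates, BITS and Security Center are present, running and on the expected start type; whether each svchost-hosted service's ServiceDll is registered and actually on disk (the condition behind error 1083); and the fsutil dirty query on the drives. It assumes PowerShell 2.0 or later and an elevated prompt; the service short names are the standard ones and the drive letters are the poster's.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
# Assumes PowerShell 2.0+ and an elevated prompt (fsutil needs it).

# Standard service short names and the start type each should have on XP.
$checks = @(
    @{ Name = 'winmgmt';  Label = 'Windows Management Instrumentation'; Expected = 'AUTO_START'   },
    @{ Name = 'rpcss';    Label = 'Remote Procedure Call (RPC)';        Expected = 'AUTO_START'   },
    @{ Name = 'eventlog'; Label = 'Event Log';                          Expected = 'AUTO_START'   },
    @{ Name = 'wuauserv'; Label = 'Automatic Updates';                  Expected = 'AUTO_START'   },
    @{ Name = 'bits';     Label = 'Background Intelligent Transfer';    Expected = 'DEMAND_START' },
    @{ Name = 'wscsvc';   Label = 'Security Center';                    Expected = 'AUTO_START'   }
)

function Get-StartType([string]$svcName) {
    # sc.exe talks to the Service Control Manager directly, so it keeps
    # working when WMI itself is the broken service (Get-WmiObject would not).
    # Plain 'sc' is a PowerShell alias for Set-Content, hence sc.exe.
    $line = sc.exe qc $svcName | Select-String 'START_TYPE'
    if (-not $line) { return 'MISSING' }                    # OpenService FAILED 1060
    return ($line.Line -replace '^.*:\s*\d+\s*', '').Trim()  # e.g. AUTO_START
}

Write-Host "== Service status, start type and dependencies =="
foreach ($c in $checks) {
    $svc = Get-Service -Name $c.Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        "{0,-38} NOT INSTALLED (no key under HKLM\SYSTEM\CurrentControlSet\Services)" -f $c.Label
        continue
    }
    $start = Get-StartType $c.Name
    $deps  = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
    $flag  = if ($start -ne $c.Expected) { ' <-- differs from expected ' + $c.Expected } else { '' }
    "{0,-38} {1,-8} {2,-13} depends on: {3}{4}" -f $c.Label, $svc.Status, $start, $deps, $flag
}

Write-Host "`n== Error 1083 check: is the ServiceDll registered and present? =="
# svchost-hosted services load the DLL named in Parameters\ServiceDll; if that
# value is missing or the file is gone, the service cannot start (error 1083).
foreach ($name in 'winmgmt', 'wuauserv', 'bits', 'wscsvc') {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { "{0,-10} no ServiceDll value -> svchost cannot load it" -f $name; continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $ver = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { 'FILE MISSING' }
    "{0,-10} {1,-45} {2}" -f $name, $dll, $ver
}

Write-Host "`n== BITS proxy DLL from KB910337 =="
$proxy = Join-Path $env:windir 'system32\qmgrprxy.dll'
if (Test-Path $proxy) { "qmgrprxy.dll present, version " + (Get-Item $proxy).VersionInfo.FileVersion }
else                  { "qmgrprxy.dll MISSING from system32" }

Write-Host "`n== fsutil dirty bit (the 'dirty' volume is the one to chkdsk) =="
foreach ($drive in 'C:', 'E:') {   # constructed: the poster's system and storage drives
    "{0}  {1}" -f $drive, ((fsutil dirty query $drive 2>&1) -join ' ')
}
```

Compare the reported start types against the expected column and the ServiceDll lines against "FILE MISSING" before touching anything; the script only reads.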

----------



## robert.bev (Oct 2, 2004)

Hi RR, I did the copy & paste, that went ok & was accepted. When I tried to start the service I got a similar message to the (WMI): "The .exe prog that the service is configured to run does not implement the service". I didn't know where to look to manually verify; the only winlogon I could find is in the system32 folder and it would not open for me.
I next did the chkdsk and that only took about 30 secs, & after reboot I couldn't find where it put the log. I also had trouble with this site last weekend, it just would not work (very slow), and I still get the "Page cannot be displayed" warning, usually when I click a blue link, let's say in the Carnival web page; when I click the warning off, the page I want is usually behind it. Or if I enter
"Windows Updates" in the google bar I get a box with a red X & "Internet Explorer cannot open the internet site http:// Tiscali (my ISP)" etc etc; when I click the warning box off, the "this page cannot be displayed" warning is shown, & after clicking that off, the search results are behind the warning. My ADSL settings on the Gen tab are ok.
A.T.B. Robert.


----------



## Rollin' Rog (Dec 9, 2000)

When you attempted to run the regsvr32 commands previously -- the response you got was that the file was not found. Did you re run those commands and get a successful regsvr for both the files before attempting to start the service?

If not -- you must do that. >> http://support.microsoft.com/kb/910337



> Troubleshooting steps
> Error 1083: The executable program that this service is configured to run in does not implement the service. (0x8007043B)
> If you receive this error message, follow these steps:
> 1. Click Start, click Run, type *Regsvr32 %windir%\system32\qmgr.dll* and then click OK.
> 2. Click Start, click Run, type *regsvr32 %windir%\system32\qmgrprxy.dll* and then click OK.
> ...


As for "winlogon" I was referring to the Event Log to be found in the Event Viewer (run: *eventvwr.msc*) > Applications log AFTER running chkdsk, per the instructions here >>

http://www.housing.hawaii.edu/resources/support/chkdsk.htm

If this is the only site on which you are having persistent connection issues -- don't worry -- the problem is with the servers here and will get worked out eventually -- they always are.


----------



## robert.bev (Oct 2, 2004)

Hi RR, I entered the 2 commands again ok, and after reading a M'soft help article I did a cmd and copied + pasted a load of numbers etc, which was a success. I then went through the process again with the regsvr32s and the BITS started and now shows Automatic & Started, but unfortunately the (WMI) is still stopped.
Next I tried to download Windows updates and got the same box and red X: "The auto update failed" etc, "the .exe prog that this service is configured to run does not implement the service. Error 0x8007043B".
I opened the eventvwr.msc & in System are a lot of DCOM & Service Control Manager errors, and in Application there are a few Security Centre & Application Hang errors, but they would not copy for me to send them to you.
A.T.B. Robert.


----------



## Rollin' Rog (Dec 9, 2000)

Previously I believe you said that WMI was on automatic and started.



> Hi RR
> Yes the WMI is running


Is it still on Automatic, and if you manually try to start it, does it start and remain started?

Can you post 1 of each type of DCOM and Service Control Manager errors?

Post only those that are of the last day or two.

When you ran the regsvr32 commands, did each response say that it had completed successfully?

You can run those commands from the run box

See attachment for what you should be getting.


----------



## robert.bev (Oct 2, 2004)

Sorry RR, I must have screwed up somewhere. I must be a little mixed up on how to check the (WMI); I'm going off the message in the ADSL properties box stating that (WMI) might be corrupt, although I'm sure I have seen WMI somewhere else, I just can't remember how I found it.
You also asked me to verify (?) the Event Log service and if the profile is set to auto. I presumed this was where I typed eventvwr.msc; when I do that the Event Viewer opens with three profiles > Application > Security > System. Application contains a log, Security is empty, and System also contains a log showing recent errors, but when I R/click on them there is no copy function in the menu, just Refresh, Properties and Help.
Also, when I entered the regsvr32 commands both were shown as successful.
And sorry again, we will soon have to have a recess; tomorrow will be our last day conversing for a couple of weeks, as I go on holiday from the 6th of August to the 22nd.
Best regards Robert.


----------



## Rollin' Rog (Dec 9, 2000)

Run *services.msc* and look for the Windows Management Instrumentation service there. Right click and select Properties.

That will tell you whether it is running, on automatic startup, and whether you can manually start it there.

If it cannot be started, then we need to go back to the instructions I included in this post and try those:

http://forums.techguy.org/6026272-post71.html

We may need to do that anyway if the error persists.


----------



## robert.bev (Oct 2, 2004)

Hi RR, the Win Management Instrumentation service is now showing Auto and running, the BITS is also showing Auto and running, my apologies for confusing you, although I still get error 0x8007043B when I try to get updates.
A.T.B. Bob.


----------



## Rollin' Rog (Dec 9, 2000)

Ok, are you still also having this issue? >



> my PC will not now go on line automatically and I have to click manually on connect to, when I look in the Internet ADSL Properties > Advanced tab there is a message saying "Windows cannot display the properties of this connection, The Windows Management Instrumentation (WMI) might be corrupted" to correct this use system restore.


Let's follow the suggestions here >>

http://www.updatexp.com/0x8007043b.html

For Part 1, I've created the VBS file for you; just download the attachment, unzip it and run it. If it is intercepted by a script blocker, give it permission.

It should respond "Done" immediately.

The second part you will have to carry out yourself.



> Click Start, select Run and type (pressing enter after each one and wait for the
> success message):
> 
> net.exe stop wuauserv
> ...


Reboot the computer and test after this.


----------



## robert.bev (Oct 2, 2004)

Hi RR, the PC will now go online automatically. A box that I hadn't seen for some time came back with "connect" or "go on line automatically", so I checked the box and the PC goes on line at startup, but the message in the ADSL prop box about the (WMI) being corrupt is still there.

I downloaded the VBS file to a folder in my docs & clicked "extract here" but it would not open; I got a "Windows Script Host" warning with a red X: script C:\DOCUME~1\Robert\Locals~\Temp\Rar$d100 282\NetSVCSwucH.VBS
Same when I tried to open from the desktop.
A.T.B Robert.


----------



## Rollin' Rog (Dec 9, 2000)

The script host warning is not an Operating System default but must be something configured within Trend or one of your other security tools. If Cookiegal is monitoring she will probably be able to point you in the right direction there.

Usually when these warnings pop-up there is an option to override them -- I take it you saw none?

Nonetheless do complete the WMI "upgrade repository" instructions here, reboot and test.

If no luck, try to follow the instructions to do a fresh rebuild of it, described at the bottom of the article I linked to.

http://forums.techguy.org/6026272-post71.html


----------



## robert.bev (Oct 2, 2004)

Good Morning RR
I didn't see any override options in the warning, and I have run the WMI upgrade for XP SP2 & there is a log in wbem/logs/setup, if you want it.
After reboot I again typed M'soft win updates in my search bar and got the message "I.E cannot open the internet site www.tiscali.co.uk/search/results.php". I clicked it off and the "this page cannot be displayed" was there; I clicked that off and the search results were shown. I next clicked a link to the Windows updates and the page appeared after some time; on clicking the Express button I got another red X and "The website encountered a problem & cannot display the page" etc, error 0x08007043B.
A.T.B. Robert.


----------



## Rollin' Rog (Dec 9, 2000)

I'll have to wait for Cookiegal to suggest what might be doing your script blocking. In the meantime do continue and run the regsvr32 commands included in the second part of the instructions.

You can also try running the VBS file again from Safe Mode.


----------



## robert.bev (Oct 2, 2004)

Hi RR, I ran the XP rebuild from Ramesh as suggested and entered the command > rundll32.exe setupapi,InstallHinfSection WBEM 132 %windir%\inf\wbemoc.inf, then put in the XP SP2 disk as requested, but for some reason it kept saying (file not found), so I ran the VBS file again in safe mode and Hallelujah!!! The update icon appeared in the system tray and I proceeded to download and install SP3, and thereafter 11 more updates, so it looks like everything is looking good at the moment.
I won't be able to give you a progress report for some time as I go on hol in the morning, returning on the 22nd, so many, many thanks to yourself and CG for your invaluable help and I will endeavour to give you a progress report at a later date.
Best of regards Bob.


----------



## Rollin' Rog (Dec 9, 2000)

I'm sure glad to hear that. When you do feel all is well you can mark the thread Solved -- but it is probably best to wait for a last checkup from Cookiegal.

If and when you do need to return to any issue in this thread for which I may be helpful -- it would probably be best to send me a PM as I may not check its status regularly but I will look into it after your return, if I don't forget.

SP3 was a good choice -- it may well fix any remaining issues with previous missing or corrupt files or registry entries.


----------



## Cookiegal (Aug 27, 2003)

Sorry, I knew Rog was replying so I hadn't read through all the posts.

When you get back, please post a new HijackThis log so I can check to be sure all is fine there.

I take it you're no longer getting those script errors either.


----------



## robert.bev (Oct 2, 2004)

Hi CG, been home 5 days & things seem stable!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:15, on 28/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.piclens.com/shared/plinstll.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.4 212.139.132.5
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7295 b
Hope it looks ok, regards Bob.


----------



## robert.bev (Oct 2, 2004)

PS, _For your information_, when I got home and started up my PC I received a "_Microsoft Update_". When I installed the update I lost my Desktop & photo wallpaper; I opened Display to reinsert the photo & the Desktop & Screensaver tabs were missing, as were all the system restore points. My pal has had the same prob & advised me to use Malwarebytes free scan, so I did and wow! It's good, it found the nasties and zapped them and my lost tabs came back, so if you come across the same prob I hope this helps.
Bob.


----------



## Cookiegal (Aug 27, 2003)

The HijackThis log looks good. Would you please post the log from your MalwareBytes scan?


----------



## Rollin' Rog (Dec 9, 2000)

Where did this "Microsoft Update" come from?

MS sends nothing by Email, and this would not have come through Windows Update


----------



## robert.bev (Oct 2, 2004)

Hi CG.
Things seem much better than they were, but last night I tried to delete a program I don't use (Cowon Media, JetAudio) from Add & Remove Programs and I got a refusal to delete and an error 6003.
Apart from that and a time delay when I click a button, things seem to run. Below is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.1.2600 Service Pack 3

11:02:00 27/08/2008
mbam-log-08-27-2008 (11-02-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145991
Time elapsed: 1 hour(s), 3 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
A.T.B. Robert.


----------



## robert.bev (Oct 2, 2004)

Hi Rog, I've had a look for the mail and I must have deleted it. It was just one of 580 that were in the queue, 2/3rds of it rubbish. I must not have been concentrating when I clicked on it; it must have looked OK for me to try to install, and my security (ZA & AVG) didn't shout, so I will be wary in the future as I do get M'soft updates from time to time.
A.T.B. Robert.


----------



## Rollin' Rog (Dec 9, 2000)

Lol, yeah, big mistake.

First, I recommend never even opening Emails you are not expecting, even distrust those from friends.

But never allow anything to be installed that comes in an email -- and don't open attachments you are not expecting either.

All the obvious rubbish should be tagged as "spam", not just deleted normally.


----------



## Cookiegal (Aug 27, 2003)

Sorry. I didn't understand that it was an e-mail you received.

Do the following to uninstall ComboFix and then get the latest version and run a new scan please.

*Follow these steps to uninstall Combofix and all of its files and components.*

Click *START* then *RUN*.
Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.


----------



## robert.bev (Oct 2, 2004)

Hi CG
HJ Log to follow

ComboFix 08-08-30.03 - Robert 2008-08-31 10:56:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.989 [GMT -7:00]
Running from: C:\Documents and Settings\Robert\Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Robert\Application Data\inst.exe
C:\WINDOWS\system32\REGOBJ.DLL

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-31 )))))))))))))))))))))))))))))))
.

2008-08-30 15:36 . 2008-08-30 15:36 d--------	C:\Program Files\Avira
2008-08-30 15:36 . 2008-08-30 15:36 d--------	C:\Documents and Settings\All Users\Application Data\Avira
2008-08-30 14:42 . 2008-08-30 14:42 d--------	C:\Documents and Settings\Robert\Application Data\Vso
2008-08-28 16:50 . 2008-08-28 16:55 d--------	C:\Program Files\Microsoft LifeCam
2008-08-27 09:52 . 2008-08-27 09:52 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 09:52 . 2008-08-27 09:52 d--------	C:\Documents and Settings\Robert\Application Data\Malwarebytes
2008-08-27 09:52 . 2008-08-27 09:52 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 09:52 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 09:52 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-26 14:05 . 2006-11-02 00:21	319,456	--a------	C:\WINDOWS\system32\difxapi.dll
2008-08-26 14:05 . 2006-10-27 09:26	69,632	--a------	C:\WINDOWS\system32\vuins32.dll
2008-08-26 14:05 . 2008-01-02 03:12	43,520	--a------	C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-08-26 13:57 . 2007-09-21 17:49	9,216	--a------	C:\WINDOWS\system32\drivers\videX32.sys
2008-08-26 13:47 . 2008-08-26 13:47 d--------	C:\Program Files\Innovative Solutions
2008-08-22 17:26 . 2008-08-22 17:26 d--------	C:\Program Files\Common Files\IXLA Limited
2008-08-22 08:55 . 2008-04-11 12:04	691,712	-----c---	C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-22 08:55 . 2008-05-01 07:33	331,776	-----c---	C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-05 17:45 . 2008-05-08 07:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\system32\scripting
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\system32\en
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\system32\bits
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\l2schemas
2008-08-05 17:32 . 2008-08-05 17:36 d--------	C:\WINDOWS\ServicePackFiles
2008-08-05 17:17 . 2008-04-13 17:12	69,120	---------	C:\WINDOWS\system32\wlanapi.dll
2008-08-05 17:15 . 2008-04-13 17:11	1,888,992	---------	C:\WINDOWS\system32\ati3duag.dll
2008-08-05 14:18 . 2008-06-13 04:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-02 15:12 . 2008-08-03 09:49 d--------	C:\Program Files\HD Tune
2008-07-28 18:51 . 2008-07-28 18:51	59,378,786	--a------	C:\registrybackup2.reg
2008-07-22 10:21 . 2008-07-22 10:21	59,825,252	--a------	C:\registrybackup.reg
2008-07-20 08:03 . 2004-03-29 16:23	90,112	--a------	C:\WINDOWS\unvise32.exe
2008-07-18 08:52 . 2008-07-18 08:52 d--------	C:\ComboFix
2008-07-17 20:35 . 2008-07-17 20:35 d--------	C:\Program Files\Innovative Solutions DriverMax
2008-07-17 09:15 . 2008-07-18 15:11 d--------	C:\Documents and Settings\All Users\Application Data\SITEguard
2008-07-17 09:14 . 2008-07-17 09:14 d--------	C:\Program Files\Common Files\iS3
2008-07-17 09:14 . 2008-07-29 11:11 d--------	C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-07-14 20:54 . 2008-07-14 20:54 d--------	C:\Program Files\Photosynth
2008-07-14 15:28 . 2008-07-22 16:46	32	--a------	C:\WINDOWS\thxcfg.ini
2008-07-11 09:22 . 2008-07-09 09:05	1,086,952	--a------	C:\WINDOWS\system32\zpeng24.dll
2008-07-08 11:20 . 2008-07-08 11:20 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-08 10:03 . 2008-07-08 10:03 d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-08 10:02 . 2008-08-26 08:58 d--------	C:\Program Files\SUPERAntiSpyware
2008-07-08 10:02 . 2008-07-08 10:02 d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 10:02 . 2008-07-08 10:02 d--------	C:\Documents and Settings\Robert\Application Data\SUPERAntiSpyware.com
2008-07-07 13:26 . 2008-07-07 13:26	253,952	-----c---	C:\WINDOWS\system32\dllcache\es.dll
2008-07-06 10:46 . 2008-07-06 10:46 d--------	C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 17:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg8
2008-08-31 16:39	---------	d-----w	C:\Documents and Settings\Robert\Application Data\MailWasherPro
2008-08-30 21:43	---------	d-----w	C:\Program Files\VSO
2008-08-30 21:42	47,360	----a-w	C:\Documents and Settings\Robert\Application Data\pcouffin.sys
2008-08-30 19:23	---------	d-----w	C:\Documents and Settings\Robert\Application Data\Skype
2008-08-28 23:47	---------	d-----w	C:\Program Files\Java
2008-08-06 02:07	---------	d-----w	C:\Program Files\MSN Messenger
2008-08-03 00:04	7,131,180	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-07-29 18:29	---------	d-----w	C:\Program Files\TrojanHunter 4.0
2008-07-21 05:36	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-20 15:36	---------	d-----w	C:\Program Files\TomTom HOME 2
2008-07-16 17:04	3,870,208	----a-w	C:\WINDOWS\Internet Logs\xDBC.tmp
2008-07-12 17:07	35,840	----a-w	C:\WINDOWS\Internet Logs\xDBA.tmp
2008-07-12 17:07	3,845,120	----a-w	C:\WINDOWS\Internet Logs\xDBB.tmp
2008-07-12 17:04	3,845,120	----a-w	C:\WINDOWS\Internet Logs\xDB9.tmp
2008-07-12 17:04	3,066,880	----a-w	C:\WINDOWS\Internet Logs\xDB8.tmp
2008-07-09 02:51	---------	d-----w	C:\Program Files\ACW
2008-07-07 20:26	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-07-03 02:19	---------	d-----w	C:\Documents and Settings\Robert\Application Data\uTorrent
2008-07-02 05:36	---------	d-----w	C:\Program Files\GameShadow
2008-07-01 19:05	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Skype
2008-07-01 19:05	---------	d-----r	C:\Program Files\Skype
2008-07-01 15:25	---------	d-----w	C:\Documents and Settings\Robert\Application Data\skypePM
2008-06-28 16:33	---------	d-----w	C:\Program Files\epson
2008-06-28 16:33	---------	d-----w	C:\Program Files\7ZipSfx.000
2008-06-24 18:02	245,408	----a-w	C:\WINDOWS\system32\unicows.dll
2008-06-24 16:43	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 21:15	3,703,808	----a-w	C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-23 15:09	666,112	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-23 00:16	3,691,008	----a-w	C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-20 17:46	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-19 17:58	3,665,408	----a-w	C:\WINDOWS\Internet Logs\xDB4.tmp
2008-06-19 03:16	3,628,544	----a-w	C:\WINDOWS\Internet Logs\xDB7.tmp
2008-05-30 21:19	507,400	----a-w	C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 21:18	238,088	----a-w	C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 21:17	65,032	----a-w	C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 21:17	25,608	----a-w	C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 21:11	467,984	----a-w	C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 21:11	3,850,760	----a-w	C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 21:11	1,491,992	----a-w	C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-25 00:13	10,520	----a-w	C:\WINDOWS\system32\avgrsstx.dll
2008-05-24 23:39	3,314,176	----a-w	C:\WINDOWS\Internet Logs\xDB3.tmp
2008-05-09 10:53	90,112	----a-w	C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53	430,080	----a-w	C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53	180,224	----a-w	C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53	172,032	----a-w	C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24	155,648	----a-w	C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07	135,168	----a-w	C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12	1,288,192	----a-w	C:\WINDOWS\system32\quartz.dll
2008-05-01 00:27	442,368	----a-w	C:\WINDOWS\system32\NVUNINST.EXE
2008-03-19 20:36	32	----a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-03 05:54	32	----a-r	C:\Documents and Settings\All Users\hash.dat
.

------- Sigcheck -------

2008-04-13 17:12 111104 ed7262e52c31cf1625b65039102bc16c	C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe
2007-07-30 19:19 53080 f3e9065eb617a7e3a832a7976bfa021b	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 f3e9065eb617a7e3a832a7976bfa021b	C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSGTAG"="C:\Program Files\MSGTAG\MSGTAG.exe" [2003-08-15 19:26 1315328]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-26 08:58 1576176]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 14:45 36040]
"DriverMax"="C:\Program Files\Innovative Solutions\DriverMax\devices.exe" [2008-07-25 11:58 5057368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-24 17:13 1177368]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 15:54 37376]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-12-05 16:38 707360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 18:48 275800]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe [2008-05-30 16:20:09 962667]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 08:58 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
--a------ 2005-02-01 21:00 98304 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIADE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"szserver"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCPoVoo TCP port 443
"443:UDP"= 443:UDPoVoo UDP port 443
"37674:TCP"= 37674:TCPoVoo TCP port 37674
"37674:UDP"= 37674:UDPoVoo UDP port 37674
"37675:UDP"= 37675:UDPoVoo UDP port 37675

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-24 17:13]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-24 17:13]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-01-04 15:13]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
R4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-24 17:13]
R4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-24 17:13]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\3F.tmp []

*Newly Created Service* - CATCHME
*Newly Created Service* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder

2008-08-31 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2008-04-13 17:12]

2008-08-30 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe []

2008-08-31 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe []

2008-08-30 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe []
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-THGuard - C:\Program Files\TrojanHunter 4.0\THGuard.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\0g0gipxt.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.tiscali.co.uk/index.html|http://www.tiscali.co.uk/index.html
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 11:01:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\3F.tmp"
.
Completion time: 2008-08-31 11:04:21
ComboFix-quarantined-files.txt 2008-08-31 18:04:15
ComboFix2.txt 2008-07-08 04:09:33

Pre-Run: 50,665,299,968 bytes free
Post-Run: 50,646,437,888 bytes free

231	--- E O F ---	2008-08-22 21:33:27


----------



## robert.bev (Oct 2, 2004)

Hi Again CG
Yes, I got the latest nasties in an email, just one of 580 when I returned from Hol. It just said Microsoft Update and must have looked OK for me to install it; I wasn't thinking fast enough, as M'soft don't do updates by email. And sorry, I wasn't thinking again: as AVG did not shout I am in the process of disabling it, and have installed AntiVir.
Regards Robert.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:50, on 31/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.piclens.com/shared/plinstll.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7640 bytes


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*RegCure*

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\thxcfg.ini
C:\WINDOWS\Tasks\RegCure Program Check.job
C:\WINDOWS\Tasks\RegCure.job

Driver::
MEMSWEEP2

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

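A defender's read-only check of the load points that appear in the logs in this thread (the SecurityProviders value the CFScript above restores, the NoDispBackgroundPage / NoDispScrSavPage policy values MalwareBytes flagged as Hijack.DisplayProperties, AppInit_DLLs, and the Winlogon Notify packages), written as an added example that is not part of the thread, of ComboFix or of HijackThis. It assumes Windows PowerShell is installed on the machine (it was an optional download for XP) and that the expected SecurityProviders list is exactly the four DLLs in Cookiegal's script; it reports and changes nothing.

```powershell
# Added example, not from the thread: audit the registry load points seen in the ComboFix/HJT/MBAM logs.
# Assumption: the expected SecurityProviders list is the one the CFScript in this thread restores.
$expectedProviders = @('msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll')

$findings = @()

# 1. SecurityProviders: every DLL listed here is loaded into LSASS, so any name outside the expected set needs explaining.
$spKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$sp = (Get-ItemProperty -Path $spKey -Name SecurityProviders -ErrorAction SilentlyContinue).SecurityProviders
if ($sp) {
    $listed = $sp -split ',' | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }
    $unexpected = $listed | Where-Object { $expectedProviders -notcontains $_ }
    foreach ($dll in $unexpected) { $findings += "SecurityProviders: unexpected entry '$dll'" }
} else {
    $findings += 'SecurityProviders: value missing or unreadable'
}

# 2. Display Properties policy restrictions: MBAM reported these as Bad: (1) Good: (0); a value of 1 hides the tab.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'NoDispBackgroundPage', 'NoDispScrSavPage') {
    $val = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) { $findings += "Policies\System: $name is set to 1 (Display tab hidden)" }
}

# 3. AppInit_DLLs: loaded into every process that links user32.dll. The log shows avgrsstx.dll (AVG) here;
#    the check only lists the value so each DLL can be matched to an installed product.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $findings += "AppInit_DLLs: '$appInit' (verify each DLL belongs to an installed product)" }

# 4. Winlogon Notify packages: each subkey names a DLL that winlogon.exe loads at logon (HJT reports these as O20).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        $findings += "Winlogon Notify: $($_.PSChildName) -> $dll"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; entries it lists are not verdicts, they are the same items a helper would ask about in a log, with the path to the DLL so it can be checked against the installed programs.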

----------



## robert.bev (Oct 2, 2004)

Sorry CG, whilst looking for a .dll file for my pal I downloaded Reg Cure & it's a con, so I got rid of it by clicking H_K_L_M > Software & deleting the Reg Cure folder and its contents. This morning I got the warning again, "Internet Ex cannot open the site ****etc"; when I clicked the warning off, the page was there. And sorry again, I can't find Note Pad or Clip Board, are they the same thing? I'm wondering if I've deleted or stopped them from running in the past.
And after I had done the ComboFix and HJT logs, Zone Alarm did its afternoon scan and found and quarantined 2 nasties that I have had previously, called "Kaza Lite goop28" and "p2p worm.win32 logpole.c". There are more of these in the ZA quarantine, amongst some others.
Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

You should find Notepad under Start - All Programs - Accessories. It's not the same as the clipboard.


----------



## robert.bev (Oct 2, 2004)

Hi CG, HJT to follow. Never thought to look in Accessories, just needed pointing in the right direction.

ComboFix 08-08-30.03 - Robert 2008-09-01 8:56:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1078 [GMT -7:00]
Running from: C:\Documents and Settings\Robert\Desktop\shortcuts\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Robert\Desktop\CFScript.txt
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\RegCure Program Check.job
C:\WINDOWS\Tasks\RegCure.job
C:\WINDOWS\thxcfg.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2

((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-08-31 11:45 . 2008-08-31 11:45 d--------	C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-30 15:36 . 2008-08-30 15:36 d--------	C:\Program Files\Avira
2008-08-30 15:36 . 2008-08-30 15:36 d--------	C:\Documents and Settings\All Users\Application Data\Avira
2008-08-30 14:42 . 2008-08-30 14:42 d--------	C:\Documents and Settings\Robert\Application Data\Vso
2008-08-28 16:50 . 2008-08-28 16:55 d--------	C:\Program Files\Microsoft LifeCam
2008-08-27 09:52 . 2008-08-27 09:52 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 09:52 . 2008-08-27 09:52 d--------	C:\Documents and Settings\Robert\Application Data\Malwarebytes
2008-08-27 09:52 . 2008-08-27 09:52 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 09:52 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 09:52 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-26 14:05 . 2006-11-02 00:21	319,456	--a------	C:\WINDOWS\system32\difxapi.dll
2008-08-26 14:05 . 2006-10-27 09:26	69,632	--a------	C:\WINDOWS\system32\vuins32.dll
2008-08-26 14:05 . 2008-01-02 03:12	43,520	--a------	C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-08-26 13:57 . 2007-09-21 17:49	9,216	--a------	C:\WINDOWS\system32\drivers\videX32.sys
2008-08-26 13:47 . 2008-08-26 13:47 d--------	C:\Program Files\Innovative Solutions
2008-08-22 17:26 . 2008-08-22 17:26 d--------	C:\Program Files\Common Files\IXLA Limited
2008-08-22 08:55 . 2008-04-11 12:04	691,712	-----c---	C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-22 08:55 . 2008-05-01 07:33	331,776	-----c---	C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-05 17:45 . 2008-05-08 07:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\system32\scripting
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\system32\en
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\system32\bits
2008-08-05 17:36 . 2008-08-05 17:36 d--------	C:\WINDOWS\l2schemas
2008-08-05 17:32 . 2008-08-05 17:36 d--------	C:\WINDOWS\ServicePackFiles
2008-08-05 17:17 . 2008-04-13 17:12	69,120	---------	C:\WINDOWS\system32\wlanapi.dll
2008-08-05 17:15 . 2008-04-13 17:11	1,888,992	---------	C:\WINDOWS\system32\ati3duag.dll
2008-08-05 14:18 . 2008-06-13 04:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-02 15:12 . 2008-08-03 09:49 d--------	C:\Program Files\HD Tune

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 15:44	---------	d-----w	C:\Documents and Settings\Robert\Application Data\MailWasherPro
2008-08-31 20:59	---------	d-----w	C:\Documents and Settings\Robert\Application Data\Skype
2008-08-31 18:47	8,365,002	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-08-30 21:43	---------	d-----w	C:\Program Files\VSO
2008-08-30 21:42	47,360	----a-w	C:\Documents and Settings\Robert\Application Data\pcouffin.sys
2008-08-28 23:47	---------	d-----w	C:\Program Files\Java
2008-08-26 15:58	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-08-06 02:07	---------	d-----w	C:\Program Files\MSN Messenger
2008-07-29 18:29	---------	d-----w	C:\Program Files\TrojanHunter 4.0
2008-07-29 18:11	---------	d-----w	C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-07-29 01:51	59,378,786	----a-w	C:\registrybackup2.reg
2008-07-22 17:21	59,825,252	----a-w	C:\registrybackup.reg
2008-07-21 05:36	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-20 15:36	---------	d-----w	C:\Program Files\TomTom HOME 2
2008-07-18 22:11	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SITEguard
2008-07-18 03:35	---------	d-----w	C:\Program Files\Innovative Solutions DriverMax
2008-07-17 16:14	---------	d-----w	C:\Program Files\Common Files\iS3
2008-07-16 17:04	3,870,208	----a-w	C:\WINDOWS\Internet Logs\xDBC.tmp
2008-07-15 03:54	---------	d-----w	C:\Program Files\Photosynth
2008-07-12 17:07	35,840	----a-w	C:\WINDOWS\Internet Logs\xDBA.tmp
2008-07-12 17:07	3,845,120	----a-w	C:\WINDOWS\Internet Logs\xDBB.tmp
2008-07-12 17:04	3,845,120	----a-w	C:\WINDOWS\Internet Logs\xDB9.tmp
2008-07-12 17:04	3,066,880	----a-w	C:\WINDOWS\Internet Logs\xDB8.tmp
2008-07-09 16:05	1,086,952	----a-w	C:\WINDOWS\system32\zpeng24.dll
2008-07-09 02:51	---------	d-----w	C:\Program Files\ACW
2008-07-08 18:20	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-08 17:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-08 17:02	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 17:02	---------	d-----w	C:\Documents and Settings\Robert\Application Data\SUPERAntiSpyware.com
2008-07-07 20:26	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-07-06 17:46	---------	d-----w	C:\Program Files\Trend Micro
2008-07-03 02:19	---------	d-----w	C:\Documents and Settings\Robert\Application Data\uTorrent
2008-07-02 05:36	---------	d-----w	C:\Program Files\GameShadow
2008-07-01 19:05	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Skype
2008-07-01 19:05	---------	d-----r	C:\Program Files\Skype
2008-07-01 15:25	---------	d-----w	C:\Documents and Settings\Robert\Application Data\skypePM
2008-06-24 18:02	245,408	----a-w	C:\WINDOWS\system32\unicows.dll
2008-06-24 16:43	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 21:15	3,703,808	----a-w	C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-23 15:09	666,112	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-23 00:16	3,691,008	----a-w	C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-20 17:46	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-19 17:58	3,665,408	----a-w	C:\WINDOWS\Internet Logs\xDB4.tmp
2008-06-19 03:16	3,628,544	----a-w	C:\WINDOWS\Internet Logs\xDB7.tmp
2008-03-19 20:36	32	----a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-03 05:54	32	----a-r	C:\Documents and Settings\All Users\hash.dat
.

------- Sigcheck -------

2008-04-13 17:12 111104 ed7262e52c31cf1625b65039102bc16c	C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe
2007-07-30 19:19 53080 f3e9065eb617a7e3a832a7976bfa021b	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 f3e9065eb617a7e3a832a7976bfa021b	C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((( [email protected]_11.03.06.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-08 20:28:44	5,929,472	----a-w	C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-08-31 21:06:45	5,949,952	----a-w	C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2008-09-01 16:04:40	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSGTAG"="C:\Program Files\MSGTAG\MSGTAG.exe" [2003-08-15 19:26 1315328]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-26 08:58 1576176]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 14:45 36040]
"DriverMax"="C:\Program Files\Innovative Solutions\DriverMax\devices.exe" [2008-07-25 11:58 5057368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 15:54 37376]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-12-05 16:38 707360]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 18:48 275800]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]

C:\Documents and Settings\Robert\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe [2008-03-19 12:37:13 16667786]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe [2008-05-30 16:20:09 962667]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-08-26 08:58 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
--a------ 2005-02-01 21:00 98304 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIADE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"szserver"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCPoVoo TCP port 443
"443:UDP"= 443:UDPoVoo UDP port 443
"37674:TCP"= 37674:TCPoVoo TCP port 37674
"37674:UDP"= 37674:UDPoVoo UDP port 37674
"37675:UDP"= 37675:UDPoVoo UDP port 37675

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-01-04 15:13]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
.
Contents of the 'Scheduled Tasks' folder

2008-08-31 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2008-04-13 17:12]

2008-08-30 C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
- C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe []
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 09:03:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-01 9:11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-01 16:11:44
ComboFix2.txt 2008-08-31 18:04:33
ComboFix3.txt 2008-07-08 04:09:33

Pre-Run: 50,818,535,424 bytes free
Post-Run: 50,825,084,928 bytes free

206	--- E O F ---	2008-08-22 21:33:27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:32:54, on 01/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.piclens.com/shared/plinstll.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7209 bytes


----------



## robert.bev (Oct 2, 2004)

Hi CG, just a thought, should I have stopped system restore before the scan? I believe that some scans cannot find viruses in system restore.
Regards Robert,


----------



## Cookiegal (Aug 27, 2003)

No, do not turn off System Restore. It's always good to have a restore point to go back to when doing fixes, as a backup, even if the restore point is an infected one, as we can deal with that.

In start > run, copy and paste:

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"*

You won't see anything happen and it will only take a second but there will be a report in C:\look.txt. Please open it and copy and paste the contents here.


----------



## robert.bev (Oct 2, 2004)

Hi CG
Sorry for the delay, log below.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\DES 56/56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\NULL]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\Triple DES 168/168]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\MD5]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\SHA]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest]
"Lifetime"=dword:00008ca0
"Negotiate"=dword:00000000
"UTF8HTTP"=dword:00000001
"UTF8SASL"=dword:00000001


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a FixRob.zip file to this post. Save it to your desktop. Unzip it and double-click the FixRob.reg file and allow it to merge into the registry.

Then reboot and export that same registry key again and post it here please.


----------



## robert.bev (Oct 2, 2004)

Hi CG
Sorry I can't find any zip file.

And by exporting the same key again, do you mean do the regedit /e C:\look.txt again?

This morning I had the warning "IE cannot find the web page www.tiscali.co.uk" again; when I clicked it off, my homepage was underneath it. It seems to come up on my homepage more than on others.

Regards Robert.


----------



## Cookiegal (Aug 27, 2003)

Sorry, I thought I did attach it but I guess I forgot.

Here it is.

Yes, export by running the command as you did previously please.


----------



## robert.bev (Oct 2, 2004)

Hi CG,

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\DES 56/56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\NULL]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC2 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 128/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\RC4 56/128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Ciphers\Triple DES 168/168]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\MD5]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Hashes\SHA]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\PCT 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL\Protocols\TLS 1.0\Server]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest]
"Lifetime"=dword:00008ca0
"Negotiate"=dword:00000000
"UTF8HTTP"=dword:00000001
"UTF8SASL"=dword:00000001

Let's hope this is OK.


----------



## Cookiegal (Aug 27, 2003)

OK, that's fine.

Please post a new HijackThis log.
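
As an added example (not part of this thread, and not code from any of the tools used in it), here is a parser for the regedit /e export posted above that checks the SecurityProviders value: it reports the run-together value from the first export (the separators between DLL names are lost, so the whole string reads as one name) and accepts the comma-separated value from the second. The expected list is the one accepted as correct in this thread for this Windows XP machine; the sample exports are trimmed copies of the two posted, plus one constructed variant with an extra DLL appended to show how an unexpected provider would be flagged.

```python
import re

# Providers accepted as correct in this thread (Windows XP SP3 machine).
EXPECTED_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")
KEY_PATH = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders"

# Trimmed copies of the two exports posted in the thread: the first holds the
# run-together value ComboFix listed, the second the value after FixRob.reg.
BROKEN_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
"SecurityProviders"="msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders\\SCHANNEL]
"EventLogging"=dword:00000001
"""

FIXED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders\\WDigest]
"Lifetime"=dword:00008ca0
"Negotiate"=dword:00000000
"""

# Constructed variant (not from the thread): a fifth, unknown DLL appended.
EXTRA_DLL_EXPORT = FIXED_EXPORT.replace(
    'msnsspc.dll"', 'msnsspc.dll, example_extra.dll"')


def parse_reg_export(text):
    """Parse regedit /e output into {key_path: {value_name: raw_data}}.

    Handles the 'Windows Registry Editor Version 5.00' header, [key] lines,
    "name"=data lines and backslash line continuations used for long hex
    data.  Data is kept as the raw export token ("..." for REG_SZ,
    dword:..., hex:...).  regedit writes UTF-16LE; when reading a file use
    open(path, encoding="utf-16") so the BOM is handled before parsing.
    """
    keys = {}
    current = None
    pending = ""
    for line in text.lstrip("\ufeff").splitlines():
        line = pending + line.strip()
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # key names are case-insensitive
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def reg_string(raw):
    """Unquote a REG_SZ export token; .reg files escape backslash and quote."""
    if not (raw.startswith('"') and raw.endswith('"')):
        raise ValueError(f"not a REG_SZ value: {raw!r}")
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def check_security_providers(export_text, expected=EXPECTED_PROVIDERS):
    """Return (ok, findings) for the SecurityProviders value in an export."""
    values = parse_reg_export(export_text).get(KEY_PATH.lower(), {})
    if "securityproviders" not in values:
        return False, ["SecurityProviders value not present in export"]
    tokens = [t.strip().lower()
              for t in reg_string(values["securityproviders"]).split(",")
              if t.strip()]
    findings = []
    for tok in tokens:
        if tok.count(".dll") != 1 or not tok.endswith(".dll"):
            # "msapsspc.dllschannel.dll...": the separators between names are gone
            findings.append(f"malformed entry (separators lost?): {tok}")
        elif tok not in expected:
            # Every DLL listed here is loaded as a security package; review unknowns.
            findings.append(f"unexpected provider: {tok}")
    if not any(f.startswith("malformed") for f in findings):
        findings += [f"expected provider missing: {n}" for n in expected if n not in tokens]
    return not findings, findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT),
                        ("extra dll", EXTRA_DLL_EXPORT)):
        ok, findings = check_security_providers(text)
        print(label, "OK" if ok else "REVIEW", *findings, sep="\n  ")
```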


----------



## robert.bev (Oct 2, 2004)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:05:08, on 03/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.piclens.com/shared/plinstll.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7274 bytes


----------



## Cookiegal (Aug 27, 2003)

How are things now? Are you still having problems accessing the Tiscali page?


----------



## robert.bev (Oct 2, 2004)

Hi CG 
I have no probs accessing my homepage, it's just the message that has come back: "Internet Ex cannot access the web page www.tiscali,co.uk" Operation Aborted. When I click it off all is OK. This message started after we used one of the tools and showed on other web pages also, but since it came back it's just been on my homepage, usually when I try to access it after boot up.

The PC runs slower now and takes more time to change pages, & by the sound of the fan it's working harder, although the probs and nasties I originally had are gone and the PC is quite usable.
You have been most patient and kind in solving my problems and I thank both yourself and Rog; you have spent weeks on my probs and if you would like to call it solved that's OK, I can't expect much more of your time.
Regards Bob.


----------



## Cookiegal (Aug 27, 2003)

Please check the Event Viewer again for any new errors over the last 24-48 hours under both Application and System and copy and paste them here.

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## robert.bev (Oct 2, 2004)

Hi CG, most errors were event 7000 & 7023. I didn't put them all on because I didn't know if I was doing it right.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 04/09/2008
Time: 19:01:22
User: N/A
Computer:	BLACKBESS
Description:
The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 04/09/2008
Time: 22:23:42
User: N/A
Computer:	BLACKBESS
Description:
The SASDIFSV service failed to start due to the following error: 
Cannot create a file when that file already exists.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 04/09/2008
Time: 22:21:38
User: N/A
Computer:	BLACKBESS
Description:
The Windows Driver Foundation - User-mode Driver Framework service terminated with the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 04/09/2008
Time: 22:21:38
User: N/A
Computer:	BLACKBESS
Description:
The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 04/09/2008
Time: 19:01:22
User: N/A
Computer:	BLACKBESS
Description:
The Portable Media Serial Number Service service failed to start due to the following error: 
The executable program that this service is configured to run in does not implement the service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7023
Date: 04/09/2008
Time: 19:01:22
User: N/A
Computer:	BLACKBESS
Description:
The Windows Driver Foundation - User-mode Driver Framework service terminated with the following error: 
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 04/09/2008
Time: 19:01:22
User: N/A
Computer:	BLACKBESS
Description:
The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Disk
Event Category:	None
Event ID:	7
Date: 03/09/2008
Time: 08:28:13
User: N/A
Computer:	BLACKBESS
Description:
The device, \Device\Harddisk0\D, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 04/09/2008
Time: 11:25:00
User: N/A
Computer:	BLACKBESS
Description:
Hanging application iexplore.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 04/09/2008
Time: 17:27:38
User: NT AUTHORITY\SYSTEM
Computer:	BLACKBESS
Description:
Windows saved user BLACKBESS\Robert registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Warning
Event Source:	Avira AntiVir
Event Category:	Infection 
Event ID:	4113
Date: 01/09/2008
Time: 08:56:36
User: NT AUTHORITY\SYSTEM
Computer:	BLACKBESS
Description:
The description for Event ID ( 4113 ) in Source ( Avira AntiVir ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Eicar-Test-Signature, C:\Combo-Fix\null2, , .
Hope this is what you want


----------



## Cookiegal (Aug 27, 2003)

Hmmmm.....you've still got that BadBlock error. If Rog is still following this thread, I hope he has some ideas on that one. I'll send him a request to look just in case he's no longer subscribed.


----------



## Rollin' Rog (Dec 9, 2000)

In addition to the "bad block" error I'm also seeing this >>



> Event Type: Warning
> Event Source: Userenv
> Event Category: None
> Event ID: 1517
> ...


To resolve this, install the User Profile Hive Cleanup utility >>

http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en

As for the "Bad Block" error, run the HD Tune check and see how many it finds >>

http://www.hdtune.com/

If there is more than one drive on the system, run it on all. If you had an external drive attached at the time of that error -- that would be a possibility for it -- we can't tell from the event viewer description just what drive is being referred to.

If more than a couple, before running chkdsk /r again, backup your vitals.

Then run chkdsk on the drive and monitor the Event Viewer every day to see if any more "disk" or "bad block" errors occur. Also run HD Tune again after chkdsk.

If these continue, and the drive is less than 3yrs old, it should be replaceable under warranty. But that would be your call.

And for what it's worth, this one appears associated with a USB DSL Modem -- which I guess was not attached to the system >>

_Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 04/09/2008
Time: 22:21:38
User: N/A
Computer: BLACKBESS
Description:
The General Purpose USB Driver (adildr.sys) service failed to start due to the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._


----------



## robert.bev (Oct 2, 2004)

Hi Rog
Sorry for the long delay in responding, I didn't get a mail telling me that you had responded and I thought that we were waiting for you to respond to Cookie Gall.
Many thanks for your input and I will do as you suggest and report back in a little while, until then Regards Robert.


----------



## robert.bev (Oct 2, 2004)

Hi again Rog
I downloaded UPHC & installed it: it did not put an icon on the desktop, so I found the folder and opened it, and all there was was a black square with a blinking cursor and no instructions.
And sorry, I couldn't find the Chkdsk prog; I can't remember ever downloading it, although I have the HD Tune prog in my folder.
Regards Robert.


----------



## Rollin' Rog (Dec 9, 2000)

The User Profile Hive cleanup program is not one that you run manually. If it installed, it is running as a process after a reboot and will do that automatically. You should see it in the Task Manager Process list.

Chkdsk is a built-in program. If you haven't run it before here are good directions:

http://www.housing.hawaii.edu/resources/support/chkdsk.htm

After you reboot, there should be a log in the Event Viewer (run: eventvwr.msc) > Applications Log > Winlogon entry. Double click that and use the copy icon to copy the text to a clipboard. You can paste it here or upload it as a notepad attachment.

But I would run HDTune first and see if it reports any bad blocks.


----------



## robert.bev (Oct 2, 2004)

Hi Rog
here is the chkdsk log. I did a HD Tune and I couldn't find a HD log, but as it ran I noted the results, i.e. Transfer rate 5.4mb, Max 57.0, Av 44.1, Access time 41.8ms, Burst rate 80.9mb/s, CPU Usage 23.5%. I also ran the Error Scan & there were 4 red squares.

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1001
Date: 14/09/2008
Time: 11:58:07
User: N/A
Computer:	BLACKBESS
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk. 
Cleaning up minor inconsistencies on the drive.
Cleaning up 188 unused index entries from index $SII of file 0x9.
Cleaning up 188 unused index entries from index $SDH of file 0x9.
Cleaning up 188 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x5c575c000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x5c5760000 for 0x1000 bytes.
Windows replaced bad clusters in file 38714
of name \DOCUME~1\Robert\MYDOCU~1\15DN'D~1\TESTDI~1.9\win\016POW~1\PROFES~1.PPS.
Read failure with status 0xc000009c at offset 0x5c558b000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x5c5595000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x5c5596000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x5c5596000 for 0x1000 bytes.
Windows replaced bad clusters in file 38718
of name \DOCUME~1\Robert\MYDOCU~1\15DN'D~1\TESTDI~1.9\win\016POW~1\SCULPT~1.PPS.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Adding 5 bad clusters to the Bad Clusters File.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

80027765 KB total disk space.
29246808 KB in 112355 files.
43180 KB in 5651 indexes.
28 KB in bad sectors.
308285 KB in use by the system.
65536 KB occupied by the log file.
50429464 KB available on disk.

4096 bytes in each allocation unit.
20006941 total allocation units on disk.
12607366 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## robert.bev (Oct 2, 2004)

Hi Rog
This is the HD Tune log after running Chkdsk
HD Tune: Maxtor 6Y080L0 Benchmark

Transfer Rate Minimum : 6.3 MB/sec
Transfer Rate Maximum : 57.0 MB/sec
Transfer Rate Average : 43.3 MB/sec
Access Time : 19.5 ms
Burst Rate : 65.4 MB/sec
CPU Usage : 57.4%

And this is the storage drive E:

HD Tune: Maxtor 6L080L0 Benchmark

Transfer Rate Minimum : 24.0 MB/sec
Transfer Rate Maximum : 29.3 MB/sec
Transfer Rate Average : 25.5 MB/sec
Access Time : 15.8 ms
Burst Rate : 28.1 MB/sec
CPU Usage : 26.7%


----------



## Rollin' Rog (Dec 9, 2000)

The chkdsk log does indicate some drive corruption that could have been causing issues.



> I also ran the Error Scan & there were 4 red squares


This indicates bad blocks. Run it again now that chkdsk has completed and see if they are still there.

Continue to monitor the Event Viewer for possible new "disk" errors.

Let us know what issues are recurring after the chkdsk run.

And post another HijackThis scanlog.


----------



## robert.bev (Oct 2, 2004)

Hi Rog
Here is another Chkdsk scan log. I ran a HD Tune error scan & the 4 red blocks are still there; also another HJ log is appended. In the Chkdsk log below, file 38718 mentions \TESTDI~1\win\ etc; I wonder if this is the Test Disk prog I downloaded some time ago? I don't use it and it can be deleted.
Also I am trying to remove a prog called Cowon Media Jet Audio. When I try Add & Remove progs I get an error 6003?, and when I try to remove the folder from prog files I get "Access denied", make sure the disk is not full or write protected, or the file is not in use.
Now my PC will not shut down at all & sticks on "Saving your files"; I have to use the power switch to close down. I wonder if the above is part of the problem.

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1001
Date: 15/09/2008
Time: 15:11:23
User: N/A
Computer:	BLACKBESS
Description:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk. 
Cleaning up 2 unused index entries from index $SII of file 0x9.
Cleaning up 2 unused index entries from index $SDH of file 0x9.
Cleaning up 2 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x5c5597000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x5c5597000 for 0x1000 bytes.
Windows replaced bad clusters in file 38718
of name \DOCUME~1\Robert\MYDOCU~1\15DN'D~1\TESTDI~1.9\win\016POW~1\SCULPT~1.PPS.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Adding 1 bad clusters to the Bad Clusters File.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

80027765 KB total disk space.
29305548 KB in 112189 files.
43728 KB in 5659 indexes.
32 KB in bad sectors.
308029 KB in use by the system.
65536 KB occupied by the log file.
50370428 KB available on disk.

4096 bytes in each allocation unit.
20006941 total allocation units on disk.
12592607 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26:15, on 15/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Innovative Solutions\DriverMax\devices.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HD Tune\HDTune.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [DriverMax] "C:\Program Files\Innovative Solutions\DriverMax\devices.exe" -agent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.batraveltrade.com
O15 - Trusted Zone: http://forums.techguy.org
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.piclens.com/shared/plinstll.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7286 bytes
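As an added example (not HijackThis code and not from any post in this thread), the following parses the numbered entries of a HijackThis v2 scanlog like the one above and lists the entry types a reviewer checks first: orphaned O2/O3 registrations, O4 startup commands without a full path, O15 Trusted Zone sites, O17 NameServer addresses and O20 Winlogon Notify DLLs. The sample lines are copied from the posted scan except the two "(no file)" entries, whose CLSIDs are made up to mirror the orphaned entries the OP first asked about; the review rules are this example's own heuristics, not a verdict on any entry.

```python
"""Review a HijackThis v2 scanlog for the entry types worth a second look.
Added example for this thread; it is not part of HijackThis, and the
review rules below are this example's own heuristics (assumptions)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: O-lines copied from the posted scanlog, plus two orphaned
# "(no file)" entries with made-up CLSIDs (the kind the OP originally asked about).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - (no file)
O3 - Toolbar: (no name) - {55555555-6666-7777-8888-999999999999} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O15 - Trusted Zone: http://forums.techguy.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{26A2F988-1760-4190-BEB2-60FF3C84BDB4}: NameServer = 212.139.132.8 212.139.132.9
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    section: str   # "O2", "O17", ...
    body: str      # text after "O17 - "


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse(log_text: str) -> list[Entry]:
    """Keep only the numbered R/F/O entries; process lists and headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def _executable(cmd: str) -> str:
    """First token of a Run value; a quoted path keeps its spaces."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for e in parse(log_text):
        parts = [p.strip() for p in e.body.split(" - ")]
        if e.section in ("O2", "O3"):
            # "BHO: name - {CLSID} - path"; HJT prints "(no name)"/"(no file)" for orphans.
            name = parts[0].split(": ", 1)[-1]
            if parts[-1].lower() == "(no file)" or name.lower() == "(no name)":
                findings.append(Finding(e.section, "orphaned BHO/toolbar registration", e.body))
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            if m and not DRIVE_RE.match(_executable(m.group("cmd"))):
                # A bare name is resolved through the search path at logon, so the
                # reviewer should confirm which file actually runs.
                findings.append(Finding("O4", "startup command without an absolute path",
                                        f'{m.group("name")}: {m.group("cmd")}'))
        elif e.section == "O15":
            findings.append(Finding("O15", "site in IE Trusted Zone (relaxed security settings)",
                                    parts[-1].split(": ", 1)[-1]))
        elif e.section == "O17":
            findings.append(Finding("O17", "DNS servers set on an interface; confirm they are your ISP's",
                                    " ".join(IPV4_RE.findall(e.body))))
        elif e.section == "O20":
            findings.append(Finding("O20", "DLL loaded into winlogon at logon", parts[-1]))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.detail}")
```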


----------



## Rollin' Rog (Dec 9, 2000)

It looks like those "bad block" issues are not going to get entirely fixed.

I'm not sure if this is going to cause future problems or not -- as they may be locked out as far as being used in the future.

But you should be thinking about replacing the drive, it is definitely unhealthy. If it is less than 3 years old it is under warranty from the drive vendor.

And I would certainly take steps to backup all critical data.

I do see that UPHClean is successfully installed and running and this may help with some issues >>

C:\Program Files\UPHClean\uphclean.exe

>> The "Access Denied" issue may be related to the drive corruption and the installation, uninstallation files for the program in question being damaged.

If it is a legitimate program you could try reinstalling then uninstalling it if you really need it out of there.

>> Can you boot up and shut down from Safe Mode without a problem?

If so, try testing using Clean Boot methods.

CLEAN BOOT TROUBLESHOOTING technique

First, restart in Safe Mode if necessary -- (tap the f8 key promptly on startup and choose the Safe Mode option from the boot menu) or Normal mode

Then:

Run *msconfig* and select the "Services" tab. *Check "Hide Microsoft Services"* and then disable the rest. Also uncheck "load startup group" on the general page.

See one or both of these links for detailed information. The second is for Vista -- but it is actually the best written and applies equally.

http://support.microsoft.com/kb/929135 << written for Vista, but applies equally well to XP

Now restart and test the issue at hand

If no problems, run *msconfig* and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in "selective" startup mode - you should note what these are before beginning. They will need to be de-selected again.
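The two chkdsk logs posted above are what show the drive getting worse between runs, so here is an added example (not a Windows tool and not from any post in this thread) that parses the Winlogon event 1001 text and compares consecutive runs: bad-sector KB, clusters newly mapped out, failing offsets and which files were hit both times. The two samples are trimmed copies of the logs posted above.

```python
"""Summarise and compare CHKDSK results from Winlogon event 1001 text.
Added example for this thread; not a Windows tool and not from any post above."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed samples: trimmed copies of the two chkdsk logs posted in this thread.
RUN_14_SEP = r"""
Checking file system on C:
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x5c575c000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x5c5760000 for 0x1000 bytes.
Windows replaced bad clusters in file 38714
of name \DOCUME~1\Robert\MYDOCU~1\15DN'D~1\TESTDI~1.9\win\016POW~1\PROFES~1.PPS.
Read failure with status 0xc000009c at offset 0x5c558b000 for 0x10000 bytes.
Windows replaced bad clusters in file 38718
of name \DOCUME~1\Robert\MYDOCU~1\15DN'D~1\TESTDI~1.9\win\016POW~1\SCULPT~1.PPS.
Adding 5 bad clusters to the Bad Clusters File.
80027765 KB total disk space.
28 KB in bad sectors.
4096 bytes in each allocation unit.
"""
RUN_15_SEP = r"""
Checking file system on C:
Read failure with status 0xc000009c at offset 0x5c5597000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x5c5597000 for 0x1000 bytes.
Windows replaced bad clusters in file 38718
of name \DOCUME~1\Robert\MYDOCU~1\15DN'D~1\TESTDI~1.9\win\016POW~1\SCULPT~1.PPS.
Adding 1 bad clusters to the Bad Clusters File.
32 KB in bad sectors.
4096 bytes in each allocation unit.
"""


@dataclass
class ChkdskRun:
    bad_sector_kb: int = 0
    clusters_added: int = 0
    cluster_bytes: int = 0
    read_failures: list[tuple[int, int]] = field(default_factory=list)  # (offset, length)
    repaired_files: dict[int, str] = field(default_factory=dict)        # MFT record -> name


READ_FAIL = re.compile(r"Read failure with status (0x[0-9a-fA-F]+) at offset (0x[0-9a-fA-F]+) for (0x[0-9a-fA-F]+) bytes")
REPLACED = re.compile(r"Windows replaced bad clusters in file (\d+)")
ADDED = re.compile(r"Adding (\d+) bad clusters? to the Bad Clusters File")
BAD_KB = re.compile(r"^(\d+) KB in bad sectors")
UNIT = re.compile(r"^(\d+) bytes in each allocation unit")


def parse_chkdsk(text: str) -> ChkdskRun:
    run = ChkdskRun()
    pending_file = None  # record number waiting for its "of name ..." line
    for line in (ln.strip() for ln in text.splitlines()):
        if (m := READ_FAIL.search(line)):
            run.read_failures.append((int(m.group(2), 16), int(m.group(3), 16)))
        elif (m := REPLACED.search(line)):
            pending_file = int(m.group(1))
        elif pending_file is not None and line.startswith("of name "):
            run.repaired_files[pending_file] = line[len("of name "):].rstrip(".")
            pending_file = None
        elif (m := ADDED.search(line)):
            run.clusters_added = int(m.group(1))
        elif (m := BAD_KB.match(line)):
            run.bad_sector_kb = int(m.group(1))
        elif (m := UNIT.match(line)):
            run.cluster_bytes = int(m.group(1))
    return run


def compare_runs(before: ChkdskRun, after: ChkdskRun) -> dict:
    """Trend between two consecutive runs: a second run that still maps out clusters
    and still hits the same file points at failing media, not one-off corruption."""
    before_offsets = {o for o, _ in before.read_failures}
    after_offsets = {o for o, _ in after.read_failures}
    all_offsets = before_offsets | after_offsets
    kb_delta = after.bad_sector_kb - before.bad_sector_kb
    return {
        "bad_sector_kb_delta": kb_delta,
        # Sanity check: the clusters newly mapped out should account for the growth.
        "delta_matches_clusters": kb_delta == after.clusters_added * after.cluster_bytes // 1024,
        "new_failure_offsets": sorted(after_offsets - before_offsets),
        "files_hit_both_runs": sorted(set(before.repaired_files) & set(after.repaired_files)),
        # How localised the failures are on the platter (KB between first and last offset).
        "failure_span_kb": (max(all_offsets) - min(all_offsets)) // 1024,
        "still_degrading": after.clusters_added > 0,
    }


if __name__ == "__main__":
    first, second = parse_chkdsk(RUN_14_SEP), parse_chkdsk(RUN_15_SEP)
    for key, value in compare_runs(first, second).items():
        print(f"{key}: {value}")
```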


----------



## robert.bev (Oct 2, 2004)

Hi Rog
I have run the clean boot elimination process this afternoon, and couldn't get the PC to replicate the prob or any probs, which is odd as this morning it was 2 to 1: I had to stop the PC with the power button twice and it shut down normally once.
One thing I forgot to mention that might give you an idea is that after I have booted up the PC and all the icons have loaded onto the task bar, about thirty seconds later there is a loud squeak, as if I had stepped on a mouse _!!!_ not that I make a habit of flattening mousy type critters.
It's beginning to look as you suspect that the HDD might be at fault. I'll have a word with the chap that built it for me about another one as it's a little less than three years old, although for items over here we usually only get a one year warranty.
Anyway thanks so much for your help.


----------



## Rollin' Rog (Dec 9, 2000)

You're welcome, that does sound like it must be the drive.

When you got no problems in Clean boot -- I assume that included the entire procedure in which you re-enabled and disabled by halves?


----------



## robert.bev (Oct 2, 2004)

Hi Rog
Yes, I followed the instructions OK and tried eliminating by halves, & I couldn't get the prob to repeat itself, although I have had the message "Windows cannot open" etc etc a few times today, and the PC has refused to shut down twice; it hangs in the "Saving your settings" screen. It looks like one of the progs won't terminate.

Anyway I've decided on another HDD. The price of PC bits has dropped a lot and a 250Gb Maxtor or 250Gb Samsung are only £43 & £39 respectively, that's about $80 ish (is that comparable with your prices?), so I will reload Windows on the spare 80Gb that I use for storing my photos on at the moment, and make the new 250Gb the storage drive, and that should solve a few problems I think (hope).
Regards Bob.


----------



## Rollin' Rog (Dec 9, 2000)

I would use msconfig to simplify the startups under the startup tab as much as possible. You can certainly experiment.

About the only things I see there that I think would be vital would be your antivirus and firewall programs. And ZA could be replaced by the Windows firewall at that.


----------



## robert.bev (Oct 2, 2004)

Hi Rog
Sorry for the delay in responding, I think a new drive and a reload of Windows will solve the few probs I have left, so I will call this thread closed.
And I would like to thank yourself and Cookie Gall for all the help and advice that you have both given me in sorting out my PC.
It's nice to know there are good guys out there riding to the rescue, so once again many many thanks.
Kind regards Robert.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

If you haven't already you should see about backing up any important data, photos, music, etc. in the event your hard drive fails. You don't want to lose anything.

For now you should do this:

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.


----------



## Rollin' Rog (Dec 9, 2000)

You're certainly welcome on my part as well. Good luck with the new drive.


----------



## robert.bev (Oct 2, 2004)

Hi CG
I have uninstalled Combofix as advised and installed SpywareBlaster. It looks a good prog, but there's no icon for the task bar; does it run in the background?
I am in the process of backing up everything and once completed I'll go and get the replacement drive.
Regards Bob.


----------



## Cookiegal (Aug 27, 2003)

SpywareBlaster doesn't actually "run" in the background but it does protect you from various unwanted sites and ActiveX controls. There should be an icon on your desktop but not in the system tray. You just need to remember to update it regularly and it will do the rest.


----------

