# Unable To Install Antivirus Software (Some Virus Problem, Maybe)



## s.roopam (Sep 28, 2006)

*SYSTEM SPECIFICATIONS:*
IBM Notebook, Intel Pentium Centrino, R52, 512 MB RAM, 60 GB hard disk

*OPERATING SYSTEM*
Windows XP Professional

*Problems:*

SECURITY

1) By mistake I uninstalled the AVG Free antivirus installed on my system. Since then I have been unable to re-install it. Every time I try, it shows this error report:
Local machine: installation failed
Installation:
Error: Action failed for file avg7dos.lng: creating file....
Changing language to 67698688 failed.
General failure.

Please help; I hope it's not some virus problem.

OPERATING SYSTEM

2) Since I uninstalled the antivirus from my system, the "Search" facility provided by the operating system in the Start menu has stopped working. Whenever I try to search for a document using Windows "Search", CPU usage goes to 100%, the system hangs, no program runs, and the system requires a restart to function normally.

Please help!


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

If you have taken anything out of startups via msconfig, please go to *Start* > *Run*, type in *msconfig*, click OK and click on the Startup tab. Click on *Enable All*, then *Apply* and OK. Then please do the following:

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## s.roopam (Sep 28, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 11:32:22 AM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
E:\programs\Winamp\winampa.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
E:\programs\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
E:\programs\BTNtService.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.4:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load= E:\TCWIN45\PIPELINE\remind.exe C:\TCWIN45\PIPELINE\remind.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] E:\programs\Winamp\winampa.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "E:\programs\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\programs\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## Cookiegal (Aug 27, 2003)

Download the trial version of *Ewido Anti-spyware* from *HERE* and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions but still worth keeping.


Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run Ewido and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*"
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.


Reboot your computer into *Safe Mode* now. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
*IMPORTANT:* Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
Ewido will now begin the scanning process. Be patient this may take a little time.
*Once the scan is complete do the following:*
If you have any infections you will be prompted; then select "*Apply all actions*".
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.*


----------



## s.roopam (Sep 28, 2006)

Installed Ewido Anti-spyware, but I am unable to update it. It shows this error:
Error: Wrong Answer: HTTP/1.0 400 Bad Request


----------



## s.roopam (Sep 28, 2006)

I had 15 errors when I scanned using the *un-updated* version of Ewido Anti-spyware.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:	12:55:42 AM 10/1/2006

+ Scan result:

C:\Documents and Settings\Roopam S\Application Data\Starware -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Application Data\Starware\Manager -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Application Data\Starware\Manager\ManagerOptions.xml -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Application Data\Starware\Manager\ManagerOptions.xml.backup -> Adware.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

::Report end


----------



## Cookiegal (Aug 27, 2003)

Go to the following link and download the "full database" for Ewido:

http://www.ewido.net/en/download/updates/

Then do another scan and post the results please.

Did you run the Panda scan?


----------



## s.roopam (Sep 28, 2006)

| Incident | Status | Location |
|---|---|---|
| Potentially unwanted tool: application/regclean32 | Not disinfected | C:\Documents and Settings\Roopam S\Application Data\Registry Cleaner |
| Adware: adware/comet | Not disinfected | Windows Registry |
| Spyware: Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][1].txt |
| Virus: W32/Tearec.A.worm!CME-24 | Disinfected | C:\Documents and Settings\Roopam S\Desktop\ip\sem\Costing\Costar 7 Demo\desktop.ini |
| Virus: W32/Tearec.A.worm!CME-24 | Disinfected | C:\Documents and Settings\Roopam S\Desktop\ip\sem\Costing\Costar 7 Demo\Temp.Htt |
| Virus: W32/Tearec.A.worm!CME-24 | Disinfected | C:\Documents and Settings\Roopam S\Desktop\ip\sem\Costing\desktop.ini |
| Virus: W32/Tearec.A.worm!CME-24 | Disinfected | C:\Documents and Settings\Roopam S\Desktop\ip\sem\Costing\Temp.Htt |


----------



## Cookiegal (Aug 27, 2003)

Were you able to update Ewido?


Please Download *Blackmail Removal Tool* from *here.*

Save the file to a convenient location, such as your Windows desktop.

Double-click *Antinyxem-EN.exe* to start the removal tool.

The program will scan all running processes, and then you will be able to click the *Scan* button.

Click *Scan* to begin the tool, and then allow it to run.

Reboot and post a new HijackThis log please.


----------



## s.roopam (Sep 28, 2006)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:	10:26:41 AM 10/1/2006

+ Scan result:

C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Roopam S\Cookies\roopam [email protected][2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).

::Report end


----------



## s.roopam (Sep 28, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 11:53:39 AM, on 10/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
E:\programs\Winamp\winampa.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
E:\programs\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
E:\programs\BTNtService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.4:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load= E:\TCWIN45\PIPELINE\remind.exe C:\TCWIN45\PIPELINE\remind.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] E:\programs\Winamp\winampa.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "E:\programs\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\programs\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## s.roopam (Sep 28, 2006)

Another problem: for the last few hours I have been unable to access the college LAN, intranet etc., though the internet is working fine. I guess it's some trojan/virus attack, because many people on campus are facing the same problem.
Please help.


----------



## s.roopam (Sep 28, 2006)

I was able to successfully install an antivirus, AntiVir PE Classic, and ran the scan in safe mode. It showed 19 warnings and 1 detection.
I quarantined the detection, and now I am able to access my intranet.
Posting here the scan report of AntiVir PE Classic:

AntiVir PersonalEdition Classic
Report file date: Sunday, October 01, 2006 18:49

Scanning for 397237 virus strains and unwanted programs.

Licensed to: AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Roopam S
Computer name: ROOPAMSAXENA

Version informations:
AVSCAN.EXE : 7.0.0.42 557096 9/28/2006 12:35:44
AVSCAN.DLL : 7.0.0.42 53288 9/28/2006 12:35:44
LUKE.DLL : 7.0.0.42 118824 9/28/2006 12:35:44
LUKERES.DLL : 7.0.0.42 25640 9/28/2006 12:35:44
ANTIVIR0.VDF : 6.35.0.1 7371264 9/28/2006 12:35:42
ANTIVIR1.VDF : 6.35.0.4 2048 9/28/2006 12:35:43
ANTIVIR2.VDF : 6.35.0.5 2048 9/28/2006 12:35:43
ANTIVIR3.VDF : 6.35.0.6 2048 9/28/2006 12:35:43
AVEWIN32.DLL : 7.1.0.10 1511936 9/28/2006 12:35:43
AVPREF.DLL : 7.0.0.1 49192 9/28/2006 12:35:43
AVREP.DLL : 6.35.0.1 643112 9/28/2006 12:35:44
AVRPBASE.DLL : 7.0.0.0 2162728 9/28/2006 12:35:44
AVPACK32.DLL : 7.1.0.1 335912 9/28/2006 12:35:43
AVREG.DLL : 6.31.0.90 27688 9/28/2006 12:35:44
NETNT.DLL : 6.32.0.0 6696 9/28/2006 12:35:45
NETNW.DLL : 6.32.0.0 9768 9/28/2006 12:35:45
RCIMAGE.DLL : 7.0.0.71 1642536 9/28/2006 12:35:47
RCTEXT.DLL : 7.0.0.75 77864 9/28/2006 12:35:47

Configuration settings for the scan:
Jobname: '%s'.................: ShlExt
Configuration file............: C:\DOCUME~1\ROOPAM~1\LOCALS~1\Temp\b549e213.avp
Boot sectors..................: C
Scan memory...................: 1
Process scan..................: 0
Scan all files................: 2
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: -1
Primary action................: 1
Secondary action..............: 0

Start of the scan: Sunday, October 01, 2006 18:49

Start scanning boot sectors:

Boot sector 'C:\'
[NOTE] No virus was found!

Starting the file scan:

C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Roopam S\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\Roopam S\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\Roopam S\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\Roopam S\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
[DETECTION] Contains signature of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '458aca9b.qua'!
C:\WINDOWS\system32\config\DEFAULT
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SOFTWARE
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SYSTEM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!

End of the scan: Sunday, October 01, 2006 19:31
Used time: 42:28 min

The scan has been done completely.

4049 Scanning directories
281155 Files were scanned
1 viruses and/or unwanted programs was found
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
7196 Archives were scanned
19 Warnings
4 Notes


----------



## Cookiegal (Aug 27, 2003)

The file it found is a false positive. It belongs to Panda anti-virus.

How are things running now?

We can tidy up the log a bit:

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O4 - HKLM\..\Run: [EarthLink Installer] " /C*

*O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k*

You also need to replace your Sun Java with the newest version. There are more vulnerabilities in the older versions that can be exploited.

Go to Add/Remove programs and uninstall this:

*Java 2 Runtime Environment, SE v1.4.2*

Now go *here* and install the latest version of Java.


----------



## s.roopam (Sep 28, 2006)

The request is too big and the system administrator of my college has banned the site...
Can you suggest any other way to get the installer for the new Sun Java version....


----------



## s.roopam (Sep 28, 2006)

Did a scan again after the above-mentioned error, and this is the log

Log of HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 8:27:19 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
E:\programs\Winamp\winampa.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
E:\programs\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
E:\programs\BTNtService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.4:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load= E:\TCWIN45\PIPELINE\remind.exe C:\TCWIN45\PIPELINE\remind.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] E:\programs\Winamp\winampa.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "E:\programs\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\programs\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe


----------



## s.roopam (Sep 28, 2006)

Wow!!! Thanks a lot... Windows "Search" is working absolutely fine now....
Right now I have the ANTIVIR PE CLASSIC antivirus software installed on my system.....
Please suggest good anti-virus software and also tell me whether I should keep Ewido, Panda and HijackThis installed??

Again a BIG THANKS for the time, effort and patience with which you helped me out in curing my system.


----------



## Cookiegal (Aug 27, 2003)

It looks like they don't want Java at all but having the older version of Java is leaving the computer open to infection. You should take that up with the administrators.


The log looks good. I take it all is fine now?


----------



## s.roopam (Sep 28, 2006)

As of now everything is fine.... I need Sun Java, else most of the sites don't open properly without it.... Also, other problems I am facing are that
1) I am unable to update the virus definitions of any antivirus program installed on my system....
2) I am also unable to make bridge connections from my system.... (internet bridge)


----------



## Cookiegal (Aug 27, 2003)

Download *The Hoster* from *here*. Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.

Then let me know if you can update those programs.


----------



## s.roopam (Sep 28, 2006)

1) Still unable to update...

2) Information: also, this is something which I have been ignoring for the last few months... since it created no problem in the normal working of my laptop...
Whenever I switch on my laptop the first window that appears is an error kind of window... which reads "Cant run 16 bit windows program
Insufficient to run this application. Quit one or more Wndows applications and then try again."

I close that window normally and my laptop works normally... thought I should bring it to your notice....

Information 2: I have also partitioned my hard disk from the original 60GB C: drive into three partitions.... using "Partition Magic" software....

Hope it's not the cause.

Please comment...
Thanks..


----------



## Cookiegal (Aug 27, 2003)

That could be why you're having problems.

Download the file and save it to your desktop. Double click on the file to run it once it's downloaded.

http://www.visualtour.com/downloads/

Then see if those programs will update.


----------



## s.roopam (Sep 28, 2006)

Which one..... VT STUDIO 5.1...????


----------



## s.roopam (Sep 28, 2006)

It also needs a login password....... Do I need to register here??


----------



## Cookiegal (Aug 27, 2003)

It's the fourth one down. No, you do not need to register.


----------



## s.roopam (Sep 28, 2006)

Done....... still not updating..


----------



## Cookiegal (Aug 27, 2003)

Please print these directions before continuing since we will be rebooting the computer into Safe Mode and these instructions will not be available.

Download *WinPFind.exe* to your desktop and double click on it to extract the files. This will create a folder named *WinPFind* on your desktop.

*Start in Safe Mode Using the F8 method:*


Restart the computer.
As soon as the BIOS is loaded, begin tapping the *F8* key until the boot menu appears.
Use the arrow keys to select the *Safe Mode* menu item.
Press the *Enter* key.

Double click on the WinPFind folder on your desktop to open it and then double click on the *WinPFind.exe* file to start the program.


Click Configure scan options
Under Run AdOns select the following:
Policies.def
Security.def

Click apply
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

When the scan is complete reboot normally and post the *WinPFind.txt* file (located in the WinPFind folder) back here along with a new HijackThis log.


----------



## s.roopam (Sep 28, 2006)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 10/8/2006 4:01:35 AM
WinPFind v1.5.0	Folder = C:\Documents and Settings\Roopam S\Desktop\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 9/14/2006 2:59:30 AM 526925824 C:\WINDOWS\MEMORY.DMP ()
qoologic 9/14/2006 2:59:30 AM 526925824 C:\WINDOWS\MEMORY.DMP ()
aspack 9/14/2006 2:59:30 AM 526925824 C:\WINDOWS\MEMORY.DMP ()
PTech 9/14/2006 2:59:30 AM 526925824 C:\WINDOWS\MEMORY.DMP ()
WSUD 9/14/2006 2:59:30 AM 526925824 C:\WINDOWS\MEMORY.DMP ()

Checking %System% folder...
PEC2 8/4/2004 5:30:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PTech 12/16/2004 3:34:44 PM 184320 C:\WINDOWS\SYSTEM32\IbmEgath.dll (IBM Corporation)
PECompact2 2/14/2006 3:23:42 PM 4510560 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 2/14/2006 3:23:42 PM 4510560 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 8/4/2004 5:30:00 PM 1200128 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 8/4/2004 5:30:00 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 5:30:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/4/2004 5:30:00 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 8/4/2004 5:30:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
WSUD 5/10/2006 10:56:34 AM 7706112 C:\WINDOWS\SYSTEM32\wmploc.dll (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
UPX! 9/12/2006 12:49:40 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys.install_backup (GRISOFT, s.r.o.)
FSG! 9/12/2006 12:49:40 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys.install_backup (GRISOFT, s.r.o.)
PEC2 9/12/2006 12:49:40 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys.install_backup (GRISOFT, s.r.o.)
aspack 9/12/2006 12:49:40 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys.install_backup (GRISOFT, s.r.o.)
PEC2 3/26/2005 5:48:48 AM 82148 C:\WINDOWS\SYSTEM32\drivers\VcommMgr.sys (IVT Corporation)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/8/2006 4:00:06 AM S 2048 C:\WINDOWS\bootstat.dat ()
10/8/2006 3:59:56 AM H 8192 C:\WINDOWS\system32\config\default.LOG ()
10/8/2006 4:00:22 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
10/8/2006 4:00:08 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG ()
10/8/2006 4:00:10 AM H 77824 C:\WINDOWS\system32\config\software.LOG ()
10/8/2006 4:00:12 AM H 1130496 C:\WINDOWS\system32\config\system.LOG ()
9/5/2006 2:56:42 PM H 0 C:\WINDOWS\system32\drivers\umdf\MsftWdf_user_01_00_00.Wdf ()
10/8/2006 3:59:02 AM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
5/25/2004 7:36:58 PM 417792 C:\WINDOWS\SYSTEM32\ac3filter.cpl ()
8/4/2004 5:30:00 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
9/26/2004 5:49:38 PM 61440 C:\WINDOWS\SYSTEM32\IBMJavaPlugin142.cpl (IBM)
12/14/2004 3:11:02 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl (Intel Corporation)
8/4/2004 5:30:00 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
8/4/2004 5:30:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
11/12/2004 1:37:00 PM 49152 C:\WINDOWS\SYSTEM32\tp4ex.cpl (IBM Corporation)
1/21/2005 2:10:00 PM 34816 C:\WINDOWS\SYSTEM32\TP98.CPL (IBM Corp.)
1/24/2005 11:55:00 PM 118784 C:\WINDOWS\SYSTEM32\TpShCPL.cpl (IBM Corp.)
8/4/2004 5:30:00 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
8/4/2004 5:30:00 PM 162304 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/4/2003 11:35:14 AM R 73728 C:\WINDOWS\SYSTEM32\drivers\SCBaud.cpl (Socket Communications Inc.)

Checking for Downloaded Program Files...
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - Java Plug-in 1.4.2 - CodeBase = http://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - Java Plug-in 1.5.0 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab


----------



## s.roopam (Sep 28, 2006)

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/5/2006 2:14:52 PM 997 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk ()
10/7/2006 1:17:06 PM 1768 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
3/21/2006 12:48:32 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
10/26/2005 2:55:10 AM 493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
3/21/2006 12:37:36 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
8/10/2004 1:56:58 AM HS 84 C:\Documents and Settings\Roopam S\Start Menu\Programs\Startup\desktop.ini ()
8/31/2006 5:26:34 AM 661 C:\Documents and Settings\Roopam S\Start Menu\Programs\Startup\IPMSG for Win32.lnk ()
11/8/2005 11:29:48 AM 884 C:\Documents and Settings\Roopam S\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
8/10/2004 1:47:54 AM HS 62 C:\Documents and Settings\Roopam S\Application Data\desktop.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Search Bar - http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
\\Search Page - 
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - about:blank
\\Search Bar - http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar = ()

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
\{5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - = ()
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{30D02401-6A81-11D0-8274-00C04FD5AE38} - Search Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - = ()
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - = ()
\ShellBrowser\\{D49E9D35-254C-4C6A-9D17-95018D228FF5} - = ()
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Toolbar = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8192 = Sun Java Console
\\NEXTID - 8196
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 = 
\\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - 8194 = Yahoo! Messenger
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8195 = Windows Messenger

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = 
\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - ButtonText: Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{DEE12703-6333-4D4E-8F34-738C4DCC2E04} - RecordNow! SendToExt = C:\Program Files\IBM RecordNow!\shlext.dll ()
\\{5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = E:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = E:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = E:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = E:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = E:\Program Files\rpshell.dll (RealNetworks, Inc.)
\\{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)
\\{45AC2688-0253-4ED8-97DE-B5370FA7D48A} - Shell Extension for Malware scanning = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH)
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = E:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = E:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]
\igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Shell Extension for Malware scanning - {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll (H+BEDV Datentechnik GmbH)
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = E:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SynTPLpr - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
SynTPEnh - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
IgfxTray - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
HotKeysCmds - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
TPKMAPHELPER - C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
TpShocks - C:\WINDOWS\SYSTEM32\TpShocks.exe (IBM Corp.)
TPHOTKEY - C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
TP4EX - C:\WINDOWS\SYSTEM32\tp4ex.exe (IBM Corporation)
EZEJMNAP - C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (IBM Corp.)
UC_Start - C:\Program Files\IBM\Updater\ucstartup.exe ()
UC_SMB - Reg Data missing or invalid ()
dla - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
- Reg Data missing or invalid ()
IBMPRC - C:\IBMTOOLS\UTILS\ibmprc.exe (IBM Corp.)
QCWLICON - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (IBM Corp.)
PWRMGRTR - rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL ()
DXM6Patch_981116 - C:\WINDOWS\p_981116.exe (Microsoft Corporation)
LVCOMS - C:\WINDOWS\system32\LVCOMS.EXE ()
NeroCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
QuickTime Task - C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe (Apple Computer, Inc.)
avgnt - C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
WinampAgent - E:\programs\Winamp\winampa.exe ()
ibmmessages - C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
!ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
KernelFaultCheck - ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL	Installed = 1
MAPI	Installed = 1
MSFS	Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
googletalk - C:\Program Files\Google\Google Talk\googletalk.exe (Google)
ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
Yahoo! Pager - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE (Yahoo! Inc.)
Skype - E:\programs\Phone\Skype.exe ()
ibmmessages - C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Roopam S\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\Roopam S\Start Menu\Programs\Startup\IPMSG for Win32.lnk - C:\Program Files\IPMsg\ipmsg.exe (H.Shirouzu)
C:\Documents and Settings\Roopam S\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Microsoft Corporation)

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	0

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\Avant Browser - IEAK

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
\\WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} = C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\igfxcui - igfxsrvc.dll = (Intel Corporation)
\QConGina - QConGina.dll = (IBM Corp.)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\tphotkey - tphklock.dll = ()
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{9B1F6EE7-E4CA-46B1-9797-9EE3A170F987} - (Intel(R) PRO/Wireless 2200BG Network Connection)
{9D8685AB-BD74-43B2-A2EC-0AFEBCB8CDF6} - ()
{AD75BA91-895E-4EC8-9FC2-48822D45CD37} - (Broadcom NetXtreme Gigabit Ethernet)
{C676788F-D438-43B7-A845-A319E3811205} - (1394 Net Adapter)
{EB4A64C0-1A38-453B-A388-65E81853E8DF} - ()

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000016\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000017\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000018\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000019\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000020\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption - 
policies\system\\legalnoticetext - 
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - FF 00 00 00 
policies\System\\DisableRegistryTools - 0


----------



## s.roopam (Sep 28, 2006)

>>>>Output for AddOn file Security.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
Security Center\\FirstRunDisabled - 1
Security Center\\AntiVirusDisableNotify - 1
Security Center\\FirewallDisableNotify - 0
Security Center\\UpdatesDisableNotify - 0
Security Center\\AntiVirusOverride - 0
Security Center\\FirewallOverride - 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
BITS\\Type - 32
BITS\\Start - 3
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\DependOnService - RpcSs;
BITS\\DependOnGroup - 
BITS\\ObjectName - LocalSystem
BITS\\Description - Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
BITS\\FailureActions - 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 
BITS\Parameters\\ServiceDll - C:\WINDOWS\system32\qmgr.dll
BITS\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
SharedAccess\\DependOnGroup - 
SharedAccess\\DependOnService - Netman;WinMgmt;
SharedAccess\\Description - Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
SharedAccess\\DisplayName - Windows Firewall/Internet Connection Sharing (ICS)
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\system32\svchost.exe -k netsvcs
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Start - 2
SharedAccess\\Type - 32
SharedAccess\Epoch\\Epoch - 52664
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\IBM\Updater\jre\bin\java.exe - C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\IBM\Updater\jre\bin\javaw.exe - C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector
SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\IBM\Updater\ucsmb.exe - C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall - 1
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions - 0
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe - %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IBM\Updater\jre\bin\java.exe - C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IBM\Updater\jre\bin\javaw.exe - C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IBM\Updater\ucsmb.exe - C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YPager.exe - C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YServer.exe - C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Google\Google Talk\googletalk.exe - C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Microsoft Office\OFFICE11\ONENOTE.EXE - C:\Program Files\Microsoft Office\OFFICE11\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\IPMsg\ipmsg.exe - C:\Program Files\IPMsg\ipmsg.exe:*:Enabled:IPMsg English
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\programs\Flash MX\Flash.exe - E:\programs\Flash MX\Flash.exe:*:Enabled:Flash 6.0 r25
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\programs\BlueSoleil.exe - E:\programs\BlueSoleil.exe:*:Enabled:Bluetooth Application
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Program Files\TVU Player\TVUPlayer.exe - E:\Program Files\TVU Player\TVUPlayer.exe:*:Enabled:TVUPlayer
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\\\capitaline\clineplus\capitalineplus.exe - \\capitaline\clineplus\capitalineplus.exe:*:Enabled:capitalineplus.exe
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\NetMeeting\conf.exe - C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\GameHouse\TextTwist\TextTwist.exe - C:\Program Files\GameHouse\TextTwist\TextTwist.exe:*:Enabled:Super TextTwist
SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\programs\Phone\Skype.exe - E:\programs\Phone\Skype.exe:*:Enabled:Skype
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP - 1900:UDP:LocalSubNet:Enabledxpsp2res.dll,-22007
SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP - 2869:TCP:LocalSubNet:Enabledxpsp2res.dll,-22008
SharedAccess\Setup\\ServiceUpgrade - 1
SharedAccess\Enum\\0 - Root\LEGACY_SHAREDACCESS\0000
SharedAccess\Enum\\Count - 1
SharedAccess\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
wuauserv\\Type - 32
wuauserv\\Start - 2
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k netsvcs
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ObjectName - LocalSystem
wuauserv\\Description - Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
wuauserv\Parameters\\ServiceDll - C:\WINDOWS\system32\wuauserv.dll
wuauserv\Security\\Security - 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


----------



## s.roopam (Sep 28, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 11:50:36 AM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
E:\programs\BTNtService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
E:\programs\Winamp\winampa.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
E:\programs\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.4:3128
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load= E:\TCWIN45\PIPELINE\remind.exe C:\TCWIN45\PIPELINE\remind.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] E:\programs\Winamp\winampa.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Skype] "E:\programs\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\programs\BTNtService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
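
As an added, defender-side example (my own code, not a tool from this thread and not part of HijackThis), the script below parses the O4 (autostart) and O23 (service) lines of a HijackThis log like the one above into structured entries and flags the ones a reviewer looks at first: services with an unknown owner or a missing file, startup shortcuts whose target could not be resolved, and programs launched from a user-writable location such as a Desktop folder. The sample input is copied from the log above; the flag heuristics and the file-extension rule used to pull the launched path out of the command are assumptions of this example, not HijackThis behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Roopam S\Desktop\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\programs\BTNtService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

# Line shapes of the three entry types handled here (other HJT sections are skipped).
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+\\[^:]*): \[(?P<name>[^\]]*)\] (?P<command>.*)$')
STARTUP_RE = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<command>.*)$')
# Heuristic (assumption): the launched file is the first token ending in a runnable extension.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|lnk|cpl|scr))\b', re.IGNORECASE)
# Directories an ordinary user can write to; autostarts from here deserve a second look.
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Entry:
    kind: str            # "run", "startup" or "service"
    location: str        # registry key, startup folder, or service owner
    name: str
    command: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def executable(command: str) -> Optional[str]:
    """Best-effort extraction of the file that actually runs from a command field."""
    cmd = command.strip()
    if cmd.lower().startswith("rundll32 "):   # rundll32 <dll>,<entry>: the DLL is the code that runs
        cmd = cmd[len("rundll32 "):]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else None


def triage(entry: Entry) -> List[str]:
    """Review flags for one entry; an empty list means nothing stood out."""
    flags = []
    if entry.command.strip() == "?":
        flags.append("unresolved target")
    if "(file missing)" in entry.command.lower():
        flags.append("file missing")
    if entry.kind == "service" and entry.location.lower() == "unknown owner":
        flags.append("unknown owner")
    if entry.path and any(d in entry.path.lower() for d in USER_WRITABLE):
        flags.append("user-writable location")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if (m := RUN_RE.match(line)):
            e = Entry("run", m["hive"], m["name"], m["command"], executable(m["command"]))
        elif (m := STARTUP_RE.match(line)):
            e = Entry("startup", m["hive"], m["name"], m["command"], executable(m["command"]))
        elif (m := SERVICE_RE.match(line)):
            e = Entry("service", m["owner"], m["name"], m["command"], executable(m["command"]))
        else:
            continue
        e.flags = triage(e)
        entries.append(e)
    return entries


def flagged(text: str) -> dict:
    """Entry name -> flags, for every entry that needs a human to look at it."""
    return {e.name: e.flags for e in parse_hjt(text) if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

Run against the sample it reports the QuickTime task (launched from a Desktop folder), the Digital Line Detect shortcut (target `?`), the BlueSoleil service (unknown owner) and PsaSrv (unknown owner and file missing); the remaining entries produce no flags. A flag is a reason to look, not a verdict: every flagged entry in this log has a benign explanation, which is exactly the judgement the helper in this thread applies by hand.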


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

This worm deletes specific files in several anti-virus programs so they can't update. Try uninstalling and reinstalling your program and then see if you can update them successfully.


----------



## s.roopam (Sep 28, 2006)

Generally I use IE but sometimes use Avant Browser... do I need to do the Firefox thing also?


----------



## s.roopam (Sep 28, 2006)

Did both... uninstalled, restarted and reinstalled.

Still not updating.

*This is the report file which the antivirus generated as a result of the failure to update... have a look if you can make out anything.*

[10/9/2006 0:11:15] [INFO] [PLG] C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\
[10/9/2006 0:11:15] Command line for update application: "C:\Program Files\AntiVir PersonalEdition Classic\update.exe" --config-file="C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\update.conf" --install-path="C:\Program Files\AntiVir PersonalEdition Classic" 
[10/9/2006 0:11:15] User changed the logfile name to C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\LOGFILES\Upd-2006-10-8-18-41-15.log
[10/9/2006 0:11:15] Install Path: C:\Program Files\AntiVir PersonalEdition Classic\ Backup Dir: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\BACKUP\ Temp dir: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\
[10/9/2006 0:11:16] [INFO] [GUI] Start the Update GUI... Displaymode: 0
[10/9/2006 0:11:16] [INFO] [PLG] Keyfile: OK [FULL Mode]
[10/9/2006 0:11:16] [INFO] [PLG] Avira AntiVir PersonalEdition Classic
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |DisplayIcon
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |DisplayName
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |HelpLink
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |Publisher
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |UninstallString
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |URLInfoAbout
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |URLUpdateInfo
[10/9/2006 0:11:16] [INFO] [PLG] Registry entry created successful: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic |ModifyPath
[10/9/2006 0:11:17] The file C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:17] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] ERROR: The requested URL could not be retrieved
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] 
*ERROR*

[10/9/2006 0:11:17] 
*The requested URL could not be retrieved*

[10/9/2006 0:11:17] <HR noshade size="1px">
[10/9/2006 0:11:17]

[10/9/2006 0:11:17] While trying to retrieve the URL:
[10/9/2006 0:11:17] /upd/idx/master.idx
[10/9/2006 0:11:17]

[10/9/2006 0:11:17] The following error was encountered:
[10/9/2006 0:11:17] 

[10/9/2006 0:11:17]

[10/9/2006 0:11:17] *
[10/9/2006 0:11:17] Invalid URL
[10/9/2006 0:11:17] *
[10/9/2006 0:11:17]
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17]

[10/9/2006 0:11:17] Some aspect of the requested URL is incorrect. Possible problems:
[10/9/2006 0:11:17] 

[10/9/2006 0:11:17]
Missing or incorrect access protocol (should be `http://'' or similar)
[10/9/2006 0:11:17]
Missing hostname
[10/9/2006 0:11:17]
Illegal double-escape in the URL-Path
[10/9/2006 0:11:17]
Illegal character in hostname; underscores are not allowed
[10/9/2006 0:11:17]
[10/9/2006 0:11:17]

Your cache administrator is [email protected]. 
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] <HR noshade size="1px">
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] Generated Sun, 08 Oct 2006 19:53:48 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] 
[10/9/2006 0:11:17] There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx is corrupted!
[10/9/2006 0:11:17] Switching to next update server
[10/9/2006 0:11:18] The file C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:18] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:18] 
[10/9/2006 0:11:18] ERROR: The requested URL could not be retrieved
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19] 
*ERROR*

[10/9/2006 0:11:19] 
*The requested URL could not be retrieved*

[10/9/2006 0:11:19] <HR noshade size="1px">
[10/9/2006 0:11:19]

[10/9/2006 0:11:19] While trying to retrieve the URL:
[10/9/2006 0:11:19] /upd/idx/master.idx
[10/9/2006 0:11:19]

[10/9/2006 0:11:19] The following error was encountered:
[10/9/2006 0:11:19] 

[10/9/2006 0:11:19]

[10/9/2006 0:11:19] *
[10/9/2006 0:11:19] Invalid URL
[10/9/2006 0:11:19] *
[10/9/2006 0:11:19]
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19]

[10/9/2006 0:11:19] Some aspect of the requested URL is incorrect. Possible problems:
[10/9/2006 0:11:19] 

[10/9/2006 0:11:19]
Missing or incorrect access protocol (should be `http://'' or similar)
[10/9/2006 0:11:19]
Missing hostname
[10/9/2006 0:11:19]
Illegal double-escape in the URL-Path
[10/9/2006 0:11:19]
Illegal character in hostname; underscores are not allowed
[10/9/2006 0:11:19]
[10/9/2006 0:11:19]

Your cache administrator is [email protected]. 
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19] <HR noshade size="1px">
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19] Generated Sun, 08 Oct 2006 19:53:49 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19] 
[10/9/2006 0:11:19] There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx is corrupted!
[10/9/2006 0:11:19] Switching to next update server
[10/9/2006 0:11:20] The file C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:20] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] ERROR: The requested URL could not be retrieved
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] 
*ERROR*

[10/9/2006 0:11:20] 
*The requested URL could not be retrieved*

[10/9/2006 0:11:20] <HR noshade size="1px">
[10/9/2006 0:11:20]

[10/9/2006 0:11:20] While trying to retrieve the URL:
[10/9/2006 0:11:20] /upd/idx/master.idx
[10/9/2006 0:11:20]

[10/9/2006 0:11:20] The following error was encountered:
[10/9/2006 0:11:20] 

[10/9/2006 0:11:20]

[10/9/2006 0:11:20] *
[10/9/2006 0:11:20] Invalid URL
[10/9/2006 0:11:20] *
[10/9/2006 0:11:20]
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20]

[10/9/2006 0:11:20] Some aspect of the requested URL is incorrect. Possible problems:
[10/9/2006 0:11:20] 

[10/9/2006 0:11:20]
Missing or incorrect access protocol (should be `http://'' or similar)
[10/9/2006 0:11:20]
Missing hostname
[10/9/2006 0:11:20]
Illegal double-escape in the URL-Path
[10/9/2006 0:11:20]
Illegal character in hostname; underscores are not allowed
[10/9/2006 0:11:20]
[10/9/2006 0:11:20]

Your cache administrator is [email protected]. 
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] <HR noshade size="1px">
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] Generated Sun, 08 Oct 2006 19:53:50 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] 
[10/9/2006 0:11:20] There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx is corrupted!
[10/9/2006 0:11:20] Switching to next update server
[10/9/2006 0:11:21] The file C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:21] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] ERROR: The requested URL could not be retrieved
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] 
*ERROR*

[10/9/2006 0:11:21] 
*The requested URL could not be retrieved*

[10/9/2006 0:11:21] <HR noshade size="1px">
[10/9/2006 0:11:21]

[10/9/2006 0:11:21] While trying to retrieve the URL:
[10/9/2006 0:11:21] /upd/idx/master.idx
[10/9/2006 0:11:21]

[10/9/2006 0:11:21] The following error was encountered:
[10/9/2006 0:11:21] 

[10/9/2006 0:11:21]

[10/9/2006 0:11:21] *
[10/9/2006 0:11:21] Invalid URL
[10/9/2006 0:11:21] *
[10/9/2006 0:11:21]
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21]

[10/9/2006 0:11:21] Some aspect of the requested URL is incorrect. Possible problems:
[10/9/2006 0:11:21] 

[10/9/2006 0:11:21]
Missing or incorrect access protocol (should be `http://'' or similar)
[10/9/2006 0:11:21]
Missing hostname
[10/9/2006 0:11:21]
Illegal double-escape in the URL-Path
[10/9/2006 0:11:21]
Illegal character in hostname; underscores are not allowed
[10/9/2006 0:11:21]
[10/9/2006 0:11:21]

Your cache administrator is [email protected]. 
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] <HR noshade size="1px">
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] Generated Sun, 08 Oct 2006 19:53:52 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] 
[10/9/2006 0:11:21] There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx is corrupted!
[10/9/2006 0:11:21] Switching to next update server
[10/9/2006 0:11:22] The file C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:22] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] ERROR: The requested URL could not be retrieved
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] 
*ERROR*

[10/9/2006 0:11:22] 
*The requested URL could not be retrieved*

[10/9/2006 0:11:22] <HR noshade size="1px">
[10/9/2006 0:11:22]

[10/9/2006 0:11:22] While trying to retrieve the URL:
[10/9/2006 0:11:22] /upd/idx/master.idx
[10/9/2006 0:11:22]

[10/9/2006 0:11:22] The following error was encountered:
[10/9/2006 0:11:22] 

[10/9/2006 0:11:22]

[10/9/2006 0:11:22] *
[10/9/2006 0:11:22] Invalid URL
[10/9/2006 0:11:22] *
[10/9/2006 0:11:22]
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22]

[10/9/2006 0:11:22] Some aspect of the requested URL is incorrect. Possible problems:
[10/9/2006 0:11:22] 

[10/9/2006 0:11:22]
Missing or incorrect access protocol (should be `http://'' or similar)
[10/9/2006 0:11:22]
Missing hostname
[10/9/2006 0:11:22]
Illegal double-escape in the URL-Path
[10/9/2006 0:11:22]
Illegal character in hostname; underscores are not allowed
[10/9/2006 0:11:22]
[10/9/2006 0:11:22]

Your cache administrator is [email protected]. 
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] <HR noshade size="1px">
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] Generated Sun, 08 Oct 2006 19:53:53 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] 
[10/9/2006 0:11:22] There was a problem updating from the specified server: Validation error. File C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx is corrupted!
[10/9/2006 0:11:22] Switching to next update server
[10/9/2006 0:11:23] The file C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:23] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23] ERROR: The requested URL could not be retrieved
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23] 
*ERROR*

[10/9/2006 0:11:23] 
*The requested URL could not be retrieved*

[10/9/2006 0:11:23] <HR noshade size="1px">
[10/9/2006 0:11:23]

[10/9/2006 0:11:23] While trying to retrieve the URL:
[10/9/2006 0:11:23] /upd/idx/master.idx
[10/9/2006 0:11:23]

[10/9/2006 0:11:23] The following error was encountered:
[10/9/2006 0:11:23] 

[10/9/2006 0:11:23]

[10/9/2006 0:11:23] *
[10/9/2006 0:11:23] Invalid URL
[10/9/2006 0:11:23] *
[10/9/2006 0:11:23]
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23]

[10/9/2006 0:11:23] Some aspect of the requested URL is incorrect. Possible problems:
[10/9/2006 0:11:23] 

[10/9/2006 0:11:23]
Missing or incorrect access protocol (should be `http://'' or similar)
[10/9/2006 0:11:23]
Missing hostname
[10/9/2006 0:11:23]
Illegal double-escape in the URL-Path
[10/9/2006 0:11:23]
Illegal character in hostname; underscores are not allowed
[10/9/2006 0:11:23]
[10/9/2006 0:11:23]

Your cache administrator is [email protected]. 
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23] <HR noshade size="1px">
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23] Generated Sun, 08 Oct 2006 19:53:54 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:23] 
[10/9/2006 0:11:23] 
[10/9/2006 0:11:24] Critical error: Validation error. File C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\Update\AVUPDATE_4529464b\idx/master.idx is corrupted!
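
The log above is worth reading closely rather than taking "is corrupted!" at face value: the content the updater rejected as a corrupt master.idx is an HTML error page generated by a squid proxy (routerall.gim) that answered "Invalid URL" for the bare path /upd/idx/master.idx, so the index was never fetched from the update server at all. That matches the proxy settings the poster later identified as the cause. As an added example (my own code, not AntiVir's and not the poster's), the script below parses an update log in this format, collects the payload of each rejected index, and distinguishes "a proxy answered with an error page" from "the downloaded file really is corrupt or tampered". The sample log is a constructed, abridged version of the one above with the paths shortened; the message patterns it matches are taken from those lines and are assumed to hold for other logs in the same format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, abridged from the update log above (paths shortened): two update
# servers are tried, and each "corrupt" master.idx is really a squid error page.
SAMPLE_LOG = r"""[10/9/2006 0:11:16] [INFO] [PLG] Keyfile: OK [FULL Mode]
[10/9/2006 0:11:17] The file C:\AVUPDATE\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:17] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:17] While trying to retrieve the URL:
[10/9/2006 0:11:17] /upd/idx/master.idx
[10/9/2006 0:11:17] The following error was encountered:
[10/9/2006 0:11:17] *
[10/9/2006 0:11:17] Invalid URL
Missing hostname
[10/9/2006 0:11:17] Generated Sun, 08 Oct 2006 19:53:48 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:17] There was a problem updating from the specified server: Validation error. File C:\AVUPDATE\idx/master.idx is corrupted!
[10/9/2006 0:11:17] Switching to next update server
[10/9/2006 0:11:18] The file C:\AVUPDATE\idx/master.idx with the following content is erronous:
[10/9/2006 0:11:18] <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
[10/9/2006 0:11:18] Generated Sun, 08 Oct 2006 19:53:49 GMT by routerall.gim (squid/2.5.STABLE5)
[10/9/2006 0:11:19] There was a problem updating from the specified server: Validation error. File C:\AVUPDATE\idx/master.idx is corrupted!
[10/9/2006 0:11:24] Critical error: Validation error. File C:\AVUPDATE\idx/master.idx is corrupted!
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s?(?P<msg>.*)$")          # "[date time] message"
ERRONEOUS_RE = re.compile(r"^The file (?P<path>.+) with the following content is erronous:$")
VALIDATION_RE = re.compile(r"Validation error\. File (?P<path>.+) is corrupted!")
GENERATED_RE = re.compile(r"^Generated .+ by (?P<host>\S+) \((?P<software>[^)]+)\)$")  # squid footer


@dataclass
class Attempt:
    """One rejected download of the update index plus the content that was rejected."""
    path: str
    payload: List[str] = field(default_factory=list)

    @property
    def is_html(self) -> bool:
        # An index file never starts with markup; a DOCTYPE means something between
        # the client and the update server answered with a web page instead.
        return any(l.lower().startswith(("<!doctype", "<html")) for l in self.payload)

    def _after(self, marker: str) -> Optional[str]:
        """First non-decorative payload line following the line that starts with marker."""
        seen = False
        for l in self.payload:
            if seen and l not in ("", "*"):
                return l
            seen = seen or l.startswith(marker)
        return None

    @property
    def requested_url(self) -> Optional[str]:
        return self._after("While trying to retrieve the URL:")

    @property
    def proxy_error(self) -> Optional[str]:
        return self._after("The following error was encountered:")

    @property
    def proxy(self) -> Optional[Tuple[str, str]]:
        for l in self.payload:
            m = GENERATED_RE.match(l)
            if m:
                return m.group("host"), m.group("software")
        return None


@dataclass
class Report:
    attempts: List[Attempt] = field(default_factory=list)
    critical: bool = False


def parse_update_log(text: str) -> Report:
    report, current = Report(), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        msg = (m.group("msg") if m else raw).strip()   # forum-mangled lines lack the timestamp
        if msg.startswith("Critical error:"):
            report.critical = True
        if current is None:
            e = ERRONEOUS_RE.match(msg)
            if e:
                current = Attempt(path=e.group("path"))
        elif VALIDATION_RE.search(msg):                 # verdict line closes the attempt
            report.attempts.append(current)
            current = None
        else:
            current.payload.append(msg)
    if current is not None:                             # log cut off mid-attempt
        report.attempts.append(current)
    return report


def diagnose(text: str) -> str:
    report = parse_update_log(text)
    if not report.attempts:
        return "no index validation failures found"
    html = [a for a in report.attempts if a.is_html]
    if len(html) == len(report.attempts):
        a = next((x for x in html if x.proxy), html[0])
        host, software = a.proxy or ("unknown host", "unknown software")
        return (f"all {len(html)} attempts received an HTML error page instead of the index: "
                f"proxy {host} ({software}) answered '{a.proxy_error}' for '{a.requested_url}'; "
                "fix the client's proxy settings, the index itself was never fetched")
    return (f"{len(report.attempts) - len(html)} of {len(report.attempts)} attempts failed with "
            "non-HTML content: treat as real corruption or tampering and investigate the host")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The distinction matters for the response: an HTML page from a named proxy is a network configuration problem, while a rejected index that is not HTML is the case where the helper's worry about malware interfering with update files would apply and the host itself should be examined.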


----------



## Cookiegal (Aug 27, 2003)

Malware has probably corrupted that file.

Try uninstalling and reinstalling your anti-virus program.

Let me know how that goes please.


----------



## s.roopam (Sep 28, 2006)

Yes, did that earlier also... uninstalled, restarted, reinstalled the AntiVir PE Classic antivirus... but it's still not updating on click.


----------



## Cookiegal (Aug 27, 2003)

Are you able to update it manually from their site?


----------



## s.roopam (Sep 28, 2006)

Unable to locate updates...


----------



## Cookiegal (Aug 27, 2003)

Go to Start > Run: cmd

and then enter:

*chkdsk /f*

Let's see if that finds any problems and if you can update after.


----------



## s.roopam (Sep 28, 2006)

Please help... on doing cmd in Run and then entering chkdsk/f, this appeared:

C:\Document and Settings\Roopam S>chkdsk/f
The type of the file system is NTFS.
Cannot look current drive.

Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts?(Y/N)


----------



## Cookiegal (Aug 27, 2003)

Note the command is: chkdsk /f

The space between the k and the / is necessary.

Answer Yes to the question.


----------



## s.roopam (Sep 28, 2006)

Yes, done... still not updating.


----------



## Cookiegal (Aug 27, 2003)

Can you try doing a system restore to an earlier date and see if that fixes the problem?


----------



## s.roopam (Sep 28, 2006)

There are several restore points available, starting from September 30 '06 to October 16th. There are no restore points before 30th September... to what date should I restore it? And is there any chance of losing any data due to System Restore?


----------



## Cookiegal (Aug 27, 2003)

You would not lose data such as Word documents, e-mails or favourites, but you would have to reinstall any programs that you had installed.

Are you sure you have no points beyond September 30th? If not, try that one. If no joy you can just undo it to bring it back to the way it is now.

Let me know how it goes.


----------



## s.roopam (Sep 28, 2006)

Hey, thanks... got the problem solved, though I am unable to restore my system to any previous restore points... don't know what could be the reason for the inability of the system to restore. Yet the antivirus update problem was because of the proxy server settings which I had not changed... so now the antivirus is working fine. Yet there is some problem with the system as a whole because of which it is unable to restore to any previous point...


----------



## Cookiegal (Aug 27, 2003)

What happened when you tried the system restore? Did you get an error message?


----------



## s.roopam (Sep 28, 2006)

Yes, they said no restore point available, hence the system cannot be restored to any previous setting.....
I have created one more big problem, due to which I am unable to use any application of MS Office (MS Office 2003 Professional Edition). The license and installation CD are with our system administrator.
A few days back my Excel was not working OK, so in an attempt to make it work OK I clicked the "Detect and Repair" button under the Excel Help menu.
It started some Office setup and later on asked for the original installation files or the installation CD.
I had nothing, so I cancelled it.
Since then I am unable to run any of the MS Office applications properly.
Every time I start an application, the same installation starts and creates a lot of trouble...
Any way to get out of it without that CD?
Help please.


----------



## Cookiegal (Aug 27, 2003)

Download GMER from http://www.gmer.net

Save it somewhere safe & unzip it to desktop

Double click the gmer.exe to run it and select the rootkit tab, press scan and when it has finished press save and copy the log back here please.


----------



## s.roopam (Sep 28, 2006)

It's a 790-page log... how to paste it here?


----------



## Cookiegal (Aug 27, 2003)

You must have clicked on "show all". I only wanted the rootkit portion.


----------



## s.roopam (Sep 28, 2006)

GMER 1.0.12.11879 - http://www.gmer.net
Rootkit scan 2006-11-05 13:30:19
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A8ED7C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A8ED47C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A8ED060A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A8ED0AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A8EDB958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A8EDE821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA  A8EE738A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A8EE6D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A8EE0BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A8EE1331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A8EEF4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A8ED7B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A8ED3948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A8EDD46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A8EEE79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A8EEDC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A8ED42FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A8EEE1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A8EE91F9
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA2CD6B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA2CD6B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA2CD6B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA2CD6B0] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AA2CD6B0] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [AA2CD84C] tfsnifs.sys

---- Files - GMER 1.0.12 ----

ADS E:\ALL MUSIC\VIDEOS\golu ronnie duet.mpg:SummaryInformation 
ADS E:\ALL MUSIC\VIDEOS\golu ronnie duet.mpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----


----------



## s.roopam (Sep 28, 2006)

Can you make out anything from this log? Facing a real big problem with MS Office and all its applications.


----------



## Cookiegal (Aug 27, 2003)

Is this a company computer?


----------



## s.roopam (Sep 28, 2006)

Nope... it's personal... anyway, solved the MS Office problem through its original installation CD.


----------



## Cookiegal (Aug 27, 2003)

OK then. Thanks for letting me know.


----------

