# Solved: cpu usage 100% all the time



## ras1 (Jul 13, 2005)

My daughter has a 2 year old dell inspiron laptop with XP and has been complaining that it is very slow.I wasn't too surprised as she runs a heck of a lot of music
on it.However I looked at it today when she was out.[I did tell her I would]

Oh my god. 45 processes running,and cpu constantly on 100%!No wonder
it is slow.First of all she is using Ezula,sahagent,mywebsearch,funtoolbar,and
virtual bouncer.I will wait till she comes in before advising her to get rid.

I guess that the cpu at 100% is not good all the time?By removing those programs,will that reduce the cpu usage?She has amongst her many processes NOPBD and PCTSPK both of which can use from 80 to 100% of her
cpu capacity.I don't know if these ones are doing that,but how can I disable them please?

Also how can I reduce the many processes she has running-I use w2k so 
am not familiar with what xp needs on start up-but it seems a lot more than mine.SO how can I stop them from starting please.

When she comes in I will also d/l spybot,ewido etc to see if it is more than just adware and spyware that she has giving probs.


----------



## mattFleming (Jul 29, 2005)

First... try running pandas online virus scan: www.pandasoftware.com/activescan .

Next.. Run Adaware and delete all the crap that comes up

Finally.. post up a Hijack this logfile. I believe people will take a look at them here.

-Matt


----------



## ras1 (Jul 13, 2005)

Sorry Matt I ran adaware first and then pandasoft-hope it doesn't make a difference?
Adaware found over 320 different probs -all sorted now.Panda found nothing.

I have added the Hijack this as you suggested-the 010 entries are interesting and help
to explain her troubles!I am not familiar with XP and notice that it is in a temp file.How can I transfer it to "program files".

Maria Stewart
Logfile of HijackThis v1.99.1
Scan saved at 19:35:13, on 09/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\1pe7aa03\1pe7aa03.exe
C:\windows\system32\rlvknlg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\1pe7aa03\1pe7aa03.exe
C:\Program Files\1pe7aa03\49209024.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe
C:\Documents and Settings\mariac\Local Settings\Temp\Temporary 
Directory 1 for
hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.ntlworld.com/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = 
Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {00000000-0000-4AA0-8964-C92242E82065} - 
C:\Program
Files\1pe7aa03\1pe7aa03.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program 
Files\Real\RealPlayer\RealPlay.exe
SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD 
Creator
5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection
Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton 
SystemWorks\Norton
Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE 
/STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program 
Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program 
Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [navapp] C:\Program
Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [1pe7aa03] C:\Program Files\1pe7aa03\1pe7aa03.exe
O4 - HKLM\..\Run: [OSS] C:\windows\system32\rlvknlg.exe -boot
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program 
Files\Gearbox
Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" 
/background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GoBack.lnk = C:\Program 
Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP -
C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP -
C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} -
C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - 
{FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) -
http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer 
Class) -
http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - 
HKLM\System\CCS\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}:
NameServer = 194.168.4.100 194.168.8.100
O17 - 
HKLM\System\CS1\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}:
NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation 
-
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - 
Symantec
Corporation - C:\Program Files\Common Files\Symantec 
Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program 
Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation -
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - 
C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - 
Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec
Corporation - C:\Program Files\Norton SystemWorks\Norton
Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation -
C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec 
Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe


----------



## D_Trojanator (May 13, 2005)

This should really be moved to security as you will get the best help there!
David


----------



## ras1 (Jul 13, 2005)

Cor-give the ink time to dry!!1
Do I move it to security or do the admin?


----------



## JohnWill (Oct 19, 2002)

ras1 said:


> Cor-give the ink time to dry!!1
> Do I move it to security or do the admin?


Does that answer your question?


----------



## ~Candy~ (Jan 27, 2001)

Please go to add/remove programs and see if you can uninstall NEWDOT.net.

And the thread has already been moved


----------



## bassetman (Jun 7, 2001)

EAFiedler moved this to security!


----------



## ~Candy~ (Jan 27, 2001)

Are WE all over this or what? 

Cookiegal, you're up next


----------



## bassetman (Jun 7, 2001)

AcaCandy said:


> Are WE all over this or what?
> 
> Cookiegal, you're up next


Hehe, I barely get the notice and ea already has it moved!


----------



## Cookiegal (Aug 27, 2003)

Please copy and paste the HijackThis program into a separate folder of it's own, not in the Temporary files, so that it functions properly.

Uninstall NewDotNet from the Control Panel as Candy mentioned. If that doesn't uninstall it then do this:

*here* and scroll to the bottom of the page to *Procedure 4* and download and run the New.Net uninstaller.

Download Cleanup from *Here* 

 A window will open and choose *SAVE*, then *DESKTOP* as the destination.
 On your Desktop, click on *Cleanup40.exe icon.*
 Then, click *RUN* and place a checkmark beside "*I Agree*"
 Then click *NEXT* followed by *START* and *OK.*
 A window will appear with many choices, *keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.*
 Click* OK*
 *DO NOT RUN IT YET*

Download the trial version of Ewido Security Suite *here*.
Install ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

*Click here* for info on how to boot to safe mode if you don't already know how.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop

Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once its done, *close the program*.

Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Restart back into Windows normally now.

Do an on-line scan:

*Housecall*

Reboot and post another log but please don't edit it as the last one was difficult to read. When using Notepad be sure click on Format and make sure that "word wrap" has a check mark beside it.


----------



## ras1 (Jul 13, 2005)

Thanks for all of your help.My daughter has all her work on the computer [she is going for her msc. and has to have the work completed this week,so she is kind of tight on time for me to d/l and fix her pc.Not only that I think she is worried that by cleaning it out,some of her work might go out with it and wants to finish her course first.
Understandable I guess,so I may not be able to do too much for a day or two.But it
will need to be sorted and then I will need all the help I can get since I didn't edit the first scan,and getting into safe mode with her pc is different to mine.


----------



## ~Candy~ (Jan 27, 2001)

Nothing we have you do is going to destroy her work 

Most all pcs arrive in safe mode by tapping the f8 key and choosing safe mode.


----------



## Cookiegal (Aug 27, 2003)

Has she uninstalled NewdotNet? If not, there is always the possibility that she will lose her Internet connection. I think it's best to have her download this small program that will regain her connection, if that should happen.

This is only to be used if she loses her Internet connection:

Download the LSP Fix and run it to get the connection back and click the "I know what I'm doing" checkbox. (Don't do anything else)

Then click Finish.

http://cexx.org/lspfix.htm


----------



## ras1 (Jul 13, 2005)

Thanks for that Cookiegal-I didn't know that was possible.
I'll try after she has gone to sleep.At the moment their is a twelve mile exclusion area around her pc.


----------



## ~Candy~ (Jan 27, 2001)

ras1 said:


> At the moment their is a twelve mile exclusion area around her pc.


Lol, now that made me laugh today


----------



## Cookiegal (Aug 27, 2003)

You'd better be careful, there may be some traps set up in there.


----------



## ~Candy~ (Jan 27, 2001)

Or land mines?


----------



## Cookiegal (Aug 27, 2003)

And watch out for the webcam!


----------



## ras1 (Jul 13, 2005)

Fortunately this daughter is fairly gentle.My elder one-oh my God!! An exocet missile is the minimum response.I thought she might mellow with age.....

Cannot get access to the internet on her computer as it is password protected.Cannot
even move H/T from its present position.as the folder it is in is also PW/PD


----------



## bassetman (Jun 7, 2001)

AcaCandy said:


> Nothing we have you do is going to destroy her work
> 
> Most all pcs arrive in safe mode by tapping the f8 key and choosing safe mode.


Ctrl key on others.


----------



## Cookiegal (Aug 27, 2003)

Would you like to proceed and fix what we can without going on-line? If so, can you post another HijackThis log please?


----------



## ras1 (Jul 13, 2005)

It took me ages to do almost everything-there was nothing at the bottom of ewido to 
enable a report to be done.Suffice to say it found 120 plus items to delete or quarantine.The first report will be Spyware Check 3 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet. 
Results:
We have detected 12 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 9 spyware(s) passed, 0 spyware(s) no action available 
- 3 spyware(s) removed, 0 spyware(s) unremovable 
Spyware Name Spyware Type Action Taken 
ADW_MIWAY.A Adware Removal successful 
COOKIE_611 Cookie Pass 
COOKIE_1020 Cookie Pass 
COOKIE_1802 Cookie Pass 
COOKIE_2250 Cookie Pass 
COOKIE_2275 Cookie Pass 
COOKIE_2817 Cookie Pass 
COOKIE_2842 Cookie Pass 
COOKIE_3189 Cookie Pass 
ADW_TARGETSAV.A Adware Removal successful 
COOKIE_3235 Cookie Pass 
ADW_SIDESEARCH.A Adware Removal successful

Microsoft Vulnerability Check 28 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix. 
Results:
We have detected 28 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix 
Critical This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). Shell vulnerability exists on the way Windows Shell launches applications that could enable remote malicious user or malware to execute arbitrary code. Windows Shell function does not properly check the length of the message before copying to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. MS04-037 
Critical This is a remote code execution vulnerability that exists in the Internet Explorer. It allows remote code execution on an affected system. An attacker could exploit this vulnerability by constructing a malicious Web Page. The said routine could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. MS04-038 
Critical This security update addresses and resolves a vulnerability in Internet Explorer that could allow remote code execution. A Web page can be crafted to exploit this vulnerability such that an arbitrary application can be executed on visiting systems with the same priviledge as the currently logged on user. MS04-040 
Important This security advisory explains the two discovered vulnerabilities in Microsoft Word for Windows 6.0 Converter, which is used by WordPad in converting Word 6.0 to WordPad file format. Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. MS04-041 
Important This security update addresses and resolves two windows vulnerabilites, both of which may enable the current user to take control of the affected system. Both of these vulnerabilites require that the curernt user be able to log on locally and execute programs. They cannot be exploited remotely, or by anonymous users. A privilege elevation vulnerability exists in the way that the Windows Kernel launches applications. This vulnerability could allow the current user to take complete control of the system. A privilege elevation vulnerability exists in the way that the LSASS validates identity tokens. This vulnerability could allow the current user to take complete control of the affected system. MS04-044 
Critical This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. MS05-001 
Critical This update resolves several newly-discovered, privately reported and public vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, install programs, view, change, or delete data, or create new accounts that have full privileges. MS05-002 
Important This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition. MS05-003 
Important This is an information disclosure vulnerability. An attacker who successfully exploits this vulnerability could remotely read the user names for users who have an open connection to an available shared resource. MS05-007 
Important This remote code execution vulnerability exists in the way Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the users system if a user visited a malicious Web site or viewed a malicious e-mail message. MS05-008 
Critical This remote code execution vulnerability exists in Server Message Block (SMB). It allows an attacker who successfully exploits this vulnerability to take complete control of the affected system. MS05-011 
Critical This privilege elevation vulnerability exists in the way that the affected operating systems and programs access memory when they process COM structured storage files. This vulnerability could grant a currently logged-on user to take complete control of the system.;This remote code execution vulnerability exists in OLE because of the way that it handles input validation. An attacker could exploit the vulnerability by constructing a malicious document that could potentially allow remote code execution. MS05-012 
Critical This vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. MS05-013 
Critical This update resolves known vulnerabilities affecting Internet Explorer. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-014 
Critical A remote code execution vulnerability exists in the Hyperlink Object Library. This problem exists because of an unchecked buffer while handling hyperlinks. An attacker could exploit the vulnerability by constructing a malicious hyperlink which could potentially lead to remote code execution if a user clicks a malicious link within a Web site or e-mail message. MS05-015 
Important A remote code execution vulnerability exists in the Windows Shell because of the way that it handles application association. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability. MS05-016 
Important This security bulletin resolves newly-discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-018 
Critical This security bulletin resolves newly discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding. MS05-019 
Critical This security bulletin resolves three newly-discovered, privately-reported vulnerabilities affecting Internet Explorer. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-020 
Critical This security bulletin resolves the following vulnerabilities affecting Internet Explorer.; The PNG Image Rendering Memory Corruption vulnerability could allow an attacker to execute arbitrary code on the system because of a vulnerability in the way Internet Explorer handles PNG images.; The XML Redirect Information Disclosure vulnerability could allow an attacker to read XML data from another Internet Explorer domain because of a vulnerability in the way Internet Explorer handles certain requests to display XML content. MS05-025 
Critical HTML Help is the standard help system for the Windows platform. Authors can use it to create online Help files for a software application or content for a multimedia title or a Web site. This vulnerability in HTML Help could allow attackers to execute arbitrary code on the affected system via a specially crafted Compiled Windows Help (CHM) file, because it does not completely validate input data. MS05-026 
Critical A remote code execution vulnerability exists in the Microsofts implementation of the Server Message Block (SMB) protocol, which could allow an attacker to execute arbitrary codes to take complete control over a target system. This vulnerability could be exploited over the Internet. An attacker would have to transmit a specially crafted SMB packet to a target system to exploit it. However, failure to successfully exploit the vulnerability could only lead to a denial of service. MS05-027 
Important A vulnerability exists in the way that Windows processes Web Client requests, which could allow a remote attacker to execute arbitrary code and take complete control over the affected system. MS05-028 
Important A remote code execution vulnerability exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit this vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news. MS05-030 
Moderate This vulnerability could enable an attacker to spoof trusted Internet content because security prompts can be disguised by a Microsoft Agent character. MS05-032 
Moderate This vulnerability in the Microsoft Telnet client could allow an attacker to gain sensitive information about the affected system and read the session variables of users who have open connections to a malicious Telnet server. MS05-033 
Critical This vulnerability could allow a remote attacker to execute arbitrary codes on the affected system via a malicious image file in a Web site or email message. This vulnerability exists because of the way Microsoft Color Management Module handles ICC profile format tag validation. MS05-036 
Critical A COM object, the JView Profiler (Javaprxy.dll), contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system by hosting a malicious Web site. MS05-037

....................................................................................................................

Logfile of HijackThis v1.99.1
Scan saved at 14:40:12, on 11/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mariac\Local Settings\Temp\Temporary Directory 2 for hijackthis_1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {00000000-0000-4BB3-95C1-45C40442E301} - C:\Program Files\1pe7aa03\1pe7aa03.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [1pe7aa03] C:\Program Files\1pe7aa03\1pe7aa03.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe


----------



## ras1 (Jul 13, 2005)

I've just remembered that on housecall,I think,[sorry I was doing this very late last night] I got this message "C:\programfiles\nortonsystemworks\nortoncleansweep\backup\caxo946BUD/windows/download programfiles/WUinst.dll cannot be removed because it is embedded in the archive of C:\programfilesetc etc,......do you want to remove the whole archive?"I clicked no,but was that the right option?


----------



## Cookiegal (Aug 27, 2003)

Go to the forum *here* and upload this (these) file(s):

*C:\Program Files\1pe7aa03\1pe7aa03.exe *

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## Cookiegal (Aug 27, 2003)

Those warnings in the vulnerability check mean that she is way behind on her Microsoft critical updates and patches thereby leaving some security holes unpatched.


----------



## ras1 (Jul 13, 2005)

Thanks for getting back to me Cookiegal. I will spank her later about the updates and I have d/ld a fire wall for her.
I will need some help tho with this file.I cannot drag the file from its position in program files to the forum window.Do I just write it in after I have located it,or is there something else I have to do.I couldn't even copy and paste it to notepad first.
Also there is no 1pe7aa03.exe in the folder.Inside there are about 11 files and another folder[?]named 1pe7aa031


----------



## ras1 (Jul 13, 2005)

To help perhaps,inside the 03 folder are 1folder,7 dlls,2 text documents and what looks like the code bar that supermarket tills register read for the price,a bin file and a dat file.
In the 031 folder is a dll file and a green coloured rectangle with the letters
c
s
AOL
L D R only the c and s are much closer together,and I think it says aol but its difficult to read as the letters are similar in colour to the green background.

One of the text documents is legible

csie_usb_patterns.bin|ab5fb406|400000|
csie_usb_campaigns.bin|f64bc8ca|10000|
csie_usb_rules.dat|b162459a|200|
csie_tsb_patterns.bin|1b19781e|5000|
csie_tsb_campaigns.bin|2ead3c30|500|
csie_tsb_edomains.bin|e11c521d|10000|
csie_tsb_rules.dat|e5233cad|500|
csie_ron_campaigns.bin|7bd08ff7|5000|
csie_ron_rules.dat|c3b46691|500|
csie_mpu_mirrors.bin|9845940e|1000|
csie_mpu_rules.dat|7096ac2e|500|
csie_dictionary_english.bin|636b3ea6|300000|
csie_ss_edomains.bin|bd06dd43|1000|
csie_ss_idomains.bin|aff4dc98|1000|
csie_ss_rules.dat|93b39797|600|
csie_promos.bin|05149822|3000|
csie_servers.bin|737b3de7|300|
end|

In google, csie is either some computer science facility or part of the clear search scum
bag ware.And she did have clear search on her computer.


----------



## Cookiegal (Aug 27, 2003)

This may make it easier to locate that file:

Configure your computer to show all hidden files and folders like so:

Go to Start - Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

Next, click on My Computer, Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders." Click "Apply" and then "OK."

To upload the file:

Once you've started your new thread at thespykiller forum, Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file there.


----------



## ras1 (Jul 13, 2005)

I found it in windows\prefetch thanks.However I ran the cursor over one of the dlls and the legend said it was a loader/updater and the company was clear search.Is it worth putting it to the other forum when it now seems clear it is spyware?


----------



## ras1 (Jul 13, 2005)

bump


----------



## ~Candy~ (Jan 27, 2001)

Cookiegal isn't online yet today, she will get back to you.


----------



## Cookiegal (Aug 27, 2003)

Anything in the prefetch folder can be deleted.

Go to Control Panel - Add/Remove programs and remove:

*NavExcel or NavHelper*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

*
O2 - BHO: (no name) - {00000000-0000-4BB3-95C1-45C40442E301} - C:\Program Files\1pe7aa03\1pe7aa03.dll (file missing)

O4 - HKLM\..\Run: [navapp] C:\Program 
Files\NavExcel\NavHelper\v2.0.4d\navapp.exe

O4 - HKLM\..\Run: [1pe7aa03] C:\Program Files\1pe7aa03\1pe7aa03.exe
Insert entries to be deleted
*

Then boot to safe mode:

*Click here* for info on how to boot to safe mode.

Locate and delete these folders:

C:\Program Files\*1pe7aa03*

O4 - HKLM\..\Run: [navapp] C:\Program 
Files\*NavExcel*

Reboot and post another HijackThis log please.


----------



## ras1 (Jul 13, 2005)

Hi cookiegal-thanks for your advice.Could not find Nav anything in add/remove,nor in
program files or hidden files using the search function after I fixed it on HJT.How does the scan look now?

Logfile of HijackThis v1.99.1
Scan saved at 01:56:37, on 13/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe
C:\Documents and Settings\mariac\Local Settings\Temp\Temporary Directory 5 for hijackthis_1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


----------



## Cookiegal (Aug 27, 2003)

It looks good now. How's everything running?


----------



## ~Candy~ (Jan 27, 2001)

Just a suggestion, I'd slim down on some of the (04) startup items. Many are not necessary and only bogs down your startup time. Those can be turned off via start, run, type msconfig and hit enter, go to the startup tab and uncheck.


----------



## ras1 (Jul 13, 2005)

Thankyou very much,Cookiegal for all your help-I couldn't have done it without you.I 
haven't done too much on her computer but it still doesn't seem quite up to speed yet.I have got her processes down to 38 from 47 or so,and almost 10,000 threads on the go,so perhaps the speed is not too surprising,tho she appears to have enough memory.
I agree with you Acacandy,but its hard to know what to remove safely .I still have a few things I might try but heaven knows what she has been doing since Ewido and Adaware between them removed almost 500 items .I rescanned with ewido again today and it found another 30 or so items`quite a lot were cookies but others were not.Possibly not deleted completely from the first scan?
Not sure if there is much more you can do at your end.I will let her loose with it again and if everything is fine for her in a few days I will mark it as solved.
Once again thankyou so much for all your help.


----------



## Cookiegal (Aug 27, 2003)

Please post the log from the latest Ewido scan.

Also, do another scan from Panda and post that log too please.


----------



## ras1 (Jul 13, 2005)

having probs with panda,but here is the last scan from ewido

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 04:47:40, 13/08/2005
+ Report-Checksum: 7F22D9FD

+ Scan result:

C:\Documents and Settings\mariac\Cookies\[email protected][2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\mariac\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\mariac\Local Settings\Temp\temp.frE9D9 -> Spyware.ClearSearch : Cleaned with backup
C:\Documents and Settings\mariac\Local Settings\Temp\temp.frF8EB\TvmBho.dll -> Spyware.TotalVelocity : Cleaned with backup
C:\Documents and Settings\mariac\Local Settings\Temp\temp.frF8EB\TvmCore.dll -> Spyware.TotalVelocity : Cleaned with backup
C:\Documents and Settings\mariac\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\mariac\My Documents\My Pictures\21odhr0b.exe -> Spyware.F1Organizer : Cleaned with backup
C:\Documents and Settings\mariac\My Documents\My Pictures\uninstall6_76.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\cax0946.BUD/WINDOWS/Downloaded Program Files/WUInst.dll -> Adware.SaveNow : Error during cleaning
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\cax0946.BUD/WINDOWS/SYSTEM32/cax.dll -> TrojanDownloader.Small.fy : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059703.dll -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059704.exe -> Backdoor.Ruledor.g : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059705.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059706.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059707.exe -> Spyware.Quick : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059708.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059709.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059710.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059711.dll -> TrojanDownloader.Rameh.c : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059712.dll -> Spyware.RK : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059713.exe -> Spyware.RK : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059714.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059715.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP232\A0059716.dll -> Spyware.VirtualBouncer : Cleaned with backup

::Report End


----------



## Cookiegal (Aug 27, 2003)

What happens when you try to scan with Panda?

Turn off system restore:

On the Desktop, right-click *My Computer. *

Click *Properties*.

Click the *System Restore tab*.

Check *Turn off System Restore*.

Click *Apply*, and then click *OK. *

Restart your computer.

*Click here* and do an on-line virus scan.

Reboot to safe mode:

*How to boot to safe mode*

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## ras1 (Jul 13, 2005)

Panda is not compatible with the microsoft xp home version so I had to download a 
program from Microsoft.My daughter has not visited Microsoft ever,so I needed to validate the program.strong letter sent as I bought the computer brand new from Dell
2 years ago -who can find documents from that time-even if my daughter had been here.So no scan yet.So thats why the first scan was registerd as clear-because they couldn't do it.

Anyhow,I did every thing else you asked,and the scan report follows.
BTW I went back and turned the system restore back on as Zone labs is reporting 
the computer is being probed every couple of minutes at the moment so I want all 
the defences I can get till they give up.Was it ok for me to restore?

housecall Scan 
1 virus detected 


Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer. Only 0 out of 0 infected files are displayed. 
Detected File Associated Virus Name 
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\cax0946.BUD 
- WINDOWS\SYSTEM32\cax.dll TROJ_SMALL.FY 




Trojan/Worm Check No worm/Trojan horse detected 

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer. 
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type 




Spyware Check 2 spyware programs detected 

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet. 
Results:
We have detected 2 spyware(s) on your computer. Only 0 out of 0 spywares are displayed. 
Spyware Name Spyware Type 
COOKIE_650 Cookie 
COOKIE_2275 Cookie 




Microsoft Vulnerability Check 28 vulnerabilities detected 

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix. 
Results:
We have detected 28 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed. 
Risk Level Issue How to Fix 
Critical This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). Shell vulnerability exists on the way Windows Shell launches applications that could enable remote malicious user or malware to execute arbitrary code. Windows Shell function does not properly check the length of the message before copying to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. MS04-037 
Critical This is a remote code execution vulnerability that exists in the Internet Explorer. It allows remote code execution on an affected system. An attacker could exploit this vulnerability by constructing a malicious Web Page. The said routine could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability. MS04-038 
Critical This security update addresses and resolves a vulnerability in Internet Explorer that could allow remote code execution. A Web page can be crafted to exploit this vulnerability such that an arbitrary application can be executed on visiting systems with the same priviledge as the currently logged on user. MS04-040 
Important This security advisory explains the two discovered vulnerabilities in Microsoft Word for Windows 6.0 Converter, which is used by WordPad in converting Word 6.0 to WordPad file format. Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. MS04-041 
Important This security update addresses and resolves two windows vulnerabilites, both of which may enable the current user to take control of the affected system. Both of these vulnerabilites require that the curernt user be able to log on locally and execute programs. They cannot be exploited remotely, or by anonymous users. A privilege elevation vulnerability exists in the way that the Windows Kernel launches applications. This vulnerability could allow the current user to take complete control of the system. A privilege elevation vulnerability exists in the way that the LSASS validates identity tokens. This vulnerability could allow the current user to take complete control of the affected system. MS04-044 
Critical This update resolves a newly-discovered, publicly reported vulnerability. A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. MS05-001 
Critical This update resolves several newly-discovered, privately reported and public vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, install programs, view, change, or delete data, or create new accounts that have full privileges. MS05-002 
Important This update resolves a newly-discovered, privately reported vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full privileges. While remote code execution is possible, an attack would most likely result in a denial of service condition. MS05-003 
Important This is an information disclosure vulnerability. An attacker who successfully exploits this vulnerability could remotely read the user names for users who have an open connection to an available shared resource. MS05-007 
Important This remote code execution vulnerability exists in the way Windows handles drag-and-drop events. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the users system if a user visited a malicious Web site or viewed a malicious e-mail message. MS05-008 
Critical This remote code execution vulnerability exists in Server Message Block (SMB). It allows an attacker who successfully exploits this vulnerability to take complete control of the affected system. MS05-011 
Critical This privilege elevation vulnerability exists in the way that the affected operating systems and programs access memory when they process COM structured storage files. This vulnerability could grant a currently logged-on user to take complete control of the system.;This remote code execution vulnerability exists in OLE because of the way that it handles input validation. An attacker could exploit the vulnerability by constructing a malicious document that could potentially allow remote code execution. MS05-012 
Critical This vulnerability exists in the DHTML Editing Component ActiveX Control. This vulnerability could allow information disclosure or remote code execution on an affected system. MS05-013 
Critical This update resolves known vulnerabilities affecting Internet Explorer. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-014 
Critical A remote code execution vulnerability exists in the Hyperlink Object Library. This problem exists because of an unchecked buffer while handling hyperlinks. An attacker could exploit the vulnerability by constructing a malicious hyperlink which could potentially lead to remote code execution if a user clicks a malicious link within a Web site or e-mail message. MS05-015 
Important A remote code execution vulnerability exists in the Windows Shell because of the way that it handles application association. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability. MS05-016 
Important This security bulletin resolves newly-discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-018 
Critical This security bulletin resolves newly discovered, privately-reported vulnerabilities affecting Windows. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding. MS05-019 
Critical This security bulletin resolves three newly-discovered, privately-reported vulnerabilities affecting Internet Explorer. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS05-020 
Critical This security bulletin resolves the following vulnerabilities affecting Internet Explorer.; The PNG Image Rendering Memory Corruption vulnerability could allow an attacker to execute arbitrary code on the system because of a vulnerability in the way Internet Explorer handles PNG images.; The XML Redirect Information Disclosure vulnerability could allow an attacker to read XML data from another Internet Explorer domain because of a vulnerability in the way Internet Explorer handles certain requests to display XML content. MS05-025 
Critical HTML Help is the standard help system for the Windows platform. Authors can use it to create online Help files for a software application or content for a multimedia title or a Web site. This vulnerability in HTML Help could allow attackers to execute arbitrary code on the affected system via a specially crafted Compiled Windows Help (CHM) file, because it does not completely validate input data. MS05-026 
Critical A remote code execution vulnerability exists in the Microsofts implementation of the Server Message Block (SMB) protocol, which could allow an attacker to execute arbitrary codes to take complete control over a target system. This vulnerability could be exploited over the Internet. An attacker would have to transmit a specially crafted SMB packet to a target system to exploit it. However, failure to successfully exploit the vulnerability could only lead to a denial of service. MS05-027 
Important A vulnerability exists in the way that Windows processes Web Client requests, which could allow a remote attacker to execute arbitrary code and take complete control over the affected system. MS05-028 
Important A remote code execution vulnerability exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit this vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news. MS05-030 
Moderate This vulnerability could enable an attacker to spoof trusted Internet content because security prompts can be disguised by a Microsoft Agent character. MS05-032 
Moderate This vulnerability in the Microsoft Telnet client could allow an attacker to gain sensitive information about the affected system and read the session variables of users who have open connections to a malicious Telnet server. MS05-033 
Critical This vulnerability could allow a remote attacker to execute arbitrary codes on the affected system via a malicious image file in a Web site or email message. This vulnerability exists because of the way Microsoft Color Management Module handles ICC profile format tag validation. MS05-036 
Critical A COM object, the JView Profiler (Javaprxy.dll), contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system by hosting a malicious Web site. MS05-037


----------



## Cookiegal (Aug 27, 2003)

I hope you didn't actually "do" a system restore but just turned it back on.

So there were only a couple of cookies found but more importantly, a bunch of critical Microsoft updates. Since she hasn't been there, as you said, she will need to get those ASAP but only after we're sure the system is clean.

Panda should work with XP home. Is it possible you didn't allow the ActiveX control to download?


----------



## ras1 (Jul 13, 2005)

No I didn't do the system restore,just restored the computer to its former settings.

However,I had a major problem I think.When I went to switch on her pc just now,I got a blue screen come up with advice that a problem has been detected and windows shut down to prevent damage.Carries on to say that if this is the first time this stop error has occurred [it is],restart the computer.
{the error was 0x0000007E [0xc0000005, 0x804 ,D8A65,0xF96E0c04,
oxFG96E0904

I pressed every button I could see but the computer just would not shut down.In the end I had tio remove the battery to shut the power off.When
I replaced the battery and rebooted it was fine.I hope its nothing I have done
as she will go ballistic if there are probs with it.


----------



## ~Candy~ (Jan 27, 2001)

http://support.microsoft.com/?kbid=330182&sd=RMVP


----------



## Cookiegal (Aug 27, 2003)

That error is related to a memory access violation. 

Go to Control Panel - Administrative Tools - Event Viewer and click on system (in the left pane). 

See if there are any errors reported in there and if so, let me know what they are please.


----------



## ras1 (Jul 13, 2005)

Hi Cookiegal-I really appreciate your patience with me.There are two errors showing-
both probably caused by me trying to get her processes down from 48 or so.For instance she needed the use of a printer a few days ago,just a one off use,but the Lex
programs continued to run on start up despite the fact that they were now disconnected.So I disabled them,but in doing so seem to have caused another problem.
Not sure what the DCOM is but both that and Lex appear in the log on each boot up.

Re Microsoft validation-am still talking to them and hopeful it will be resolved within
the next day or so.In the meantime I will see if I can override Pandasoft compability
probs as I find them hard to believe as the computer is relatively new and the xp home
is not exactly an old version.If successful,I will post the results asap.

DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service ImapiService with arguments "-Service" in order to run the server:
{520CCA63-51A5-11D3-9144-00104BA11C5E}

..............................................................................................................................................

The Print Spooler service depends on the LexBce Server service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The Print Spooler service depends on the LexBce Server service which failed to start because of the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

The print spooler one has to do with the printer being disabled.

The other one appears to be releated to a CD burning service.

Have you noticed any changes in performance since this occurred?


----------



## ras1 (Jul 13, 2005)

I don't really use her computer except to clean it up with your help.She burned
some sounds on to a cd this afternoon ands did not say that she had noticed any probs.


----------



## Cookiegal (Aug 27, 2003)

I would like to check something.

Download *FindIts.zip* to your desktop. 
Unzip/extract the files inside open the folder and run the FindIts.bat and wait for a text to open, it will take awhile be patient, post the results please.

http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443


----------



## ras1 (Jul 13, 2005)

Here is the scan you asked for

Microsoft Windows XP [Version 5.1.2600]
The current date is: 17/08/2005 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\SCMAIN.EXE
* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 2485-7363

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 2485-7363

Directory of C:\WINDOWS\system32

09/08/2005 18:06 1,406 AddQuit.ico
09/08/2005 18:06 9,470 Desktop.ico
09/08/2005 18:06 1,406 Help.ico
09/08/2005 18:06 5,350 IE.ico
07/12/2001 13:40 22,486 LRNXP.ICO
09/08/2005 18:06 1,718 Open.ico
09/08/2005 18:06 1,718 Quick.ico
09/08/2005 18:06 2,550 Uninstall.ico
8 File(s) 46,104 bytes
0 Dir(s) 8,015,527,936 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


----------



## Cookiegal (Aug 27, 2003)

Please post one more HijackThis log so we can see how things stand.


----------



## ras1 (Jul 13, 2005)

There is still something wrong.On the Ie address bar,she only has techguy and google showing.I clicked go on techguy and it wouldn't move,so I switched to google,clicked on go and it immediately threw up www.doubleclick.com.Second try It did take me to google then on to techguy.
The good news is that microsoft finally agreed that she does have a genuine windows package-but I expect it will take hours to d/l all she is missing.

Logfile of HijackThis v1.99.1
Scan saved at 05:01:21, on 18/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mariac\Local Settings\Temp\Temporary Directory 2 for hijackthis_1.zip\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ntl world
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


----------



## Cookiegal (Aug 27, 2003)

*SPYBOT SEARCH & DESTROY*

Go *here* and download *Spybot Search & Destroy*.

Install the program and launch it.

Before scanning press *Online* and *Search for Updates* .

Put a check mark at and install *all updates*.

Click *Check for Problems* and when the scan is finished let Spybot fix/remove *all* it finds marked in RED.

*Restart your computer*.

Click here: http://www.atribune.org/downloads/l2mfix.exe to download L2mfix.

Save the file to your desktop and double click *l2mfix.exe*. Read and Accept the agreement. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click *l2mfix.bat* and select option *#1* for *Run Find Log* by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

*IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!*


----------



## ras1 (Jul 13, 2005)

Hi Cookiegal,I've done what you asked-tho I did not delete the Download
Accelerator keys that Spybot wanted,since that would disable the service I think.We don't have broadband here and it just makes things a lot quicker if we retain yt.Is that ok?Below is the scan you asked for-it took me awhile to work it out as I feel there has been an upgrade,and there is not now a .bat file

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{D89937E0-C7D0-11D1-9960-00A0244EE2F7}"="Internet Connections"
"{a6359360-4bf7-11d2-ae14-00a0244ee2f7}"="Dial-Up Phonebooks"
"{eaaa4b80-4bf7-11d2-ae14-00a0244ee2f7}"="Dial Locations"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atl71.dll Tue 9 Aug 2005 9:59:02 A.... 89,088 87.00 K
cdm.dll Thu 26 May 2005 4:16:24 A.... 75,544 73.77 K
gwfspi~1.dll Wed 3 Aug 2005 10:33:38 A.... 23,304 22.76 K
hhsetup.dll Fri 27 May 2005 3:04:28 A.... 41,472 40.50 K
icm32.dll Wed 29 Jun 2005 2:46:00 A.... 254,976 249.00 K
itircl.dll Fri 27 May 2005 3:04:28 A.... 155,136 151.50 K
itss.dll Fri 27 May 2005 3:04:28 A.... 137,216 134.00 K
iuengine.dll Thu 26 May 2005 4:16:24 A.... 198,424 193.77 K
kerberos.dll Wed 15 Jun 2005 18:49:30 A.... 295,936 289.00 K
legitc~1.dll Wed 3 Aug 2005 10:33:42 A.... 520,456 508.26 K
mscms.dll Wed 29 Jun 2005 2:46:00 A.... 74,240 72.50 K
mucltui.dll Thu 26 May 2005 4:16:24 A.... 127,208 124.23 K
muweb.dll Thu 26 May 2005 4:19:32 A.... 178,408 174.23 K
tapisrv.dll Fri 8 Jul 2005 17:27:56 A.... 249,344 243.50 K
umpnpmgr.dll Thu 30 Jun 2005 3:02:40 A.... 118,272 115.50 K
vsdata.dll Wed 20 Jul 2005 2:45:14 A.... 83,728 81.77 K
vsinit.dll Wed 20 Jul 2005 2:45:26 A.... 141,072 137.77 K
vsmonapi.dll Wed 20 Jul 2005 2:45:34 A.... 104,208 101.77 K
vspubapi.dll Wed 20 Jul 2005 2:45:38 A.... 227,088 221.77 K
vsregexp.dll Wed 20 Jul 2005 2:45:42 A.... 71,440 69.77 K
vsutil.dll Wed 20 Jul 2005 2:45:54 A.... 382,736 373.77 K
vsxml.dll Wed 20 Jul 2005 2:46:02 A.... 100,112 97.77 K
wuapi.dll Thu 26 May 2005 4:16:30 A.... 465,176 454.27 K
wuaueng.dll Thu 26 May 2005 4:16:30 A.... 1,343,768 1.28 M
wuaueng1.dll Thu 26 May 2005 4:16:30 A.... 194,328 189.77 K
wucltui.dll Thu 26 May 2005 4:16:30 A.... 127,256 124.27 K
wups.dll Thu 26 May 2005 4:16:30 A.... 41,240 40.27 K
wups2.dll Thu 26 May 2005 4:16:30 A.... 18,200 17.77 K
wuweb.dll Thu 26 May 2005 4:19:32 A.... 173,536 169.47 K
zlcomm.dll Wed 20 Jul 2005 2:46:22 A.... 79,632 77.77 K
zlcommdb.dll Wed 20 Jul 2005 2:46:26 A.... 71,440 69.77 K

31 items found: 31 files, 0 directories.
Total of file sizes: 6,163,984 bytes 5.88 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2485-7363

Directory of C:\WINDOWS\System32

19/08/2005 03:20 DLLCACHE
18/01/2004 15:18 32 {E98C6E86-8E7A-4B7C-8211-1DF63840F1C3}.dat
18/01/2004 15:18 32 {86BBE87B-43B8-49E8-971C-689C505F0CDB}.dat
18/01/2004 15:17 32 {8E56485F-B7AB-49E1-B9F3-E83AF05DE803}.dat
18/01/2004 15:15 32 {3AC39183-2191-4CAE-B436-CF1B485D4F3B}.dat
18/01/2004 15:15 32 {D42A9DA3-613F-444E-9E1B-D9428F8FDDA5}.dat
18/01/2004 15:15 32 {75610FBD-2869-426D-8CEE-696F70DF1BD1}.dat
22/10/2003 12:21 32 {FC2876A5-8FA5-49CE-A613-1F5706386EB9}.dat
22/10/2003 11:38 Microsoft
7 File(s) 224 bytes
2 Dir(s) 6,230,863,872 bytes free


----------



## Cookiegal (Aug 27, 2003)

That's fine that you kept DAP. 

Are you still haveing the problem with doubleclick.com?


----------



## ras1 (Jul 13, 2005)

It has been ok so far tho I haven't used it that much as I prefer my own one.I cannot get the hang of the mouse on her laptop-its so much aggravation. 

The only thing I have done is to start to d/l some of Microsofts updates which
seems to have slowed it shutting down.


----------



## Cookiegal (Aug 27, 2003)

You mentioned earlier that she uses these programs and if she still is, she should get rid of them.

Ezula, sahagent, mywebsearch, funtoolbar and virtual bouncer.

*Delete your temporary files to free up space:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

She should delete any programs she is no longer using and images or music files that are no longer needed. Those take up a lot of space.

She should defrag the hard drive regularly.

Let us know if any of this helps to speed things up.


----------



## ras1 (Jul 13, 2005)

Ewido spybot etc etc cleared out all that rubbish early on.

I already tried a defrag last week and it was fine.
I also keep her temp files and cookies pretty clear now anyway.
However I did notice in disc clean up [the trash can]that she has a folder with "compressed files not used for some time"or words to that effect.Can I
delete those or might she need them at a later date?And does that mean the computer is now clean?


----------



## ras1 (Jul 13, 2005)

The only other thing that slows her down possibly[?] is the fact that she still has 40
processes running and almost 10,000 threads.This drops her Ram down to around 50k or sometimes less when the pc has been running for a while.


----------



## ~Candy~ (Jan 27, 2001)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

Kill those via start, run, msconfig, startup tab.

I must say, I had problems with ZoneAlarm on one system eating my resources. Finally turned it off.


----------



## ras1 (Jul 13, 2005)

Thanks Acacandy-two down,thirty six to go.
I don't have probs with zone alarm,3.5k is a drop in the bucket compared to iexplorer
taking up 50k,explorer another 15k,svchost 20k,vsmon 11k and gbdash 25k!I wish I could get round using gearbox to get on the net,as it is so heavy on resources-I guess
because its a laptop thats the way it is.


----------



## Cookiegal (Aug 27, 2003)

Lets take a look at a start-up log from Hijack This. Click on config  misc tools  then beside Generate startuplist log put a check in both boxes and then click on General startuplist log and copy and paste the log here.


----------



## ~Candy~ (Jan 27, 2001)

http://www.tasklist.org/task_confsvr_exe_4480.html

Looks like it doesn't need to load at startup?


----------



## ras1 (Jul 13, 2005)

Acacandy-not sure but my internet connection via ntl was disabled-possibly by disabling confsr.exe.However I went through the control panel and connected by reenabling,then found I could access the net without the use of gearbox etc etc.If it will now open automatically this way I will be pleased since it will save about 20k of ram plus cut down three processes too.


----------



## ras1 (Jul 13, 2005)

Cookiegal,I haven't forgotten you.Here is the scan you asked for-hope it means something to you as it is all greek to me.

StartupList report, 21/08/2005, 01:04:27
StartupList version: 1.52.2
Started from : C:\DOCUME~1\mariac\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_1.zip\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\mariac\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_1.zip\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\mariac\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PCTVOICE = pctspk.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Gearbox Deferal Check = C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\Monet.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------


----------



## ras1 (Jul 13, 2005)

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124342209273

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124341596572

[Sinstaller Class]
CODEBASE = http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5free/asinst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: \SystemRoot\System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (disabled)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation Service: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (disabled)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (disabled)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GBPoll: C:\Program Files\Roxio\GoBack\GBPoll.exe (autostart)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
GhostStartService: C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE (autostart)
GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (disabled)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Program Files\iPod\bin\iPodService.exe (disabled)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (disabled)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (disabled)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040310.005\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040310.005\NavEx15.Sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
nenum13E: \??\C:\DOCUME~1\mariac\LOCALS~1\Temp\nenum13E.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Net MD: System32\Drivers\NETMDUSB.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton Unerase Protection Driver: \??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS (manual start)
Norton Unerase Protection: "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
PACSPTISVR: C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
W2K Pctel Serial Device Driver: System32\DRIVERS\ptserial.sys (manual start)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\WINDOWS\System32\Drivers\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Speed Disk service: C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Audio Driver (WDM) - SigmaTel CODEC: system32\drivers\STAC97.sys (manual start)
STEC3: \??\C:\WINDOWS\System32\STEC3.sys (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
W2k Vmodem: System32\DRIVERS\vmodem.sys (system)
W2k Vpctcom: System32\DRIVERS\vpctcom.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
W2k Vvoice: System32\DRIVERS\vvoice.sys (system)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
AIM 3.0 Part 01 Codec Driver CH-7017-A: system32\drivers\A311.sys (manual start)
AIM 3.0 Part 01 Codec Driver CH-7017-B: system32\drivers\A310.sys (manual start)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,028 bytes
Report generated in 0.450 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## ~Candy~ (Jan 27, 2001)

ras1 said:


> Acacandy-not sure but my internet connection via ntl was disabled-possibly by disabling confsr.exe.However I went through the control panel and connected by reenabling,then found I could access the net without the use of gearbox etc etc.If it will now open automatically this way I will be pleased since it will save about 20k of ram plus cut down three processes too.


Purrrrrfect


----------



## Cookiegal (Aug 27, 2003)

Have things improved now?


----------



## ras1 (Jul 13, 2005)

I think so Cookiegal.
It couldn't fail to be after clearing out all the rubbish that she had picked up over time.
She is away right now and I only access it to sort it out for her,so not %100 sure 
that it will be faster for her.
Once she is back,she will replace the password control that she normally runs,and I 
guess that will be crunch time since it was on "guest" that the pc was running flat out all the time.

But it is certainly a lot better than my own one,since she doesn't get the winfixer popup very so often.
I wil put this problem as "solved" now and thankyou so much for all the time you have spent sorting it out.


----------



## ~Candy~ (Jan 27, 2001)

Can you post another hijack this log so I can take another glance at the (04) items we have remaining?


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER & SPYWAREGUARD* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------



## ras1 (Jul 13, 2005)

Here is a current ht.
Processes are down to 33 and gear box only kicks in
if it is called upon to get on the net.I don't think it does start as you showed me how to avoid using it,for which I thankyou[not sure if I said it first time round as I was not sure it would always work].I have two refs on processes-
gbpoll and gb tray,but I think they are to do with Roxio and its Goback program.[And what a great little program that is-its saved my bacon quite a few times].
Any other suggestions gratefully received.

Logfile of HijackThis v1.99.1
Scan saved at 18:16:28, on 22/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\mariac\LOCALS~1\Temp\Temporary Directory 3 for hijackthis_1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124342209273
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124341596572
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F7A3374-9E34-4569-92E5-FAF011AA6B8C}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


----------



## ~Candy~ (Jan 27, 2001)

http://www.liutilities.com/products/wintaskspro/processlibrary/pctspk/

http://www.liutilities.com/products/wintaskspro/processlibrary/msmsgs/


----------



## bassetman (Jun 7, 2001)

Cookiegal said:


> You're welcome.
> 
> Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:
> 
> ...


Cookie, just a question. I did the %temp% and deleted all (twice I think) and ended up with a NAV error in trying to find a file. Is there a way to identify the file NAV uses so we could leave that for safety?


----------



## Cookiegal (Aug 27, 2003)

Bman,

There shouldn't be any valid NAV file that is required running from the Temp files. Can you reproduce the error and see what the file is?


----------



## ras1 (Jul 13, 2005)

Acacandy -thanks for that.I kept the msmgs as my daughter chats a fair bit on it.

Not sure if the Bassetman posting belonged to my thread??


----------



## ~Candy~ (Jan 27, 2001)

Bassethound, errrr, Bassetman, doesn't really belong anywhere, but he's cute, so we keep him around 

Every once in awhile someone will try to take advantage of other expertise, I think he was just asking cookiegal a related question.....we won't de-flea him for that


----------



## bassetman (Jun 7, 2001)

> Not sure if the Bassetman posting belonged to my thread??





> Bassethound, errrr, Bassetman, doesn't really belong anywhere, but he's cute, so we keep him around
> 
> Every once in awhile someone will try to take advantage of other expertise, I think he was just asking cookiegal a related question.....we won't de-flea him for that


Some days it doesn't pay to get out of bed!


----------



## ras1 (Jul 13, 2005)

Bassetman,I am sorry -didn't mean you to be hounded.
In all honesty,I totally missed Cookiegal's post [I guess I am more beagle eyed than eagle eyed][so was trying to make sense of your post rather than being pug-nacious.


----------

