It Killed Panda and svchost !



#1 steveAA (Member, 65 posts)
I've worked with Geeks to Go before with excellent help. NOW I really need help.
My other computer will not log on to the internet and showed several problems just an hour ago.
PANDA showed Low protection level, and Protection against Threats and Firewall were DISABLED, and it now shows "Error". I cannot access the internet to update it or to contact Panda on that computer. I did not make the changes to Panda!!!!
I restarted in safe mode and "Svchost Error" shows and the system wants to shut down. I could only access Panda and SUPERAntiSpyware through Task Manager. I ran SUPERAntiSpyware and had 4 minor cookies, and deleted them, but I've got a DEAD PANDA.
The Event Viewer shows several boot-start or system-start drivers failed to load, like APPFLT, DSAFLT, eeCtrl, FNETMON, IDSFLT, SAADIFSV, SASKUTIL, ShldDrv, SMSFLT and WNMFLT.
I've attached the HJT file and I see a couple of things, but decided not to make any changes until you saw the complete file.

Logfile of HijackThis v1.99.1
Scan saved at 9:01:10 PM, on 1/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Steve\Desktop\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AvltMain.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\Apvxdwin.exe
c:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\WINNT\system32\svchost.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155058514\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Colorific Control Panel] C:\PROGRA~1\SONNET~1\COLORI~1\PROGRAM\HGCCTL95.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for éN—ac: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/o...utodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.kotra.or....ezxsactivex.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154467452281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166219201234
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea....xsinstaller.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

Please help.
Steve :whistling:
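The log above is in HijackThis v1.99.1 format, and the entries that matter for a compromise like this one are the O20 Winlogon Notify DLLs (loaded into winlogon.exe at every logon), the O21 SSODL entries (especially one whose file is already gone), O4 Run values with an unqualified executable name, and the O16 ActiveX downloads. The following is an added example, not code from the original post or from the HijackThis project: a small Python triage script that parses lines in this format and sorts them into "review" and "info". The sample lines are constructed from the shape of the logs in this thread (the truncated O16 URL is kept as the forum shows it), and the Winlogon Notify allowlist is an assumption for illustration based on what the thread later says about SASWINLO.dll and avldr.dll.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format. The lines mirror the shape of
# the logs posted in this thread (truncated O16 URL included); it is not a full log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
"""

@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O20", ...
    body: str     # everything after "O4 - "

@dataclass(frozen=True)
class Finding:
    level: str    # "review" (needs a human look) or "info" (recorded, nothing odd)
    section: str
    detail: str

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumed allowlist for illustration only: the thread identifies these two Winlogon
# Notify DLLs as belonging to SUPERAntiSpyware and Panda respectively.
KNOWN_NOTIFY_DLLS = {"saswinlo.dll", "avldr.dll"}

def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def _first_token(command):
    """Return the executable part of a Run-key command, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def triage(entries):
    findings = []
    for e in entries:
        if e.section == "O4" and "] " in e.body:
            # HKLM/HKCU Run value: "[name] command"
            exe = _first_token(e.body.split("] ", 1)[1])
            if "\\" not in exe:
                # A bare filename is resolved through the search path at logon,
                # so a file planted earlier in that path would run instead.
                findings.append(Finding("review", "O4", f"unqualified path in Run entry: {exe}"))
        elif e.section == "O16":
            m = re.search(r"\((.*?)\) - (\S+)$", e.body)
            if m:
                findings.append(Finding("info", "O16", f"ActiveX control {m.group(1)} from {m.group(2)}"))
        elif e.section == "O20":
            # "Winlogon Notify: <name> - <dll path>"; Winlogon loads this DLL into a
            # SYSTEM process at every logon, so anything not accounted for gets a look.
            name, _, path = e.body.partition(": ")[2].partition(" - ")
            dll = path.rsplit("\\", 1)[-1].lower()
            level = "info" if dll in KNOWN_NOTIFY_DLLS else "review"
            findings.append(Finding(level, "O20", f"Winlogon Notify {name} loads {path}"))
        elif e.section == "O21" and e.body.endswith("(no file)"):
            # A ShellServiceObjectDelayLoad entry whose file is gone is a leftover
            # registration; harmless by itself, but it shows something was removed.
            findings.append(Finding("review", "O21", f"orphaned SSODL entry: {e.body}"))
    return findings

def summarize(findings):
    """Count findings per level, e.g. {'review': 2, 'info': 3}."""
    counts = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.level:6}] {f.section}: {f.detail}")
```

Run against the sample it flags the bare `SOUNDMAN.EXE` Run value and the orphaned `carbinyl` SSODL entry for review, and records the two Winlogon Notify DLLs and the Panda ActiveScan control as information only. The script deliberately does not call anything malicious: an entry on the review list is a prompt to look the file up, as Blender does later in the thread for avldr.dll, not a verdict.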


#2 steveAA (Topic Starter, 65 posts)
I did some more reading of other posts and I looked at the registry and restored it while in "Safe" mode. It now comes up, and I'm running Panda OK. I don't know what happened, but I had some corrupted files. I had left the computer on and left for a while, and when I returned is when it had the problem, and I know that no one was on it.
I did use HJT to remove: O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
and O12 - Plugin for éN—ac: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll.
I compared them to a HJT log from last month and they were not there, so I deleted them to "test", along with a "backup" of the registry by CCleaner.

I'm up and running now, and Panda is doing a new scan. I'll post what I find.

#3 steveAA (Topic Starter, 65 posts)
Panda found and eliminated a virus in the RECYLER\S-1-5-21--1708537768-1897051121-725345543-1000\Dc193.dll. That's basically a temp file installed by the virus as a .dll file, I believe.
At the moment everything looks good.
:whistling:

#4 steveAA (Topic Starter, 65 posts)
Oops. I still have some problems. I found that my eBay password was compromised, and when I tried to look at MSCONFIG, it says, "Cannot find file MSCONFIG."
Panda now runs OK and SUPERAntiSpyware has a clean run, so I thought I was OK.
Here's the new HJT file.

Logfile of HijackThis v1.99.1
Scan saved at 3:29:28 PM, on 1/22/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1155058514\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\SONNET~1\COLORI~1\PROGRAM\HGCCTL95.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\program files\common files\aol\1155058514\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1155058514\ee\aolsoftware.exe
c:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155058514\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Colorific Control Panel] C:\PROGRA~1\SONNET~1\COLORI~1\PROGRAM\HGCCTL95.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/o...utodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.kotra.or....ezxsactivex.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154467452281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166219201234
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea....xsinstaller.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

Edited by steveAA, 22 January 2007 - 04:21 PM.


#5 Blender (Malware Expert, MVP, 187 posts)
Hi & welcome :whistling:

Just going over a few notes to start.

You fixed this with HJT:
O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll

It's legit. Part of Panda. See here:

http://www.castlecop...20list-133.html

You have HJT on your desktop. Not a recommended spot for it. It did make backups of what you fixed earlier, in a folder on the desktop called "backups". Leave this folder intact for now. Also leave HJT on the desktop for now. You might want to restore that Panda entry you removed earlier.
Then we can make special folder for HJT and move the program itself.

Opps. I've still have some problems. I found that my Ebay password was compromised and when I tried to look at MSCONFIG , it says, "Cannot find file MSCONFIG."


1.) By default Windows 2000 does NOT come with msconfig -- hence the error.

2.) What/who has told you your eBay password was compromised?
I ask because there are many emails going around claiming this, and clicking the provided links takes you to a fake eBay site where they really steal your passwords.
Normally the email tells you that your password may have been stolen, that they have "limited" your account, and that you have to sign in etc. to verify your info so your account is restored to "full access" again.

-- eBay/PayPal will never email you asking for personal info like passwords and such. More info:

http://pages.ebay.ca...f_websites.html
http://pages.ebay.ca.../spooftutorial/

--------------------------------

On to log(s)

Your current HJT log looks clean.
In light of previous comments/logs I would like to double check.

Using Internet Explorer, please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Thanks :blink:
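The spoof pattern Blender describes (an "account limited" mail whose link lands on a look-alike site) can be checked mechanically before anyone clicks. What follows is an added example, not code from the original post or from eBay: a Python script that pulls every link out of an HTML mail body and flags the usual tells, namely a link whose registrable domain is not the brand's, a brand name buried as a subdomain of a foreign host, visible link text that names one host while the href goes to another, and a plain-http sign-in link. The mail body is constructed for the example and every hostname in it is made up (the reserved .example TLD stands in for the phishing domain); the brand list and the two-label "registrable domain" rule are assumptions for illustration, and a production tool would use a public-suffix list instead.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body following the pattern described above ("limited"
# account, sign in to restore access). Every hostname here is made up; the
# reserved .example TLD stands in for a phishing domain.
SAMPLE_EMAIL = """
<p>Dear valued member,</p>
<p>We have limited your account. To restore full access, please sign in at
<a href="http://signin.ebay.com.account-verify.example/ws/eBayISAPI.dll">https://signin.ebay.com/</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://pages.ebay.com/help/">eBay Help</a>.</p>
"""

# Assumed for the example: the brands whose mail is being checked.
EXPECTED_DOMAINS = {"ebay.com", "paypal.com"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname. A two-label approximation (no public-suffix
    list), which is enough for .com and .example; a real tool would use one."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return [(href, [reasons])]; an empty reason list means nothing odd was found."""
    extractor = LinkExtractor()
    extractor.feed(html)
    brands = {d.split(".")[0] for d in expected_domains}
    results = []
    for href, text in extractor.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        domain = registrable_domain(host)
        reasons = []
        if domain not in expected_domains:
            reasons.append(f"link goes to {host}, not a {sorted(expected_domains)} host")
            # "signin.ebay.com.<something>" puts the brand in a subdomain of a foreign domain
            if any(b in host for b in brands):
                reasons.append("brand name embedded in a foreign hostname")
        # Visible text that looks like a URL but points somewhere else
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable_domain(shown) != domain:
                reasons.append(f"displays {shown} but goes to {host}")
        if parsed.scheme == "http":
            reasons.append("sign-in link is plain http")
        results.append((href, reasons))
    return results

def is_phishing(html, expected_domains=EXPECTED_DOMAINS):
    """True if any link in the body raised at least one reason."""
    return any(reasons for _, reasons in check_links(html, expected_domains))

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons) or "ok")
```

On the sample, the first link collects all four reasons while the genuine help link collects none. Note that the check works on the href, never on the visible text alone, because the displayed `https://signin.ebay.com/` is exactly what the spoof wants the reader to trust.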

#6 steveAA (Topic Starter, 65 posts)
Thank you Blender for the help.
I've moved HJT off the desktop.
I was on a Panda trial when I deleted the avldr file. Since then I've had a full subscription. Does that restore the file? Panda works fine now.

The eBay note came from eBay, as I went to my eBay account to confirm it and they confirmed it in an e-mail response. You are very right about the phishing sites. They wouldn't say how they knew, but I changed my AOL and eBay passwords.

I think my system is better, but quite slow, so I don't know if it's something else causing the problem.

I ran Kaspersky and it said no virus. Here's the scan.


KASPERSKY ONLINE SCANNER REPORT
Sunday, January 28, 2007 12:34:52 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/01/2007
Kaspersky Anti-Virus database records: 247986


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 30966
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 00:41:11

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\rockadamss\MyDB.idx Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\rockadamss\toolbar.lst Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\idb\SNMaster.idx Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\CACHE\rockadam00 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\rockadamss Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\rockadamss.abi Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\organize\rockadamss.aby Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped

C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Steve\Application Data\AOL\C_America Online 9.0\IDB\Apps.Lst Object is locked skipped

C:\Documents and Settings\Steve\Application Data\AOL\C_America Online 9.0\IDB\art.idx Object is locked skipped

C:\Documents and Settings\Steve\Application Data\AOL\C_America Online 9.0\IDB\sap.dat Object is locked skipped

C:\Documents and Settings\Steve\Application Data\AOL\C_America Online 9.0\IDB\spool.lst Object is locked skipped

C:\Documents and Settings\Steve\Application Data\AOL\C_America Online 9.0\IDB\sysnews.lst Object is locked skipped

C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

C:\Documents and Settings\Steve\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Steve\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Steve\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007012820070129\index.dat Object is locked skipped

C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PSK_NAMES2_3 Object is locked skipped

C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PSK_NAMES_3 Object is locked skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\ipsecpa.log Object is locked skipped

C:\WINNT\Debug\oakley.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\HASHMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\HASHMAST.cbk Object is locked skipped

C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HASHMAST.cbd Object is locked skipped

C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HASHMAST.cbk Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped

C:\WINNT\system32\Perflib_Perfdata_984.dat Object is locked skipped

C:\WINNT\system32\wbem\Repository\CIM.REP Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by steveAA, 28 January 2007 - 02:47 PM.


#7 steveAA (Topic Starter, 65 posts)
Here's the latest HJT.
Logfile of HijackThis v1.99.1
Scan saved at 3:01:03 PM, on 1/28/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\1155058514\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\SONNET~1\COLORI~1\PROGRAM\HGCCTL95.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\program files\panda software\panda antivirus + firewall 2007\WebProxy.exe
C:\program files\common files\aol\1155058514\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1155058514\ee\aolsoftware.exe
C:\WINNT\system32\regedt32.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1155058514\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Colorific Control Panel] C:\PROGRA~1\SONNET~1\COLORI~1\PROGRAM\HGCCTL95.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/o...utodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1154467452281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166219201234
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

#8
Blender
    Malware Expert
  • 187 posts
  • MVP
Hi there :whistling:

Glad you got your passwords and such sorted. Did eBay tell you when this was spotted?

If your Panda is working OK I wouldn't worry about it-- trying to restore it shouldn't hurt.
I am not sure of the exact function of that file, except that it does load quite early in the boot process.
I don't see that file in your log.
Can you check your system32 folder and see if it is there?
If present; go ahead and restore that O20 line from Hijackthis.

O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll

Does your Panda come with an anti-spyware component?
I ask because it looks like you have a few AS apps running resident.
SuperAntispyware
Spyware Doctor
AOL Antispyware
Possibly Panda.

I would disable the guards on a couple AS apps. Running several will cause conflicts/slowdowns just like running more than one AV or Firewall.

Let's see what new files were created and check a few registry keys.

1. Download this file and save it to c:\ :

http://download.blee...Bs/combofix.exe
http://www.techsuppo...ls/combofix.exe

2. Double click combofix.exe & follow the prompts.
You will temporarily lose your desktop while the scan is running. Once the scan is done the desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Thanks :blink:

#9
steveAA
    Member
  • Topic Starter
  • 65 posts
Ebay said my password was compromised about Jan 22, as I remember.

I will delete some of the AS programs. I wanted to test them, then decide. Panda has the AS included in it.
Also, the Panda file Avldr.dll is in WINNT\System32, but I couldn't find it on HJT to restore it; as it's in sys32 now, I assume that it's OK.

Panda responded when I downloaded ComboFix with a pop-up stopping it.
Here are the ComboFix results.

"Steve" - Sun 2007-01-28 17:19:20 Service Pack 4
ComboFix 07-01-25 - Running from: "C:\Program Files\GEEKSforum"

((((((((((((((((((((((((((((((( Files Created from 2006-12-28 to 2007-01-28 ))))))))))))))))))))))))))))))))))


2007-01-28 17:17 603 --a------ C:\Combo.bat
2007-01-28 15:15 <DIR> d-------- C:\Program Files\PC MightyMax
2007-01-28 13:51 3,295,633 --a------ C:\Program Files\PPTminimizer2006.exe
2007-01-28 13:37 <DIR> d-------- C:\WINNT\ERDNT
2007-01-28 11:43 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-01-28 11:40 <DIR> d-------- C:\!KillBox
2007-01-28 11:38 <DIR> d-------- C:\SDFix
2007-01-28 11:22 <DIR> d-------- C:\HJT
2007-01-24 16:28 <DIR> d-------- C:\Program Files\eBay
2007-01-22 19:31 <DIR> d-------- C:\Program Files\sup
2007-01-22 19:31 <DIR> d-------- C:\Program Files\srt
2007-01-22 19:31 <DIR> d-------- C:\Program Files\org
2007-01-22 19:31 <DIR> d-------- C:\Program Files\def
2007-01-22 19:31 <DIR> d-------- C:\Program Files\choice
2007-01-22 19:29 <DIR> d-------- C:\Program Files\adult
2007-01-22 19:20 536,811 --a------ C:\Program Files\ie-spyad.exe
2007-01-22 19:20 <DIR> d-------- C:\ie-spyad
2007-01-18 15:34 28,672 --------- C:\WINNT\system32\SiSHook.dll
2007-01-18 15:34 176,128 --------- C:\WINNT\system32\SiSApCom.dll
2007-01-18 15:34 110,592 --------- C:\WINNT\system32\TVMode.dll
2007-01-18 15:33 7,168 --a------ C:\WINNT\InstFunc.dll
2007-01-18 15:33 49,152 --a------ C:\WINNT\system32\SiSPower.dll
2007-01-18 15:33 49,152 --a------ C:\WINNT\system32\SiSBase.dll
2007-01-18 15:33 331,776 --a------ C:\WINNT\system32\sistray.exe
2007-01-18 15:33 32,768 --a------ C:\WINNT\InstFunc.exe
2007-01-18 15:33 258,048 --a------ C:\WINNT\system32\SiSParse.dll
2007-01-18 15:33 184,320 --a------ C:\WINNT\system32\SiSInst.dll
2007-01-18 15:33 <DIR> d-------- C:\Program Files\SiS VGA Utilities V3.65
2007-01-18 15:14 9,472 --a------ C:\WINNT\system32\drivers\sisperf.sys
2007-01-18 15:14 19,712 --a------ C:\WINNT\system32\drivers\sisidex.sys
2007-01-18 15:14 139,264 --a------ C:\WINNT\system32\IDEproperty.dll
2007-01-18 15:03 <DIR> d-------- C:\WINNT\system32\trayres
2007-01-18 14:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-01-18 14:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-18 14:18 <DIR> d-------- C:\DOCUME~1\Steve\Application Data\SUPERAntiSpyware.com
2007-01-18 14:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-01-18 14:17 5,743,392 --a------ C:\Program Files\SUPERAntiSpyware.exe
2007-01-18 12:21 <DIR> d-------- C:\Program Files\SIS downloads
2007-01-13 22:53 23,600 --a------ C:\WINNT\system32\drivers\TVICHW32.SYS
2007-01-03 09:29 <DIR> d-------- C:\WINNT\system32\DRM
2007-01-03 08:56 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-01-03 08:54 <DIR> d-------- C:\DOCUME~1\Steve\SecurityScans


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-28 17:18 -------- d-------- C:\Program Files\geeksforum
2007-01-28 15:28 -------- d-a------ C:\Program Files\america online 9.0
2007-01-28 15:15 -------- d---s---- C:\DOCUME~1\Steve\Application Data\microsoft
2007-01-28 14:01 -------- d-a------ C:\Program Files\spyware doctor
2007-01-28 14:01 -------- d-------- C:\Program Files\registry mechanic
2007-01-28 14:01 -------- d-------- C:\Program Files\quicktime
2007-01-28 11:16 -------- d-------- C:\Program Files\Common Files\scanner
2007-01-28 11:16 -------- d-------- C:\Program Files\aol deskbar
2007-01-26 10:38 -------- d-a------ C:\Program Files\Common Files\aol
2007-01-24 16:28 -------- d--h----- C:\Program Files\installshield installation information
2007-01-22 16:37 -------- d-a------ C:\Program Files\Common Files\aolshare
2007-01-21 22:38 -------- d-------- C:\Program Files\java
2007-01-20 22:10 -------- d-------- C:\Program Files\yahoo!
2007-01-20 22:09 -------- d-------- C:\Program Files\ccleaner
2007-01-20 04:30 497095 --a------ C:\Program Files\ie-ads.txt
2007-01-20 04:30 18790 --a------ C:\Program Files\ie-nfe.txt
2007-01-18 15:23 -------- d-------- C:\Program Files\sisagp
2007-01-18 00:15 31690 --a------ C:\Program Files\readme.txt
2007-01-03 08:54 -------- d-------- C:\Program Files\microsoft baseline security analyzer 2
2006-12-22 20:23 9216 --a------ C:\WINNT\system32\drivers\fnetmon.sys
2006-12-22 20:23 44544 --a------ C:\WINNT\system32\drivers\APPFLT.SYS
2006-12-22 20:23 36864 --a------ C:\WINNT\system32\drivers\dsaflt.sys
2006-12-22 20:23 245760 --a------ C:\WINNT\system32\pavshook.dll
2006-12-22 20:23 23296 --a------ C:\WINNT\system32\drivers\smsflt.sys
2006-12-22 20:23 185472 --a------ C:\WINNT\system32\drivers\idsflt.sys
2006-12-22 20:23 103936 --a------ C:\WINNT\system32\drivers\netfltdi.sys
2006-12-22 20:06 -------- d-a------ C:\Program Files\panda software
2006-12-22 20:05 -------- d-------- C:\Program Files\Common Files\panda software
2006-12-22 20:04 -------- d-------- C:\Program Files\Common Files\symantec shared
2006-12-22 19:58 -------- d-------- C:\Program Files\symantec
2006-12-07 19:02 2174976 --a------ C:\WINNT\system32\wmvcore.dll
2006-11-16 10:44 103984 --a------ C:\WINNT\system32\aoldial.dll
2006-11-14 16:51 26529848 --a------ C:\Program Files\t07promo.exe
2006-11-06 12:47 596480 --a------ C:\WINNT\system32\inetcomm.dll
2006-11-06 11:35 531568 --a------ C:\WINNT\system32\rmactivate_isv.exe
2006-11-06 11:35 523376 --a------ C:\WINNT\system32\rmactivate.exe
2006-11-06 11:35 519280 --a------ C:\WINNT\system32\secproc_isv.dll
2006-11-06 11:35 518768 --a------ C:\WINNT\system32\secproc.dll
2006-11-06 11:35 358000 --a------ C:\WINNT\system32\rmactivate_ssp.exe
2006-11-06 11:35 354416 --a------ C:\WINNT\system32\rmactivate_ssp_isv.exe
2006-11-06 11:35 323696 --a------ C:\WINNT\system32\msdrm.dll
2006-11-06 11:35 192624 --a------ C:\WINNT\system32\secproc_ssp_isv.dll
2006-11-06 11:35 192624 --a------ C:\WINNT\system32\secproc_ssp.dll
2006-10-29 19:28 75736 --a------ C:\WINNT\system32\cdm.dll
2006-10-29 19:28 465368 --a------ C:\WINNT\system32\wuapi.dll
2006-10-29 19:28 41432 --a------ C:\WINNT\system32\wups.dll
2006-10-29 19:28 198616 --a------ C:\WINNT\system32\iuengine.dll
2006-10-29 19:28 194520 --a------ C:\WINNT\system32\wuaueng1.dll
2006-10-29 19:28 18392 --a------ C:\WINNT\system32\wups2.dll
2006-10-29 19:28 174040 --a------ C:\WINNT\system32\wuweb.dll
2006-10-29 19:28 172504 --a------ C:\WINNT\system32\wuauclt1.exe
2006-10-29 19:28 1353688 --a------ C:\WINNT\system32\wuaueng.dll
2006-10-29 19:28 127448 --a------ C:\WINNT\system32\wucltui.dll
2006-10-29 19:28 124376 --a------ C:\WINNT\system32\wuauclt.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\\Program Files\\Spyware Doctor\\swdoctor.exe /Q"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"AOL Fast Start"="C:\\Program Files\\America Online 9.0\\AOL.EXE -b"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1155058514\\ee\\AOLSoftware.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="C:\\Program Files\\QuickTime\\qttask.exe -atboottime"
"Pure Networks Port Magic"="C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe -Run"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ASM"="C:\\Program Files\\AOL\\Active Security Monitor\\ASMonitor.exe HIDEMAIN"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe"
"Colorific Control Panel"="C:\\PROGRA~1\\SONNET~1\\COLORI~1\\PROGRAM\\HGCCTL95.EXE"
"SoundMan"="SOUNDMAN.EXE"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus + Firewall 2007\\APVXDWIN.EXE\" /s"
"PCMMRealtime"="C:\\Program Files\\PC MightyMax\\pcmm.exe /R"
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

Edited by steveAA, 28 January 2007 - 07:56 PM.


#10
Blender
    Malware Expert
  • 187 posts
  • MVP
Hello;

Log looks ok. :whistling:
Out of curiosity, what was Panda flagging in ComboFix? "process.exe"?
FYI it is not malicious the way we are using it here. process.exe is a tool to stop processes.
Because AVs cannot tell the difference between good and bad use of such programs they may alert the user.
Good to see you got the program ok though.

I'd like to make sure there are no security-related changes done to the registry.

I have attached a file called Inspect.zip.
Please download this file> unzip it.
Double click inspect.bat> let it run> post results of log.

Thanks :blink:

#11
steveAA
    Member
  • Topic Starter
  • 65 posts
I ran Inspect.bat, but the DOS window came up, scrolled down and disappeared, and I couldn't find the results. Where do I go?

Also, thanks for looking at the registry. I believe I have quite a few incomplete registry keys from when I used Spyware Dr. and I deleted the keys it listed as invalid. It now shows everything OK, but PC MightyMax shows 109 problems! I don't like PC MightyMax as it has pop-ups and I'm thinking about deleting it, unless you can tell me it has something good.

#12
steveAA
    Member
  • Topic Starter
  • 65 posts
I clicked on View on the WinZip file of "Inspect" and I got this notepad result. Here it is.
cd %systemdrive%\
If not exist lsafiles MkDir lsafiles
regedit /a /e lsafiles\1.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
regedit /a /e lsafiles\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e lsafiles\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e lsafiles\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e lsafiles\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /e /a lsafiles\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /a /e lsafiles\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
regedit /a /e lsafiles\8.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"
Regedit /a /e lsafiles\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e lsafiles\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e lsafiles\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e lsafiles\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /a /e lsafiles\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
regedit /a /e lsafiles\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess
regedit /a /e lsafiles\15.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
regedit /a /e lsafiles\16.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e lsafiles\17.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
regedit /a /e lsafiles\18.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore"
regedit /a /e lsafiles\19.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\systemrestore"
regedit /a /e lsafiles\20.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc
regedit /a /e lsafiles\21.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr
regedit /a /e lsafiles\22.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
regedit /a /e lsafiles\23.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
regedit /a /e lsafiles\24.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
regedit /a /e lsafiles\26.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter"
regedit /a /e lsafiles\27.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ExclusionList"
reg query "hklm\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" > %systemdrive%\lsafiles\25.txt


Copy lsafiles\*.txt = %systemdrive%\lsa.txt
rmdir /s /q lsafiles
Notepad %systemdrive%\lsa.txt

#13
Blender
    Malware Expert
  • 187 posts
  • MVP
Hi

I was looking for more info on PC Mightymax. I have not used it myself so I really don't know.
If it has popups.....get rid of it.
It has advertisement pop-ups?
Let me know if you have troubles uninstalling it.
Can you tell me where you downloaded this program? I would like to have a look at it.

That inspect.bat I had you run...
log should be here:
c:\lsa.txt

You did see some text scrolling in the dos window....yes?

<<edit>> I see now what is wrong with inspect.bat..
You need to unzip it. It can't run from within the zip.
That stuff you posted is the code in the batch file to do a pile of registry exports.

Right click inspect.zip> extract all> follow wizard to finish extracting it.
When the inspect folder opens double-click inspect.bat from there.
Log should open.

Thanks :whistling:

#14
steveAA
    Member
  • Topic Starter
  • 65 posts
I downloaded the PC MightyMax program because I saw it listed in one of the Forum's threads where it was recommended for repairing registries. I remember clicking on the link. But I'm going to uninstall it because of the way it acts. I still believe I have some registry problems to fix, but am not sure how.

Here is the registry scan you wanted. Thanks for the tip to find the text. I had the program OK, but didn't know where the text file was.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000120
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Internet Connection Sharing"
"DependOnService"=hex(7):52,00,61,00,73,00,4d,00,61,00,6e,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,20,02,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,01,00,00,00,00,00,05,12,00,00,00

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,54,00,63,00,70,00,\
49,00,70,00,00,00,00,00
"Description"="Allows a remote user to log on to the system and run console programs using the command line."
"DisplayName"="Telnet"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,\
00,6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000003
"Type"=dword:00000010

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Allows remote registry manipulation."
"DisplayName"="Remote Registry Service"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,\
00,65,00,67,00,73,00,76,00,63,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,e0,ad,08,\
00,01,00,00,00,e8,03,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum]
"0"="Root\\LEGACY_REMOTEREGISTRY\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,45,\
00,50,00,4d,00,41,00,50,00,50,00,45,00,52,00,00,00,4c,00,4f,00,43,00,41,00,\
54,00,4f,00,52,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,54,00,72,\
00,6b,00,53,00,76,00,72,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
00,53,00,24,00,00,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:f3,89,c3,0d,ac,bc,7a,44,ad,96,59,82,6d,04,8b,c8
"CachedOpenLimit"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"OtherDomains"=hex(7):00,00

Edited by steveAA, 28 January 2007 - 10:32 PM.

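A defender-side check over the kind of export that inspect.bat assembles into lsa.txt, added here as an example; it is not part of the thread or of the tool Blender attached. It assumes the REGEDIT5 text format shown in the post above and runs on a constructed, shortened sample built from the values posted (Start, ImagePath, NullSessionShares, DisableTaskMgr, requiresecuritysignature).

```python
"""Parse a regedit /a /e export and flag the security-relevant settings a
helper reviews (service start types, SMB signing, null-session shares,
policy restrictions). Added example; sample data is constructed."""
import re
from typing import Dict, List

Hive = Dict[str, Dict[str, object]]   # lowercased key path -> {lowercased value name: value}

# Constructed sample modelled on the lsa.txt posted above (shortened).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"requiresecuritysignature"=dword:00000000
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
  00,53,00,24,00,00,00,00,00
'''


def _join_continuations(lines):
    """regedit wraps long hex values over several lines with a trailing backslash."""
    out, buf = [], ""
    for raw in lines:
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def _decode_value(text: str):
    """Decode the REGEDIT5 textual forms that appear in these exports."""
    if text.startswith('"') and text.endswith('"'):
        return re.sub(r"\\(.)", r"\1", text[1:-1])      # unescape \" and \\
    if text.startswith("dword:"):
        return int(text[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", text)
    if m:
        kind = int(m.group(1) or 3)                     # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):                              # REG_SZ / REG_EXPAND_SZ, UTF-16LE
            return data.decode("utf-16-le").rstrip("\0")
        if kind == 7:                                   # REG_MULTI_SZ, NUL-separated
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data
    return text


def parse_reg_export(text: str) -> Hive:
    hive: Hive = {}
    current = None
    for line in _join_continuations(text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hive.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            hive[current][name.strip('"').lower()] = _decode_value(value)
    return hive


def _values(hive: Hive, key_suffix: str, name: str) -> List[object]:
    """Every value called `name` under keys ending in `key_suffix` (HKLM and HKCU alike)."""
    suffix, name = key_suffix.lower(), name.lower()
    return [v[name] for path, v in hive.items() if path.endswith(suffix) and name in v]


def audit(hive: Hive) -> List[str]:
    """Items for a human to review; none of these is a verdict on its own."""
    findings = []
    if any(_values(hive, r"policies\system", "DisableTaskMgr")):
        findings.append("Task Manager is disabled by policy (DisableTaskMgr != 0)")
    for svc, label in (("RemoteRegistry", "Remote Registry"), ("TlntSvr", "Telnet")):
        if 2 in _values(hive, "services\\" + svc, "Start"):   # 2 auto, 3 manual, 4 disabled
            findings.append(f"{label} service is set to start automatically (Start=2)")
    if 0 in _values(hive, r"lanmanserver\parameters", "requiresecuritysignature"):
        findings.append("Server does not require SMB signing (requiresecuritysignature=0)")
    if 1 in _values(hive, r"lanmanworkstation\parameters", "enableplaintextpassword"):
        findings.append("Workstation allows plaintext SMB passwords (enableplaintextpassword=1)")
    for shares in _values(hive, r"lanmanserver\parameters", "NullSessionShares"):
        if shares:
            findings.append("Shares reachable over a null session: " + ", ".join(shares))
    for path, values in hive.items():
        extra = [n for n in values if n != "@"]
        if path.endswith(r"policies\explorer\run") and extra:
            findings.append("Policy-driven autostart entries: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    for item in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("-", item)
```

Run it against the real lsa.txt by passing the file's contents to `parse_reg_export`; the defaults on a Windows 2000 machine will trip the Remote Registry and SMB signing items, so treat them as points to confirm rather than as problems.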

#15
Blender
    Malware Expert
  • 187 posts
  • MVP
Hi

That log looks fine.
Most likely the reason Notepad didn't pop up for you is because some of those registry exports are XP-specific. I forgot to remove the ones that don't apply to your system.

Regarding HJT backups...
You should still have a folder on the desktop called "backups" that was created by Hijackthis when you had it there.
Move "backups" to your C:\HJT folder then see.
Open HJT
Click "view list of backups"
Highlight the O20 - Winlogon Notify: avldr - C:\WINNT\SYSTEM32\avldr.dll
then hit "restore"

You will need to reboot.

Post new hijackthis log please. Let me know if you got errors restoring that line.

As for registry cleaners...I personally don't like them. I have seen many systems wrecked beyond repair because of these tools and refuse to recommend any.
Unless your registry mechanic made a log or a backup you can show me...I have no clue what it may have done.
It may have been all OK fixes. I don't know.

What makes you think you still have registry problems? Are you getting pop-ups from registryfix.com and the like? Pop-ups titled "messenger service"?

To be safe, let's see a startuplist please.

Open Hijackthis
Click "open misc tools section"
Check the following entries beside "generate startuplist log":

"list also minor sections (full)"
"list empty sections (complete)"

Thanks :whistling: