Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Malware Infection?

Started by Formless , Jan 23 2007 11:36 PM

Please log in to reply

#1
Formless

Posted 23 January 2007 - 11:36 PM

New Member

Member
7 posts

I have a Gateway Laptop - Running Windows XP Media Center Edition 2005 SP2 - From the time I got the laptop (about a month ago) the speeds have basically died and I have very little power. it seems that explorer.exe and svchost.exe are taking up massive amounts of memory, but I am very uneducated about what is causing my PC to run so slowly. I ran all of the programs listed in the "must do" post, and its a little better, but its still extremely slow. (ex.- iTunes (or any other media player) skips no matter what - playback is choppy and sounds terrible. Programs take much longer to load than I have ever experienced. Usually once or twice a day I will get a blue screen informing me that Windows shut down because of an error to protect my computer.

Stats:
Gateway Laptop
46.8GB free out of 67.6GB
1 GB RAM

Reports:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:51:28 PM 1/23/2007

+ Scan result:

C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP21\A0013234.dll -> Adware.Altnet : Cleaned with backup (quarantined).
HKU\S-1-5-21-1572723459-330773635-1790224436-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\themexp\NNWDAB638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP11\A0005492.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0007690.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0008702.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0008720.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP23\A0016020.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP23\A0016021.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP23\A0016022.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP5\A0004788.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP8\A0005037.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP8\A0005038.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP8\A0005055.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink.1 -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink\CLSID -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink\CurVer -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\New.net Startup -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-1572723459-330773635-1790224436-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-1572723459-330773635-1790224436-1006\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0008691.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP5\A0004799.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP6\A0004983.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\Program Files\themexp\VVSNInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP11\A0005493.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0008698.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP14\A0008698.exe/ffext.mod/{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0011410.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP8\A0005044.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP20\A0012968.dll -> Adware.Solution : Cleaned with backup (quarantined).
C:\WINDOWS\system32\2s73iN13ls.ini -> Backdoor.Dragonbot.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0011699.exe -> Backdoor.Tagent.e : Cleaned with backup (quarantined).
:mozilla.170:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.173:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.174:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.332:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.199:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.26:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.27:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.28:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.64:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.65:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.66:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.198:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.483:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.241:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.242:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.186:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.117:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.118:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.119:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.120:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.164:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.165:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.166:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.167:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.453:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.329:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.330:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.331:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.204:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.205:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.206:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.207:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.208:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.349:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.350:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.370:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.371:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.372:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.373:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.374:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.100:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.101:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.102:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.103:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.104:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.105:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.98:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.99:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.116:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.482:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.95:C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
HKU\S-1-5-21-1572723459-330773635-1790224436-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : Cleaned with backup (quarantined).

::Report end

-----------------------------------------------------------

SAS LOG:
SUPERAntiSpyware Scan Log
Generated 01/23/2007 at 12:13 PM

Application Version : 3.5.1016

Core Rules Database Version : 3170
Trace Rules Database Version: 1180

Scan type : Complete Scan
Total Scan Time : 02:02:59

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 6823
Registry threats detected : 41
File items scanned : 27126
File threats detected : 6

Trojan.NewDotNet
[New.net Startup] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
HKLM\Software\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\InprocServer32
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\InprocServer32#ThreadingModel
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\ProgID
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\Programmable
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\TypeLib
HKCR\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\VersionIndependentProgID
C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET7_48.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
HKCR\Tldctl2.URLLink
HKCR\Tldctl2.URLLink\CLSID
HKCR\Tldctl2.URLLink\CurVer
HKCR\Tldctl2.URLLink.1
HKCR\Tldctl2.URLLink.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#URLUpdateInfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#VersionMajor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net#VersionMinor
HKU\S-1-5-21-1572723459-330773635-1790224436-1006\Software\New.net
HKLM\Software\New.net
HKLM\Software\New.net#InstalledVersion
HKLM\Software\New.net#InstalledPath
HKLM\Software\New.net#Tag
HKLM\Software\New.net#DiscardTag
HKLM\Software\New.net#FirstTime
HKLM\Software\New.net#Source
HKLM\Software\New.net#Prt
HKLM\Software\New.net#NextUpgradeHi
HKLM\Software\New.net#NextUpgradeLo
HKLM\Software\New.net#UpgradeCounter
HKLM\Software\New.net#Activity
HKLM\Software\New.net#XpiDone
C:\Program Files\NewDotNet
C:\WINDOWS\NDNUNINSTALL7_48.EXE

Trojan.NewDotNet-Installer
C:\PROGRAM FILES\THEMEXP\NNWDAB638.EXE

Adware.WhenU
C:\PROGRAM FILES\THEMEXP\VVSNINST.EXE
------------------------------------------------

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:23:34 AM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.William\My Documents\Burn Sector\EXEs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TB&M=MX6426
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...TB&M=MX6426
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.onlinereg...erial/gwCID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,wbsys.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

---------------------------------------------------

Any Help would be PHENOMENAL! I hat starting my laptop and waiting upwards of 6 minutes to be able to do anything and Waiting a little less than a minute when loading a program is terribly irritating.

Thank you so much
Any additional Information needed I will glady get for anyone who can help.

-William

#2
cfa-ddg2

Posted 24 January 2007 - 03:45 PM

Visiting Staff

Visiting Consultant
963 posts

Hello Formless...welcome to G2G!

I do not see much of significance in your HJT log with regards to malware....It looks like the SAS and AVG cleaned out a lot of stuff.

I do notice however that you have two software Firewalls installed and apparently operational at the same time...there is a firewall in the CA/eTrust security suite and you are also using ZoneLabs' ZoneAlarm firewall. While I cannot say for certain, it has been reported that running two software firewalls can cause system conflicts as they both are doing the same thing and both utilize system resources. Here is a link to the ZoneLabs site:

http://64.233.167.10...lient=firefox-a

Although it is possible to run two different software firewalls on your computer, we do not recommend doing so because it may cause performance problems or conflicts. The risk for potential conflict does not outweigh the benefits.

I would disable or uninstall one of the software firewalls and see if this helps the performance of your system...I'm not sure about being able to disable or uninstall the firewall in the eTrust suite since it's part of a 'package' if you will.

I'd like to see two additional things:

1. Open HijackThis, click Open Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

2. Let's do an online scan:

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Post back with the uninstall list, the Panda Scan results and let me know if correcting the multiple firewall issue helps with your problems...

#3
Formless

Posted 25 January 2007 - 09:11 PM

New Member

Topic Starter
Member
7 posts

Alright - Sorry it took awhile, I've been at a conference.

First, I tried to disable the Zone Labs Product (ZoneAlarm) But I found no access to it anywhere in my computer... I couldn't open the program anywhere to disable it, and found no traces to uninstall it.

Second, The Uninstall Log-
-----------------------
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.9
Advanced System Optimizer 2.01
AIM 6.0
AnyDVD
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
BitTorrent 5.0.5
Broadcom 802.11 Network Adapter
Browser Address Error Redirector
CA eTrust Internet Security Suite
Conexant AC-Link Audio
Google Desktop
gtw_logo
HijackThis 1.99.1
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB914906)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Photosmart and Deskjet 7.0 Software
iTunes
J2SE Runtime Environment 5.0 Update 2
Kodak DIGITAL GEM Airbrush Professional Plug-In 1.0.1
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.1)
MSXML 4.0 SP2 (KB927978)
MyPhoneExplorer
Napster Burn Engine
Nero 7 Ultra Edition
Panda ActiveScan
PowerDVD
QuickTime
RealPlayer Basic
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Soft Data Fax Modem with SmartCP
Sonic Encoders
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Themexp.org File
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB886185
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
---------------------------------

Third, The Panda ActiveScan-
----------------------------------

Incident Status Location

Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.go.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner.William\Application Data\Mozilla\Firefox\Profiles\vjk45hup.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner.William\Cookies\owner@2o7[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner.William\Cookies\owner@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.William\Cookies\owner@doubleclick[1].txt
Potentially unwanted tool:Application/CloseApp Not disinfected C:\WINDOWS\system32\closeapp.exe

----------------------------------

And lastly, I wasn't sure if a startup log list would say anything to you, so i used HJT to gather the following.
Ignore it if it is useless to you, and sorry for wasting the space.
----------------------------------StartupList report, 1/25/2007, 5:12:35 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner.William\My Documents\Burn Sector\EXEs\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.William\My Documents\Burn Sector\EXEs\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner.William\My Documents\Unused\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ehTray = C:\WINDOWS\ehome\ehtray.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Broadcom Wireless Manager UI = C:\WINDOWS\system32\WLTRAY
CaISSDT = "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
QOELOADER = "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
CaAvTray = "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
CAVRID = "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
Zone Labs Client = "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
GrooveMonitor = "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
LClock = C:\Program Files\LClock\LClock.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
updateMgr = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[KB910393] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{407408d4-94ed-4d86-ab69-a7f649d112ee}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,wbsys.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\system32\gtw_logo.scr
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Browser Address Error Redirector - c:\windows\system32\BAE.dll - {CA6319C0-31B7-401E-A518-A07C3DB8F777}
(no name) - C:\Program Files\Advanced System Optimizer\IEHelper.dll - {CF7C3CF0-4B15-11D1-ABED-709549C10000}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Spybot - Search & Destroy - Scheduled Task.job

--------------------------------------------------

Enumerating Download Program Files:

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[compid Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gwCID.dll
CODEBASE = http://www.onlinereg...erial/gwCID.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.ma...ent/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\VetRedir.dll
Protocol #2: C:\WINDOWS\system32\VetRedir.dll
Protocol #3: C:\WINDOWS\system32\VetRedir.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\rsvpsp.dll
Protocol #8: C:\WINDOWS\system32\rsvpsp.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\VetRedir.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: system32\DRIVERS\ABP480N5.SYS (system)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: system32\DRIVERS\ACPIEC.sys (system)
adpu160m: system32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AEGIS Protocol (IEEE 802.1x) v3.2.0.3: system32\DRIVERS\AegisP.sys (autostart)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: system32\DRIVERS\agpCPQ.sys (system)
Aha154x: system32\DRIVERS\aha154x.sys (system)
aic78u2: system32\DRIVERS\aic78u2.sys (system)
aic78xx: system32\DRIVERS\aic78xx.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: system32\DRIVERS\aliide.sys (system)
ALI AGP Bus Filter: system32\DRIVERS\alim1541.sys (system)
AMD AGP Bus Filter Driver: system32\DRIVERS\amdagp.sys (system)
AMD Processor Driver: system32\DRIVERS\AmdK8.sys (system)
amsint: system32\DRIVERS\amsint.sys (system)
AnyDVD: System32\Drivers\AnyDVD.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: system32\DRIVERS\arp1394.sys (manual start)
asc: system32\DRIVERS\asc.sys (system)
asc3350p: system32\DRIVERS\asc3350p.sys (system)
asc3550: system32\DRIVERS\asc3550.sys (system)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
CAISafe: C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe (autostart)
Conexant AMC Audio: system32\drivers\camc6aud.sys (manual start)
CAMCHALA: system32\drivers\camc6hal.sys (manual start)
cbidf: system32\DRIVERS\cbidf2k.sys (system)
cd20xrnt: system32\DRIVERS\cd20xrnt.sys (system)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Microsoft ACPI Control Method Battery Driver: system32\DRIVERS\CmBatt.sys (manual start)
CmdIde: system32\DRIVERS\cmdide.sys (system)
Microsoft Composite Battery Driver: system32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: system32\DRIVERS\cpqarray.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: system32\DRIVERS\dac2w2k.sys (system)
dac960nt: system32\DRIVERS\dac960nt.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
dpti2o: system32\DRIVERS\dpti2o.sys (system)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
Media Center Receiver Service: C:\WINDOWS\eHome\ehRecvr.exe (autostart)
Media Center Scheduler Service: C:\WINDOWS\eHome\ehSched.exe (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
hpn: system32\DRIVERS\hpn.sys (system)
HSFHWATI: system32\DRIVERS\HSFHWATI.sys (manual start)
HSF_DPV: system32\DRIVERS\HSF_DPV.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: system32\DRIVERS\i2omp.sys (system)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
ini910u: system32\DRIVERS\ini910u.sys (system)
IntelIde: system32\DRIVERS\intelide.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Media Center Extender Service: C:\WINDOWS\ehome\mcrdsvc.exe (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
MHN: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MHN driver: system32\DRIVERS\mhndrv.sys (manual start)
Microsoft Office Groove Audit Service: "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe" (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
mraid35x: system32\DRIVERS\mraid35x.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
NBService: C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Microsoft Office Diagnostics Service: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" (manual start)
Texas Instruments OHCI Compliant IEEE 1394 Host Controller: system32\DRIVERS\ohci1394.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Pcmcia: system32\DRIVERS\pcmcia.sys (system)
perc2: system32\DRIVERS\perc2.sys (system)
perc2hib: system32\DRIVERS\perc2hib.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
PrismXL: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (autostart)
Processor Driver: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
ql1080: system32\DRIVERS\ql1080.sys (system)
Ql10wnt: system32\DRIVERS\ql10wnt.sys (system)
ql12160: system32\DRIVERS\ql12160.sys (system)
ql1240: system32\DRIVERS\ql1240.sys (system)
ql1280: system32\DRIVERS\ql1280.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Realtek RTL8185 54M Wireless LAN Network Adapter Driver: system32\DRIVERS\rtl8185.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
sdbus: system32\DRIVERS\sdbus.sys (manual start)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
Sparrow: system32\DRIVERS\sparrow.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{9E3AC8D5-E861-4AB9-8C09-D5CA3A540C50} (manual start)
symc810: system32\DRIVERS\symc810.sys (system)
symc8xx: system32\DRIVERS\symc8xx.sys (system)
sym_hi: system32\DRIVERS\sym_hi.sys (system)
sym_u3: system32\DRIVERS\sym_u3.sys (system)
Synaptics TouchPad Driver: system32\DRIVERS\SynTP.sys (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tifm21: system32\drivers\tifm21.sys (manual start)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
TosIde: system32\DRIVERS\toside.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: system32\DRIVERS\ultra.sys (system)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VET Message Service: C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe (autostart)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): system32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Broadcom Wireless LAN Tray Service: %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\wmpnetwk.exe" (manual start)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller: system32\DRIVERS\yk51x86.sys (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 38,989 bytes
Report generated in 0.438 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
-----------------------------------

#4
cfa-ddg2

Posted 25 January 2007 - 10:28 PM

Visiting Staff

Visiting Consultant
963 posts

Alright - Sorry it took awhile, I've been at a conference.

First, I tried to disable the Zone Labs Product (ZoneAlarm) But I found no access to it anywhere in my computer... I couldn't open the program anywhere to disable it, and found no traces to uninstall it.

Hi formless....

I'm not seeing much in those logs either...other than to note that your Java is out of date. Panda found only some cookies and a 'questionable app' (closeapp.exe)...it may be possible that your problems are not malware related.

I do have some questions about ZoneAlarm though...

Did you install it and try to remove it previously? How did you try to remove it? I have seen where removing ZoneAlarm from the add/remove programs list may not completely remove the program...some components are of it are very clearly still running in your process list and services list in HJT.

The fact that you can find no direct access to the ZoneAlarm program makes me wonder if your version of CA eTrust security suite is one that uses a rebranded version of ZoneAlarms firewall in the eTrust security 'package'.....is this your version of the eTrust security suite, or do you have the manual for the program to see?:

http://72.14.205.104...lient=firefox-a

The reason I am confused is that there are more than one listing for firewalls:

C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe and

The file description for ca.exe is here:

http://72.14.203.104...lient=firefox-a

It makes no mention of ZoneAlarm....

#5
Formless

Posted 26 January 2007 - 12:17 AM

New Member

Topic Starter
Member
7 posts

I think I uninstalled ZoneAlarm a few days after my first startup of the computer because I was using eTrust. I am not 100% sure I did, but I can almost say for certain that I remember removing it using add/remove programs in the control panel.

#6
cfa-ddg2

Posted 26 January 2007 - 07:46 PM

Visiting Staff

Visiting Consultant
963 posts

I think I uninstalled ZoneAlarm a few days after my first startup of the computer because I was using eTrust. I am not 100% sure I did, but I can almost say for certain that I remember removing it using add/remove programs in the control panel.

Hmmm...while I'm not sure it's causing your problems, the incomplete uninstall of ZoneAlarm may be one of your problems. It seems to coincide with your problems time frame, since you removed ZoneAlarm right after getting the computer, and you state the problems have been since the time you got the computer. I really do not see anything malware related in your HJT log.

Here are some links to ZoneAlarm's forums and website (and others) to see if they have a way to get a clean uninstall of ZoneAlarm:

http://forum.zonelab...d?board.id=inst

http://www.nohold.ne...stallNonNT.html

See if these help.

What you are going to do depends on what version of ZoneAlarm you had on your system...do you know which version you had? Is there no ZoneAlarm entries in the system tray or the programs list?

#7
Formless

Posted 26 January 2007 - 11:08 PM

New Member

Topic Starter
Member
7 posts

No mention of ZoneAlarm anywhere anymore - And when I disable eTrust Firewall, the Windows error thing tells me that I have no firewall running (idk if that means anything to you)

My computer had been running quite well for the last two days (and much faster) and I noticed that explorer.exe was down to less than half the average memory it was using prior to running all the apps on this site (from usually 60k to about 19k) and SVChost.exe was majorly down as well (was 6-9 instances of it running - each using 12k to 30k of my memory) to about 3 instances with much less memory usage. In the past 24 hours my computer crashed twice - A blue screen comes up and doesn't stay up long enough for me to read - but the end says something about a "physical memory dump" being completed.

The problems seem to come and go - and are (I do not understand this part) usually worse closer to startup than after the computer has been running for awhile.

#8
cfa-ddg2

Posted 27 January 2007 - 03:44 PM

Visiting Staff

Visiting Consultant
963 posts

Hello Formless...

OK, I've been reviewing all of your logs with a fine tooth comb again (so to speak)...and I came across this line from the start up list:

Zone Labs Client = "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"

I'm thinking now that you do indeed have a version of the eTrust security software that incorporates the ZoneAlarm firewall...since the Zone Labs client refers to the ca.exe file for the eTrust firewall. I think I over called the firewall issue, not realizing that your eTrust security suite utilized the zonealarm product...I would leave that alone.

I do not see anything in your HJT logs that leads me to believe that your problems are malware related...whatever SAS and AVG found it cleaned, and it was mostly adware and cookies. The Panda scan was similiarly unimpressive and as I said before, the HJT log is OK.

It would help tremendously if you could get the error message from the BSOD (blue screen of death)..it might give us more information as to what conflicts are occurring on your system. G2G has an excellent Windows tech help forum found here: http://www.geekstogo...2003_NT-f5.html

They may be able to help with your system problems since they do not appear to be malware related.

There are two things you should do that are minor:

1. Boot into safe mode, and remove the following using add or remove programs:

ThemeXP.org file

Reboot back into normal mode.

2. Update Java and Remove old Java Versions

Download the latest version of Java Runtime Environment (JRE) 6 .<== scroll down the list to find THIS entry
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Remove older Java Versions:

Close any programs you may have running - especially your web browser.
Go to Start >> Control Panel double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.

Install latest Java Version:

From your desktop, double-click on jre-6-windows-i586.exe to install the newest version.

Let me know if I can help you further...

#9
Formless

Posted 27 January 2007 - 06:40 PM

New Member

Topic Starter
Member
7 posts

I have tried to remove ThemeXP in many ways. Add/Remove Programs tells me that it is unable to locate the uninstall file and asks me if I would like to remove ThemeXP.org File from the list.

I have tried to manually run the uninstall and when I do so a window appears to look for another file - and I do not know what it is asking me to do as the application provides no instructions. I am sure I have uninstalled it from add/remove programs before, but I do not know how to remove the remaining traces.

----------------

Updating Java as soon as I finish this message.

----------------

I really appreciate all of your help - I will try and get what the 'BSOD' says and get it either here of in the Windows Help forums you mentioned.

#10
cfa-ddg2

Posted 27 January 2007 - 08:31 PM

Visiting Staff

Visiting Consultant
963 posts

No problem.... :whistling:

The ThemeXP probably brought along the New.Net that SAS and AVG removed earlier....it's been documented.

Anyway, the ThemeXp uninstaller may be gone after the anti-spyware scans, and it in an of itself is probably not a bother...it was the bundled software like new.net and gator that often came with it that was the problem with ThemeXP.

Let me or the Windows tech forum know the info from the BSOD if you can get it and we'll see if we can help.

Good luck...