
Smithfraud infection



#1 Krava (New Member, 9 posts)

My computer got infected by some trojans and spyware, so I followed all the steps this forum recommends.
1. I deleted temporary files with CleanUp!
2. I installed and ran Ad-aware SE, CWShredder, Spybot S&D.
3. I installed and ran Ewido Security Suite and did the Trend Housecall online scan.

After the first scan, which cleaned up some things, the following Ewido scan and online scan showed nothing, but I still have the desktop wallpaper warning me (YOU'RE IN DANGER...) and an icon in the taskbar warning me my computer is infected.

I also ran HijackThis and, following some other posts, cleaned some lines, but the desktop problem persists. Since I'm stuck now and don't know what else to do, please help me.

Here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:53, on 23.5.2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
C:\WINNT\System32\NA_Service.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\NA_XWAY.exe
C:\WINNT\System32\OpcEnum.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svcquery.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\sm56hlpr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Siemens\Common\S7ubtoox\s7ubtstx.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\System32\winnook.exe
C:\WINNT\System32\internat.exe
C:\Program Files\BugCD Pretrazivac\BugCD Pretrazivac.exe
C:\Siemens\Common\Sqlany\dbsrv50.exe
C:\Siemens\Common\Sqlany\dbclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iskon.hr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [S7UB Start] "C:\Siemens\Common\S7ubtoox\s7ubtstx.exe" -StartDB
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BugCD Pretrazivac] C:\Program Files\BugCD Pretrazivac\BugCD Pretrazivac.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: NetAccess Service (NA_Service) - Schneider Automation - C:\WINNT\System32\NA_Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINNT\System32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: Windows Managment Browser (svcquery) - Unknown owner - C:\WINNT\System32\svcquery.exe


#2 Wizard (Retired Staff, 5,661 posts)

Howdy Krava and Welcome to the Geeks to Go Help Forums!

Before running through the Steps below, please get a file scanned for me!

C:\WINNT\System32\winnook.exe

Scan it Here

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\System32\svcquery.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\WINNT\System32\Log Files
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Click Start>>Click Run>>Type in Services.msc and Click OK!

Scroll the list for either of these

"Windows Managment Browser" (Don't confuse with Windows Management Instrumentation)
or
svcquery

Right-Click and select Properties!

Click the Stop Button and Change the StartUp Type to Disabled!
Click Apply and OK!

Please clarify in the next post which Service Name you found!

Click Start>>Click Run>>Copy&Paste the Bold Text below into the Open Run Box and Click OK!

sc delete Windows Managment Browser

and

sc delete svcquery

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

#3 Krava (New Member, Topic Starter, 9 posts)

Hi and sorry for not replying sooner, but I have been out of town.
I have followed your instructions and Kaspersky has found some viruses (also winnook.exe was infected).

I have found the Windows Managment Browser and disabled it, but when I entered sc delete Windows Managment Browser in the Open Run Box, I got the following message: Cannot find the file 'sc' (or one of its components). Make sure the path and filename are correct and that all required libraries are available.
Same thing happened with sc delete svcquery.

Also, when I tried to restore original hosts with the Hoster program I got the message: File access denied.

And finally, Panda ActiveScan doesn't seem to work for me. It just freezes when I start the scan.

So, here is my latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:01:00, on 27.5.2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
C:\WINNT\System32\NA_Service.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\NA_XWAY.exe
C:\WINNT\System32\OpcEnum.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\sm56hlpr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Siemens\Common\S7ubtoox\s7ubtstx.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\System32\internat.exe
C:\Program Files\BugCD Pretrazivac\BugCD Pretrazivac.exe
C:\Siemens\Common\Sqlany\dbsrv50.exe
C:\Siemens\Common\Sqlany\dbclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iskon.hr/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [S7UB Start] "C:\Siemens\Common\S7ubtoox\s7ubtstx.exe" -StartDB
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [BugCD Pretrazivac] C:\Program Files\BugCD Pretrazivac\BugCD Pretrazivac.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NetAccess Service (NA_Service) - Schneider Automation - C:\WINNT\System32\NA_Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINNT\System32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE


My desktop is still not restored (it's flashing grey and white background).
Thanks for the help and hope to hear from you soon.
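
A way to verify a cleanup like this one is to diff the "before" and "after" HijackThis logs instead of comparing them by eye. The following is an added example, not part of any post in this thread and not a HijackThis feature; the sample logs are excerpts trimmed from the two logs posted above, and the function names are hypothetical.

```python
import re

# Excerpts trimmed from the two HijackThis logs posted in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svcquery.exe
C:\WINNT\System32\winnook.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINNT\System32\winnook.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Windows Managment Browser (svcquery) - Unknown owner - C:\WINNT\System32\svcquery.exe
"""
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""
# A few of the file paths from the Killbox list in post #2.
TARGETS = [r"C:\WINNT\popuper.exe", r"C:\WINNT\System32\intmon.exe",
           r"C:\WINNT\System32\svcquery.exe"]

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")  # R0, O4, O23, ...


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and typed entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False          # the entry list follows the process list
            entries.append(line)
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def diff_logs(before, after):
    """Report what disappeared and what appeared between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    out = {}
    for field in ("processes", "entries"):
        # Windows paths are case-insensitive, so compare on lowercase keys.
        old = {x.lower(): x for x in b[field]}
        new = {x.lower(): x for x in a[field]}
        out[field + "_removed"] = sorted(old[k] for k in old.keys() - new.keys())
        out[field + "_added"] = sorted(new[k] for k in new.keys() - old.keys())
    return out


def unknown_owner_services(text):
    """O23 services whose owner field reads 'Unknown owner'.

    This is a prompt to look closer, not a verdict: in the thread's logs
    dnWhoDisp carries the same label before and after the cleanup.
    """
    hits = []
    for entry in parse_hjt(text)["entries"]:
        if entry.startswith("O23 - Service: "):
            name, owner, path = entry[len("O23 - Service: "):].rsplit(" - ", 2)
            if owner == "Unknown owner":
                hits.append((name, path))
    return hits


def residual_targets(text, targets):
    """Removal targets that still show up anywhere in a log."""
    log = parse_hjt(text)
    haystack = "\n".join(log["processes"] + log["entries"]).lower()
    return [t for t in targets if t.lower() in haystack]


if __name__ == "__main__":
    for key, items in diff_logs(BEFORE, AFTER).items():
        print(key, *items, sep="\n  ")
    print("still present:", residual_targets(AFTER, TARGETS))
```

An empty "still present" list only shows that the listed files no longer appear as a process, startup entry or service in the log; it does not prove the files are gone from disk.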

#4 Wizard (Retired Staff, 5,661 posts)

OK.....Open HijackThis and Click Config>>Misc Tools>>Delete an NT Service

Copy&Paste Windows Managment Browser into the open box and click OK!

While you are under Misc Tools>>Click Open Hosts File Manager>Click Open in Notepad>Copy&Paste the entire Contents of that Notepad Page to your Next Post!


OK, I need you to download and run Silent Runners:
http://www.silentrun...ent Runners.zip

Unzip it and select Extract all files!

Run the SilentRunners.vbs file.

If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

It will start scanning the System, be patient, be certain it is complete before copying the contents of the scan!

Once Completed, it will produce a Notepad page, I need you to Copy&Paste those results into your next post!

#5 Krava (New Member, Topic Starter, 9 posts)

Ok, first to say, I managed to restore my desktop.
I deleted the Windows Managment Browser as you instructed.

Here is the Host File from notepad:
127.0.0.1 localhost


Here is also the log from the Silent Runners:

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"Steam" = "C:\Program Files\Steam\Steam.exe -silent" [file not found]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" ["Analog Devices, Inc."]
"DrvListnr" = "C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NeroCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"Pop-Up Stopper" = ""C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"" ["Panicware, Inc."]
"S7UB Start" = ""C:\Siemens\Common\S7ubtoox\s7ubtstx.exe" -StartDB" ["SIEMENS AG"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"KAVPersonal50" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize" ["Kaspersky Lab"]
"VirtualCOM" = "C:\Program Files\M2M\V COM\vsp.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\wincmd\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\wincmd\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\wincmd\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll" ["Corel Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{84c04ec0-2dd3-11d1-abd2-0020af3ebad8}" = "PanelBuilder Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Allen-Bradley\PanelBuilder32\pb32shx.dll" ["Allen-Bradley Company, LLC."]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Milan\My Documents\My Pictures\Andjelina1.jpg"


Startup items in "Milan" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Milan\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Harmony, Harmony, "C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE" ["Rockwell Software Inc."]
kavsvc, kavsvc, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"" ["Kaspersky Lab"]
NetAccess Service, NA_Service, "C:\WINNT\System32\NA_Service.exe" ["Schneider Automation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
OpcEnum, OpcEnum, "C:\WINNT\System32\OpcEnum.exe" ["OPC Foundation"]
RSLinx, RSLinx, "C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE /SERVICE" ["Rockwell Software, Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#6 Wizard (Retired Staff, 5,661 posts)

All those look fine to me!!!

Open Internet Explorer and Click tools>>>If you see Reset Web Settings click that and allow it to restore the default settings, you will have to reset your Homepage!

If that option is available, after you click it, the Panda Scan should work!

If that option is unavailable, Open IE and Click tools>>Click Internet Options>>Security>>Click Custom Level and Run the slider to the lowest selection available!

Try the Panda Scan and it should work now!

As soon as you have downloaded the ActiveX content and started the Scan, go back to IE and under the security tab>Click Default!

Here is a good page for IE Security settings
http://www.microsoft...rity/setup.mspx

Post back and let me know how it goes!!!