
poka poka, elite toolbar and more? [CLOSED]


#1 shanpan (Member, 21 posts)

Here is a copy of the Hijack This log.

I have followed the steps given and removed what I could. Most of the time my computer would crash during a scan, and I was not able to finish all of them successfully although I have been working on this faithfully for over a week.

Logfile of HijackThis v1.99.1
Scan saved at 6:51:01 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [OpwareSE2] "D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\canada.exe -N
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\\\etb\\pokapoka73.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\\\etb\\pokapoka75.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\myptC03.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\myptC03.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {4B6E165B-1085-4550-A4E4-7C6D874AD96B} - http://www.topmoxie....nts/mypt800.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)



I hope that someone can help.





A bit of additional information . . .

I had read several of the other forums regarding poka poka.

Part of the fix process was to download and run LQfix.

I tried this unsuccessfully. When I ran the program I received the following message:

LQfirst.bfu and/or LQsecond.bfu NOT PRESENT Please post to forum.

. . . . . . .

#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

You have to download LQfix to your desktop, and don't click 'open' on the link, because it won't work then.

If you still get the same message that the scripts are missing, go to your C:\Windows folder and search for the LQfix folder.
Then download the following scripts (right-click the link and choose Save):

http://users.telenet...ols/LQfirst.bfu
http://users.telenet...ls/LQsecond.bfu

Place LQfirst.bfu and LQsecond.bfu in your C:\Windows\LQfix folder!
Then open that folder again, C:\Windows\LQfix; the following must be present:

LQfirst.bfu
LQsecond.bfu
BFU.exe
ClickThis.bat


If the above four are present, please double-click ClickThis.bat.
If some of the above are missing, please post in your next reply what is missing.

Also, you already started another thread with this log and John L replied there. Why did you start a new thread then?

Edited by miekiemoes, 16 October 2005 - 07:35 AM.


#3 shanpan (Topic Starter, 21 posts)

Hello,

Thanks for your response. I'm sorry about the double posting -- I read that as starting a new topic for some reason.

I've managed to get LQ Fix installed properly now and have run it.

Here is the new Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:49:13 PM, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [OpwareSE2] "D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\canada.exe -N
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\myptC03.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\myptC03.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {4B6E165B-1085-4550-A4E4-7C6D874AD96B} - http://www.topmoxie....nts/mypt800.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)


#4 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.971searchbox.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.971searchbox.com/sp2.php
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\canada.exe -N
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\myptC03.htm (file missing) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {4B6E165B-1085-4550-A4E4-7C6D874AD96B} - http://www.topmoxie....nts/mypt800.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete the following file if it is still present:

C:\WINDOWS\system32\canada.exe

Then, open the C:\Windows\LQfix folder and double-click BFU.exe.
Next to the 'scriptfile to execute' window you'll see a little icon, as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/derbiz.bfu

Click Ok
Then click execute in Brute Force Uninstaller.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

REBOOT

Post back to this topic using the add reply button with a fresh HijackThis log.

Edited by miekiemoes, 18 October 2005 - 05:07 AM.
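The entries the expert picks out above follow a pattern a triage script can apply to the HijackThis entry format: search/start pages pointing at an unexpected host, Run entries with malformed paths or names known from this infection, orphaned "(file missing)" entries, and ActiveX downloads from unfamiliar hosts. The script below is an added example, not a tool from this thread or from HijackThis; the trusted-host allowlist and the unwanted-name list (taken from the entries the expert flagged in this thread) are assumptions an analyst would maintain.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Analyst-supplied allowlist (assumption for this example): hosts accepted for
# R0/R1 start/search pages and for O16 ActiveX (DPF) downloads.
TRUSTED_HOSTS = {"www.google.ca"}
# Executable names the thread's expert identified as unwanted (poka poka / EliteBar).
KNOWN_BAD_PREFIXES = ("canada.exe", "pokapoka")
# Subfolders under C:\WINDOWS where autostart executables normally live.
WINDIR_SUBDIRS_OK = {"system32", "system"}

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r".*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif|dll))"?(?:\s|$)', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def host_of(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def exe_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or not."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ")[0]


def check_browser(body: str) -> list[str]:
    """R0/R1: flag start/search settings that point outside the allowlist."""
    if " = " not in body:
        return []
    setting, url = body.split(" = ", 1)
    host = host_of(url)
    if host and host not in TRUSTED_HOSTS:
        return [f"{setting.rsplit(',', 1)[-1]} points to untrusted host {host}"]
    return []


def check_run(body: str) -> list[str]:
    """O4: flag malformed paths, known unwanted names, odd folders under C:\\WINDOWS."""
    m = RUN_RE.match(body)
    if not m:
        return []
    raw = exe_path(m.group("cmd"))
    reasons = []
    if "\\\\" in raw:
        reasons.append("doubled backslashes in path (as in the pokapoka entries)")
    path = re.sub(r"\\+", lambda _: "\\", raw)  # collapse runs of separators
    parts = path.split("\\")
    base = parts[-1].lower()
    if base.startswith(KNOWN_BAD_PREFIXES):
        reasons.append(f"known unwanted executable name {base}")
    if len(parts) >= 4 and parts[1].lower() == "windows" and parts[2].lower() not in WINDIR_SUBDIRS_OK:
        reasons.append(f"executable in non-standard Windows subfolder {parts[2]}")
    return reasons


def check_dpf(body: str) -> list[str]:
    """O16: flag ActiveX downloads whose host is not on the allowlist."""
    host = host_of(body.rsplit(" - ", 1)[-1])
    if host and host not in TRUSTED_HOSTS:
        return [f"ActiveX download from untrusted host {host}"]
    return []


CHECKS = {"R0": check_browser, "R1": check_browser, "O4": check_run, "O16": check_dpf}


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines and the running-process list carry no section code
        sec, body = m.group("sec"), m.group("body")
        reasons = list(CHECKS.get(sec, lambda b: [])(body))
        if "(file missing)" in body:
            reasons.append("orphaned entry: referenced file is missing")
        findings.extend(Finding(sec, r, line.strip()) for r in reasons)
    return findings


# Constructed sample: a subset of the entries quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.971searchbox.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\system32\canada.exe -N
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\\\etb\\pokapoka73.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\myptC03.htm (file missing) (HKCU)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The flagged lines match the ones the expert told the poster to fix; the legitimate AVG, RealPlayer and Google entries pass untouched.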


#5 shanpan (Topic Starter, 21 posts)

Logfile of HijackThis v1.99.1
Scan saved at 9:26:03 PM, on 19/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [QuickFinder Scheduler] "D:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [OpwareSE2] "D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\myptC03.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

I see a clean log! How are things running now?

#7 shanpan (Topic Starter, 21 posts)

Hi,

Unfortunately the computer is still crashing -- "the system has recovered from a serious error".

Is there anything else that I can try now that the virus is gone?

I am most grateful for your help!

Shannon

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hello,

I rather think this is hardware-related. Did you install new drivers recently or update any drivers?

Anyway, I want to be sure there isn't anything malware-related still present that can cause this, so I want you to perform two scans...

* Please download ewido:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"):

* Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido.

* Perform an online scan with Kaspersky Online Scanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

Scan using the following Anti-Virus database: Standard

Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text" button:
Save the scan log and post it along with the log from ewido.

#9 shanpan (Topic Starter, 21 posts)


Hello!

I finally got through the Ewido scan, but have not been able to run the Kaspersky. With Ewido, the computer crashed the first three times, but then was able to run the scan on the fourth (it took just under four hours). With Kaspersky, the computer has crashed each of the ten times that I have tried to run it.

Here is the Ewido log. Please advise . . .

I also have removed any unnecessary software (children's programs etc.) to see if one of them had a driver that was causing the crashing. I wasn't able to remove some of them -- Arc Soft Photo Studio, Canon CanoScan Toolbox, Manual CanoScan 4200F, Omni Page SE, One Sick Puppy, and Shrek Icon Library.

The computer will also turn itself on randomly after it has been shut down . . .


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:18:59 PM, 22/10/2005
+ Report-Checksum: 512DF48D

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0026AD90-C86F-4269-97F3-DAB4897C6D06} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0199DF25-9820-4BD5-9FEE-5A765AB4371E} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-DCF7-F96DA086B434} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{556DDE35-E955-11D0-A707-000000521958} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D60FF48-95BE-4956-B4C6-6BB168A70310} -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{82315A18-6CFB-44A7-BDFD-90E36537C252} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9DBAFCCF-592F-FFFF-FFFF-00608CEC297B} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-1844237615-746137067-1957994488-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41} -> Spyware.SearchMiracle : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K9F03ZY2\silent_setup[1].exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\system32\P2P Networking -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL102.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking100.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL103.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking101.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL104.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking102.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL105.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking103.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL106.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking104.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL107.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking105.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL108.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking106.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL109.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking107.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\MARSHAL110.DLL -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking108.ENG -> Spyware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\P2P Networking113.ENG -> Spyware.P2PNetworking : Cleaned with backup
::Report End

#10
miekiemoes (Malware Expert, MVP)

Hi,

I assume things are still crashing?

I see some leftovers from Norton/Symantec in a previous HijackThis log. Are there any entries for Norton/Symantec present in Add/Remove Programs? If so, uninstall it.

Also, an antivirus can cause these crashes as well if not properly installed, so as a test, can you also uninstall AVG? Reboot and see if your system is still crashing.
We can reinstall it afterwards if AVG is not the cause.

Let me know. We'll find the cause. :tazz:

#11
shanpan (Topic Starter)

I have removed AVG, and there were no Norton or Symantec entries in add/delete programs.

I've tried four times to run the Kaspersky scan still without success -- the computer is still crashing.

#12
miekiemoes (Malware Expert, MVP)

Ok, reinstall AVG again.

Can you tell me exactly WHEN it is crashing? Is it when you open a certain program? Is your computer just freezing? Do you get an error? If so, what error do you exactly get?

Also do the following:

Download winpfind

Reboot in SAFE MODE!! Important!!
To get into Safe Mode, press and hold your "F8" key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Double-click winpfind.exe.
Click Start Scan.
It will scan for a while, so please be patient.
Let it finish the job.

Reboot back to normal mode.

Post the contents of winpfind.txt, which is in the winpfind folder, in your next reply.

#13
shanpan (Topic Starter)

:tazz: Sorry to be out of touch -- I've been away!

I've reinstalled AVG.

Here are the new scan results:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 21/12/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe
UPX! 09/10/2005 1:16:18 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 09/10/2005 1:16:18 PM 1044560 C:\WINDOWS\vsapi32.dll
UPX! 09/10/2005 1:16:20 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 09/10/2005 1:16:10 PM 16034367 C:\WINDOWS\VPTNFILE.881
qoologic 09/10/2005 1:16:10 PM 16034367 C:\WINDOWS\VPTNFILE.881
SAHAgent 09/10/2005 1:16:10 PM 16034367 C:\WINDOWS\VPTNFILE.881
PECompact2 09/10/2005 1:16:10 PM 16034367 C:\WINDOWS\LPT$VPN.881
qoologic 09/10/2005 1:16:10 PM 16034367 C:\WINDOWS\LPT$VPN.881
SAHAgent 09/10/2005 1:16:10 PM 16034367 C:\WINDOWS\LPT$VPN.881
UPX! 03/05/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll

Checking %System% folder...
PEC2 31/03/2003 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 04/08/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\RASDLG.dll
winsync 31/03/2003 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack 04/08/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 03/11/1998 1:01:02 AM 324096 C:\WINDOWS\SYSTEM32\ipebase11.dll
PECompact2 04/10/2005 8:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/10/2005 8:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe

Checking %System%\Drivers folder and sub-folders...
PTech 03/08/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
UPX! 05/11/2005 5:41:00 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 05/11/2005 5:41:00 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 05/11/2005 5:41:00 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 05/11/2005 5:41:00 PM 726592 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
05/11/2005 5:50:44 PM S 2048 C:\WINDOWS\bootstat.dat
05/11/2005 5:49:50 PM H 868352 C:\WINDOWS\system32\config\system.LOG
05/11/2005 5:49:50 PM H 73728 C:\WINDOWS\system32\config\software.LOG
05/11/2005 5:49:50 PM H 8192 C:\WINDOWS\system32\config\default.LOG
05/11/2005 5:50:56 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
05/11/2005 5:50:44 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
16/10/2005 11:44:40 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
02/10/2005 10:05:22 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0DQ341IF\desktop.ini
02/10/2005 10:05:24 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K9F03ZY2\desktop.ini
02/10/2005 10:05:24 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HCYAPZZ\desktop.ini
02/10/2005 10:05:24 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W9QFC1IB\desktop.ini
22/09/2005 6:46:36 PM S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
22/09/2005 6:46:36 PM S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
22/09/2005 6:46:36 PM S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
22/09/2005 6:46:36 PM S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
01/10/2005 1:54:46 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
01/10/2005 1:54:46 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2ad0370b-7e2b-4dc8-9df0-bf5b59d1f5d0
04/10/2005 7:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
28/09/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
09/09/2005 7:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
01/10/2005 2:02:08 PM H 0 C:\WINDOWS\inf\oem40.inf
05/11/2005 5:49:44 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04/08/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
11/11/1999 9:11:00 PM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 31/03/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 31/03/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 31/03/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Apple Computer, Inc. 20/06/2001 4:34:36 PM 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Hewlett-Packard 26/01/1999 12:06:28 AM 25524 C:\WINDOWS\SYSTEM32\hpsctrlc.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 31/03/2003 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 31/03/2003 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 31/03/2003 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
06/02/2004 5:39:48 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
05/02/2004 2:38:52 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
06/02/2004 5:39:46 PM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
05/02/2004 2:38:48 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
22/04/2004 6:38:02 PM 12358 C:\Documents and Settings\Owner\Application Data\PFP100JCM.{PB
22/04/2004 6:38:02 PM 61678 C:\Documents and Settings\Owner\Application Data\PFP100JPR.{PB

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
acc=none =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0003-C0E1-C0E1C0E1C0E1} = D:\Program Files\Corel\WordPerfect Office 2002\PROGRAMS\PFSE100.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickFinder Scheduler "D:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
MULTIMEDIA KEYBOARD C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
REGSHAVE C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
hplampc C:\WINDOWS\system32\hplampc.exe
OpwareSE2 "D:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
RegistryMechanic
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key &DksZi*
Hint jaid
FileName0 C:\WINDOWS\System32\RSACi.rat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 0
PleaseMom 1
Enabled 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
l 0
n 0
s 0
v 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 05/11/2005 6:02:45 PM

#14
miekiemoes
    Malware Expert
  • Member
  • 5,503 posts
  • MVP
Hi, you forgot to answer my question:

Can you tell me exactly WHEN it is crashing? Is it when you open a certain program? Is your computer just freezing? Do you get an error? If so, what error do you exactly get?


I can't see anything suspicious though, only a small regfix we need to perform.

Open notepad and copy and paste the next bold text in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"acc=none"=-


Save this as fix.reg, choose to save as *all files, and place it on your desktop.
This is how the regfix must look afterwards: Posted Image
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
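As an added illustration (not from the post above), here is the same check and removal done in PowerShell instead of by merging a .reg file: it lists every value under the Post Platform key, which is where extra tokens appended to Internet Explorer's User-Agent string are stored, and removes the one named in the regfix. The key path and the value name "acc=none" are taken from the post; the function names and the rest of the script are my own.

```powershell
# Added example: inspect and clean the IE "Post Platform" key with PowerShell.
# In the .reg file from the post, the line  "acc=none"=-  tells Regedit to
# delete the value named acc=none (a trailing "-" in REGEDIT4 syntax means
# "delete this value"). Run from an elevated session, since the key is under HKLM.

$PostPlatform = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
$Unwanted     = 'acc=none'   # value name taken from the regfix in the post

function Get-PostPlatformTokens {
    # Every value name under this key gets appended to IE's User-Agent
    # string, so unfamiliar names here are worth a second look.
    if (-not (Test-Path -LiteralPath $PostPlatform)) { return @() }
    $key = Get-Item -LiteralPath $PostPlatform
    return @($key.GetValueNames())
}

function Remove-PostPlatformToken {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)

    if (-not (Get-PostPlatformTokens | Where-Object { $_ -eq $Name })) {
        Write-Host "Value '$Name' not present; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess("$PostPlatform\$Name", 'Remove-ItemProperty')) {
        Remove-ItemProperty -LiteralPath $PostPlatform -Name $Name
    }
}

Write-Host 'Post Platform tokens before:'
Get-PostPlatformTokens | ForEach-Object { Write-Host "  $_" }

# Dry run first (-WhatIf shows what would be removed), then the real removal.
Remove-PostPlatformToken -Name $Unwanted -WhatIf
Remove-PostPlatformToken -Name $Unwanted

Write-Host 'Post Platform tokens after:'
Get-PostPlatformTokens | ForEach-Object { Write-Host "  $_" }
```

Comparing the before and after listings is the same check as opening Regedit after merging fix.reg; any other unexpected names in the listing are worth reporting in the thread before removing them.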

#15
shanpan
    Member
  • Topic Starter
  • Member
  • 21 posts
Hi,

I realized earlier today that I hadn't answered your question -- sorry!

The computer crashes frequently when we use the internet. Also when trying to do scans and when defragmenting.

The computer will also be completely shut down, and the next thing you know it has turned itself back on and is running again . . .