Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HELP! problem overload!


  • Please log in to reply

#1
shol087

shol087

    Member

  • Member
  • PipPip
  • 12 posts
help! ive tried a number of things and i dont quite know how to get rid of this problem! were on a broadband connection and the winfixer virus etc just keeps coming back. any help would be greatly appreciated :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 1:45:57 p.m., on 27/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\dbas.dll
O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\hnslnewj.dll (file missing)
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\nvhlytn.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127018120013
O20 - Winlogon Notify: dbas - C:\WINDOWS\Help\Tours\dbas.dll
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi shol087 and Welcome to GeekstoGo!

Please temporily disable TeaTimer in Spybot S&D as it may prevent part of this fix:
Open Spybot and click on Mode, check Advanced Mode:
Check yes to next window.
Click on Tools in bottom left hand corner:
Click on Resident. Uncheck Resident "TeaTimer" box.
Close Spybot. Reboot your computer.


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Help\Tours\dbas.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\Help\Tours\sabd.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\dbas.dll

    O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\hnslnewj.dll (file missing)

    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\nvhlytn.exe

    O20 - Winlogon Notify: dbas - C:\WINDOWS\Help\Tours\dbas.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.


Make sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp

Locate and Delete

C:\WINDOWS\System32\nvhlytn.exe<-- File


Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#3
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
hey thank you so much for the help- but spybot has actually been uninstalled on this computer... should i go about the rest of the fix or shall i reinstall it and then disable the above function?
  • 0

#4
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ok so i just went ahead and did it- hope thats ok- looks pretty good though.

ActiveScan results:

Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0

Logfile of HijackThis v1.99.1
Scan saved at 12:23:27 p.m., on 29/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\dbas.dll (file missing)
O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\hnslnewj.dll (file missing)
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\nvhlytn.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127018120013
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: dbas - C:\WINDOWS\Help\Tours\dbas.dll (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\Help\Tours\dbas.dll

The second filepath entered was C:\WINDOWS\Help\Tours\sabd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 128 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 200 'winlogon.exe'
Killing PID 200 'winlogon.exe'
Error 0x5 : Access is denied.
--------------------------------------------------------------------------------------

C:\WINDOWS\Help\Tours\dbas.dll Deleted sucessfully.
C:\WINDOWS\Help\Tours\sabd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
  • 0

#5
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ok this is amazing. i havnt had any pop ups and i usually would by now and all the problems wed been having with this computer which our computer guy whod been in twice and couldnt figure out- are gone. you guys are amazing! im a poor student so i dont know if ill be able to give much- but i seriously need to give you something for this... i'll paypal something for you if this is still sweet in a few days for sure! now one final question... how did we get this virus? what can we do to prevent any reocuurance?
  • 0

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Dont you bother yourself for a second with PayPal,Im not worried about nor do I want you to be,NOT WHY I DO THIS!

You still have an entry in HijackThis that concerns me!

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\nvhlytn.exe

By chance did you find and delete that file?

Lets look a bit deeper and then we will clean up the HijackThis log and go from there!


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Post the results of the WinPFind log and Ill have a look!

Tell the PC guy not to fret none!

Vundo injects itself into the Winlogon and Explorer process and unless you are real nifty with the Recovery Console and DOS commands,basically you are Whizzing in the Wind so to speak!

I am gald to hear that the PC has returned to a more User Friendly State!
  • 0

#7
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
yea actually i couldnt find that file to delete even when i followed your instructions about revealing hidden files. there was a nvhltyn.dat which i deleted instead :tazz:

heres the result of the winPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts


Checking %System% folder...
PEC2 5/08/2004 1:00:00 a.m. 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 29/08/2005 2:27:12 p.m. 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 5/10/2005 3:09:08 p.m. 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/10/2005 3:09:08 p.m. 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/08/2004 1:00:00 a.m. 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 5/08/2004 1:00:00 a.m. 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 11/11/2004 8:53:40 a.m. 245760 C:\WINDOWS\SYSTEM32\RXBarsetupV2.dll
UPX! 26/03/2004 5:52:04 p.m. 50688 C:\WINDOWS\SYSTEM32\SHAgentNew.dll
winsync 5/08/2004 1:00:00 a.m. 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
29/10/2005 5:23:14 p.m. S 2048 C:\WINDOWS\bootstat.dat
28/10/2005 6:32:38 p.m. H 54156 C:\WINDOWS\QTFont.qfn
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\WindowsShell.Manifest
18/09/2005 4:21:04 p.m. H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
20/10/2005 3:08:32 p.m. H 59556 C:\WINDOWS\Downloaded Program Files\Doremi.ttf
18/09/2005 4:21:38 p.m. HS 67 C:\WINDOWS\Fonts\desktop.ini
1/10/2005 10:18:58 a.m. HS 200192 C:\WINDOWS\Help\Tours\htmlTour\Thumbs.db
18/09/2005 5:39:16 p.m. H 0 C:\WINDOWS\inf\oem12.inf
18/09/2005 4:21:04 p.m. H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
18/09/2005 4:22:22 p.m. H 442368 C:\WINDOWS\repair\ntuser.dat
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
18/09/2005 4:21:04 p.m. RH 488 C:\WINDOWS\system32\logonui.exe.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
18/09/2005 4:21:04 p.m. RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
5/10/2005 2:17:40 p.m. S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
28/09/2005 11:53:30 a.m. S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/09/2005 7:15:08 p.m. S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
29/10/2005 5:23:06 p.m. H 8192 C:\WINDOWS\system32\config\default.LOG
19/09/2005 4:08:04 a.m. H 0 C:\WINDOWS\system32\config\default.tmp.LOG
29/10/2005 5:24:10 p.m. H 1024 C:\WINDOWS\system32\config\SAM.LOG
29/10/2005 5:23:16 p.m. H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
29/10/2005 5:23:40 p.m. H 81920 C:\WINDOWS\system32\config\software.LOG
19/09/2005 4:08:02 a.m. H 0 C:\WINDOWS\system32\config\software.tmp.LOG
29/10/2005 5:23:16 p.m. H 884736 C:\WINDOWS\system32\config\system.LOG
19/09/2005 4:07:30 a.m. H 0 C:\WINDOWS\system32\config\system.tmp.LOG
19/09/2005 4:07:24 a.m. H 1024 C:\WINDOWS\system32\config\TempKey.LOG
19/09/2005 4:08:04 a.m. H 1024 C:\WINDOWS\system32\config\userdiff.LOG
18/09/2005 4:22:22 p.m. H 1024 C:\WINDOWS\system32\config\userdifr.LOG
16/10/2005 7:23:34 p.m. H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
25/09/2005 6:49:26 p.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
25/09/2005 6:49:26 p.m. S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
18/09/2005 5:58:48 p.m. HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\4f07b594-fafc-40ac-9fca-cd7bc73a030f
18/09/2005 5:58:48 p.m. HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
22/10/2005 12:34:06 p.m. HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e58b6752-03d0-4ac5-a2b0-eac40ab9326f
22/10/2005 12:34:06 p.m. HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
29/10/2005 5:22:16 p.m. H 6 C:\WINDOWS\Tasks\SA.DAT
29/10/2005 2:50:28 p.m. H 0 C:\WINDOWS\Temp\TempFolder.aaa\Macromedia.lok

Checking for CPL files...
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 19/08/2003 5:23:34 p.m. 61547 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 18/12/2001 9:04:20 p.m. 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 5:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 5:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
25/10/2005 1:12:36 p.m. 899 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
18/09/2005 4:22:18 p.m. HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/11/2003 1:10:38 p.m. 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
2/11/2003 1:08:26 p.m. 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
18/09/2005 4:10:08 p.m. HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
2/11/2003 1:10:32 p.m. 209 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
28/10/2003 4:44:02 p.m. HS 84 C:\Documents and Settings\Holden Family\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
29/10/2003 5:25:48 a.m. HS 62 C:\Documents and Settings\Holden Family\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}
MSEvents Object = C:\WINDOWS\Help\Tours\dbas.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EFDAC3FE-F44A-4030-8589-1E23BC6573D5}
Bho Class = C:\WINDOWS\system32\hnslnewj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} = :
{3678AAD9-7FB5-D9FE-719F-E880904DFB2E} = Lite Memo Internet : C:\PROGRA~1\bashfree\ViewFour.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{337F1C10-7835-4E45-8D42-27B44AC8A5D1} = SuperBar : C:\Program Files\_SUPERBAR\_SUPERBAR.dll
{014DA6C9-189F-421A-88CD-07CFE51CFF10} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MULTIMEDIA KEYBOARD C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
nod32kui "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
JavaUpdate0.07 C:\WINDOWS\System32\nvhlytn.exe
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbas
= C:\WINDOWS\Help\Tours\dbas.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 29/10/2005 5:30:44 p.m.
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Can you tell me if you know what this program is??

C:\Program Files\bashfree\ViewFour.dll

Im attaching a Zipped folder containing a small batch file to fix some of the leftover garbage,rather than have you search endlessly looking for all this.

Download and Unzip it.

Make sure all other Windows and Browsers are Closed-> double click Clr.bat-> a dos window will appear and disappear quickly.

Restart in Safe Mode and Scan again with WinPFind.

Go back into Normal Mode and Scan the PC here
http://support.f-sec.../home/ols.shtml

Save any results of the Online Scan.

Post back with a fresh HijackThis log and the reports from WinPFind and F-Secure

Attached Files

  • Attached File  Clr.zip   709bytes   105 downloads

Edited by Cretemonster, 29 October 2005 - 03:41 AM.

  • 0

#9
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ok cheers, heres the results:

F-Secure Online Scanner Results:
Finished: No viruses found

Scanned files: 80408

Hijack this results:
Logfile of HijackThis v1.99.1
Scan saved at 11:00:57 a.m., on 30/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\nvhlytn.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127018120013
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


WinFind Log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts


Checking %System% folder...
PEC2 5/08/2004 1:00:00 a.m. 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 29/08/2005 2:27:12 p.m. 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 5/10/2005 3:09:08 p.m. 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/10/2005 3:09:08 p.m. 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/08/2004 1:00:00 a.m. 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 5/08/2004 1:00:00 a.m. 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 5/08/2004 1:00:00 a.m. 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
30/10/2005 10:05:54 a.m. S 2048 C:\WINDOWS\bootstat.dat
28/10/2005 6:32:38 p.m. H 54156 C:\WINDOWS\QTFont.qfn
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\WindowsShell.Manifest
18/09/2005 4:21:04 p.m. H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
20/10/2005 3:08:32 p.m. H 59556 C:\WINDOWS\Downloaded Program Files\Doremi.ttf
18/09/2005 4:21:38 p.m. HS 67 C:\WINDOWS\Fonts\desktop.ini
1/10/2005 10:18:58 a.m. HS 200192 C:\WINDOWS\Help\Tours\htmlTour\Thumbs.db
18/09/2005 5:39:16 p.m. H 0 C:\WINDOWS\inf\oem12.inf
18/09/2005 4:21:04 p.m. H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
18/09/2005 4:22:22 p.m. H 442368 C:\WINDOWS\repair\ntuser.dat
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
18/09/2005 4:21:04 p.m. RH 488 C:\WINDOWS\system32\logonui.exe.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
18/09/2005 4:21:04 p.m. RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
18/09/2005 4:20:56 p.m. RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
5/10/2005 2:17:40 p.m. S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
28/09/2005 11:53:30 a.m. S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/09/2005 7:15:08 p.m. S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
30/10/2005 10:05:46 a.m. H 8192 C:\WINDOWS\system32\config\default.LOG
19/09/2005 4:08:04 a.m. H 0 C:\WINDOWS\system32\config\default.tmp.LOG
30/10/2005 10:06:06 a.m. H 1024 C:\WINDOWS\system32\config\SAM.LOG
30/10/2005 10:05:56 a.m. H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
30/10/2005 10:06:02 a.m. H 57344 C:\WINDOWS\system32\config\software.LOG
19/09/2005 4:08:02 a.m. H 0 C:\WINDOWS\system32\config\software.tmp.LOG
30/10/2005 10:05:54 a.m. H 856064 C:\WINDOWS\system32\config\system.LOG
19/09/2005 4:07:30 a.m. H 0 C:\WINDOWS\system32\config\system.tmp.LOG
19/09/2005 4:07:24 a.m. H 1024 C:\WINDOWS\system32\config\TempKey.LOG
19/09/2005 4:08:04 a.m. H 1024 C:\WINDOWS\system32\config\userdiff.LOG
18/09/2005 4:22:22 p.m. H 1024 C:\WINDOWS\system32\config\userdifr.LOG
16/10/2005 7:23:34 p.m. H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
25/09/2005 6:49:26 p.m. S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
25/09/2005 6:49:26 p.m. S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
18/09/2005 5:58:48 p.m. HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\4f07b594-fafc-40ac-9fca-cd7bc73a030f
18/09/2005 5:58:48 p.m. HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
22/10/2005 12:34:06 p.m. HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e58b6752-03d0-4ac5-a2b0-eac40ab9326f
22/10/2005 12:34:06 p.m. HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
30/10/2005 10:04:58 a.m. H 6 C:\WINDOWS\Tasks\SA.DAT
29/10/2005 2:50:28 p.m. H 0 C:\WINDOWS\Temp\TempFolder.aaa\Macromedia.lok

Checking for CPL files...
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 19/08/2003 5:23:34 p.m. 61547 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 18/12/2001 9:04:20 p.m. 287232 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 5:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 5/08/2004 1:00:00 a.m. 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 5:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
25/10/2005 1:12:36 p.m. 899 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
18/09/2005 4:22:18 p.m. HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/11/2003 1:10:38 p.m. 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
2/11/2003 1:08:26 p.m. 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
18/09/2005 4:10:08 p.m. HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
2/11/2003 1:10:32 p.m. 209 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
28/10/2003 4:44:02 p.m. HS 84 C:\Documents and Settings\Holden Family\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
29/10/2003 5:25:48 a.m. HS 62 C:\Documents and Settings\Holden Family\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} = :
{3678AAD9-7FB5-D9FE-719F-E880904DFB2E} = Lite Memo Internet : C:\PROGRA~1\bashfree\ViewFour.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{337F1C10-7835-4E45-8D42-27B44AC8A5D1} = SuperBar : C:\Program Files\_SUPERBAR\_SUPERBAR.dll
{014DA6C9-189F-421A-88CD-07CFE51CFF10} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MULTIMEDIA KEYBOARD C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
nod32kui "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
JavaUpdate0.07 C:\WINDOWS\System32\nvhlytn.exe
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 30/10/2005 10:11:57 a.m.






Also there is now this file on my desktop called fix.regecho
can i delete or move this from my desktop?
and i have no idea what that viewfour.dll file is!
cheers

Edited by shol087, 29 October 2005 - 04:09 PM.

  • 0

#10
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
sorry double post!

Edited by shol087, 29 October 2005 - 04:07 PM.

  • 0

Advertisements


#11
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
whoops more like triple post

Edited by shol087, 29 October 2005 - 04:08 PM.

  • 0

#12
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I did the triple post thing as well,seems the board was having lots of burps yesterday!

Copy the text below to a blank notepad page and Save it to the Desktop as rem.reg


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}"=-
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
"{337F1C10-7835-4E45-8D42-27B44AC8A5D1}"=-
"{014DA6C9-189F-421A-88CD-07CFE51CFF10}"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate0.07"=-
"SpybotSD TeaTimer"=-



Double Click rem.reg and allow it to merge into the registry!


Open HijackThis and fix these if they still exist!

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\nvhlytn.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and Renable System Restore,this will clear out all old nasty Restore Points and create a nice new fresh clean one

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back with a fresh HijackThis log and let me know how things are?
  • 0

#13
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
thank you so much! havnt had any problems so far!
heres the hijack this file:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:29 a.m., on 31/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127018120013
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#14
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Excellent work my friend!! :)


Go ahead and Renable System Restore and restart the PC,this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us! :tazz:
  • 0

#15
shol087

shol087

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
thank you so much for your help- you are a genuine life saver :) :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP