Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

SearchToolbar

Started by DeSade , Jul 28 2005 03:58 PM

Page 5 of 7
3
4
5
6
7

Please log in to reply

#61
bricat

Posted 07 August 2005 - 03:26 AM

Visiting Staff

Visiting Consultant
645 posts

Actually the computer is still running like a dog. apps take ages to start, it crashes randomly for no apparant reason (and xp isn't susposed to crash at all).

Also are we finished cleaning yet?

i think you answered that question yourself. obviously there is something that we are missing which is causing the crashes.

if you don't wish to continue trying to fix the computer, let me know.

if you do try this.

Rerun HJT,and put a checkmark beside these :-

O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Office2000\Office\OSA9.EXE
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/...pcaploader1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab

now close all windows and browsers and click FIX CHECKED

try running sfc \scannow

click on START\RUN and type CMD into the address bar and click OK.

At the DOS PROMPT type SFC /SCANNOW. note the space between SFC and /SCANNOW. hit enter.

please remove any scanners i have got you to install.

except for ewido, if you remove it you will not be able to install it again if you need to run it.

let me know if sfc / scannow turns up anything.

#62
DeSade

Posted 07 August 2005 - 05:37 AM

Member

Topic Starter
Member
377 posts

I am sorry if I came across as not wanting to continue, far from it. I am concerned that the crashes are damaging my hardware, and getting a little frustrated with this.

O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Office2000\Office\OSA9.EXE

these ones (04) were not present in the HJT scan.

I ran that SFC /Scannow and it couldn't find the cd, so I followed the instructions on the site but I ran into a problem there also. After I copied that 1386 file I went into the registry to follow the rest of the quidelines and there the problem hit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Setup\SourcePath

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

all the keys mentioned on the site do not exist in my registry.

Edited by DeSade, 07 August 2005 - 06:07 AM.

#63
bricat

Posted 07 August 2005 - 06:15 AM

Visiting Staff

Visiting Consultant
645 posts

You're not the only one that is frustrated. :tazz:

i have went right through all these scan logs again.

follow the instructions HERE to remove netsky C

Go to G:\WINDOWS\System32 and look for bxweb.dll. if you find it delete it. (safe mode if necessary)

let us know how you go.

#64
DeSade

Posted 07 August 2005 - 07:35 AM

Member

Topic Starter
Member
377 posts

No sign of NetSky, any version, and bxweb.dll was not present.

#65
Wizard

Posted 07 August 2005 - 12:26 PM

Retired Staff

Retired Staff
5,661 posts

Hi DeSade,

I am Mike a friends of Bricats and told him I would try to give an extra set of eyes here!

If you dont mind we are going to do some backtracking first then look at a few other things!

I plan to get rid of alot of programs that you just dont need anymore but I am going to need to see a scan of the PC in Safe Mode from this Utility!

WinPFind
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

First lets remove some things we just dont need anymore!

Next, Go to Add\Remove Programs

Kaspersky
TrojanHunter
Spybot Search&Destroy(Ad Aware is lighter)
Adware Away
Microsoft AntiSpyware

While you are in Add\Remove,please look for and remove if found

WareOut
Relevant Knowledge
ISearch
ISTbar
InternetOptimizer
BargainsBuddy
XactSearchbar
SideFind
Targetsaver

Please let me know what you find or dont find!

You will really want to check this game out-> Possible Virus. No disinfected D:\games\blizzard\shadowmaster\shadowmaster.exe

This is why

Possible Virus. No disinfected G:\Documents and Settings\Paul\Local Settings\Temp\ASHeuristic\shadowmaster.exe.vir

The extension on the end of that file bother me for some reason!

If you dont need it,get rid of it!

If you are going to keep it,we need to know where it came from and how it was downloaded!

Next-> Click Start-> Control Panel-> Security Center-> Windows Firewall

Now Click the "Exceptions Tab"

I need to know every single listing there please,so write them down and place them in the next post!(I am looking for an entry like-> rk.exe)

Now,I need you to restart in Safe Mode and Use the Windows Search Assistant!

First,Configure Windows to Show Hidden Files after rebooting into Safe Mode

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced Options

Now under All Files and Folders,enter these into the text box:

rdt.ini
cseqz.exe
csbdv.exe
new32.exe
trycrt.exe
StatusCheck.exe
NukeSpan.exe
browsebar.exe
hclean32.exe
hgqhp.exe
dmsst.exe

Delete any exact Matches you find of each of these and Empty the Recycle Bin!

While in Safe Mode,Search for and Delete if found

G:\WINDOWS\System32\wrpdofiq<< Folder

G:\WINDOWS\System32\gaahjns<< Folder

G:\WINDOWS\System32\mgbrml<< Folder

G:\WINDOWS\System32\jkwybk<< Folder

G:\Program Files\WareOut<< Folder

G:\Program Files\Common Files\orku<< Folder

Again,please let us know what you find or dont find!

Now the reason I asked you to get WinPFind is because I havent the patience to wait on Silentrunners and can accomplish the same results in half the time,so lets get a scan!

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

Once the Scan is done,you will see a Scan Complete at the top of the Page!

Go ahead and restart back in Normal Mode!

Look in the WinPFind folder for WinPFind.txt and post those results!

One last thing I need to see is a Copy of you Hosts File-> Open HijackThis-> Click Config-> Click Misc Tools-> Click Open Hosts File Manager-> Click Open in Notepad

Copy&Paste the entire Contents of that Notepad Page to your Next Post!

Once you have those 2 logs posted,tell me how the Search for those Files and Folders Went!

Tell me what you found in the Exceptions of Windows Firewall!

Tell me about that Game and add in any other Information you feel is relevant to whats going on with the PC!

#66
bricat

Posted 07 August 2005 - 01:26 PM

Visiting Staff

Visiting Consultant
645 posts

also, before you run any scans. :-

Go to a Command Prompt:
Start | Run, and type Cmd and hit OK
At the prompt, type the following bold commands:
(note the spaces!!)

cd\ [hit enter]
attrib -h -s c:\recycler [Enter]
del c:\recycler [enter]

then exit the command prompt.

#67
DeSade

Posted 07 August 2005 - 09:35 PM

Member

Topic Starter
Member
377 posts

Hi Mike, good to meet you.

I got more failure than success with your instructions here are my results.

In the add/remove programmes I found none of your listed items

WareOut
Relevant Knowledge
ISearch
ISTbar
InternetOptimizer
BarginsBuddy
XactSearchbar
SideFind
Targetsaver

All negative.

D:\games\blizzard\shadowmaster\shadowmaster.exe

is a character editor for Diablo2, its not important and I have deleted it.

G:\Documents and Settings\Paul\Local Settings\Temp\Asheuristic\Shadowmaster.exe.vir

This does not show up on my system at all, at least not in that location.

Next-> Click Start->Control Panel->Security Center

I do not have a Security Center so everything to do what that area I could not complete.

This is the listing of my Control Panel

AC3 Filter
Add Hardware
Add or Remove Programs
Administrative Tools
Automatic Updates
Date and Time
Display
Folder Options
Fonts
Game Controllers
Internet Options
Java
Keyboard
Mail
Mouse
Network Connections
NVIDIA nView Desktop Manager
Phone and Modem
Portable Media Devices
Power Options
Printers and Faxes
Quicktime
Regional and Language Options
Scanners and Cameras
Scheduled Tasks
Silicon Image ATA Controllers
Sound Effect Manager
Sounds and Audio Devices
Speech
System
Taskbar and Start Menu
User Accounts

Under SafeMode none of these files were found

rdt.ini
cseqz.exe
csbdv.exe
new32.exe
trycrt.exe
StatusCheck.exe
NukeSpan.exe
browsebar.exe
hclean32.exe
hgqhp.exe
dmsst.exe

And the results for the group of folders is

G:\WINDOWS\System32\wrpdofiq<< Folder
Found and deleted

G:\WINDOWS\System32\gaahjns<< Folder
Found and deleted

G:\WINDOWS\System32\mgbrml<< Folder
Found and deleted

G:\WINDOWS\System32\jkwybk<< Folder
Found and deleted

G:\Program Files\WareOut<< Folder
Was not present

G:\Program Files\Common Files\orku<< Folder
Found and deleted

WinPFind Failed.

It came up with a error message

Invalid Data Type for "System" and there was no activity for approx 45 minutes before I shut it down. Ran it twice more after this gave it 15 minutes for activity to show up after the same error at the same place so no scans for that.

HijackThis->Click Config

There is no Config however I did find this

HijackThis->Open the Misc Tools Section->Open Hosts File Manager->Open In Notepad.

I did this and the host file is/was empty

Bricat
I followed your instructions before following Cretemonsters as asked.

Edited by DeSade, 07 August 2005 - 09:37 PM.

#68
Wizard

Posted 08 August 2005 - 03:14 AM

Retired Staff

Retired Staff
5,661 posts

Actually all that is good news except for WinPFind!

What I will do is attach an old copy of WinPFind that I have stored on my computer!

Delete the copy you have and download the version I have attached,it will serve the purpose we need!

Please make sure when you download this version of WinPFind,that you Extract All Files when Unzipping it!

What I am trying to avoid is having you spend a great deal of time scanning or downloading this that and the other!

To see the specific key in the registry I want to see,lets go ahead and do this!

Click Start-> Click Run-> Copy&Paste the bold text below into the Open Run Box and then Click OK!

regedit /e g:\key.txt "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Give this about 5 seconds to run,then go to the G drive and locate key.txt

Post the results of key.txt

Now go to Safe Mode and try to run the WinPFind that you downloaded from this post!

If WinPFind still wont work,please take the time to post a fresh Silent Runners log!

After all that,tell me as much as you can about how the System is set to boot up?

Does it boot from the G drive only?

Is anything starting up from the other drive?

Name all the programs you have downloaded that you feel you just dont need anymore!

After all this,Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!

Once all is enabled in Msconfig,post a fresh HijackThis log,so I can be sure nothing is hiding or being suppressed by Msconfig!

We will go back and tinker with Msconfig and remove any startup items that arent actually needed after I know there are no threats!

If you have any comments you feel might help,please feel free to post them!

So in the next post,place the results of Key.txt and any comments you have!

In a seperate post place the results of WinPFind or Silent runners!

In another seperate post,place a fresh HijackThis log after enabling all in Msconfig!

Lets have a look at those and go from there!

Attached Files

WinPFind.zip 186.85KB 76 downloads

Edited by Cretemonster, 08 August 2005 - 03:23 AM.

#69
bricat

Posted 08 August 2005 - 03:32 AM

Visiting Staff

Visiting Consultant
645 posts

mike just forgot to mention this one :-

please download and run HOSTER.ZIP

unpack the hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

Edited by bricat, 08 August 2005 - 03:32 AM.

#70
DeSade

Posted 08 August 2005 - 05:16 AM

Member

Topic Starter
Member
377 posts

OK first post.

The key.txt didn't generate, I run the command line 3 times and searched all harddrives after for key.txt and no luck.

As for comments

I don't have many programmes and each one has a purpose, even thou some are used infrequently.

Only other thing I can think to add is the fact that all crashes seem to happen in one or the other of 2 situations.

Either when I am playing a game (any and all) or when I have left the computer running something overnight, it almost always crashes.

#71
DeSade

Posted 08 August 2005 - 05:17 AM

Member

Topic Starter
Member
377 posts

This is the result of the WinPFind

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 G:\WINDOWS\lpt$vpn.761
qoologic G:\WINDOWS\lpt$vpn.761
SAHAgent G:\WINDOWS\lpt$vpn.761
UPX! G:\WINDOWS\RMAgentOutput.dll
UPX! G:\WINDOWS\tsc.exe
PECompact2 G:\WINDOWS\VPTNFILE.761
qoologic G:\WINDOWS\VPTNFILE.761
SAHAgent G:\WINDOWS\VPTNFILE.761
UPX! G:\WINDOWS\vsapi32.dll
aspack G:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! G:\WINDOWS\system32\CoreAAC.ax
PEC2 G:\WINDOWS\system32\dfrg.msc
PTech G:\WINDOWS\system32\LegitCheckControl.dll
Umonitor G:\WINDOWS\system32\rasdlg.dll
UPX! G:\WINDOWS\system32\RLMPCDec.ax
winsync G:\WINDOWS\system32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! G:\WINDOWS\system32\drivers\avg7core.sys
FSG! G:\WINDOWS\system32\drivers\avg7core.sys
aspack G:\WINDOWS\system32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
29/07/2005 G:\WINDOWS\inf\oem1.inf
8/08/2005 G:\WINDOWS\system32\config\default.LOG
8/08/2005 G:\WINDOWS\system32\config\SAM.LOG
8/08/2005 G:\WINDOWS\system32\config\SECURITY.LOG
8/08/2005 G:\WINDOWS\system32\config\software.LOG
8/08/2005 G:\WINDOWS\system32\config\system.LOG
30/07/2005 G:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\39O1SOWG\desktop.ini
30/07/2005 G:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EDC9658D\desktop.ini
30/07/2005 G:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EV3Y49NR\desktop.ini
30/07/2005 G:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UWV8D3ZB\desktop.ini
30/07/2005 G:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\be646231-b755-4836-99c1-e7d079982e10
30/07/2005 G:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
8/08/2005 G:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = G:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = G:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = G:\Program Files\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IZArcCM
{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5} = G:\PROGRA~1\IZArc\IZArcCM.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = G:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = G:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
AVG7_CC G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Steam G:\Program Files\Valve\Steam\Steam.exe -silent

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= G:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableCAD 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit G:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = G:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.11 - Log file written to "WinPFind.Txt" in the WinPFind folder.

#72
DeSade

Posted 08 August 2005 - 05:18 AM

Member

Topic Starter
Member
377 posts

And finally the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:35 p.m., on 8/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\Program Files\ewido\security suite\ewidoctrl.exe
G:\WINDOWS\System32\nvsvc32.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\System32\RUNDLL32.EXE
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\Program Files\Valve\Steam\Steam.exe
G:\Program Files\Mozilla Firefox\firefox.exe
E:\Pauls Documents\spywareremovaltools\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] G:\Program Files\Valve\Steam\Steam.exe -silent
O8 - Extra context menu item: &Google Search - res://g:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://g:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://g:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://g:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://g:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - G:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - G:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122556946093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9C39F86-0C4E-4D3E-9592-17EB9576A4F3}: NameServer = 202.27.158.40,202.27.156.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC049923-DCC2-4D99-8AE8-9E637BBAD3C0}: NameServer = 202.27.158.40,202.27.156.72
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - G:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe

#73
bricat

Posted 08 August 2005 - 06:56 AM

Visiting Staff

Visiting Consultant
645 posts

just a thought, you say it crashes if you leave it on all night, you might be having an overheating problem.

download and install SPEEDFAN.

this is a small utility which sits in your taskbar and tells you the temperatures your processor is running at. monitor the temperature and let us know if the temperature increases when you are running a game and what temperature it is running at.

i'll let mike look at your latest scans, before i do anything with them.

#74
DeSade

Posted 08 August 2005 - 01:35 PM

Member

Topic Starter
Member
377 posts

hmmmmm

You may have something here Bricat.

Speedfan reports this but I don't know how to tell which fan it is.

Fan1: 5273 RPM Temp1: 34C (blue arrow)
Fan2: 0 RPM Temp2: 39C (blue arrow) Too cold for fan to be needed????
Fan3: 1854 RPM Temp3: 68C (red flame) This is the problem right?
HD1: 39C

These readings are from first installing with nothing else running, not sure if its configured right.