
Hijack This! logs


Steve


Tis indeed a LTNS mate! These days I'm face down in running the label, working on my own music and doing 3 radio shows, heheh. Hence, time is kinda stretched at the best of times!

 

As regards this problem, it seems I don't have a WINNT folder either, rendering that part of the entry unnecessary.

 

I just cannot figure out what the issue could be here - and given I used to do this for a living, I reckon that's saying something, lol. It just seems that anything involving the explorer.exe process being called from an app seems to hang the system for ages. So, it could be that clicking a weblink in Outlook, or even something simple like printing from Word to a printer on my other PC. Very, very odd indeed - and increasingly infuriating as it's making doing anything bloody torturous :(


Did you enable the viewing of hidden/system files in Windows Explorer?

 

If after doing that you still don't see a WINNT folder, take a look in C:\Windows\System32 and see if there's an explorer.exe there. I have a feeling there's a fake viral explorer file there somewhere that's being called via userinit, which would explain your system freezing any time explorer.exe is involved.

 

**EDIT**

 

In fact I'm 99% sure that's what's happening.


I did some Googling and somebody else had a similar thing. As detected by Norton: -

 

Name: C:\WINNT\system32\explorer.exe

Virus name: IRC Trojan

Status: Not quarantined

 

Sometimes HijackThis will say "WINNT" when it really means "WINDOWS" - it used to happen a lot with the older versions. If there is no explorer.exe file in the System32 folder, I would say go ahead and fix this entry in HijackThis and then reboot: -

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINNT\system32\explorer.exe

 

Make sure you close all other windows before hitting Fix Checked. Let me know the results of your search first anyways.


Nope - no duplicate instances, and a virus check on the main explorer.exe checked out fine on that Jotti site...

 

I'm stumped to be honest - I know it's doing something when it freezes, but it's a case of working out what DLLs are being accessed by explorer.exe, and how...


Wordy word. I'm just gonna nip off for a calming pint (it's been a long day!) and then I'll do the fix and see how it fares from there. I shall update you later mate!

 

(Oh and I might be a bit sociable for once and swing by the main area for a chinwag too!)


LOL - erm... well I had one, but then we were comfy, so I got another. Then we came back home (we being me and the missus), and I remembered I had a can of Guinness in the fridge. So, I had that.

 

Then I remembered I had another 2 cans in the fridge... so I had those too :$

 

 

Anyways - with this problem I've found a possible means to analyse it better. It turns out Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) can show the historical CPU usage of DLLs - meaning I should be able to find out precisely what is making the CPU hike to 100% and then freeze.

 

So, I'm installing it now, and fingers crossed that might lead somewhere....


Hmmm - interesting. From using this Process Explorer I can see that the issue lies with anything making a call to Internet Explorer, or any program that carries an IE co-dependency (e.g. Word). So, if I load Avant (my default browser) it hangs for ages and the CPU usage rockets. If I open a link from Outlook (where it then launches Avant as it's the default browser), it freezes. Basically, in Process Explorer the problem only occurs when the app in question has a handle link to IE in some way.

 

So, I'm starting to wonder if the issue lies with a corruption of the index.dat file or something similar. Problem being, there's no easy way to reinstall IE. Reinstalling Avant certainly hasn't worked, but I didn't expect it to given it's only a skin.

 

Most odd...


Now I'm getting somewhere! I removed Avant and boom - the issue vanished.

 

Sadly I've rebooted and reinstalled it, and the issue persists though :(

 

The odd thing is that it's only with Avant: not IE. If I remove Avant and click a link in Outlook, the IE browser loads super quick. My guess is still that there's a worm or something at work here, which just isn't being deleted by uninstalling Avant. The only other thing I might try now is locking down the firewall to trace ALL network activity, to see if the CPU hike coincides with any attempts to ping out etc...


hey steve,

 

I'm back! Nah, I've finally got a new machine, and just wanted to check there was nothing wrong with it or anything funny, as it seems a bit slow at times when it should be faster than my old one... if you could have a look when you get a minute that'd be dope (there's no mad rush as it's not crapping out).

 

Logfile of HijackThis v1.99.1

Scan saved at 17:17:24, on 11/02/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE

C:\WINDOWS\system32\LXSUPMON.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Ella\Desktop\cleaning\hijack this!\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize

O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

 

nice one! :d


There's nothing bad in the log mate, although there are a few things you can fix. If you don't want to use the Dell homepage, then fix these 4 before setting your own: -

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

 

These are unnecessary: -

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

 

You can also disable some of the other programs from starting when you turn the PC on such as PowerDVD, RealPlayer, MSN Messenger, Microsoft Office etc. You can do that from within each particular program's options.

 

You do need to update your Java installation though. Download the latest version by clicking here: -

 

http://jdl.sun.com/webapps/download/AutoDL?BundleId=10343

 

Uninstall your current version via Add or Remove Programs, reboot, then install the new one.


Steve

 

You wanna check myself before I wreck myself

cheers

 

Logfile of HijackThis v1.99.1

Scan saved at 16:14:20, on 21/02/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\PAULHO~1\LOCALS~1\Temp\Rar$EX00.812\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.1.2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)

O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe"

O4 - Startup: Karoo.lnk = D:\Start.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_msn1/?l...puk&ver=1&t=new (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_program...puk&ver=1&t=new (file missing)

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - WWW. Prefix: http://ehttp.cc/?

O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/Dial...040_pack_XP.cab

O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2164798bc85c5b...ip/RdxIE601.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -

O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc9-gb/gbc9/games7.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nds/install.cab

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21/dialer_loader/uk.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -

O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab

O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.myemo.com/mypicture/Flash2Image.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)

O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)

 

:(( What's all that about?

I just got RegSeeker too. Shall I HijackThis first, or RegSeeker?

Cheers again

Edited by Pman
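A small triage script for logs like the one above, added here as an illustration (it is not part of this thread and not code from HijackThis): it parses HijackThis entries and flags the ones discussed in this thread, the F2 UserInit line with an extra explorer.exe that Steve explains earlier, and the O13 prefix, O16 ActiveX and O20 Winlogon Notify lines in Pman's log. The Winlogon Notify allowlist, the "dialer" keyword heuristic and the sample log (assembled from lines posted in this thread) are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
# Constructed allowlist of Winlogon Notify handler names normal on a stock Windows XP
# box, plus the Intel graphics one (igfxcui) seen in this thread. An assumption, not a list from HijackThis.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui",
}

# HijackThis entries look like "<section> - <body>", e.g. "O20 - Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/", re.IGNORECASE)

@dataclass
class Finding:
    section: str
    severity: str  # "high" (fix it), "review" (verify by hand), "cleanup" (orphan entry)
    reason: str
    line: str

def parse_line(raw):
    """Return (section, body) for a HijackThis entry, or None for any other text."""
    m = LINE_RE.match(raw.strip())
    return (m.group("sec"), m.group("body")) if m else None

def check_userinit(sec, body, line):
    # F2 - REG:system.ini: UserInit=<comma-separated programs run at every logon>.
    # Only userinit.exe from the system directory belongs there (the fake explorer.exe case).
    if sec != "F2" or "UserInit=" not in body:
        return []
    findings = []
    for entry in body.split("UserInit=", 1)[1].split(","):
        entry = entry.strip()
        low = entry.lower()
        if not entry or (low.endswith("\\userinit.exe") and "\\system32\\" in low):
            continue
        findings.append(Finding(sec, "high", f"extra logon program via UserInit: {entry}", line))
    return findings

def check_winlogon_notify(sec, body, line):
    # O20 - Winlogon Notify: <name> - <dll>; the DLL is loaded inside winlogon.exe.
    if sec != "O20" or not body.startswith("Winlogon Notify:"):
        return []
    name = body[len("Winlogon Notify:"):].split(" - ", 1)[0].strip()
    if name.lower() in KNOWN_WINLOGON_NOTIFY:
        return []
    return [Finding(sec, "review", f"Winlogon Notify handler '{name}' not on the allowlist", line)]

def check_url_prefix(sec, body, line):
    # O13 - WWW. Prefix: <prefix>, prepended to addresses typed without a scheme.
    # Anything other than the default http:// routes every such visit elsewhere.
    if sec != "O13":
        return []
    prefix = body.split(":", 1)[1].strip()
    return [] if prefix.lower() == "http://" else [Finding(sec, "high", f"non-default URL prefix: {prefix}", line)]

def check_dpf(sec, body, line):
    # O16 - DPF: {CLSID} (name) - <url>: ActiveX controls IE has downloaded.
    if sec != "O16":
        return []
    url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
    if not url:
        return [Finding(sec, "cleanup", "ActiveX entry with no source URL", line)]
    if IP_HOST_RE.match(url):
        return [Finding(sec, "review", f"ActiveX control from a bare IP address: {url}", line)]
    if "dialer" in url.lower():  # constructed keyword heuristic for this example
        return [Finding(sec, "review", f"ActiveX control URL mentions a dialer: {url}", line)]
    return []

def check_orphan(sec, body, line):
    # Entries whose target no longer exists: harmless, but fix them to tidy up.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return [Finding(sec, "cleanup", "entry points at a file that no longer exists", line)]
    return []

CHECKS = (check_userinit, check_winlogon_notify, check_url_prefix, check_dpf, check_orphan)

def triage(log_text):
    """Run every check over every HijackThis entry and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed:
            for check in CHECKS:
                findings.extend(check(*parsed, raw.strip()))
    return findings

# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINNT\system32\explorer.exe
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21/dialer_loader/uk.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""
```

Calling `triage(SAMPLE_LOG)` returns six findings; the benign Checkers control and the igfxcui handler produce none, so the output is a short list to check by hand rather than the whole log.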

Download Ad-Aware here: -

 

http://www.download.com/3000-2144-10045910.html

 

Install it, run it, update it, then have it scan your PC for spyware and fix everything that it finds. Once you're done, reboot the PC and as soon as it's started up run HijackThis and grab a new log and post it up. That should remove some of the crap leaving less to do manually.


Guest sirchickski

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

 

Might want to back up your iPod tunes etc... I had "file missing" then I lost 6000 songs! Was gutted, did back it up though thankfully!! So do it now man! I bought an external hard drive and just copied n pasted 15k songs across, took like 12 hours but at least I got a copy of it.


Download Ad-Aware here: -

 

http://www.download.com/3000-2144-10045910.html

 

Install it, run it, update it, then have it scan your PC for spyware and fix everything that it finds. Once you're done, reboot the PC and as soon as it's started up run HijackThis and grab a new log and post it up. That should remove some of the crap leaving less to do manually.

 

I'm on it.

Ad-Aware, then reboot, then HijackThis. What about RegSeeker?

I'll post the new HijackThis when I've done.

 

Cheers


O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

 

Might want to back up your iPod tunes etc... I had "file missing" then I lost 6000 songs! Was gutted, did back it up though thankfully!! So do it now man! I bought an external hard drive and just copied n pasted 15k songs across, took like 12 hours but at least I got a copy of it.

 

I don't even have an iPod, my mate installed it so I got rid.


Logfile of HijackThis v1.99.1

Scan saved at 17:01:21, on 21/02/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Paul Holness\My Documents\Downloads\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.1.2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)

O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)

O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)

O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe"

O4 - Startup: Karoo.lnk = D:\Start.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_msn1/?l...puk&ver=1&t=new (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_program...puk&ver=1&t=new (file missing)

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - WWW. Prefix: http://ehttp.cc/?

O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/Dial...040_pack_XP.cab

O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2164798bc85c5b...ip/RdxIE601.cab

O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} -

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -

O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc9-gb/gbc9/games7.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nds/install.cab

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab

O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21/dialer_loader/uk.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -

O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab

O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.myemo.com/mypicture/Flash2Image.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)

O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)


Your PC is in a bit of a mess mate, but hopefully we can clean it up. Download CCleaner from here, install it, but don't run it yet: -

 

http://www.ccleaner.com

 

Run HijackThis and check off all of the following: -

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.1.2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)

O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)

O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)

O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)

O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)

O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_msn1/?l...puk&ver=1&t=new (file missing)

O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_program...puk&ver=1&t=new (file missing)

O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm (file missing)

O13 - WWW. Prefix: http://ehttp.cc/?

O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/

O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

 

Also check off ALL the items starting with O16. There are some legit ones in there, but I can't be arsed to check them all out cos there's so many. Any that are needed will simply be downloaded again next time you visit the particular site that installs them anyway.

 

Once you've selected the items, close all other windows and hit Fix Checked.

 

Reboot the PC into Safe Mode by tapping F8 as it's booting. Start Windows Explorer and hit Tools, then Folder Options. On the View tab, set the following like this: -

 

Show hidden files and folders - Checked

Hide extensions for known file types - NOT checked

Hide protected operating system files (Recommended) - NOT checked

 

Then hit Apply then OK. Search for the following files and folders shown in bold and delete them if found: -

 

C:\msntmpuk

 

C:\WINDOWS\SYSTEM32\debugg.dll

 

Once you've done that, run CCleaner and let it clean your drive. Then reboot into regular Windows.

 

Start Internet Explorer and hit Tools, then Internet Options. Click on the Programs tab, followed by the Reset Web Settings button. Then click on the Security tab, then the Internet zone icon and see if the security level has been set to low. If it has, hit the Default Level button. Click on the General tab and re-enter the home page you want to use. Now you must click Apply then OK.

 

You're not running a firewall and you were running no anti-virus software up until the other day - that's why your PC is in a state. lol.

 

Anyway, follow those instructions carefully, then come back and post a new log once you're done.


I did all of that apart from the safe mode thing, which I tried and failed.

Here's the log now.

 

Logfile of HijackThis v1.99.1

Scan saved at 18:17:19, on 21/02/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Paul Holness\My Documents\Downloads\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)

O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)

O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)

O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE

O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe"

O4 - Startup: Karoo.lnk = D:\Start.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -

O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} -

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} -

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -

O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} -

O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} -

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -

O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} -

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} -

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} -

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -

O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -

O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} -

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} -

O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} -

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} -

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -

O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} -

O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} -

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} -

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -

O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)

O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll

O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)

 

So shall I leave Kaspersky running all the time?

Now what about a firewall?

Cheers
