trick Posted February 8, 2006
'Tis indeed a LTNS mate! These days I'm face down in running the label, working on my own music and doing 3 radio shows, heheh. Hence, time is kinda stretched at the best of times! As regards this problem, it seems I don't have a WINNT folder either, rendering that part of the entry unnecessary. I just cannot figure out what the issue could be here - and given I used to do this for a living, I reckon that's saying something, lol. It just seems that anything involving the explorer.exe process being called from an app seems to hang the system for ages. So, it could be clicking a weblink in Outlook, or even something simple like printing from Word to a printer on my other PC. Very, very odd indeed - and increasingly infuriating as it's making doing anything bloody torturous.
Steve (thread author) Posted February 8, 2006
Did you enable the viewing of hidden/system files in Windows Explorer? If after doing that you still don't see a WINNT folder, take a look in C:\Windows\System32 and see if there's an explorer.exe there. I have a feeling there's a fake viral explorer file there somewhere that's being called via userinit, which would explain your system freezing any time explorer.exe is involved.

**EDIT** In fact I'm 99% sure that's what's happening.
trick Posted February 8, 2006
Yup, definitely no WinNT folder. I'm searching the whole C drive now though for explorer.exes. Certainly something is happening here, because when the system freezes it's because the CPU usage rockets to 100%...
Steve (thread author) Posted February 8, 2006
I did some Googling and somebody else had a similar thing. As detected by Norton: -

Name: C:\WINNT\system32\explorer.exe
Virus name: IRC Trojan
Status: Not quarantined

Sometimes HijackThis will say "WINNT" when it really means "WINDOWS" - it used to happen a lot with the older versions. If there is no explorer.exe file in the System32 folder, I would say go ahead and fix this entry in HijackThis and then reboot: -

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINNT\system32\explorer.exe

Make sure you close all other windows before hitting Fix Checked. Let me know the results of your search first anyways.
trick Posted February 8, 2006
Nope - no duplicate instances, and a virus check on the main explorer.exe checked out fine on that Jotti site... I'm stumped to be honest - I know it's doing something when it freezes, but it's a case of working out what DLLs are being accessed by explorer.exe, and how...
Steve (thread author) Posted February 8, 2006
Try the fix as mentioned in my previous post. HijackThis makes a backup anyway, so no harm will come from it. I reckon it just might do the trick (no pun intended).
trick Posted February 8, 2006
Wordy word. I'm just gonna nip off for a calming pint (it's been a long day!) and then I'll do the fix and see how it fares from there. I shall update you later mate! (Oh and I might be a bit sociable for once and swing by the main area for a chinwag too!)
Steve (thread author) Posted February 8, 2006
Cool man. Have one for me while you're at it!
trick Posted February 8, 2006
Buggernuts. Still no change. I fixed the stated line in HijackThis, but the PC is still running like a sack of shit. I'm reaching the point where I'm sorely tempted to try a reinstall of XP...
Steve (thread author) Posted February 9, 2006
Arse. The problem with some spyware/viruses is after it's been removed, registry entries can be left over that affect how your machine runs. You could try running something like RegSeeker: -

http://www.majorgeeks.com/download2579.html

BTW - How many pints did you have?? lol.
trick Posted February 9, 2006
LOL - erm... well I had one, but then we were comfy, so I got another. Then we came back home (we being me and the missus), and I remembered I had a can of Guinness in the fridge. So, I had that. Then I remembered I had another 2 cans in the fridge... so I had those too :$

Anyways - with this problem I've found a possible means to analyse it better. It turns out Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) can show the historical CPU usage of DLLs - meaning I should be able to find out precisely what is making the CPU hike to 100% and then freeze. So, I'm installing it now, and fingers crossed that might lead somewhere....
trick Posted February 9, 2006
Hmmm - interesting. From using this Process Explorer I can see that the issue lies with anything making a call to Internet Explorer, or any program that carries an IE co-dependency (e.g. Word). So, if I load Avant (my default browser) it hangs for ages and the CPU usage rockets. If I open a link from Outlook (where it then launches Avant as it's the default browser), it freezes. Basically, in Process Explorer the problem only occurs when the app in question has a handle link to IE in some way. So, I'm starting to wonder if the issue lies with a corruption of the index.dat file or something similar. Problem being, there's no easy way to reinstall IE. Reinstalling Avant certainly hasn't worked, but I didn't expect it to given it's only a skin. Most odd...
trick Posted February 9, 2006
Now I'm getting somewhere! I removed Avant and boom - the issue vanished. Sadly I've rebooted and reinstalled it, and the issue persists though. The odd thing is that it's only with Avant, not IE. If I remove Avant and click a link in Outlook, the IE browser loads super quick. My guess is still that there's a worm or something at work here, which just isn't being deleted by uninstalling Avant. The only other thing I might try now is locking down the firewall to trace ALL network activity, to see if the CPU hike coincides with any attempts to ping out etc...
Kper Posted February 11, 2006
Hey Steve, I'm back! Nah, I've finally got a new machine, and just wanted to check there was nothing wrong with it or anything funny, as it seems a bit slow at times when it should be faster than my old one... If you could have a look when you get a minute that'd be dope (there's no mad rush as it's not crapping out).

Logfile of HijackThis v1.99.1
Scan saved at 17:17:24, on 11/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ella\Desktop\cleaning\hijack this!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

nice one!
Steve (thread author) Posted February 11, 2006
There's nothing bad in the log mate, although there's a few things you can fix. If you don't want to use the Dell homepage, then fix these 4 before setting your own: -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

These are unnecessary: -

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

You can also disable some of the other programs from starting when you turn the PC on such as PowerDVD, RealPlayer, MSN Messenger, Microsoft Office etc. You can do that from within each particular program's options.

You do need to update your Java installation though. Download the latest version by clicking here: -

http://jdl.sun.com/webapps/download/AutoDL?BundleId=10343

Uninstall your current version via Add or Remove Programs, reboot, then install the new one.
Kper Posted February 19, 2006
Easy mate, thanks for that. Just done did it.
Pman Posted February 21, 2006 (edited)
Steve, you wanna check myself before I wreck myself? Cheers

Logfile of HijackThis v1.99.1
Scan saved at 16:14:20, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PAULHO~1\LOCALS~1\Temp\Rar$EX00.812\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.1.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)
O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe" 
O4 - Startup: Karoo.lnk = D:\Start.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_msn1/?l...puk&ver=1&t=new (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_program...puk&ver=1&t=new (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/Dial...040_pack_XP.cab
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2164798bc85c5b...ip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - 
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc9-gb/gbc9/games7.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nds/install.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21/dialer_loader/uk.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - 
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.myemo.com/mypicture/Flash2Image.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)

What's all that about? I just got RegSeeker too. Shall I HijackThis first or RegSeeker? Cheers again
Edited February 21, 2006 by Pman
Steve (thread author) Posted February 21, 2006
Download Ad-Aware here: -

http://www.download.com/3000-2144-10045910.html

Install it, run it, update it, then have it scan your PC for spyware and fix everything that it finds. Once you're done, reboot the PC and as soon as it's started up run HijackThis and grab a new log and post it up. That should remove some of the crap leaving less to do manually.
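The checks Steve applies by eye in this thread (the extra program on the F2 UserInit line from the earlier post, and the "(no file)"/"(file missing)" orphans in Pman's log) as an added Python triage script; it is not part of the original thread or of HijackThis, and it goes a little beyond the thread by also flagging Run entries that give a bare filename and ActiveX (O16) downloads from an IP-literal host or a URL mentioning a dialer. EXPECTED_USERINIT assumes a default C:\WINDOWS install; the sample lines are copied from the logs posted above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: default XP system root; the only program expected on the UserInit line.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S*)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "F2", "O2", "O16"
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (kind, body, line) for every 'Xn - ...' entry; header lines are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def userinit_extras(body):
    """Programs on the F2 UserInit line other than the expected userinit.exe."""
    if not body.lower().startswith("reg:system.ini: userinit="):
        return []
    value = body.split("=", 1)[1]
    paths = [p.strip().lower() for p in value.split(",") if p.strip()]
    return [p for p in paths if p != EXPECTED_USERINIT]


def first_program(cmd):
    """The program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage(log_text):
    """Return the entries worth a second look, in log order."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        reasons = []
        if kind == "F2":
            extras = userinit_extras(body)
            if extras:
                reasons.append("extra UserInit program(s): " + ", ".join(extras))
        if kind == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in first_program(m.group("cmd")):
                reasons.append("Run entry gives a bare filename, so it is found via PATH; "
                               "locate the real file before trusting it")
        if kind == "O16":
            m = DPF_RE.match(body)
            if m and m.group("url"):
                url = m.group("url")
                host = urlparse(url).hostname or ""
                if IPV4_RE.match(host):
                    reasons.append("ActiveX download from IP-literal host " + host)
                if "dialer" in url.lower():
                    reasons.append("ActiveX download URL mentions a dialer")
        # Applies to every section: the registration survived but the file did not.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            reasons.append("registered component whose file is gone (orphan entry)")
        if reasons:
            findings.append(Finding(kind, "; ".join(reasons), line))
    return findings


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINNT\system32\explorer.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21/dialer_loader/uk.cab
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
"""

# The clean UserInit line from Pman's log: must produce no finding.
CLEAN_USERINIT = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```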
Guest sirchickski Posted February 21, 2006
> O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Might want to back up your iPod tunes etc... I had file missing then I lost 6000 songs! Was gutted. Did back it up though thankfully!! So do it now man! I bought an external hard drive and just copied n pasted 15k songs across. Took like 12 hours but at least I got a copy of it.
Pman Posted February 21, 2006
> Download Ad-Aware here: - http://www.download.com/3000-2144-10045910.html Install it, run it, update it, then have it scan your PC for spyware and fix everything that it finds. Once you're done, reboot the PC and as soon as it's started up run HijackThis and grab a new log and post it up. That should remove some of the crap leaving less to do manually.

I'm on it. Ad-Aware, then reboot, then HijackThis. What about RegSeeker? I'll post the new HijackThis when I've done. Cheers
Pman Posted February 21, 2006
> O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) might want to back up your ipod tunes etc... i had file missing then i lost 6000 songs ! was gutted did back it up though thankfully!! so do it now man! i bought external hard drive and just copied n pasted 15k songs across took like 12 hours but least i got a copy of it

I don't even have an iPod. My mate installed it, so I got rid.
Steve (thread author) Posted February 21, 2006
> what about regseeker

Leave that till last. You need to get all the dodgy files off your machine first, then deal with any leftover registry entries.
Pman Posted February 21, 2006
Logfile of HijackThis v1.99.1
Scan saved at 17:01:21, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul Holness\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.1.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)
O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe" 
O4 - Startup: Karoo.lnk = D:\Start.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_msn1/?l...puk&ver=1&t=new (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_program...puk&ver=1&t=new (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/Dial...040_pack_XP.cab
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2164798bc85c5b...ip/RdxIE601.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} - 
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - 
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc9-gb/gbc9/games7.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nds/install.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21/dialer_loader/uk.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - 
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktank...ownloadCtrl.cab
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} (PrintScreen Class) - http://www.myemo.com/mypicture/Flash2Image.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown
owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing) Quote Link to comment Share on other sites More sharing options...
Steve Posted February 21, 2006 (Author)

Your PC is in a bit of a mess mate, but hopefully we can clean it up.

Download CCleaner from here, install it, but don't run it yet: - http://www.ccleaner.com

Run HijackThis and check off all of the following: -

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.1.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)
O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)
O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: Msn Messenger - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_msn1/?l...puk&ver=1&t=new (file missing)
O9 - Extra button: Mis Programas - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_program...puk&ver=1&t=new (file missing)
O9 - Extra button: Msn Messenger - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\msntmpuk\index.htm (file missing)
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk/
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Also check off ALL the items starting with O16. There are some legit ones in there but I can't be arsed to check them all out cos there's so many. Any that are needed will simply be downloaded again next time you visit the particular site that installs them anyway.

Once you've selected the items, close all other windows and hit Fix Checked.

Reboot the PC into Safe Mode by tapping F8 as it's booting.

Start Windows Explorer and hit Tools, then Folder Options. On the View tab, set the following like this: -

Show hidden files and folders - Checked
Hide extensions for known file types - NOT checked
Hide protected operating system files (Recommended) - NOT checked

Then hit Apply then OK.

Search for the following files and folders shown in bold and delete them if found: -

C:\msntmpuk
C:\WINDOWS\SYSTEM32\debugg.dll

Once you've done that, run CCleaner and let it clean your drive. Then reboot into regular Windows.

Start Internet Explorer and hit Tools, then Internet Options. Click on the Programs tab, followed by the Reset Web Settings button. Then click on the Security tab, then the Internet zone icon and see if the security level has been set to low. If it has, hit the Default Level button. Click on the General tab and re-enter the home page you want to use. Now you must click Apply then OK.

You're not running a firewall and you were running no anti-virus software up until the other day - that's why your PC is in a state. lol.

Anyway, follow those instructions carefully, then come back and post a new log once you're done.
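The triage Steve applies in the post above (every "(no file)" or "(file missing)" reference, every O16 downloaded control, the O13 prefix hijack, the unknown O20 Winlogon Notify DLL) can be written down as a small HijackThis log checker. This is an added example, not the thread's or HijackThis's own code: the sample entries are copied from the logs in this thread, the Windows XP Winlogon Notify allow-list is my assumption, and the F2 UserInit check for a chained second program goes a little beyond Steve's list.

```python
import re

# Constructed sample: HijackThis v1.99 entries copied from the logs quoted in
# this thread, one entry per line exactly as HijackThis writes them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.21/dialer_loader/uk.cab
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
"""

# Every entry opens with a section code such as "O2 - "; splitting on that
# boundary also repairs a log that was pasted with its line breaks lost.
ENTRY_START = re.compile(r"(?=[OFR]\d{1,2} - )")
ENTRY_RE = re.compile(r"^(?P<code>[OFR]\d{1,2}) - (?P<body>.+)$")

# Assumed allow-list: Winlogon Notify subkeys that ship with Windows XP.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def split_entries(text):
    return [p.strip() for p in ENTRY_START.split(text) if p.strip()]

def triage_entry(code, body):
    """Return a reason to fix this entry, or None if it looks benign."""
    if body.endswith(("(no file)", "(file missing)")):
        return "dead reference: the target no longer exists, safe to fix"
    if code == "R3" and body.endswith("is missing"):
        return "default URLSearchHook removed; fixing restores the default"
    if code == "O13":
        return "URL prefix hijack: bare hostnames are routed through this prefix"
    if code == "O16":
        return "downloaded ActiveX control; re-fetched on demand if a site needs it"
    if code == "O20":
        name = body.split(": ", 1)[1].split(" - ")[0].lower()
        if name not in KNOWN_WINLOGON_NOTIFY:
            return "unknown Winlogon Notify DLL; winlogon.exe loads it at logon"
    if code == "F2" and "UserInit=" in body:
        targets = [t.strip() for t in body.split("UserInit=", 1)[1].split(",")]
        extra = [t for t in targets if t and not t.lower().endswith("userinit.exe")]
        if extra:
            return "UserInit chains an extra program at logon: " + ", ".join(extra)
    return None

def triage_log(text):
    # Returns (code, body, reason) for every entry worth fixing, in log order.
    findings = []
    for entry in split_entries(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue  # header lines, the "Running processes:" list, etc.
        reason = triage_entry(m["code"], m["body"])
        if reason:
            findings.append((m["code"], m["body"], reason))
    return findings
```

Feed it the whole pasted log, fused lines and all; only the entries that match Steve's rules come back, with the reason beside each one.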
Pman Posted February 21, 2006

I did all of that apart from the Safe Mode thing; I tried and failed. Here's the log now:

Logfile of HijackThis v1.99.1
Scan saved at 18:17:19, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Paul Holness\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)
O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe"
O4 - Startup: Karoo.lnk = D:\Start.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} -
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} -
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} -
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} -
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} -
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} -
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} -
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} -
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} -
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} -
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)

So shall I leave Kaspersky running all the time? Now what about a firewall? Cheers