HJT log file need suggestion

Discussion in 'Malware and Virus Removal Archive' started by panchal, 2007/03/02.

  1. 2007/03/02
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    I was having a problem with my PC automatically shutting off whenever I try to download a file, viz. Google Earth etc. Following is the HJT log; please guide on what to remove and the action to be taken. Can anyone reply what the problem is?

    Logfile of HijackThis v1.99.1
    Scan saved at 8:56:58 AM, on 03-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\WINDOWS\essspk.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\webHancer\Programs\whAgent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Documents and Settings\RAJENDRA\Desktop\hotfoon4.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe "
    O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN "
    O1 - Hosts: "http://www.w3.org/TR/html4/loose.dtd ">
    O1 - Hosts: <html>
    O1 - Hosts: <head>
    O1 - Hosts: <script LANGUAGE= "JavaScript ">
    O1 - Hosts: <!--
    O1 - Hosts: if (window != top)
    O1 - Hosts: top.location.href = location.href;
    O1 - Hosts: // -->
    O1 - Hosts: </script>
    O1 - Hosts: <title>Site Unavailable</title>
    O1 - Hosts: <meta http-equiv= "Content-Type" content= "text/html; charset=iso-8859-1 ">
    O1 - Hosts: <style type= "text/css ">
    O1 - Hosts: body{text-align:center;}
    O1 - Hosts: .geohead {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;width:750px;margin:10px 0 10px 0;height:35px;}
    O1 - Hosts: .geohead #geologo {width:270px;display:block; float:left; }
    O1 - Hosts: .geohead #rightside {width:480px;display:block; float:right;border-bottom:1px solid #999999; height:27px;}
    O1 - Hosts: .geohead #rightside #welcome {width:50%;display:block; float:left; text-align:left;}
    O1 - Hosts: .geohead #rightside #wlinks {width:50%;display:block; float:right; text-align:right;}
    O1 - Hosts: .ftr { margin:0px; color:#404040; font:x-small Arial,sans-serif; text-align:center; width:750px;}
    O1 - Hosts: .bodywrap{display:block;height:470px;}
    O1 - Hosts: .bodycnt{width:510px; display:block; float:left; background-color:#EEE9F5; height:auto; text-align:left; font-family:Arial, Helvetica, sans-serif;font-size:13px; color:#000000; padding:20px 20px 35px 20px;}
    O1 - Hosts: .title { font-family:Arial, Helvetica, sans-serif; font-weight:bold; font-size:24px; color:#7C56A9}
    O1 - Hosts: .adcnt{width:172px; display:block; float:right; text-align:left;cursor:pointer;cursor:hand;}
    O1 - Hosts: .adcnt td {text-align:left;}
    O1 - Hosts: .adsubt{font-size:10px; font-family:verdana; font-weight:bold; color:#b4b4b4; cursor:default;margin-top:5px;}
    O1 - Hosts: .ybadge { font-family: Verdana, Arial, Helvetica, sans-serif; font-size:10px; color: #666666; margin-top:10px;}
    O1 - Hosts: .ybadge img {margin-top:6px;}
    O1 - Hosts: .adtable {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;border: 1px solid #d6dbe7; background-color:#eff7ff; padding:3px; margin-bottom:10px; width:172px;}
    O1 - Hosts: .adttl{font-weight:bold;margin-bottom:3px;}
    O1 - Hosts: .addescr{color:#6b6b6b; margin-bottom:3px;}
    O1 - Hosts: .adlink a {color:#008200; text-decoration:none;}
    O1 - Hosts: </style>
    O1 - Hosts: </head>
    O1 - Hosts: <body>
    O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->
    O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE -->
    O1 - Hosts: <div id= "maincnt ">
    O1 - Hosts: <div class= "geohead "><div id= "geologo "><a href= "http://geocities.yahoo.com "><img height=33 alt= "Yahoo! GeoCities" src= "http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_geo_1.gif" width=259 border=0></a></div>
    O1 - Hosts: <div id= "rightside "><div id= "wlinks "><a href= "http://geocities.yahoo.com ">GeoCities Home</a> - <a href= "http://www.yahoo.com ">Yahoo!</a> - <a href= "http://help.yahoo.com/help/us/geo/ ">Help</a></div>
    O1 - Hosts: </div></div>
    O1 - Hosts: <div class= "bodywrap ">
    O1 - Hosts: <div class= "bodycnt ">
    O1 - Hosts: <div class= "title ">Sorry, this GeoCities site is currently unavailable.</div>
    O1 - Hosts: <p>The GeoCities web site you were trying to view has temporarily exceeded its data transfer limit. Please try again later. </p>
    O1 - Hosts: <p>Are you the site owner?
    O1 - Hosts: Avoid service interruptions in the future by increasing your data transfer limit!
    O1 - Hosts: <a href= "http://help.yahoo.com/help/us/geo/transfer/transfer-05.html" target= "_blank ">Find out how.</a> </p>
    O1 - Hosts: <p><a href= "http://help.yahoo.com/help/us/geo/transfer/" target= "_blank ">Learn more about data transfer.</a></p>
    O1 - Hosts: </div>
    O1 - Hosts: <div class= "adcnt ">
    O1 - Hosts: <a target= "_top" href= "http://geocities.yahoo.com "><img src= "http://us.i1.yimg.com/us.yimg.com/i/us/smbiz/b/geo_mast_small2.gif" alt= "Yahoo! GeoCities" border= "0" height= "15" hspace= "0" vspace= "0" width= "141 "></a>
    O1 - Hosts: <div class= "adsubt ">SPONSORED LINKS</div>
    O1 - Hosts: <!--<table width= "172" border= "0" bgcolor= "#FFFFFF" class= "adtable "><tr><td align=left>-->
    O1 - Hosts: <div class= "adtable ">
    O1 - Hosts: <div class= "adttl" title= "Reliable plans include domain &amp; 24x7 support. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27166/*http://smallbusiness.yahoo.com/webhosting" target= "_blank ">Yahoo! Web Hosting<br>
    O1 - Hosts: $25 Setup Waived</a></div>
    O1 - Hosts: <div class= "addescr" title= "Reliable plans include domain &amp; 24x7 support. ">Reliable plans include domain &amp; 24x7 support.</div>
    O1 - Hosts: <div class= "adlink" title= "Reliable plans include domain &amp; 24x7 support. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27166/*http://smallbusiness.yahoo.com/webhosting" target= "_blank ">webhosting.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class= "adtable ">
    O1 - Hosts: <div class= "adttl" title= "Reliable plans include domain &amp; 24x7 support. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27176/*http://smallbusiness.yahoo.com/domains/" target= "_blank ">Domain Names from Yahoo! only $9.95/yr</a></div>
    O1 - Hosts: <div class= "addescr" title= "Includes starter web page, email & domain forwarding, 24x7 support. ">Includes starter web page, email & domain forwarding, 24x7 support.</div>
    O1 - Hosts: <div class= "adlink" title= "Includes starter web page, email & domain forwarding, 24x7 support. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27176/*http://smallbusiness.yahoo.com/domains/" target= "_blank ">domains.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class= "adtable ">
    O1 - Hosts: <div class= "adttl" title= "Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27184/*http://smallbusiness.yahoo.com/mail" target= "_blank ">Yahoo! Business Email<br> Domain Included</a></div>
    O1 - Hosts: <div class= "addescr" title= "Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning. ">Setup fee waived. Up to 10 emails, SpamGuard, forwarding &amp; virus scanning.</div>
    O1 - Hosts: <div class= "adlink" title= "Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27184/*http://smallbusiness.yahoo.com/mail" target= "_blank ">smallbusiness.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class= "adtable ">
    O1 - Hosts: <div class= "adttl" title= "$50 setup fee waived. A reliable ecommerce plan, 24x7 support. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=/27190/*http://smallbusiness.yahoo.com/merchant" target= "_blank ">Ecommerce from Yahoo!<br> 1 Month Free</a></div>
    O1 - Hosts: <div class= "addescr" title= "$50 setup fee waived. A reliable ecommerce plan, 24x7 support. ">$50 setup fee waived. A reliable ecommerce plan, 24x7 support.</div>
    O1 - Hosts: <div class= "adlink" title= "$50 setup fee waived. A reliable ecommerce plan, 24x7 support. "><a href= "http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=/27190/*http://smallbusiness.yahoo.com/merchant" target= "_blank ">smallbusiness.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class= "ybadge ">
    O1 - Hosts: Get your own web site at <br><a target= "_top" href= "http://geocities.yahoo.com ">Yahoo! GeoCities</a>
    O1 - Hosts: <a href= "http://smallbusiness.yahoo.com/webhosting/" target= "_top "><img src= "http://us.i1.yimg.com/us.yimg.com/i/us/wh/gr/badge_hostedby_purp_2.gif" alt= "Hosted by Yahoo! Web Hosting" align= "middle" border= "0" height= "31" width= "88 "></a>
    O1 - Hosts: </div>
    O1 - Hosts: </div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class=ftr>
    O1 - Hosts: <hr size=1 width=100%>
    O1 - Hosts: Copyright &copy;
    O1 - Hosts: 2005 Yahoo! Inc. All rights reserved<br>
    O1 - Hosts: <a href= "http://privacy.yahoo.com/privacy/us/geo/ ">Privacy Policy</a>
    O1 - Hosts: - <a href= "http://docs.yahoo.com/info/copyright/copyright.html ">Copyright Policy</a>
    O1 - Hosts: - <a href= "http://docs.yahoo.com/info/guidelines/community.html ">Guidelines</a>
    O1 - Hosts: - <a href= "http://docs.yahoo.com/info/terms/geoterms.html ">Terms of Service</a>
    O1 - Hosts: - <a href= "http://help.yahoo.com/help/us/geo/ ">Help</a>
    O1 - Hosts: </div>
    O1 - Hosts: </div>
    O1 - Hosts: </body>
    O1 - Hosts: </html>
    O1 - Hosts: <!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
    O1 - Hosts: <IMG SRC= "http://geo.yahoo.com/serv?s=19190039&t=1171852009&f=us-w82" ALT=1 WIDTH=1 HEIGHT=1>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe "
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [HOTFOON2] C:\Documents and Settings\RAJENDRA\Desktop\hotfoon4.exe /h
    O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\smss.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF310558-BBE4-492D-814C-ACD23050C297}: NameServer = 212.72.1.186 212.72.23.4
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Edited to correct formatting, making log easier to read.
     
  2. 2007/03/04
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi and welcome! :)

    You have yourself a couple of infections.
    One being WebHancer (adware/hijacker) and a nasty email worm.

    Info regarding the worm:

    http://www.sophos.com/security/analyses/w32brontokc.html

    We won't be able to remove WebHancer till we remove the worm because it has trashed your ability to run regedit tools or see hidden files.

    Please follow instructions below in the order presented.
    If you don't understand something in the instructions, please ask me before proceeding.

    Looks like a lot, but really shouldn't be bad.

    Please print out or save these instructions in case you have trouble with your internet connection part way through the fix and this page becomes unavailable.

    1.) Create a folder called "blender" on the desktop so we can put our tools in there.

    2.) Download The following tools and put them in the blender folder on desktop. Do nothing with them till I tell you to.

    Killbox by O^E:

    http://killbox.net/downloads/KillBox.exe

    ATF-Cleaner by Atribune:

    http://www.atribune.org/ccount/click.php?id=1

    LSPFix:

    http://www.cexx.org/LSPFix.exe

    Reg fix:

    Attached is a file called fix.zip
    Download that file to your blender folder.
    Unzip that file.
    Once unzipped you should have fix.reg (looks like blue blocks).
    Move fix.reg right to your C:\ drive. This will just make it easier to run it later.

    --------------

    3.) Close running programs because you will be rebooting shortly. You can have this window open if you like for instructions.

    4.) Open the blender folder and double click killbox to run it.
    Checkmark "Delete on reboot", then click on "All files".
    All files button should be flashing green.

    Copy this bold list by highlighting it all and pressing Ctrl + C on the keyboard.

    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\csrss.exe
    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\inetinfo.exe
    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\lsass.exe
    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\services.exe
    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\smss.exe
    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\winlogon.exe
    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\ListHost11.txt
    C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\Update.11.Bron.Tok.bin
    C:\Documenats and settings\Rajendra\Templates\brengkolang.com
    C:\Documents and Settings\RAJENDRA\Start Menu\Programs\startup\empty.pif
    C:\Documents and settings\all users\start menu\programs\startup\empty.pif
    c:\windows\shellnew\sempalong.exe
    c:\windows\eksplorasi.exe
    c:\windows\system\repclient1's setting.scr
    c:\windows\tasks\at1.job
    C:\windows\system32\drivers\etc\hosts


    In Killbox click the "File" menu and choose "Paste from clipboard".
    Click the Red circle with White X

    When asked to reboot say Yes

    Your computer should reboot.

    If you get an error that says "Pending operations data has been removed by external process!", OK the error and reboot manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe.

    http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe

    Then try Killbox again.


    5.) Once restarted you may get a few errors about missing files.
    This is OK. We'll fix that in a minute. Just OK the errors.

    Click start> run> type in the following command exactly as you see it then hit enter:

    regedit /s c:\fix.reg

    Not much visible will happen. You may see your cursor flicker, but that's about it.

    6.) Open Hijackthis
    Click "Open misc tools options"
    Click "Open Hosts file manager"
    If you are told the hosts file does not exist and asked if you want to create one answer Yes.
    Hijackthis will replace the Hosts file we deleted with windows default one.

    Exit Hijackthis.

    7.) Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

    When you have finished, click on the Exit button in the Main menu.

    8a.) Go to add/remove programs and uninstall:

    Webhancer Survey Companion
    Webhancer Agent


    Reboot

    8b.) Reveal Hidden Files

    • Click Start.
    • Open My Computer.
    • Select the Tools menu.
    • Click Folder Options.
    • Select the View tab.
    • Select "Show hidden files and folders" in the Hidden files and folders section.
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Uncheck the "Hide file extensions for known file types" option.
    • Click Yes.
    • Click OK.


    8c.) Find and delete the following files/folders if present:

    c:\program files\webhancer <-- folder
    c:\windows\webhdll.dll <-- file
    c:\windows\whagent.inf <-- file
    c:\windows\whInstaller.exe <-- file
    c:\windows\whInstaller.ini <-- file


    9.) If you have trouble connecting to the internet after uninstalling webhancer please do the following:

    Go to your blender folder and double click LSPFix.exe
    DO NOT check or remove anything! Leave settings as they are.
    Scroll down at right and click "Finish".
    Exit program and reboot.

    10.) Please post me a new hijackthis log so I can see how we are doing.
    Please also post this log:
    C:\!Killbox\logs\kb.log

    Careful in the killbox folder please. It has malware in it!!

    11.) Please also do this:

    Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    *Note2
    If you have Internet Explorer 7 installed:
    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
    Page will reload and you should be able to carry on scan.

    It may take a couple of posts to get all the logs in. The Kaspersky log can be long.
    Let me know if there are still problems downloading or surfing.

    There will likely be more work to do.

    Thanks

    Tammy
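    As an added illustration (not part of the thread, and not a tool the helper used), the Python script below applies the same reading of the log as the reply above to a few lines copied from the posted log: the F2 Shell= entry that starts a second program beside Explorer, O1 Hosts lines that are HTML rather than hosts-file syntax, O4 Run entries that either reuse a Windows process name from a user profile folder or match a file named in the Killbox list, the O7 DisableRegedit policy, and the O10 LSP hijack. The rule set and the system-process name list are assumptions made for this example, not a complete scanner.

```python
"""Triage of HijackThis log lines for the indicators called out in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the log posted above (a few normal entries included
# so the script runs offline and shows what is and is not flagged).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe "
O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN "
O1 - Hosts: <html>
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\smss.exe "
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Hijacked Internet access by WebHancer
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Core Windows process names (an assumed list for this example). A copy of one
# of these launched from a user profile is a masquerade; the Killbox list in the
# reply above names exactly such copies under Local Settings\Application Data.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                        "winlogon.exe", "inetinfo.exe"}
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\",
                        "\\application data\\")
# Worm components named in the removal list in this thread.
WORM_FILE_NAMES = {"sempalong.exe", "eksplorasi.exe"}

# A legitimate (XP-era, IPv4) hosts line is blank, a '#' comment, or
# "<ip> <hostname> ...". Anything else means the file is not a hosts file.
HOSTS_LINE_RE = re.compile(r"^(#.*|(\d{1,3}\.){3}\d{1,3}\s+\S.*)?$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the offending log line


def _extract_path(value: str) -> str:
    """Return the program path from an O4 Run value, quoted or not."""
    value = value.strip()
    quoted = re.match(r'"([^"]*)"', value)
    if quoted:
        return quoted.group(1).strip()
    # Unquoted command line: cut at the first switch such as " /h" or " -k".
    return re.split(r"\s+[/-]", value, maxsplit=1)[0].strip()


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's reading of the log to one HijackThis line."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" - ", 1)[0]
    if section == "F2" and "Shell=" in line:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return Finding("F2", "shell hijack: extra program started with Explorer", line)
    elif section == "O1" and "Hosts:" in line:
        content = line.split("Hosts:", 1)[1].strip()
        if not HOSTS_LINE_RE.match(content):
            return Finding("O1", "hosts file content is not hosts-file syntax", line)
    elif section == "O4" and "Run:" in line and "]" in line:
        path = _extract_path(line.split("]", 1)[1])
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_PROCESS_NAMES and any(
                m in path.lower() for m in USER_PROFILE_MARKERS):
            return Finding("O4", f"system process name {name} run from a user profile", line)
        if name in WORM_FILE_NAMES:
            return Finding("O4", f"{name} is a file named in the removal list", line)
    elif section == "O7" and "DisableRegedit=1" in line:
        return Finding("O7", "Registry Editor disabled by policy", line)
    elif section == "O10" and "Hijacked Internet access" in line:
        return Finding("O10", "Winsock LSP hijack", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Flag every suspicious line in a HijackThis log, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```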
     

  4. 2007/03/04
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    feedback on HJT log

    Thanks for guiding. I was not able to get the Show Folder Options in My Computer, as on hitting Tools > Options I can see Map Network Drive, Disconnect Network Drive, Synchronize, etc.

    Please find below the new HJT log after carrying out your suggestion.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:09:16 PM, on 04-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\essspk.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\webHancer\Programs\whAgent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Documents and Settings\RAJENDRA\Desktop\hotfoon4.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe "
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [HOTFOON2] C:\Documents and Settings\RAJENDRA\Desktop\hotfoon4.exe /h
    O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\smss.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Also, on rebooting I am getting one error as follows:

    Can't find file C:/WINDOWS/eksplorasi.exe, please use search to find this file, etc.

    no other issues
     
  5. 2007/03/08
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Sorry for late reply. I didn't get my topic reply notice in email :eek:

    Did you run that reg file I had you download?
    This file should re-enable your regedit and fix the other registry damage the worm did.
    If you deleted it already...please download it again (from my previous post) and unzip it to your C: drive. It must be unzipped to work.

    You should have C:\fix.reg when done.
    Icon should look like a set of blue blocks.

    Click start> run> type the following command and hit enter:

    regedit /s C:\fix.reg

    If you get any errors please report back what they are.

    Reboot

    Post a fresh hijackthis log when done please.

    We'll still have work to do.

    Thanks!

    Tammy
     
  6. 2007/03/08
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    feedback new HJT log file

    Hi,
    Thanks. I tried to open the file from C:/fix, but a message came that regedit is disabled by the administrator; however, I then tried start>run>regedit /s C:\fix.reg, and it appears it ran, as no message came.
    Please find the HJT log taken thereafter as follows:
    Logfile of HijackThis v1.99.1
    Scan saved at 4:03:00 PM, on 08-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe "
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\smss.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF310558-BBE4-492D-814C-ACD23050C297}: NameServer = 212.72.1.186 212.72.23.4
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  7. 2007/03/08
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    You rebooted after running regedit /s c:\fix.reg?

    It needs a reboot to take effect.

    Running the reg file the way I had you do bypasses the restrictions put on regedit. It should have also removed the restrictions and removed the entries related to the worm.

    It is a silent repair, so you won't see anything happening. Maybe the cursor will flicker for a sec, but that is about it.

    Do reboot please and post fresh hijackthis log.
    When the log file is open please click the "format" menu and uncheck "wordwrap ". Then copy/paste the log.

    Till we fix the registry damage -- doing scans and other program removals will be difficult.

    Thanks :)
     
  8. 2007/03/08
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    Hjt Log After Rebooting

    Hi, thanks, please find below the HJT log file after following your advice:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:46:53 PM, on 08-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe "
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\RAJENDRA\Local Settings\Application Data\smss.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF310558-BBE4-492D-814C-ACD23050C297}: NameServer = 212.72.1.186 212.72.23.4
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  9. 2007/03/08
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Looks like it didn't work quite the way it was intended to.
    I see the problem now..

    You can delete fix.zip and c:\fix.reg.

    Attached is file called fix2.zip
    Download/save that file and unzip it to C:\
    You should have c:\fix2.reg when done.

    Click start> run> type this command and hit enter:

    regedit /s c:\fix2.reg

    Reboot

    New hijackthis log please.
    Let me know if you can access folder options> and unhide hidden files.

    Also try this:

    Start> run> type regedit and hit enter. Does it work?
    Start> run> cmd and hit enter. Work?

    Thanks
     
  10. 2007/03/08
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    Hjt Log After Fix2

    I was able to show hidden folder options, but when I try to delete the Program Files > webHancer folder, a message came saying whiehlpr.dll access denied.
    I did not remove other files like: c:\windows\webhdll.dll <-- file
    c:\windows\whagent.inf <-- file
    c:\windows\whInstaller.exe <-- file
    c:\windows\whInstaller.ini <-- file
    as these I believe are related to WINXP-SP-1 and I am afraid; can you explain to me a little bit about these files, whether they are harmful?

    Interestingly, after I ran fix2, I was able to run>regedit, but earlier I was not able to; however, run>cmd was working earlier also.

    I want to know in layman's language what is wrong with my PC and how vulnerable it is??
    And the process which I am following as outlined by you does what?

    Logfile of HijackThis v1.99.1
    Scan saved at 7:38:41 PM, on 08-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  11. 2007/03/08
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Glad to hear regedit is working now.

    This is the worm we are dealing with:

    http://www.sophos.com/security/analyses/w32brontokc.html

    It is a mass mailer worm which means when running it emails copies of itself to your email contacts in order to spread.
    Part of what the worm does is set permissions in the registry to disallow you from running windows tools to find/remove bad files, remove entries in regedit or run commands in the command console (cmd.exe) to remove it.

    When these tools are damaged/disabled we need to resort to other tools that are not targeted by the malware involved so the offending files can be removed then we fix the damage the malware left.

    This is why I had you use Killbox.
    Killbox is a delete tool and makes it easier to delete many files at once like we did.

    This is also why I had you run those registry files like I did.
    Since regedit was disabled, simply clicking the reg files would not work and you had errors.
    Doing like I said bypasses the restrictions on regedit in order to fix it and remove the restrictions.

    -------------

    Webhancer is a tracking program. See here for more info:

    http://vil.nai.com/vil/Content/v_124123.htm

    You can't delete the folder because the program is running. You cannot delete files that are running or in use. We also cannot use killbox to remove this one.
    Each malware has to be dealt with differently because they all do different damage. One needs to know what it does and how to fix it properly.

    Did you uninstall those programs I listed and reboot after?

    They need to be uninstalled because if you just try deleting the files/folders we could break your internet.
    This is also why I had you download LSPFix in case uninstall does not go well and you cannot get online. LSPFix repairs damage to the LSP stack which is what is responsible for internet. This is the only time this tool is used.
    I like to have a backup plan in case things go wrong.

    I chose Kaspersky online scanner because it does not clean. It only gives a report.
    I prefer to deal with things manually and not let online scanners delete things.
    Most online scanners don't have quarantine, so if there is a false positive good files can get deleted (without backup).

    -----------------

    Save these instructions to notepad or print them out.
    You should have your browser closed during fix.

    If you didn't download it already, please download this file and save it:

    http://www.cexx.org/LSPFix.exe

    Close all browser windows.

    Start Hijackthis
    Run system scan only and check:

    O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "


    Click "fix checked" and OK.

    Exit Hijackthis.

    Go to add/remove programs and uninstall if present the following programs:

    Webhancer Survey Companion
    Webhancer Agent


    Reboot once done.

    Find and delete the following if they still exist:

    c:\program files\webhancer <-- folder
    c:\windows\webhdll.dll <-- file
    c:\windows\whagent.inf <-- file
    c:\windows\whInstaller.exe <-- file
    c:\windows\whInstaller.ini <-- file

    Empty recycle bin

    If you cannot connect to internet after removing the above please do the following:

    Close any open browser windows.
    Double click LSPFix.exe to run it.
    Move NOTHING. Leave settings as they are.
    Click "finish" at bottom right and exit the program.

    Reboot

    Internet should be restored.

    Please post:

    New Hijackthis log
    Log from Kaspersky online scan I asked for earlier.

    Let me know how machine is running.

    Thanks! :)
     
  12. 2007/03/08
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    HJT feedback

    Sir,
    I was able to delete O4 - HKLM\.... "C:\WINDOWS\SHELLNEW\sempalong.exe
    I also deleted c:\windows\webhdll.dll, whinsatller.inf.....exe
    BUT
    WAS NOT ABLE TO FIND IN ADD/REMOVE THE WEBHANCER PROGRAM AND ALSO WHEN I TRY TO DELETE THE WEBHANCER FOLDER IN PROGRAM FILES IT SAYS ACCESS DENIED whiehlpr.dll can't be removed.

    I rebooted and please find the latest log as follows:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:12:45 AM, on 09-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    GUIDE ME HOW TO REMOVE WEBHANCER FOLDER FROM PROGRAM FILE
     
  13. 2007/03/08
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Click start> run> type the bold command and hit enter:

    *note* There is a space between the 2 & / also between u & "
    Quotes are to be included in command.

    regsvr32 /u "C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll "

    You should get succeeded message.

    Reboot to SAFE mode.
    To get to safe mode:

    - Restart your computer
    - After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    - Instead of Windows loading as normal, the Advanced Options Menu should appear;
    - Select the first option, to run Windows in Safe Mode, then press Enter.
    - Choose your usual account.

    Find and delete:

    C:\Program files\Webhancer <-- folder

    Empty recycle bin.

    Reboot back to normal mode and post a fresh hijackthis log along with the Kaspersky scan I asked for.

    Are you having trouble running that Kaspersky scan? If so, what are the errors?

    I really would like to see it since there might be some malware that we do not see in your hijackthis log.

    Thanks!
     
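    To confirm a cleanup from the logs rather than by eye, here is an added example (my own code, not from the thread, HijackThis or Blender) that parses the O2/O4/O23 lines of an HJT 1.99 log and diffs a before and after scan; it serves both the removal steps in Blender's earlier post and the BHO unregistration in the post above. The sample excerpts are constructed from lines quoted in this thread, and the function names are my own.

```python
"""Parse HijackThis 1.99 log entries and diff a "before" and "after" log so a
cleanup can be verified from the next scan instead of from memory.
The sample log excerpts below are constructed from lines quoted in this thread."""
import re
from dataclasses import dataclass

# Every HJT entry line starts with a section code (R0/R1, O2, O4, O23, ...).
_ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# O2 - BHO: <class name> - {CLSID} - <dll path>
_O2 = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
_O4 = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 - Service: <display name> (<short name>) - <owner> - <image path>
_O23 = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # HJT section code, e.g. "O4"
    name: str      # Run value name / BHO class name / service name
    target: str    # normalised path or command line the entry launches
    key: str       # identity used when diffing two logs


def normalise_path(text: str) -> str:
    """Strip quotes and stray whitespace (the worm's Run value carries a space
    inside its closing quote) and lower-case, since NTFS paths are case-insensitive."""
    return text.strip().strip('"').strip().lower()


def parse_line(line: str):
    """Return an Entry for a recognised O2/O4/O23 line, otherwise None."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    if section == "O2" and (mm := _O2.match(body)):
        return Entry("O2", mm["name"], normalise_path(mm["path"]),
                     f"O2:{mm['clsid'].lower()}")
    if section == "O4" and (mm := _O4.match(body)):
        return Entry("O4", mm["name"], normalise_path(mm["cmd"]),
                     f"O4:{mm['hive']}\\{mm['key']}:{mm['name']}")
    if section == "O23" and (mm := _O23.match(body)):
        return Entry("O23", mm["name"], normalise_path(mm["path"]),
                     f"O23:{mm['name']}")
    return None  # R0/R1, O8, O9, O16, O18 ... are not modelled here


def parse_log(text: str) -> dict:
    """Map entry key -> Entry for every recognised line in an HJT log."""
    entries = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            entries[e.key] = e
    return entries


def diff_logs(before: str, after: str):
    """Return (removed, added) lists of Entry objects between two scans."""
    b, a = parse_log(before), parse_log(after)
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


def unresolved(after: str, expected_gone: list) -> list:
    """Names that were supposed to be fixed but still appear in the new log."""
    present = {e.name for e in parse_log(after).values()}
    return [n for n in expected_gone if n in present]


# Constructed excerpt of the scan posted before the fix.
BEFORE = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRA~1\WEBHAN~1\programs\whiehlpr.dll
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Constructed excerpt of the scan posted after the fix and safe-mode deletion.
AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for e in removed:
        print(f"gone:  {e.section} [{e.name}] -> {e.target}")
    for e in added:
        print(f"new:   {e.section} [{e.name}] -> {e.target}")
    print("still present:", unresolved(AFTER, ["Bron-Spizaetus", "WhIeHelperObj Class"]))
```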
  14. 2007/03/09
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    webhancer got deleted HJT new log file

    Yes, it was done; webhancer got deleted and please find below the HJT log. Since I have dialup internet, I tried to scan with Kaspersky but it takes a lot of time; I shall try once again. In the meantime let me know from the log the status of my PC, all is well now.
    Logfile of HijackThis v1.99.1
    Scan saved at 10:50:30 AM, on 09-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  15. 2007/03/09
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Log looks good. I didn't realize you were on dial-up. Scan will take a long time.

    Let's try something else.
    I would like to see if there are any other files involved I may have missed.
    This app should show me.

    Download ComboScan to your Desktop:

    http://www.techsupportforum.com/sectools/Deckard/comboscan.exe

    Close all applications and windows.
    Double-click on comboscan.exe to run it, and follow the prompts.
    When the scan is complete, a text file will open - ComboScan.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt here.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Copy/paste Supplementary.txt in your reply as well.

    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    What ComboScan will do:
    --create a new System Restore point in Windows XP and Vista.
    --clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    --check some important areas of your system and produce a report for your analyst to review.
    --ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

    Thanks! :)
     
  16. 2007/03/09
    panchal

    panchal Inactive Thread Starter

    Joined:
    2002/05/21
    Messages:
    122
    Likes Received:
    0
    Comboscan Log File

    Please find the ComboScan log file below:
    ComboScan v20070306.20 run by RAJENDRA on 2007-03-09 at 15:46:55
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created ComboScan Restore Point.


    -- Last 5 Restore Point(s) --
    73: 2007-03-09 11:47:11 UTC - RP145 - ComboScan Restore Point
    72: 2007-03-08 16:01:40 UTC - RP144 - System Checkpoint
    71: 2007-03-07 15:40:10 UTC - RP143 - System Checkpoint
    70: 2007-03-06 15:08:39 UTC - RP142 - System Checkpoint
    69: 2007-03-05 14:35:06 UTC - RP141 - System Checkpoint


    -- First Restore Point --
    1: 2006-12-29 15:18:22 UTC - RP73 - Installed Disc2Phone


    Performed disk cleanup.


    -- HijackThis (run as RAJENDRA.exe) --------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 3:47:58 PM, on 09-Mar-07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\System32\AcerGoto.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Documents and Settings\RAJENDRA\Desktop\comboscan.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Norton AntiVirus\navw32.exe
    C:\PROGRA~1\HIJACK~1\RAJENDRA.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcerGoto] C:\WINDOWS\System32\AcerGoto.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
    O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/no...opularScreenSaversFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1158777964895
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

    backup-20070309-065951-482 O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe "

    -- File Associations -----------------------------------------------------------

    .bat - batfile - "%1" %*
    .chm - chm.file - "C:\WINDOWS\hh.exe" %1
    .cmd - cmdfile - "%1" %*
    .com - comfile - "%1" %*
    .exe - exefile - "%1" %*
    .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - "%1" %*
    .reg - regfile - regedit.exe "%1 "
    .scr - AutoCADScriptFile - C:\WINDOWS\NOTEPAD.EXE "%1 "
    .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    3S ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - C:\WINDOWS\system32\drivers\ac97intc.sys
    3R ALCXWDM (Service for Avance AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2R Aspi32 - C:\WINDOWS\system32\drivers\aspi32.sys
    3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys
    3S atimtag - C:\WINDOWS\system32\DRIVERS\atimtag.sys (not found)
    3R BlueletAudio (Bluetooth Audio Service) - C:\WINDOWS\system32\drivers\blueletaudio.sys
    3R BT (Bluetooth PAN Network Adapter) - C:\WINDOWS\system32\drivers\BtNetDrv.sys
    3S Btcsrusb (Bluetooth USB For Bluetooth Service) - C:\WINDOWS\system32\drivers\btcusb.sys
    3S BthEnum (Bluetooth Request Block Driver) - C:\WINDOWS\system32\drivers\bthenum.sys
    3R BTHidEnum (Bluetooth HID Enumerator) - C:\WINDOWS\system32\drivers\VBTEnum.sys
    0R BTHidMgr (Bluetooth HID Manager Service) - C:\WINDOWS\system32\drivers\BTHidMgr.sys
    3S BTHMODEM (Bluetooth Serial Communications Driver) - C:\WINDOWS\system32\drivers\bthmodem.sys
    3S BthPan (Bluetooth Device (Personal Area Network)) - C:\WINDOWS\system32\drivers\bthpan.sys
    3S BTHPORT (Bluetooth Port Driver) - C:\WINDOWS\system32\drivers\bthport.sys
    3S BTHUSB (Bluetooth Radio USB Driver) - C:\WINDOWS\system32\drivers\bthusb.sys
    3S BTNetFilter (Bluetooth Network Filter) - C:\WINDOWS\system32\drivers\BTNetFilter.sys
    3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\CCDECODE.sys
    3R ctljystk (Creative SBLive! Gameport) - C:\WINDOWS\system32\drivers\ctljystk.sys
    1R dcswap - C:\WINDOWS\system32\drivers\DCSWAP.SYS
    3R E100B (Intel(R) PRO Adapter Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
    3R Edspport (EDSP Port Driver) - C:\WINDOWS\system32\drivers\es56tpi.sys
    3R emu10k (Creative SB Live! series(WDM)) - C:\WINDOWS\system32\drivers\emu10k1f.sys
    3R emu10k1 (Creative Interface Manager Driver (WDM)) - C:\WINDOWS\system32\drivers\ctlface.sys
    3R GEARAspiWDM (GEAR CDRom Filter) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
    3S HidBth (Microsoft Bluetooth HID Miniport) - C:\WINDOWS\system32\drivers\hidbth.sys
    3R hidusb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
    0R IdeBusDr - C:\WINDOWS\system32\drivers\IdeBusDr.sys
    0R IdeChnDr (Intel(R) Ultra ATA Controller) - C:\WINDOWS\system32\drivers\IdeChnDr.sys
    1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
    1R kbdhid (Keyboard HID Driver) - C:\WINDOWS\system32\drivers\kbdhid.sys
    3R MODEMCSA (Unimodem Streaming Filter Device) - C:\WINDOWS\system32\drivers\MODEMCSA.sys
    3R mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
    3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\MSTEE.sys
    3R ms_mpu401 (Microsoft MPU-401 MIDI UART Driver) - C:\WINDOWS\system32\drivers\msmpu401.sys
    3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\NABTSFEC.sys
    3R NAVENG - C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070307.037\NAVENG.SYS
    3R NAVEX15 - C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070307.037\NAVEX15.SYS
    3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\NdisIP.sys
    3R NPDriver (Norton Unerase Protection Driver) - C:\WINDOWS\system32\drivers\NPDRIVER.SYS
    2R PfModNT - C:\WINDOWS\system32\PfModNT.sys
    3S RFCOMM (Bluetooth Device (RFCOMM Protocol TDI)) - C:\WINDOWS\system32\drivers\rfcomm.sys
    3R ROOTMODEM (Microsoft Legacy Modem Driver) - C:\WINDOWS\system32\drivers\rootmdm.sys
    1R SAVRT - C:\Program Files\Norton AntiVirus\savrt.sys
    1R SAVRTPEL - C:\Program Files\Norton AntiVirus\Savrtpel.sys
    3R sfman (Creative SoundFont Manager Driver (WDM)) - C:\WINDOWS\system32\drivers\sfman.sys
    3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\SLIP.sys
    3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\StreamIP.sys
    3S STV680 (STV0680 Camera) - C:\WINDOWS\system32\drivers\stv680.sys
    3R SymEvent - C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2R symlcbrd - C:\WINDOWS\system32\drivers\symlcbrd.sys
    3R SYMREDRV - C:\WINDOWS\system32\drivers\symredrv.sys
    1R SYMTDI - C:\WINDOWS\system32\drivers\symtdi.sys
    3S usbaudio (USB Audio Driver (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
    3R usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
    3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
    3R usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
    3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
    3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\usbstor.sys
    3S usbvideo (USB Video Device (WDM)) - C:\WINDOWS\system32\drivers\usbvideo.sys
    3S usb_rndisx (USB RNDIS Adapter) - C:\WINDOWS\system32\drivers\usb8023x.sys
    3R VComm (Virtual Serial port driver) - C:\WINDOWS\system32\drivers\VComm.sys
    3R VcommMgr (Bluetooth VComm Manager Service) - C:\WINDOWS\system32\drivers\VcommMgr.sys
    3S w810bus (Sony Ericsson W810 Driver driver (WDM)) - C:\WINDOWS\system32\drivers\w810bus.sys
    3S w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - C:\WINDOWS\system32\drivers\w810mdfl.sys
    3S w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - C:\WINDOWS\system32\drivers\w810mdm.sys
    3S w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - C:\WINDOWS\system32\drivers\w810mgmt.sys
    3S w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - C:\WINDOWS\system32\drivers\w810obex.sys
    3R WBMSA (Winbond Memory Stick Storage (MS) Device Driver - A) - C:\WINDOWS\system32\drivers\wbmsa.sys
    3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\WSTCODEC.SYS


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    2R Automatic LiveUpdate Scheduler - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe "
    2R BlueSoleil Hid Service - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    2R BthServ (Bluetooth Support Service) - C:\WINDOWS\system32\svchost.exe -k bthsvcs
    2R ccEvtMgr (Symantec Event Manager) - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    3S ccPwdSvc (Symantec Password Validation) - "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe "
    2R ccSetMgr (Symantec Settings Manager) - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe "
    2R Creative Service for CDROM Access - C:\WINDOWS\system32\CTsvcCDA.EXE
    2R EPSONStatusAgent2 (EPSON Printer Status Agent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    3S iPodService (iPod Service) - "C:\Program Files\iPod\bin\iPodService.exe "
    3S LiveUpdate - "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE "
    2R navapsvc (Norton AntiVirus Auto Protect Service) - "C:\Program Files\Norton AntiVirus\navapsvc.exe "
    2R NProtectService (Norton Unerase Protection) - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    3S SAVScan - "C:\Program Files\Norton AntiVirus\SAVScan.exe "
    2S SBService (ScriptBlocking Service) - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    3S SNDSrvc (Symantec Network Drivers Service) - "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe "
    2R Speed Disk service - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    2R Symantec Core LC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
    2R WMDM PMSP Service - C:\WINDOWS\system32\MsPMSPSv.exe


    -- Scheduled Tasks -------------------------------------------------------------

    2007-03-02 20:04:14 488 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job<NORTON~1.JOB>


    -- Files created between 2007-02-09 and 2007-03-09 -----------------------------

    2007-03-09 10:41:34 0 d-------- C:\Documents and Settings\Administrator.PANCHALWORLD\Application Data\InterTrust<INTERT~1>
    2007-03-09 10:41:34 0 d-------- C:\Documents and Settings\Administrator.PANCHALWORLD\Application Data\Adobe
    2007-03-09 10:41:32 0 d-------- C:\Documents and Settings\Administrator.PANCHALWORLD\WINDOWS
    2007-03-09 10:41:32 786432 --ah----- C:\Documents and Settings\Administrator.PANCHALWORLD\NTUSER.DAT
    2007-03-08 19:13:20 550 --a------ C:\fix2.reg
    2007-03-04 15:38:30 0 d-------- C:\fix
    2007-03-04 15:37:40 0 d-------- C:\!KillBox
    2007-03-04 15:33:08 0 d-------- C:\blender
    2007-03-03 08:55:56 488144 --a------ C:\HJTsetup.exe
    2007-03-02 19:56:00 0 d-------- C:\Program Files\SymNetDrv<SYMNET~1>
    2007-03-02 17:02:56 2397 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
    2007-03-02 16:13:15 0 d-------- C:\Program Files\proeWildfire 3.0<PROEWI~1.0>
    2007-03-02 16:11:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2007-03-02 16:11:28 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2007-03-02 15:59:35 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
    2007-03-02 10:33:09 4718592 --a------ C:\Documents and Settings\RAJENDRA\ntuser.dat
    2007-03-02 10:33:08 245760 --a------ C:\Documents and Settings\LocalService\ntuser.dat
    2007-03-01 16:10:36 0 d-------- C:\Documents and Settings\RAJENDRA\Application Data\Yahoo!
    2007-02-23 19:32:08 0 d-------- C:\WINDOWS\ie7updates<IE7UPD~1>
    2007-02-19 17:09:51 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Teleca
    2007-02-13 14:26:37 0 d-------- C:\WINDOWS\WBEM
    2007-02-13 14:26:36 0 d-------- C:\WINDOWS\system32\en-US
    2007-02-13 14:26:01 0 d--h----- C:\WINDOWS\ie7
    2007-02-13 14:23:20 121856 -----n--- C:\WINDOWS\system32\xmllite.dll
    2007-02-13 14:22:24 0 d-------- C:\WINDOWS\network diagnostic<NETWOR~1>


    -- Find3M Report ---------------------------------------------------------------

    2007-03-09 11:21:28 12 --a------ C:\WINDOWS\bthservsdp.dat<BTHSER~1.DAT>
    2007-03-02 19:56:56 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-03-02 17:28:42 7 ---hs---- C:\AUTOEXEC.BAT
    2007-01-30 21:07:34 65480 --a------ C:\Documents and Settings\RAJENDRA\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
    2007-01-29 12:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
    2007-01-27 16:44:02 0 d-------- C:\Program Files\Design Science<DESIGN~1>
    2007-01-27 16:43:52 2155320 --a------ C:\MathPlayerSetup.exe<MATHPL~1.EXE>
    2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
    2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
    2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
    2007-01-12 09:27:42 6054400 -----n--- C:\WINDOWS\system32\ieframe.dll
    2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
    2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
    2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
    2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
    2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2007-01-08 19:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
    2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
    2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
    2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
    2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-12-26 18:31:32 23904 --a------ C:\WINDOWS\desctemp.dat
    2006-12-20 01:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
    2006-12-19 22:16:48 333824 --a------ C:\WINDOWS\system32\wiaservc.dll


    -- Registry Dump ---------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "H/PC Connection Agent "= "\ "C:\\PROGRA~1\\MICROS~3\\wcescomm.exe\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "AcerGoto "= "C:\\WINDOWS\\System32\\AcerGoto.exe "
    "AtiPTA "= "atiptaxx.exe "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "BluetoothAuthenticationAgent "= "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent "
    @=" "
    "Sony Ericsson PC Suite "= "\ "C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions "
    "ccApp "= "\ "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\" "
    "Advanced Tools Check "= "C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE "
    "Symantec NetDriver Monitor "= "C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\AcroTray.exe "
    "item "= "Acrobat Assistant "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BlueSoleil.lnk "
    "backup "= "C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item "= "BlueSoleil "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\EPSON Status Monitor 3 Environment Check 2.lnk "
    "backup "= "C:\\WINDOWS\\pss\\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_SRCV02.EXE "
    "item "= "EPSON Status Monitor 3 Environment Check 2 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\GetRight - Tray Icon.lnk "
    "backup "= "C:\\WINDOWS\\pss\\GetRight - Tray Icon.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\GetRight\\getright.exe "
    "item "= "GetRight - Tray Icon "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk "
    "backup "= "C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
    "item "= "HP Digital Imaging Monitor "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Magic Keyboard.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Magic Keyboard.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Magic Keyboard.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\MAGICK~1\\MagicKey.exe "
    "item "= "Magic Keyboard "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk "
    "backup "= "C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l "
    "item "= "Microsoft Office "

    contd. in next message:
     
  17. 2007/03/09
    panchal (Thread Starter)

    contd comboscan

    contd'.....
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AHQTB"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssSpkPhone]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="essspk"
    "hkey"="HKLM"
    "command"="essspk.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HOTFOON2]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hotfoon4"
    "hkey"="HKCU"
    "command"="C:\\Documents and Settings\\RAJENDRA\\Desktop\\hotfoon4.exe /h"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HPWuSchd2"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="dumprep 0 -k"
    "hkey"="HKLM"
    "command"="%systemroot%\\system32\\dumprep 0 -k"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="soundman"
    "hkey"="HKLM"
    "command"="soundman.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Save"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Save\\Save.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ypager"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "mnmsrvc"=dword:00000003


    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Tok-Cirrhatus"="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\smss.exe\""

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "Tok-Cirrhatus"="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\smss.exe\""

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableCMD"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000001
    "DisableCMD"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    @=""

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoFolderOptions"=dword:00000001

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    bthsvcs REG_MULTI_SZ BthServ\0\0
    supplementary txt.
    ComboScan v20070306.20 run by RAJENDRA on 2007-03-09 at 15:46:55
    Supplementary logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) 4 CPU 1700MHz
    Percentage of Memory in Use: 69%
    Physical Memory (total/avail): 255.48 MiB / 77.52 MiB
    Pagefile Memory (total/avail): 617.86 MiB / 416.51 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1995.5 MiB

    A: is Removable (No Media)
    C: is Fixed (FAT32) - 32.43 GiB total, 16.22 GiB free.
    D: is Fixed (FAT32) - 4.82 GiB total, 0.74 GiB free.
    E: is CDROM (CDFS)
    F: is CDROM (No Media)
    M: is Removable (No Media)


    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    AntiVirusDisableNotify is set.
    FirewallDisableNotify is set.



    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\RAJENDRA\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=PANCHALWORLD
    ComSpec=C:\WINDOWS\system32\cmd.exe
    DEFAULT_CA_NR=CA6
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\RAJENDRA
    LOGONSERVER=\\PANCHALWORLD
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\Common Files\Teleca Shared
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=000a
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\RAJENDRA\LOCALS~1\Temp
    TMP=C:\DOCUME~1\RAJENDRA\LOCALS~1\Temp
    USERDOMAIN=PANCHALWORLD
    USERNAME=RAJENDRA
    USERPROFILE=C:\Documents and Settings\RAJENDRA
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Owner (new local, admin)
    RAJENDRA (admin)
    Administrator.PANCHALWORLD (new local, admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\News\CTNews.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\AudioHQ.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\Creative Rhythmania\Rhythm.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\Diagnose.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\EaxDemo.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\Midi.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\PlayCenter2\Player2.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\Recorder\Recorder.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\Restore.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\SoundFont.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\SBLive\SurMixer.isu "
    --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\Creative\Uninstall\Installer.isu "
    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EA29840-1D27-11D5-93E8-00E0181A27BD}\Setup.exe" -uninst -f "C:\Program Files\Magic Keyboard\uninst.isu" -c "C:\Program Files\Magic Keyboard\UnInst.dll "
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    3D Home Architect(r) Deluxe 3.0 --> C:\WINDOWS\UNINST.EXE -f "C:\3DHAD3\DeIsL1.isu "
    Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f "C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c "C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll "
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Advanced JPEG Compressor 4.0 --> "C:\Program Files\Advanced JPEG Compressor\unins000.exe "
    ALi USB2.0 Driver --> C:\WINDOWS\System32\UnUSB20.EXE RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E1DCD15-C9F1-49CE-807B-198C8241EB6B}\Setup.exe" -uninst
    AnswerWorks Runtime --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\WexTech\AnswerWorks\Uninst.isu "
    ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    AutoCAD 2002 --> MsiExec.exe /I{5783F2D7-0101-0409-0000-0060B0CE6BBA}
    Avance AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    BlueSoleil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\setup.exe" -l0x9
    CC_ccStart --> MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
    ccCommon --> MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
    dBpowerAMP AAC Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP AAC Codec.dat
    dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
    dBpowerAMP Skin Designer --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Skin Designer.dat
    dBpowerAMP WMA V9.1 Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
    Disc2Phone --> MsiExec.exe /I{6E65247F-58F9-41CA-BE69-0316F7907170}
    dMC Power Pack --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dMC Power Pack.dat
    EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
    GetRight Pro --> C:\Program Files\GetRight\GETRIGHT.EXE /UNINSTALL
    Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe "
    HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
    HP Deskjet 3900 series --> C:\Program Files\HP\Digital Imaging\{3819891A-030B-4a4e-98ED-B28A649E48AB}\setup\hpzscr01.exe -datfile hpfscr05.dat
    HP Extended Capabilities 5.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
    HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
    HP Imaging Device Functions 5.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
    HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
    HP Solution Center & Imaging Support Tools 5.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
    Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
    iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{47808F78-F178-49DC-B708-15FE538B16FF}
    J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
    Java 2 Runtime Environment, SE v1.4.1_06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B2F032F-CC54-11D7-9D67-00010240CE95}\setup.exe" Anytext
    LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
    LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    Magic Keyboard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EA29840-1D27-11D5-93E8-00E0181A27BD}\Setup.exe" -uninst
    MathPlayer --> C:\Program Files\Design Science\MathPlayer\Setup.exe -u
    Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
    Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
    Microsoft Outlook 2002 --> MsiExec.exe /I{911A0409-6000-11D3-8CFE-0050048383C9}
    MotionDV STUDIO 5.3E LE for DV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{43F8F1E5-C740-4293-A309-EA9DD6474DB1}\setup.exe" UNINSTALL
    Mozilla Firefox (1.5) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
    MSRedist --> MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
    Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
    Norton AntiVirus 2004 Professional --> MsiExec.exe /X{C6B28661-7910-442E-ADDD-72EAA8395380}
    Norton AntiVirus 2004 Professional (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6B28661-7910-442E-ADDD-72EAA8395380}.exe /X
    Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
    Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
    Norton SystemWorks 2002 --> MsiExec.exe /I{43C3D832-AC96-463A-8FE4-1B8D1BFA2FAS}
    NTI CD-Maker 2000 Plus --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\NewTech Infosystems\NTI CD-Maker 2000 Plus\Uninst.isu"
    NTI FileCD --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\NewTech Infosystems\FileCD\Uninst.isu"
    Outlook Express Backup Wizard --> C:\WINDOWS\UnGins.exe "C:\Program Files\OEBW\install.log"
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\SETUP.EXE" -uninst
    Pro/ENGINEER Release Wildfire 3.0 Datecode F000 --> "C:\Program Files\proeWildfire 3.0\uninstall\i486_nt\obj\psuninst.exe" "C:\Program Files\proeWildfire 3.0\uninstall\instlog.txt"
    QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
    QuickTime Alternative 1.30 --> "C:\Program Files\QuickTime Alternative\unins000.exe"
    Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
    Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
    Sony Ericsson PC Suite 1.20.173 --> MsiExec.exe /I{C5ADA65A-7828-4D85-B071-ECC52B51F794}
    Sound Blaster Live! --> C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
    STV0680 Camera v110 Installation Files --> C:\PROGRA~1\STMICR~1\STV680~1\UNWISE.EXE C:\PROGRA~1\STMICR~1\STV680~1\INSTALL.LOG
    Symantec Script Blocking Installer --> MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
    SymNet --> MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
    Uninstall Creative Modem Blaster --> C:\WINDOWS\remvdsi
    USB CAMERA ST --> C:\WINDOWS\IsUninst.exe -f "C:\Program Files\USB CAMERA ST\USB CAMERA ST\Uninst.isu"
    Video Stream Driver for Panasonic DVC --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9A97D672-6C93-4DFA-B527-DE005A761495} /l1033
    Volo View Express --> C:\WINDOWS\uninst.exe -f "C:\Program Files\Volo View Express\DeIsL1.isu"
    Waterfalls Screen Saver --> C:\WINDOWS\uncom\UNWISE.EXE C:\WINDOWS\uncom\INSTALL.LOG
    WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    xat.com Image Optimizer --> C:\Program Files\xat.com Image Optimizer\uninstal.exe
    Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG


    -- End of ComboScan: finished at 2007-03-09 at 15:48:55 ------------------------
     
  18. 2007/03/10
    Blender

    Hi,

    Looking much better. We do have some work left though.

    If you didn't buy Waterfalls Screensaver, please go to Add/Remove Programs and uninstall it.
    It is likely what installed WebHancer.

    Reboot when done.

    Question:

    Does regedit work for you if you run it?

    Click start> run> type regedit and click OK.

    Don't do anything in there... just let me know if it runs or you get an error.
    Exit regedit.

    While waiting for me to get back....
    You can delete the following:

    C:\fix.reg
    C:\fix
    C:\!killbox
    C:\blender
    C:\HJTsetup.exe

    We'll clean up the rest of the stuff I had you download when we are done.

    Thanks :)
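A small triage script, added here as an example (not part of this thread, ComboScan, or HijackThis), that parses the .reg-style sections of a ComboScan log like the one posted above and flags two kinds of entry that appear in it: a Run value whose command points at a copy of a core Windows binary outside System32 (the Tok-Cirrhatus entry), and policy values such as DisableRegistryTools that lock the user out of regedit. The sample input is a constructed excerpt in the same format; the list of system binaries and the finding names are my own choices.

```python
import re

# Constructed excerpt in the same .reg-style format as the ComboScan dump posted above.
SAMPLE_LOG = r'''
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Tok-Cirrhatus"="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\smss.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=dword:00000001
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Policy values that, when set to 1, lock the user out of the tools needed to look around.
LOCKOUT_POLICIES = {"disableregistrytools", "disablecmd", "disabletaskmgr", "nofolderoptions"}
# Core Windows binaries that only belong in %SystemRoot%\System32 (my own short list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def parse_reg_dump(text):
    """Parse [section] / "name"=value lines into {section_lowercased: {name: raw_value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def reg_string(raw):
    """Unescape a .reg string literal; returns None for non-string (dword/hex) values."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return None
    return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')


def triage(text):
    """Return (kind, section, name, detail) tuples for entries worth a second look."""
    findings = []
    for section, values in parse_reg_dump(text).items():
        for name, raw in values.items():
            if section.endswith(('\\policies\\system', '\\policies\\explorer')):
                if name.lower() in LOCKOUT_POLICIES and raw.lower() == 'dword:00000001':
                    findings.append(('policy-lockout', section, name, raw))
            elif section.endswith('\\currentversion\\run'):
                cmd = reg_string(raw)
                if cmd is None:
                    continue
                # First token of the command line, honouring a quoted path with spaces.
                exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(' ', 1)[0]
                low = exe.lower()
                if low.rsplit('\\', 1)[-1] in SYSTEM_BINARIES and '\\windows\\system32\\' not in low:
                    findings.append(('system-binary-outside-system32', section, name, exe))
                elif '\\documents and settings\\' in low:
                    findings.append(('autorun-from-user-profile', section, name, exe))
    return findings


if __name__ == '__main__':
    for kind, section, name, detail in triage(SAMPLE_LOG):
        print(f'{kind}: [{section}] {name} -> {detail}')
```

Run against the full posted log, the same checks would also surface the HOTFOON2 autorun under the user's Desktop as autorun-from-user-profile, which is a weaker signal that still deserves a look.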
     
  19. 2007/03/10
    panchal (Thread Starter)

    Feedback HJI

    Yes, all done, and also REGEDIT is working. Thanks a lot for your advice and the pains taken to help me. Do be in touch on similar interesting topics.
     
  20. 2007/03/10
    Blender

    Good to hear.

    Don't run away yet.
    I will have a few other things for you to do yet as there are still some issues showing in your log.

    Back shortly.

    Tammy
     
  21. 2007/03/10
    Blender

    Hello again :)

    You are welcome by the way. No pain at all.

    Attached is likely the last fix we'll need.

    It is fix3.zip.

    Please save this file and unzip it.
    You should have fix3.reg when done.
    Since Regedit is working, you can right-click this file and choose Merge.
    When asked to add the contents of fix3.reg to your registry, answer Yes.

    You should get a success message.

    Once done, reboot your computer.

    Please run comboscan again and post only the comboscan.txt.

    Thanks :)
     
