
My HijackLog to determine virus [Windows Update not working]

Discussion in 'Malware and Virus Removal Archive' started by Funicula, 2007/09/07.

  1. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No problem. :)
     
  2. 2007/09/08
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    OK, I got it attached to an email. I think the zip part got lost along the way... it basically just says WindowsUpdatelog, but has no zip at the end of it. Shall I send it to you like that?
     

  4. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yeah, give it a shot.

    You probably have Windows set to not show known file extensions (that's the default setting), which is why you don't see the zip extension. To correct that, open any window on your drive and click Tools>Folder Options on the menu. Select the view tab then scroll down to and uncheck 'hide extensions for known file types', then click OK.
     
  5. 2007/09/08
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    OK :) I did create a zip of it; it's just that I wasn't sure how to attach the zip and so... didn't. It's friggin massive.

    I'll be off for a while now. It's around 1am over here.
     
  6. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Got it!

    I'll let you know if I find something helpful in the log. Get some sleep! ;)
     
  7. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the contents of the quote box below to a blank notepad, then save it to your desktop as:

    Filename: look.bat
    Save as type: All Files (*.*)

    Double click look.bat to run it. It will open policies.txt when it completes. Please post its contents.
     
  8. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    policies.txt

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun REG_DWORD 0x91

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    DefaultLaunchPermission REG_BINARY 01000480640000008000000000000000140000000200500003000000000018000100000001010000000000051200000000000000000018000100000001010000000000050400000000000000000018000100000001020000000000052000000020020000010500000000000515000000A05F841F5E2E6B49CE120303F4010000010500000000000515000000A05F841F5E2E6B49CE120303F4010000
    EnableDCOM REG_SZ Y

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST
     
  9. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm ........ something amiss in that log. Proceed with caution! Don't make any changes unless instructed to do so.

    Please click Start>Run, type regedit, then hit Enter. Expand by clicking the plus signs and navigate to the following key (folder).

    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    Click the SensLogn key once to select it, then right click and select Export. Save it as a text file on your desktop, then open the text and post its contents here.
     
  10. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    I navigated to Winlogon and clicked on the plus sign, but there's no folder saying SensLogn.
     
  11. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That key MUST exist for Windows Update to work.

    Close regedit.

    Copy the contents of the quote box below to a blank notepad. Save it to the desktop as:

    Filename: sensfix.reg
    Save as type: All Files (*.*)

    Double click sensfix.reg and allow it to merge with the registry.

    When done, run regedit again and right click the Winlogon key, then export to the desktop as a text file. Post its contents.
     
  12. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    I tried to do what you posted above about exporting the Winlogon key; unfortunately it's not coming up as a text file. However, I noticed that I have a SensLogn folder showing now; shall I post the contents of that?
     
  13. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    In the Save dialog that opens when you click Export, you have to change the Save as type to Text Files (*.txt) just under the filename field.
     
  14. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    Yup, did all that; I wasn't typing a name for the file...

    Anyways, here's the Winlogon key:

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Class Name: <NO CLASS>
    Last Write Time: 9/9/2007 - 10:56 AM
    Value 0
    Name: AutoRestartShell
    Type: REG_DWORD
    Data: 0x1

    Value 1
    Name: DefaultDomainName
    Type: REG_SZ
    Data: PC1

    Value 2
    Name: DefaultUserName
    Type: REG_SZ
    Data: User

    Value 3
    Name: LegalNoticeCaption
    Type: REG_SZ
    Data:

    Value 4
    Name: LegalNoticeText
    Type: REG_SZ
    Data:

    Value 5
    Name: PowerdownAfterShutdown
    Type: REG_SZ
    Data: 0

    Value 6
    Name: ReportBootOk
    Type: REG_SZ
    Data: 1

    Value 7
    Name: Shell
    Type: REG_SZ
    Data: Explorer.exe

    Value 8
    Name: ShutdownWithoutLogon
    Type: REG_SZ
    Data: 0

    Value 9
    Name: System
    Type: REG_SZ
    Data:

    Value 10
    Name: Userinit
    Type: REG_SZ
    Data: C:\WINDOWS\system32\userinit.exe,

    Value 11
    Name: VmApplet
    Type: REG_SZ
    Data: rundll32 shell32,Control_RunDLL "sysdm.cpl "

    Value 12
    Name: SfcQuota
    Type: REG_DWORD
    Data: 0xffffffff

    Value 13
    Name: allocatecdroms
    Type: REG_SZ
    Data: 0

    Value 14
    Name: allocatedasd
    Type: REG_SZ
    Data: 0

    Value 15
    Name: allocatefloppies
    Type: REG_SZ
    Data: 0

    Value 16
    Name: cachedlogonscount
    Type: REG_SZ
    Data: 10

    Value 17
    Name: forceunlocklogon
    Type: REG_DWORD
    Data: 0x0

    Value 18
    Name: passwordexpirywarning
    Type: REG_DWORD
    Data: 0xe

    Value 19
    Name: scremoveoption
    Type: REG_SZ
    Data: 0

    Value 20
    Name: AllowMultipleTSSessions
    Type: REG_DWORD
    Data: 0x1

    Value 21
    Name: UIHost
    Type: REG_EXPAND_SZ
    Data: logonui.exe

    Value 22
    Name: LogonType
    Type: REG_DWORD
    Data: 0x1

    Value 23
    Name: Background
    Type: REG_SZ
    Data: 0 0 0

    Value 24
    Name: DebugServerCommand
    Type: REG_SZ
    Data: no

    Value 25
    Name: SFCDisable
    Type: REG_DWORD
    Data: 0x0

    Value 26
    Name: WinStationsDisabled
    Type: REG_SZ
    Data: 0

    Value 27
    Name: HibernationPreviouslyEnabled
    Type: REG_DWORD
    Data: 0x1

    Value 28
    Name: ShowLogonOptions
    Type: REG_DWORD
    Data: 0x0

    Value 29
    Name: AltDefaultUserName
    Type: REG_SZ
    Data: User

    Value 30
    Name: AltDefaultDomainName
    Type: REG_SZ
    Data: PC1

    Value 31
    Name: AutoAdminLogon
    Type: REG_SZ
    Data: 0


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:23 PM
    Value 0
    Name: <NO NAME>
    Type: REG_SZ
    Data: Microsoft Disk Quota

    Value 1
    Name: NoMachinePolicy
    Type: REG_DWORD
    Data: 0x0

    Value 2
    Name: NoUserPolicy
    Type: REG_DWORD
    Data: 0x1

    Value 3
    Name: NoSlowLink
    Type: REG_DWORD
    Data: 0x1

    Value 4
    Name: NoBackgroundPolicy
    Type: REG_DWORD
    Data: 0x1

    Value 5
    Name: NoGPOListChanges
    Type: REG_DWORD
    Data: 0x1

    Value 6
    Name: PerUserLocalSettings
    Type: REG_DWORD
    Data: 0x0

    Value 7
    Name: RequiresSuccessfulRegistry
    Type: REG_DWORD
    Data: 0x1

    Value 8
    Name: EnableAsynchronousProcessing
    Type: REG_DWORD
    Data: 0x0

    Value 9
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: dskquota.dll

    Value 10
    Name: ProcessGroupPolicy
    Type: REG_SZ
    Data: ProcessGroupPolicy


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: ProcessGroupPolicy
    Type: REG_SZ
    Data: SceProcessSecurityPolicyGPO

    Value 1
    Name: GenerateGroupPolicy
    Type: REG_SZ
    Data: SceGenerateGroupPolicy

    Value 2
    Name: ExtensionRsopPlanningDebugLevel
    Type: REG_DWORD
    Data: 0x1

    Value 3
    Name: ProcessGroupPolicyEx
    Type: REG_SZ
    Data: SceProcessSecurityPolicyGPOEx

    Value 4
    Name: ExtensionDebugLevel
    Type: REG_DWORD
    Data: 0x1

    Value 5
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: scecli.dll

    Value 6
    Name: <NO NAME>
    Type: REG_SZ
    Data: Security

    Value 7
    Name: NoUserPolicy
    Type: REG_DWORD
    Data: 0x1

    Value 8
    Name: NoGPOListChanges
    Type: REG_DWORD
    Data: 0x1

    Value 9
    Name: EnableAsynchronousProcessing
    Type: REG_DWORD
    Data: 0x1

    Value 10
    Name: MaxNoGPOListChangesInterval
    Type: REG_DWORD
    Data: 0x3c0


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: ProcessGroupPolicyEx
    Type: REG_SZ
    Data: ProcessGroupPolicyEx

    Value 1
    Name: GenerateGroupPolicy
    Type: REG_SZ
    Data: GenerateGroupPolicy

    Value 2
    Name: ProcessGroupPolicy
    Type: REG_SZ
    Data: ProcessGroupPolicy

    Value 3
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: iedkcs32.dll

    Value 4
    Name: <NO NAME>
    Type: REG_SZ
    Data: Internet Explorer Branding

    Value 5
    Name: NoSlowLink
    Type: REG_DWORD
    Data: 0x1

    Value 6
    Name: NoBackgroundPolicy
    Type: REG_DWORD
    Data: 0x0

    Value 7
    Name: NoGPOListChanges
    Type: REG_DWORD
    Data: 0x1

    Value 8
    Name: NoMachinePolicy
    Type: REG_DWORD
    Data: 0x1


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: ProcessGroupPolicy
    Type: REG_SZ
    Data: SceProcessEFSRecoveryGPO

    Value 1
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: scecli.dll

    Value 2
    Name: <NO NAME>
    Type: REG_SZ
    Data: EFS recovery

    Value 3
    Name: NoUserPolicy
    Type: REG_DWORD
    Data: 0x1

    Value 4
    Name: NoGPOListChanges
    Type: REG_DWORD
    Data: 0x1

    Value 5
    Name: RequiresSuccessfulRegistry
    Type: REG_DWORD
    Data: 0x1


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: <NO NAME>
    Type: REG_SZ
    Data: Software Installation

    Value 1
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: appmgmts.dll

    Value 2
    Name: ProcessGroupPolicyEx
    Type: REG_SZ
    Data: ProcessGroupPolicyObjectsEx

    Value 3
    Name: GenerateGroupPolicy
    Type: REG_SZ
    Data: GenerateGroupPolicy

    Value 4
    Name: NoBackgroundPolicy
    Type: REG_DWORD
    Data: 0x0

    Value 5
    Name: RequiresSucessfulRegistry
    Type: REG_DWORD
    Data: 0x0

    Value 6
    Name: NoSlowLink
    Type: REG_DWORD
    Data: 0x1

    Value 7
    Name: PerUserLocalSettings
    Type: REG_DWORD
    Data: 0x1

    Value 8
    Name: EventSources
    Type: REG_MULTI_SZ
    Data: (Application Management,Application)
    (MsiInstaller,Application)


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    Class Name: <NO CLASS>
    Last Write Time: 9/9/2007 - 2:22 PM

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: Asynchronous
    Type: REG_DWORD
    Data: 0x0

    Value 1
    Name: Impersonate
    Type: REG_DWORD
    Data: 0x0

    Value 2
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: crypt32.dll

    Value 3
    Name: Logoff
    Type: REG_SZ
    Data: ChainWlxLogoffEvent


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: Asynchronous
    Type: REG_DWORD
    Data: 0x0

    Value 1
    Name: Impersonate
    Type: REG_DWORD
    Data: 0x0

    Value 2
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: cryptnet.dll

    Value 3
    Name: Logoff
    Type: REG_SZ
    Data: CryptnetWlxLogoffEvent


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: Logoff
    Type: REG_SZ
    Data: WLEventLogoff

    Value 1
    Name: Impersonate
    Type: REG_DWORD
    Data: 0x0

    Value 2
    Name: Asynchronous
    Type: REG_DWORD
    Data: 0x1

    Value 3
    Name: DllName
    Type: REG_EXPAND_SZ
    Data: sclgntfy.dll


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    Class Name: <NO CLASS>
    Last Write Time: 9/9/2007 - 2:22 PM
    Value 0
    Name: DLLName
    Type: REG_SZ
    Data: WlNotify.dll

    Value 1
    Name: Lock
    Type: REG_SZ
    Data: SensLockEvent

    Value 2
    Name: Logon
    Type: REG_SZ
    Data: SensLogonEvent

    Value 3
    Name: Logoff
    Type: REG_SZ
    Data: SensLogoffEvent

    Value 4
    Name: Safe
    Type: REG_DWORD
    Data: 0x1

    Value 5
    Name: MaxWait
    Type: REG_DWORD
    Data: 0x258

    Value 6
    Name: StartScreenSaver
    Type: REG_SZ
    Data: SensStartScreenSaverEvent

    Value 7
    Name: StopScreenSaver
    Type: REG_SZ
    Data: SensStopScreenSaverEvent

    Value 8
    Name: Startup
    Type: REG_SZ
    Data: SensStartupEvent

    Value 9
    Name: Shutdown
    Type: REG_SZ
    Data: SensShutdownEvent

    Value 10
    Name: StartShell
    Type: REG_SZ
    Data: SensStartShellEvent

    Value 11
    Name: PostShell
    Type: REG_SZ
    Data: SensPostShellEvent

    Value 12
    Name: Disconnect
    Type: REG_SZ
    Data: SensDisconnectEvent

    Value 13
    Name: Reconnect
    Type: REG_SZ
    Data: SensReconnectEvent

    Value 14
    Name: Unlock
    Type: REG_SZ
    Data: SensUnlockEvent

    Value 15
    Name: Impersonate
    Type: REG_DWORD
    Data: 0x1

    Value 16
    Name: Asynchronous
    Type: REG_DWORD
    Data: 0x1


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
    Class Name: <NO CLASS>
    Last Write Time: 8/7/2007 - 5:03 PM

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings
    Class Name: <NO CLASS>
    Last Write Time: 8/7/2007 - 5:03 PM

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
    Class Name: <NO CLASS>
    Last Write Time: 5/21/2006 - 1:19 AM
    Value 0
    Name: Asynchronous
    Type: REG_DWORD
    Data: 0x0

    Value 1
    Name: DllName
    Type: REG_SZ
    Data: WRLogonNTF.dll

    Value 2
    Name: Impersonate
    Type: REG_DWORD
    Data: 0x1

    Value 3
    Name: Lock
    Type: REG_SZ
    Data: WRLock

    Value 4
    Name: StartScreenSaver
    Type: REG_SZ
    Data: WRStartScreenSaver

    Value 5
    Name: StartShell
    Type: REG_SZ
    Data: WRStartShell

    Value 6
    Name: Startup
    Type: REG_SZ
    Data: WRStartup

    Value 7
    Name: StopScreenSaver
    Type: REG_SZ
    Data: WRStopScreenSaver

    Value 8
    Name: Unlock
    Type: REG_SZ
    Data: WRUnlock

    Value 9
    Name: Shutdown
    Type: REG_SZ
    Data: WRShutdown

    Value 10
    Name: Logoff
    Type: REG_SZ
    Data: WRLogoff

    Value 11
    Name: Logon
    Type: REG_SZ
    Data: WRLogon


    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    Class Name: <NO CLASS>
    Last Write Time: 6/18/2004 - 4:08 PM
    Value 0
    Name: HelpAssistant
    Type: REG_DWORD
    Data: 0x0

    Value 1
    Name: TsInternetUser
    Type: REG_DWORD
    Data: 0x0

    Value 2
    Name: SQLAgentCmdExec
    Type: REG_DWORD
    Data: 0x0

    Value 3
    Name: NetShowServices
    Type: REG_DWORD
    Data: 0x0

    Value 4
    Name: IWAM_
    Type: REG_DWORD
    Data: 0x10000

    Value 5
    Name: IUSR_
    Type: REG_DWORD
    Data: 0x10000

    Value 6
    Name: VUSR_
    Type: REG_DWORD
    Data: 0x10000
     
  15. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow ...... there's quite a bit missing from your Notify key. :eek:

    Copy the contents of the quote box below to a blank notepad. Save it to the desktop as:

    Filename: notifyfix.reg
    Save as type: All Files (*.*)

    Double click notifyfix.reg and allow it to merge with the registry.

    Reboot.

    Go to Windows Update and do a custom, then select 5 or so and install them to see if installation is successful.
     
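The export posted above and the reply to it come down to two checks a responder makes by hand: is the SensLogn subkey present under Winlogon\Notify (the reply says Windows Update depends on it), and does each Notify subkey actually name a DLL. As an added example, not code from this thread or from any of the tools used in it, the Python below parses the regedit "Text Files (*.txt)" export format shown in the post (Key Name / Value N / Name / Type / Data records) and runs that audit. It also checks the Shell and Userinit values, two Winlogon values that are well-known persistence points; the expected values (Explorer.exe and a single system32\userinit.exe entry) are the ones the posted export shows. SAMPLE_EXPORT is a constructed excerpt of the posted export, cut down to a few keys; the WgaLogon subkey is kept as posted, with no values, and the audit flags it.

```python
"""Audit a regedit text export of the Winlogon key. Example written for this
thread, not one of the tools used in it; SAMPLE_EXPORT is a constructed excerpt."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTIFY = WINLOGON + r"\Notify"
REQUIRED_NOTIFY = {"SensLogn"}   # per the reply above: must exist for Windows Update

SAMPLE_EXPORT = r"""Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Class Name: <NO CLASS>
Last Write Time: 9/9/2007 - 10:56 AM
Value 0
Name: Shell
Type: REG_SZ
Data: Explorer.exe

Value 1
Name: Userinit
Type: REG_SZ
Data: C:\WINDOWS\system32\userinit.exe,


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
Class Name: <NO CLASS>
Last Write Time: 9/9/2007 - 2:22 PM
Value 0
Name: DLLName
Type: REG_SZ
Data: WlNotify.dll


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
Class Name: <NO CLASS>
Last Write Time: 8/7/2007 - 5:03 PM

Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
Class Name: <NO CLASS>
Last Write Time: 5/21/2006 - 1:19 AM
Value 0
Name: DllName
Type: REG_SZ
Data: WRLogonNTF.dll
"""


def parse_export(text):
    """Return {key_path: {value_name: (type, data)}} from a regedit text export."""
    keys, key, val = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Key Name:"):
            key = line.partition(":")[2].strip()
            keys[key] = {}
            val = None
        elif re.fullmatch(r"Value \d+", line):
            val = {}
        elif val is not None and line.startswith(("Name:", "Type:", "Data:")):
            field, _, rest = line.partition(":")
            val[field] = rest.strip()
            if field == "Data":  # Data is the last field of a value record
                keys[key][val["Name"]] = (val["Type"], val["Data"])
        elif val is not None and val.get("Name") in keys[key]:
            # Continuation line of a REG_MULTI_SZ value: append it to Data
            kind, data = keys[key][val["Name"]]
            keys[key][val["Name"]] = (kind, data + "\n" + line)
    return keys


def notify_subkeys(keys):
    """Direct subkeys of Notify by name (nested keys like WgaLogon\\Settings are skipped)."""
    prefix = NOTIFY + "\\"
    return {p[len(prefix):]: v for p, v in keys.items()
            if p.startswith(prefix) and "\\" not in p[len(prefix):]}


def audit_winlogon(keys):
    """Return a list of findings to review; an empty list means all checks passed."""
    findings = []
    wl = keys.get(WINLOGON, {})
    shell = wl.get("Shell", ("", ""))[1]
    if shell.lower() != "explorer.exe":
        findings.append(f"Shell is {shell!r}, expected Explorer.exe")
    # Userinit is comma-separated; every extra entry is a program run at each logon
    programs = [p.strip() for p in wl.get("Userinit", ("", ""))[1].split(",") if p.strip()]
    if len(programs) != 1 or not programs[0].lower().endswith(r"\system32\userinit.exe"):
        findings.append(f"Userinit is {programs}, expected only system32\\userinit.exe")
    notify = notify_subkeys(keys)
    for name in sorted(REQUIRED_NOTIFY - set(notify)):
        findings.append(f"Notify\\{name} is missing (Windows Update depends on it)")
    for sub, vals in sorted(notify.items()):
        # Value names are case-insensitive: SensLogn spells it DLLName, others DllName
        dll = next((d for n, (_, d) in vals.items() if n.lower() == "dllname"), None)
        if not dll:
            findings.append(f"Notify\\{sub} has no DllName, so it loads nothing")
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(sorted(notify_subkeys(parsed)))
    print(audit_winlogon(parsed))
```

Run against a full export saved from regedit, the same functions list every Notify subkey with its DLL, so the third-party ones (WRLogonNTF.dll here) can be matched to the product that installed them, and the findings list shows anything that needs a closer look.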
  16. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    I clicked 4 updates to install and all of them installed, NO fails at all. Also a little Microsoft globe has appeared in my system tray saying "Updates are ready for your computer. Click here to download these updates."
    This is progress, right?
     
  17. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Excellent! Yes, this is progress. :D

    Go back to Windows Updates and install whatever else is offered (should be the same ones that failed last night) to see if they too are successful.
     
  18. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    I downloaded and installed the security updates, all 59 of them; I didn't install Service Pack 2.
    After the updates installed it told me to restart the computer, which I did. When it came back on, the "click your user account" thing didn't show up; the only thing that showed was the normal start-up blue screen with the welcome sign. Is this normal?

    And I found my Windows XP disc, it was in a box on the top shelf hidden from when you really need it.
     
  19. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sounds normal enough. What I've often noticed was that the Update icon on the tray sometimes doesn't show up till after opening IE.

    You can delete the reg and batch files we used, and the logs created. You can also delete the Norton removal tool, dss.exe and the folder C:\Deckard. Then run ATF cleaner again.

    Since we haven't done so yet, I recommend running an online virus scan before going any further with updates, just to make sure we haven't missed something.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under Select a target to scan:
      • Select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display whether your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  20. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    Kaspersky text file

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, September 09, 2007 8:47:05 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 9/09/2007
    Kaspersky Anti-Virus database records: 410588
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 119324
    Number of viruses found: 3
    Number of infected objects: 3
    Number of suspicious objects: 0
    Duration of the scan process: 04:16:00

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.g skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\User\ntuser.dat Object is locked skipped
    C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
    C:\Downloads\BurgerRushSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
    C:\Log.txt Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\System Volume Information\_restore{25833490-D6EB-4590-A6AA-6FEE06FAEF41}\RP399\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{57D11DA4-41C6-4B60-AA07-23ECE368D7E9}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\TFTP316 Infected: Backdoor.Win32.Rbot.15 skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_430.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
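The report above mixes three kinds of result lines: real detections (Backdoor.Win32.Rbot.15 in C:\WINDOWS\system32\TFTP316), "not-a-virus" riskware (the dialer and adware hits), and dozens of "Object is locked" entries that are only files the scanner could not open (registry hives, event logs, WindowsUpdate.log). As an added example, not part of the thread, the Python below parses the Kaspersky Online Scanner report format into those categories and cross-checks the count against the report's own "Number of infected objects" header, which is the first thing to do before acting on a long log. SAMPLE_REPORT is a constructed excerpt of the posted report. Two things are assumptions made here: only the two line shapes that appear in the posted report (Infected: ... and Object is locked) are recognised, and a detection under C:\Deckard\ is treated as a stale copy in the DSS backup folder rather than an active infection, following the helper's note that the folder can be deleted.

```python
"""Triage a Kaspersky Online Scanner text report. Example written for this thread;
SAMPLE_REPORT is a constructed excerpt of the report posted above."""
import re

SAMPLE_REPORT = r"""-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 09, 2007 8:47:05 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
-------------------------------------------------------------------------------

Scan Statistics:
Total number of scanned objects: 119324
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.g skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Downloads\BurgerRushSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\TFTP316 Infected: Backdoor.Win32.Rbot.15 skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
"""

# Only the two line shapes seen in the posted report are handled (assumption).
# Paths contain spaces, so the path is matched lazily up to the fixed marker.
RESULT_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)|(?P<locked>Object is locked)) (?P<action>\S+)$")
STAT_RE = re.compile(r"^(?P<label>[A-Za-z ]+): (?P<value>\d+)$")
# Folders where removal tools keep copies of what they already removed. A hit there
# is a stale copy, not an active infection (assumption; C:\Deckard is the DSS backup).
BACKUP_FOLDERS = ("c:\\deckard\\",)


def parse_report(text):
    """Return (stats, results): header counters and one dict per result line."""
    stats, results, in_results = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Infected Object Name"):
            in_results = True
            continue
        if line == "Scan process completed.":
            break
        if in_results:
            m = RESULT_RE.match(line)
            if m:
                results.append(m.groupdict())
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["label"]] = int(m["value"])
    return stats, results


def triage(stats, results):
    """Split detections into active malware, riskware and stale backup copies."""
    report = {"active": [], "riskware": [], "stale_backup": [], "locked_skipped": 0}
    detections = []
    for r in results:
        if r["locked"]:
            report["locked_skipped"] += 1   # scanner could not open it; not a verdict
            continue
        detections.append(r)
        if r["path"].lower().startswith(BACKUP_FOLDERS):
            report["stale_backup"].append(r["path"])
        elif r["verdict"].startswith("not-a-virus:"):
            report["riskware"].append((r["path"], r["verdict"]))
        else:
            report["active"].append((r["path"], r["verdict"]))
    # Cross-check the scanner's own counter against the lines actually parsed
    report["count_matches_header"] = stats.get("Number of infected objects") == len(detections)
    return report


if __name__ == "__main__":
    header, lines = parse_report(SAMPLE_REPORT)
    for category, items in triage(header, lines).items():
        print(f"{category}: {items}")
```

When count_matches_header is False, lines were dropped or the report uses a line shape the regex does not know, so the categories should not be trusted until the parser is extended.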
  21. 2007/09/09
    Funicula

    Funicula Inactive Thread Starter

    Joined:
    2007/09/07
    Messages:
    50
    Likes Received:
    0
    Hijack logfile

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:49:24 PM, on 09/09/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BT Digital Access USB\vstartx.exe
    C:\Program Files\BT Digital Access USB\gisdnlog.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/26d1963d5bd8b2c80e16/netzip/RdxIE601.cab
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1189290024632
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189110392521
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189110375707
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol025.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4918D8-D963-49F8-BEEC-EF05A589CC6F}: NameServer = 213.120.62.97
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: BT Digital Access USB start up (Gazel Startup) - British Telecom - C:\Program Files\BT Digital Access USB\vstartx.exe
    O23 - Service: ISDN connection log (GisdnLog) - British Telecom - C:\Program Files\BT Digital Access USB\gisdnlog.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 7258 bytes
     
