Calling from Australia - need HELP - Windows Explorer encountered ....shut down

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

hicbart

Thread Starter
Joined
Jul 6, 2005
Messages
20
Hi there TechGuys,

I have been having the worst time on my home PC for the past week. Every time that I log on, my desk top loads up, but within a few seconds I get the error message windows has encountered a problem and needs to close. I can still manage to click icons and enter files, but I only have a few seconds before the error message freezes things up, which it does even after I have managed to access a file/function.

I have recently installed AOL Broadband software (the correct one as supplied by the vendor) on my PC but do not know if this is the reason why the errors keep coming. I can restore to before I installed the software but then when I do re-install the software and log onto the internet after a period of success the error message will re-appear (normally after I have closed the Internet Explorer browser)

When I click on the error report it reads:

Appname: explorer.exe
Appver: 6.0.2600.0
Modname: unknown
Modver: 0.0.0.0
Offset: 00000000

Error included in report C:Document/CorinBartley/locals/temp/WER5E.tmp.dir00/appcompat.txt

I have downloaded Hijackthis and have created a log (it's pretty big).
Have also run the start up log (even bigger)

Logfile of HijackThis v1.99.1
Scan saved at 19:44:41, on 8/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=11034
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=11034
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=11034
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11034
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://primusonline.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rbfli.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=11034
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolwwwsearch.com/z/a/x1.cgi?101 about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Primus-AOL
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\TRDVJP~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stmoos] C:\DOCUME~1\CORINB~1\APPLIC~1\btfrdrss.exe -QuieT
O4 - HKLM\..\Run: [41546267.exe] C:\WINDOWS\System32\41546267.exe
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /nocomm
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [ipvz32.exe] C:\WINDOWS\ipvz32.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [180ax] c:\windows\180ax.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [fwpcvejn] c:\windows\system32\fwpcvejn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\CORIN BARTLEY\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Qwsb] C:\WINDOWS\System32\?vchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: winlogin.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://primusonline.com.au/
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.db105.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 81.211.105.20 (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {1526A79C-E0AE-1DEE-C0E6-5DD331B6073F} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a0e7f2b4b2a1:a3f5099f60d56ff1d1f59f4600741a6e
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {3AA34202-8123-49EC-C223-7E5B469CA58B} - http://69.50.182.94/1/rdgAU1342.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/ClickYesToContinue/bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/Browser_Plugin.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)
O20 - AppInit_DLLs: vzeew8f8xxwoz.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2595772_disk.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\ipbw.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





StartupList report, 8/7/2005, 19:46:52
StartupList version: 1.52.2
Started from : C:\Program Files\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\dwwin.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\CORIN BARTLEY\Start Menu\Programs\Startup]
PowerReg Scheduler V3.exe
PowerReg Scheduler.exe
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = ?
winlogin.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
stmoos = C:\DOCUME~1\CORINB~1\APPLIC~1\btfrdrss.exe -QuieT
41546267.exe = C:\WINDOWS\System32\41546267.exe
Mscnt = c:\windows\system32\mscnt.exe /nocomm
sncntr = c:\windows\system32\sncntr.exe /nocomm
Win32 Explorer = C:\WINDOWS\System32\explorer32.exe
sp2ctr = c:\windows\system32\sp2ctr.exe /nocomm
ipvz32.exe = C:\WINDOWS\ipvz32.exe
Winad Client = C:\Program Files\Winad Client\Winad.exe
EvtHtm = c:\windows\system32\evthtm.exe /nocomm
IST Service = C:\Program Files\ISTsvc\istsvc.exe
180ax = c:\windows\180ax.exe
sixtysix = C:\WINDOWS\sixtypopsix.exe
fwpcvejn = c:\windows\system32\fwpcvejn.exe
farmmext = C:\WINDOWS\farmmext.exe
Logitech Utility = Logi_MwX.Exe
CPU Watcher = rundll32.exe C:\WINDOWS\cpu.dll,load
Nsv = C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
Media Access = C:\Program Files\Media Access\MediaAccK.exe
msnappau = "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
aimboot = %SystemRoot%\awinrar.exe
Win32 Explorer = C:\WINDOWS\System32\explorer32.exe
ClockSync = "C:\Program Files\ClockSync\Sync.exe" /q
Aida = C:\Documents and Settings\CORIN BARTLEY\Application Data\ttuh.exe
Qwsb = C:\WINDOWS\System32\?vchost.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=vzeew8f8xxwoz.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\System32\U2SCRE~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\TRDVJP~1.DLL - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[v2cab]
CODEBASE = http://searchmiracle.com/cab/v2cab.cab
OSD = C:\WINDOWS\Downloaded Program Files\OSD319.OSD

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

[Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ISTactivex.dll
CODEBASE = http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

[{10003000-1000-0000-1000-000000000000}]
CODEBASE = ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe

[{11111111-1111-1111-1111-111111113457}]
CODEBASE = file://c:\ied_s7m.cab

[{11111111-1111-1111-1111-511111113457}]
CODEBASE = file://c:\x.cab

[{11111111-1111-1111-1111-511111113458}]
CODEBASE = file://c:\x.cab

[{1526A79C-E0AE-1DEE-C0E6-5DD331B6073F}]
CODEBASE = http://69.50.173.166/1/gdnUS1862.exe

[{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WinadX.dll
CODEBASE = http://public.windupdates.com/get_f...a0e7f2b4b2a1:a3f5099f60d56ff1d1f59f4600741a6e

[{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
CODEBASE = http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ISTactivex.dll
CODEBASE = http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

[{3AA34202-8123-49EC-C223-7E5B469CA58B}]
CODEBASE = http://69.50.182.94/1/rdgAU1342.exe

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[brdg Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\bridge.dll
CODEBASE = http://www2.flingstone.com/cab/2000XP/ClickYesToContinue/bridge.cab

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MEDIAT~1.OCX
CODEBASE = http://www.mt-download.com/MediaTicketsInstaller.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

[loader Class]
InProcServer32 = C:\WINDOWS\System32\comload.dll
CODEBASE = http://dload.ipbill.com/del/loader.exe

[{D27CDB6E-AE6D-11CF-96B8-222553540000}]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{D27CDB6E-AE6D-11CF-96B8-333553540000}]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[IObjSafety.DemoCtl]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mm63.ocx
CODEBASE = http://cabs.media-motor.net/cabs/diamond.cab

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPScontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

[MoneyTree Dialer]
InProcServer32 = C:\WINDOWS\DOWNLO~1\UniDist.ocx
CODEBASE = http://xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB

[Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ISTactivex.dll
CODEBASE = http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

[MultiDist]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MulDist.ocx
CODEBASE = http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\primusaoltoolbar.exe||C:\WINDOWS\system32\__delete_on_reboot__vzeew8f8xxwoz.dll||C:\WINDOWS\__delete_on_reboot__cpu.dll||C:\WINDOWS\System32\__delete_on_reboot__TRDVJP~1.DLL||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__4106464.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__4306101.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__4961243.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__4962776.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__5342782.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__5440593.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__5535990.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__5891331.tmp||C:\DOCUME~1\CORINB~1\LOCALS~1\Temp\__delete_on_reboot__6026725.tmp||C:\WINDOWS\System32\__delete_on_reboot__vbsys2.dll


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
SystemCheck2: C:\WINDOWS\System32\vbsys2

--------------------------------------------------
End of report, 13,440 bytes
Report generated in 0.120 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Pretty big huh! Please if anyone can help to solve my problem I could well do treat you like a god for the reast of my life.

Thanks
Corin
 

amateur

Malware Specialist
Joined
Nov 6, 2004
Messages
520
Yes, definitely infected. You don't seem to have SP2 and a firewall either. Please wait for an expert to help you out.
 

hicbart

Thread Starter
Joined
Jul 6, 2005
Messages
20
Thanks amateur,

Since I posted the above entry, I managed to fix a few things. Firstly, found out that if I 'end tasked' on explorer.exe in task manager I could stop the error message coming up. This allowed me to download some spyware files without the interruption from the error messageand the subsequent stalls (spybot/killbox/ccleaner/ewido).

I have since run spybot and ccleaner and the ewido one keeps popping up whenever it thinks something nasty is on its way.

I have aslo re-run the hijackthis gizmo. It managed to make things not so large, but no at much as I had hoped.

Of your response, how easy it is to put up a firewall on a home PC?

Here are the new logs.

Logfile of HijackThis v1.99.1
Scan saved at 21:34:43, on 8/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\WINDOWS\System32\?vchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=11034
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=11034
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=11034
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=11034
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://primusonline.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rbfli.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=11034
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Primus-AOL
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\TRDVJP~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stmoos] C:\DOCUME~1\CORINB~1\APPLIC~1\btfrdrss.exe -QuieT
O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /nocomm
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [ipvz32.exe] C:\WINDOWS\ipvz32.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [fwpcvejn] c:\windows\system32\fwpcvejn.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CPU Watcher] rundll32.exe C:\WINDOWS\cpu.dll,load
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\CORIN BARTLEY\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Qwsb] C:\WINDOWS\System32\?vchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: winlogin.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://primusonline.com.au/
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.db105.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 81.211.105.20 (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {1526A79C-E0AE-1DEE-C0E6-5DD331B6073F} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {3AA34202-8123-49EC-C223-7E5B469CA58B} - http://69.50.182.94/1/rdgAU1342.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: vzeew8f8xxwoz.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2595772_disk.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\ipbw.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

StartupList report, 8/7/2005, 21:35:22
StartupList version: 1.52.2
Started from : C:\Program Files\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\WINDOWS\System32\?vchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\CORIN BARTLEY\Start Menu\Programs\Startup]
PowerReg Scheduler V3.exe
PowerReg Scheduler.exe
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = ?
winlogin.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
stmoos = C:\DOCUME~1\CORINB~1\APPLIC~1\btfrdrss.exe -QuieT
Mscnt = c:\windows\system32\mscnt.exe /nocomm
sncntr = c:\windows\system32\sncntr.exe /nocomm
Win32 Explorer = C:\WINDOWS\System32\explorer32.exe
sp2ctr = c:\windows\system32\sp2ctr.exe /nocomm
ipvz32.exe = C:\WINDOWS\ipvz32.exe
Winad Client = C:\Program Files\Winad Client\Winad.exe
EvtHtm = c:\windows\system32\evthtm.exe /nocomm
sixtysix = C:\WINDOWS\sixtypopsix.exe
fwpcvejn = c:\windows\system32\fwpcvejn.exe
farmmext = C:\WINDOWS\farmmext.exe
Logitech Utility = Logi_MwX.Exe
CPU Watcher = rundll32.exe C:\WINDOWS\cpu.dll,load
Nsv = C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
Media Access = C:\Program Files\Media Access\MediaAccK.exe
msnappau = "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpybotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
aimboot = %SystemRoot%\awinrar.exe
Win32 Explorer = C:\WINDOWS\System32\explorer32.exe
ClockSync = "C:\Program Files\ClockSync\Sync.exe" /q
Aida = C:\Documents and Settings\CORIN BARTLEY\Application Data\ttuh.exe
Qwsb = C:\WINDOWS\System32\?vchost.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=vzeew8f8xxwoz.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\System32\U2SCRE~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\TRDVJP~1.DLL - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[v2cab]
CODEBASE = http://searchmiracle.com/cab/v2cab.cab
OSD = C:\WINDOWS\Downloaded Program Files\OSD319.OSD

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

[{10003000-1000-0000-1000-000000000000}]
CODEBASE = ms-its:mhtml:file://C:\foo.mht!http://greg-tut.com/G7/chm9.chm::/file1.exe

[{11111111-1111-1111-1111-111111113457}]
CODEBASE = file://c:\ied_s7m.cab

[{11111111-1111-1111-1111-511111113457}]
CODEBASE = file://c:\x.cab

[{11111111-1111-1111-1111-511111113458}]
CODEBASE = file://c:\x.cab

[{1526A79C-E0AE-1DEE-C0E6-5DD331B6073F}]
CODEBASE = http://69.50.173.166/1/gdnUS1862.exe

[{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]
CODEBASE = http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c7.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[{3AA34202-8123-49EC-C223-7E5B469CA58B}]
CODEBASE = http://69.50.182.94/1/rdgAU1342.exe

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[{D27CDB6E-AE6D-11CF-96B8-222553540000}]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{D27CDB6E-AE6D-11CF-96B8-333553540000}]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{E0CE16CB-741C-4B24-8D04-A817856E07F4}]
CODEBASE = http://cabs.media-motor.net/cabs/diamond.cab

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPScontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\__delete_on_reboot__vzeew8f8xxwoz.dll||C:\WINDOWS\__delete_on_reboot__q2595772_disk.dll||C:\WINDOWS\System32\vzeew8f8xxwoz.dll||C:\WINDOWS\System32\vzeew8f8xxwoz.dll||C:\WINDOWS\System32\vzeew8f8xxwoz.dll||C:\WINDOWS\System32\vzeew8f8xxwoz.dll||C:\WINDOWS\System32\vzeew8f8xxwoz.dll||C:\WINDOWS\System32\vzeew8f8xxwoz.dll||C:\DOCUME~1\CORINB~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\CORINB~1\Cookies\index.dat||C:\DOCUME~1\CORINB~1\LOCALS~1\History\History.IE5\index.dat||C:\WINDOWS\System32\vzeew8f8xxwoz.dll


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
SystemCheck2: C:\WINDOWS\System32\vbsys2

--------------------------------------------------
End of report, 11,635 bytes
Report generated in 0.070 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks again
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top