
Solved: Help requested for BSOD

Discussion in 'Windows XP' started by robmd, May 27, 2009.

Thread Status:
Not open for further replies.
  1. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Good evening All!

    I recently installed Eudora 8 which is still in beta. All seemed to work O.K., but a few days later when shutting down I had all the usual messages (saving settings etc.), but instead of stopping as usual I had a BSOD with the following message:

    STOP: c000021a {Fatal System Error}
    The Windows Logon Process System Terminated Unexpectedly with a status of
    0x00000000 (0x00000000 0x00000000)
    The system has been shut down.

    The computer will restart and appears to operate O.K. but when I shut down the same screen appears and I have to switch off manually.
    Using restart also results in Windows stopping just before it is due to shut down, so although I can start and use Windows, I cannot install/remove anything that requires a restart.
    I have deleted Eudora 8 but the problem remains.

    I have tried "Last Known Good Configuration", with no effect and tried to use System Restore from a normal state and in "Safe Mode", but as Windows shuts down when restarting, System Restore does not complete.

    I have just installed Windows XP Service Pack 3 to see if that would correct the problem - but no joy!

    I cannot find any info on the Error Code with the status parameters given above, but it appears to be a Logon Security Related issue.
    As there is no value for GINA in the registry, according to Microsoft, MSGINA is used as default. I have checked it in the relevant folder, and it doesn't show as having been modified, but I re-installed it anyway - still no joy!

    I have also run a full virus check with my virus killer (Kaspersky) and also run Spybot S&D which doesn't show up any undue problems.

    I have also run a Registry Checker/Repairer without success.

    Below is a HijackThis log which may be of help if anyone is able to help with this problem.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:54:17, on 27/05/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Utils2\Adaware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\pupxpman.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Comms\CookieWall\cookie.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
    C:\Program Files\Misc\ClocX\ClocX.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Bluetooth Software\BTTray.exe
    C:\Program Files\Misc\Calendarium\Calendarium.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Comms\Sigchanger\sigchanger.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    D:\Working\CleanUp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1027
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: SYSTRAN Office Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\Comms\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Macara Client] "C:\Program Files\Comms\Bytemobile\mcgui.exe" -d
    O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
    O4 - HKLM\..\Run: [ClocX] C:\Program Files\Misc\ClocX\ClocX.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: SigChanger V2.1.0.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Calendarium.lnk = C:\Program Files\Misc\Calendarium\Calendarium.exe
    O4 - Global Startup: CleanTemp.lnk = C:\Program Files\Utils1\CleanTemp\CleanTemp.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147042730212
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147043207558
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9F4843E9-ECF0-44B5-A2CD-8DA09E593DF2}: NameServer = 194.168.4.100,194.168.8.100
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: winnsy32 - C:\WINDOWS\SYSTEM32\winnsy32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Utils2\Adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 9802 bytes



    I don't want to re-install Windows and have to install all my settings and programs again, so any help on this problem will be greatly appreciated!!!
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    This entry indicates a past or present infection >>

    O20 - Winlogon Notify: winnsy32 - C:\WINDOWS\SYSTEM32\winnsy32.dll

    See if HijackThis will delete it for you and check again after a reboot.

    If not, try to do it manually by running regedit and navigate to >>

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    Delete ONLY the entry that contains winnsy32


    You might also look for any "Pending File Rename" entries under the key >>

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations

    and delete those.
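    A read-only way to look at the two places Rollin' Rog names before touching anything in regedit. This is an added example written for this thread, not code from any poster or from HijackThis/ComboFix; it assumes an elevated PowerShell 2.0 session on XP. The key path (Winlogon\Notify, one subkey per package with a DLLName value) and the PendingFileRenameOperations REG_MULTI_SZ value under Session Manager are real; the function names are my own. It only reports, it does not delete.

```powershell
# Added audit script (not from the thread): list Winlogon Notify packages and
# pending file renames so an entry such as "winnsy32" can be examined first.
# Assumption: elevated PowerShell 2.0 on Windows XP. Read-only, nothing is changed.

$notifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$system32   = Join-Path $env:SystemRoot 'system32'

function Get-WinlogonNotifyPackages {
    # Each subkey under ...\Winlogon\Notify is one package; its DLLName value is
    # what winlogon.exe loads at logon. A bare file name is resolved from system32.
    Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props   = Get-ItemProperty -Path $_.PSPath
        $dllName = [string]$props.DLLName
        $dllPath = $dllName
        if ($dllName -and -not [System.IO.Path]::IsPathRooted($dllName)) {
            $dllPath = Join-Path $system32 $dllName
        }
        $dllPath = [System.Environment]::ExpandEnvironmentVariables($dllPath)

        $exists    = Test-Path -LiteralPath $dllPath
        $created   = $null
        $sigStatus = 'n/a'
        if ($exists) {
            # Creation time is the useful signal here: the thread's DLL was only
            # days old while the rest of system32 dates from the XP install.
            $created   = (Get-Item -LiteralPath $dllPath).CreationTime
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
        }

        New-Object PSObject -Property @{
            Package   = $_.PSChildName
            DllName   = $dllName
            DllPath   = $dllPath
            Exists    = $exists
            Created   = $created
            Signature = $sigStatus
        }
    }
}

function Get-PendingFileRenames {
    # PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs
    # applied by the session manager at next boot; an empty destination means delete.
    $props = Get-ItemProperty -Path $sessionKey -ErrorAction SilentlyContinue
    $ops   = @($props.PendingFileRenameOperations)
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dest = ''
        if ($i + 1 -lt $ops.Count) { $dest = $ops[$i + 1] }
        New-Object PSObject -Property @{
            Source      = $ops[$i]
            Destination = $dest
        }
    }
}

Write-Host '== Winlogon Notify packages (newest file first) =='
Get-WinlogonNotifyPackages |
    Sort-Object Created -Descending |
    Format-Table Package, DllName, Exists, Created, Signature -AutoSize

Write-Host '== Notify DLLs that are missing or not embedded-signed =='
Get-WinlogonNotifyPackages |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table Package, DllPath, Created, Signature -AutoSize

Write-Host '== Pending file rename operations =='
Get-PendingFileRenames | Format-Table Source, Destination -AutoSize
```

    Two caveats when reading the output. Microsoft's own XP Notify packages (the ones HijackThis hides by default) are catalog-signed rather than embedded-signed, so PowerShell 2.0 reports them as NotSigned too; the file creation date and whether HijackThis shows the entry at all are the better discriminators. And because the package DLL is already loaded inside winlogon.exe while Windows is running, deleting the subkey can be undone by the DLL itself, which is consistent with what the thread starter saw; that is why the specialised tools requested later in this thread remove the file and the key together at boot rather than from a live session.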
     
  3. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Hi Rollin' Rog!

    Many thanks for responding to my cry for Help!

    I ran HJT and deleted the winnsy32.dll entry and verified it was removed by checking with Regedit. On shutting down, Windows stopped with the same error just before it was due to switch off. After restarting I checked again, and the winnsy32.dll entry had reinstalled itself. I deleted it again using Regedit, and the same thing happened.
    Should I have gone into the system32 folder and attempted to delete winnsy32.dll???

    I checked under session manager, and although folders were present for "pending file rename", and "file rename operations", both folders were empty.

    Thanks again for your help!!!
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm going to ask someone else to help you with this. There are some specialized programs that should be able to get that for you. You may have other hidden malware as well.
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,921
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

    Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

    Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
     
  6. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Good Evening Rollin' Rog!

    Once again, many thanks for your help and for passing this on to someone else. Normally I am careful about what I download and run, but this one caught me out!!!
     
  7. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Good Evening CookieGal!

    Thanks for taking this up, it is much appreciated - I'll go and do as you say now.
     
  8. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Hi There Again CookieGal!

    Below are posted the Combo-Fix and HJT logs as requested.

    Before running Combo-Fix, I shut down all running programs in the Tray and also one via the Task Manager - I forgot to shut down the Screensaver, although it didn't stop Combo-Fix from working.
    When Windows was restarted, it stopped just before shutdown with the usual error message. I stopped the computer on the button and restarted, after which it booted O.K. and finished creating the log.
    I also didn't disable Tea-Timer from restarting on the computer re-start.

    Here are the logs:-

    ComboFix 09-05-29.01 - Rob 29/05/2009 23:05.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.317 [GMT 1:00]
    Running from: c:\documents and settings\Rob\Desktop\Combo-Fix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\NPROTECT\NPROTECT.LOG
    c:\windows\system32\system
    c:\windows\system32\system\msxml4.dll
    c:\windows\system32\system\msxml4r.dll
    d:\recycled\NPROTECT\NPROTECT.LOG

    .
    ((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))
    .

    2009-05-27 11:15 . 2009-05-27 12:22 -------- d-----w c:\program files\RegCure
    2009-05-26 22:39 . 2009-05-26 22:48 -------- d-----w c:\program files\PostCast Server
    2009-05-26 13:29 . 2008-04-14 04:42 221184 ----a-w c:\windows\system32\wmpns.dll
    2009-05-26 12:39 . 2008-04-14 04:39 6144 ------w c:\windows\system32\kbdbhc.dll
    2009-05-26 12:36 . 2008-04-14 04:42 294912 -c----w c:\windows\system32\dllcache\dlimport.exe
    2009-05-26 12:34 . 2008-04-13 21:06 144384 ------w c:\windows\system32\drivers\hdaudbus.sys
    2009-05-26 12:34 . 2008-04-13 23:10 10240 ------w c:\windows\system32\drivers\sffp_mmc.sys
    2009-05-26 12:11 . 2009-05-26 12:11 -------- dc----w c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
    2009-05-24 11:11 . 2009-05-24 11:11 39936 ----a-w c:\windows\system32\winnsy32.dll
    2009-05-24 11:08 . 2009-05-24 11:08 40448 ----a-w c:\windows\system32\winohf32.dll
    2009-05-23 22:14 . 2009-05-24 14:16 -------- d-----w c:\documents and settings\Rob\Local Settings\Application Data\Thunderbird
    2009-05-23 22:14 . 2009-05-23 22:14 -------- d-----w c:\documents and settings\Rob\Application Data\Thunderbird
    2009-04-30 19:51 . 2009-04-30 19:51 -------- d-----w c:\program files\Smith Micro
    2009-04-30 19:50 . 2009-04-30 19:50 -------- d-----w c:\documents and settings\Rob\Local Settings\Application Data\Downloaded Installations

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-29 22:37 . 2008-06-18 14:55 6119712 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-05-29 22:35 . 2008-06-18 14:55 259104 --sha-w c:\windows\system32\drivers\fidbox2.dat
    2009-05-29 22:33 . 2008-06-18 14:55 84008 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-05-29 22:33 . 2008-06-18 14:55 25292 --sha-w c:\windows\system32\drivers\fidbox2.idx
    2009-05-29 21:13 . 2008-06-18 14:55 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-05-27 17:28 . 2001-11-09 17:25 78586 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
    2009-05-26 22:37 . 2006-05-24 18:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-05-23 17:29 . 2008-06-18 14:57 94643 ----a-w c:\windows\system32\drivers\klick.dat
    2009-05-23 17:29 . 2008-06-18 14:57 105395 ----a-w c:\windows\system32\drivers\klin.dat
    2009-05-17 16:09 . 2009-04-10 17:08 1437696 ----a-w c:\documents and settings\NetworkService\NTUSER.DAT.tmp
    2009-04-30 21:28 . 2002-06-18 16:09 -------- d-----w c:\program files\Utils1
    2009-04-30 21:23 . 2003-03-02 18:59 -------- d-----w c:\program files\Utils3
    2009-04-30 21:23 . 2001-11-09 18:00 -------- d--h--w c:\program files\InstallShield Installation Information
    2009-04-30 15:25 . 2009-04-28 15:17 -------- d-----w c:\documents and settings\Rob\Application Data\GARMIN
    2009-04-28 15:17 . 2009-04-28 15:17 -------- d-----w c:\documents and settings\All Users\Application Data\GARMIN
    2009-04-28 14:57 . 2009-04-28 14:57 -------- d-----w c:\program files\DIFX
    2009-04-28 14:57 . 2009-04-28 14:57 -------- d-----w c:\program files\Garmin
    2009-04-10 17:34 . 2009-04-10 17:22 -------- d-----w c:\program files\jv16 PowerTools 2009
    2009-04-10 17:22 . 2009-04-10 17:22 23 --sha-w c:\windows\system32\edacded0_x.dat
    2009-04-10 17:08 . 2009-04-10 17:08 1437696 ----a-w c:\documents and settings\LocalService\NTUSER.DAT.tmp
    2009-03-16 22:35 . 2009-03-16 22:35 249856 ------w c:\windows\Setup1.exe
    2009-03-16 22:35 . 2002-07-13 23:30 73216 ----a-w c:\windows\ST6UNST.EXE
    2009-03-02 20:30 . 2009-03-02 20:30 503808 ----a-w c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-42f96f8c-n\msvcp71.dll
    2009-03-02 20:30 . 2009-03-02 20:30 499712 ----a-w c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-42f96f8c-n\jmc.dll
    2009-03-02 20:30 . 2009-03-02 20:30 348160 ----a-w c:\documents and settings\Rob\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-42f96f8c-n\msvcr71.dll
    2009-03-02 20:28 . 2009-03-02 20:29 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-02 20:26 . 2009-03-02 20:26 152576 ----a-w c:\documents and settings\Rob\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
    2007-12-28 20:49 . 2007-12-28 20:49 23 --sha-w c:\windows\system32\bbfafc_r.dll
    2002-09-21 17:16 . 2002-09-21 17:16 4 --sh--r c:\windows\system32\fgxp.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2001-10-16 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2001-10-16 401408]
    "srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
    "mspwr"="c:\windows\System32\pupxpman.exe" [2002-04-29 114688]
    "CPQEASYACC"="c:\program files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-10-10 28672]
    "CookieWall"="c:\program files\Comms\CookieWall\cookie.exe" [2002-07-01 97796]
    "AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-03-15 684032]
    "Macara Client"="c:\program files\Comms\Bytemobile\mcgui.exe" [2003-02-11 311296]
    "AS00_Gear511"="c:\program files\NETGEAR\WG511SCU\Utility\Gear511.exe" [2006-01-20 1122412]
    "ClocX"="c:\program files\Misc\ClocX\ClocX.exe" [2007-07-26 270336]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-02 136600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-04 98304]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 227856]
    "AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2002-02-07 315392]
    "ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-08-28 28672]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\Rob\Start Menu\Programs\Startup\
    SigChanger V2.1.0.lnk - c:\program files\Comms\Sigchanger\sigchanger.exe [2002-7-3 531968]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\Bluetooth Software\BTTray.exe [2005-9-19 581693]
    Calendarium.lnk - c:\program files\Misc\Calendarium\Calendarium.exe [2001-2-20 1512960]
    CleanTemp.lnk - c:\program files\Utils1\CleanTemp\CleanTemp.exe [1999-3-2 501248]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyDocs"= 00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\windows\System32\logonui.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnsy32]
    2009-05-24 11:11 39936 ----a-w c:\windows\system32\winnsy32.dll

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
    "MIDI1"= SYNCOR11.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "pct"=c:\program files\PCT\pct.exe
    "Microsoft Works Update Detection"=???\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "QD FastAndSafe"=c:\windows\System32\pupxpman.exe
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\KAV\\Kaspersky Internet Security 7.0.1.325\\english\\setup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [3/21/2004 5:21 PM 19478]
    R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [3/21/2004 5:21 PM 635012]
    R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [3/21/2004 5:21 PM 431236]
    R2 NProtectService;Norton Unerase Protection;c:\progra~1\NORTON~1\NORTON~2\NPROTECT.EXE [9/10/2003 5:26 AM 81920]
    R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [1/21/2006 12:52 AM 16194]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/2007 1:28 PM 24592]
    S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
    S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [3/21/2004 5:21 PM 64093]
    S3 ACGPRS;Sierra Wireless GPRS Adapter;c:\windows\system32\drivers\acgprs.sys [7/23/2005 9:44 PM 148492]
    S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys [3/21/2006 6:34 PM 449888]
    S3 NuVision;Hauppauge WinTV USB Pro (PAL I);c:\windows\system32\drivers\Nuvision.sys [7/28/2002 8:18 PM 259996]
    S3 SUSCOM;Susteen Serial port driver;c:\windows\system32\drivers\SUSCOM.SYS [1/17/2003 9:59 PM 40448]
    .
    Contents of the 'Scheduled Tasks' folder

    2004-04-08 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2003-09-12 19:16]

    2009-05-27 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

    2009-05-27 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

    2005-02-09 c:\windows\Tasks\Symantec Drmc.job
    - c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]

    2005-04-04 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-04-08 12:24]
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-procexp90.Sys
    SafeBoot-AVG Anti-Spyware Guard


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
    mSearch Bar = hxxp://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
    uInternet Settings,ProxyServer = http=localhost:1027
    IE: Add to Anti-Banner
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Send To &Bluetooth - c:\program files\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\windows\system32\bmi_lsp.dll
    TCP: {9F4843E9-ECF0-44B5-A2CD-8DA09E593DF2} = 194.168.4.100,194.168.8.100
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
    DPF: Microsoft XML Parser for Java
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-29 23:36
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0]
    @DACL=(02 0000)
    "bhhphijojgfcdocagmhjgjbhmieinfap omclbkmbeidfbmlombnoibdfojjnince"="Compaq Computer Corporation"
    "bhhphijojgfcdocagmhjgjbhmieinfap fiabkgpbafgpcapdiapfnjhkfjmmkafh"="Compaq Computer Corporation"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1024)
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
    c:\windows\system32\klogon.dll
    c:\windows\system32\winnsy32.dll
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll

    - - - - - - - > 'lsass.exe'(1084)
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
    c:\windows\system32\bmi_lsp.dll
    c:\windows\system32\bmzlib.dll

    - - - - - - - > 'explorer.exe'(388)
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
    c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Utils2\Adaware\aawservice.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Bluetooth Software\bin\btwdins.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\COMPAQ\Easy Access Button Support\CPQEADM.exe
    c:\compaq\EAKDRV\EAUSBKBD.exe
    c:\progra~1\COMPAQ\EASYAC~1\BttnServ.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\windows\system32\winver.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-29 23:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-29 22:48

    Pre-Run: 27,554,734,080 bytes free
    Post-Run: 28,129,726,464 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /FASTDETECT /NoExecute=OptIn

    Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
    232





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:53:31, on 29/05/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Utils2\Adaware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\pupxpman.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Comms\CookieWall\cookie.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Bluetooth Software\BTTray.exe
    C:\Program Files\Misc\Calendarium\Calendarium.exe
    C:\Program Files\Comms\Sigchanger\sigchanger.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    D:\Working\CleanUp\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1027
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: SYSTRAN Office Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\Comms\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Macara Client] "C:\Program Files\Comms\Bytemobile\mcgui.exe" -d
    O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
    O4 - HKLM\..\Run: [ClocX] C:\Program Files\Misc\ClocX\ClocX.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: SigChanger V2.1.0.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Calendarium.lnk = C:\Program Files\Misc\Calendarium\Calendarium.exe
    O4 - Global Startup: CleanTemp.lnk = C:\Program Files\Utils1\CleanTemp\CleanTemp.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147042730212
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147043207558
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9F4843E9-ECF0-44B5-A2CD-8DA09E593DF2}: NameServer = 194.168.4.100,194.168.8.100
    O20 - Winlogon Notify: winnsy32 - C:\WINDOWS\SYSTEM32\winnsy32.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Utils2\Adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 9094 bytes



    Hope the above are as required

    Rob.
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Thanks Karen :)

    Rob, you might think back to 2009-05-24 11:11, which seems to be the install date of the malicious files, to get some idea of how it happened ;)
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,921
    You're welcome Rog. :)
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,921
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    http://forums.techguy.org/windows-nt-2000-xp/830437-help-requested-bsod.html#post6724022
    
    Collect::
    c:\windows\system32\winnsy32.dll
    c:\windows\system32\winohf32.dll
    
    File::
    c:\documents and settings\Rob\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
    c:\windows\system32\bbfafc_r.dll
    c:\windows\system32\fgxp.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnsy32]
     
    Save the file to your desktop and name it CFScript.txt

    Referring to the picture below, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    [image: dragging CFScript.txt onto ComboFix.exe]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     
  12. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Hi Rollin Rog!

    My e-mail client of choice on my Desktop is (and has been for some years) Eudora.
    I decided to load it onto my Laptop, so I downloaded and installed the Beta version of Eudora8. It was just after that the problems started, so I uninstalled Eudora8 in case that was the cause of the problem.
    I think I also updated PhotoFiltre at about that time.
     
  13. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Good Morning CookieGal!

    I dragged the script to Combo-Fix, which ran O.K. until it tried to reboot, when I had to switch off and restart. After the restart, a log wasn't generated although I waited for over half an hour.
    I didn't re-run the script & Combo-Fix again just in case of problems, but have posted below an HJT Log File.
    Kaspersky reloaded on restart and came up with a threat warning. These seemed to be related to Combo-Fix so I didn't take any action to disinfect them.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:30:04, on 31/05/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Utils2\Adaware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\pupxpman.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Comms\CookieWall\cookie.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
    C:\Program Files\Misc\ClocX\ClocX.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Misc\Calendarium\Calendarium.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Comms\Sigchanger\sigchanger.exe
    C:\Program Files\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    D:\Working\CleanUp\HiJack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1027
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: SYSTRAN Office Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\Comms\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Macara Client] "C:\Program Files\Comms\Bytemobile\mcgui.exe" -d
    O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
    O4 - HKLM\..\Run: [ClocX] C:\Program Files\Misc\ClocX\ClocX.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: SigChanger V2.1.0.lnk = ?
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Calendarium.lnk = C:\Program Files\Misc\Calendarium\Calendarium.exe
    O4 - Global Startup: CleanTemp.lnk = C:\Program Files\Utils1\CleanTemp\CleanTemp.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147042730212
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147043207558
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9F4843E9-ECF0-44B5-A2CD-8DA09E593DF2}: NameServer = 194.168.4.100,194.168.8.100
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Utils2\Adaware\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8840 bytes


    Thanks for returning to this so promptly :)
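As an added defender-side example (not code from this thread, from HijackThis or from ComboFix), the script below diffs the two HijackThis logs posted in this thread and pulls out the O20 Winlogon Notify entries, which is the quickest way to confirm that the winnsy32 notify DLL targeted by the CFScript is really gone even when ComboFix produces no log. The log text is a constructed excerpt of the two logs above; the allowlist of stock Windows XP Winlogon Notify subkey names is an assumption that should be checked against a known-clean machine.

```python
import re
from collections import defaultdict

# Constructed excerpts of the two HijackThis logs posted in this thread:
# 29/05/2009 (before the CFScript ran) and 31/05/2009 (after). Only a few
# lines are kept so the diff stays readable; the full logs are in the posts.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1027
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: winnsy32 - C:\WINDOWS\SYSTEM32\winnsy32.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
"""

LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1027
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
"""

# A HijackThis entry line is "<section code> - <body>"; everything else in
# the log (header, process list, blank lines) is ignored.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# O20 body: "Winlogon Notify: <subkey name> - <dll path>".
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# ASSUMPTION: stock Winlogon\Notify subkey names on a clean Windows XP
# install. Verify against a known-clean machine before relying on it.
STOCK_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def parse_hjt(text):
    """Return {section_code: set(entry bodies)} for one HijackThis log."""
    sections = defaultdict(set)
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            sections[m.group("code")].add(m.group("body"))
    return sections


def diff_hjt(before, after):
    """Return (removed, added): entries present in only one of the two logs.

    Each entry is reported as the full "CODE - body" line so it can be
    matched against the original log by eye.
    """
    b, a = parse_hjt(before), parse_hjt(after)
    codes = set(b) | set(a)
    removed = sorted(f"{c} - {e}" for c in codes for e in b[c] - a[c])
    added = sorted(f"{c} - {e}" for c in codes for e in a[c] - b[c])
    return removed, added


def winlogon_notify_dlls(text):
    """Return {subkey name: dll path} for every O20 entry in the log.

    Notify DLLs are loaded into winlogon.exe (the ComboFix log above lists
    winnsy32.dll there), which is why a broken or hostile one can surface
    as the c000021a stop seen at shutdown in this thread.
    """
    found = {}
    for body in parse_hjt(text)["O20"]:
        m = O20_RE.match(body)
        if m:
            found[m.group("name")] = m.group("path")
    return found


def flag_unknown_notify(text, known=STOCK_NOTIFY):
    """Return sorted O20 subkey names that are not on the allowlist."""
    return sorted(n for n in winlogon_notify_dlls(text)
                  if n.lower() not in known)


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Removed since previous log:")
    for line in removed:
        print("  -", line)
    print("Added since previous log:")
    for line in added:
        print("  +", line)
    print("Unknown Winlogon Notify DLLs before:", flag_unknown_notify(LOG_BEFORE))
    print("Unknown Winlogon Notify DLLs after: ", flag_unknown_notify(LOG_AFTER))
```

Run against the full logs, the diff also shows the Spybot BHO, TeaTimer and SDHelper entries disappearing between the two posts, which is worth noting separately from the winnsy32 removal so that legitimate changes (Kaspersky's AVP Run entry appearing, Spybot being unloaded) are not confused with the cleanup itself.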
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,921
    Do you see a log at C:\combofix.txt?
     
  15. robmd

    robmd Thread Starter

    Joined:
    May 10, 2002
    Messages:
    111
    Hi CookieGal!

    I shut down my Laptop just after my last post - and it shut down normally.
    I see that the Registry entry for winnsy32.dll has been removed, and the dll file is not in the system32 folder.
    I have just shut down the Laptop again, and it stopped normally. I am now waiting for it to finish loading Windows.
    On the last start, Kaspersky did give a warning that svchost was to be changed, but I didn't allow the change at that time.

    I cannot see the file combofix.txt at C:\

    Kaspersky has indicated:-
    Virus Eicar - Test file on 2 counts
    I assume these were test files created by Combo-Fix? I haven't done anything about them in case they are required.
     
Short URL to this thread: https://techguy.org/830437
