Slow scanspeed



woodchips
2006-03-18, 01:55
Looking for help to increase scanspeed with Spybot S&D and get rid of other problems.

System Info:

Dell Dimension L933r
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Pentium 3
127.0 MB RAM

Computer won't let me run online scans, due to ActiveX controls
Have not yet been able to complete a Spybot Scan due to time.

Below is my Spybot Log, if HJ log is needed as well, please advise.

LonnyRJones
2006-03-20, 21:09
Welcome woodchips

Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288
Post the Hijackthis log here in this thread.
Someone will then take a look at the system and advise you.

woodchips
2006-03-20, 23:11
Welcome woodchips

Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288
Post the Hijackthis log here in this thread.
Someone will then take a look at the system and advise you.


That thread was closed. Please see new thread
http://forums.spybot.info/showthread.php?p=16504#post16504

tashi
2006-03-21, 01:11
Hello.
The closed link Lonny gave to you contains information for posting in this forum.
It is not open for members to post into. :)

Please post your log into this topic. Thank you. ;)

woodchips
2006-03-21, 03:18
Per your request, here is my HJT Log. Thanks for the help.


Logfile of HijackThis v1.99.1
Scan saved at 6:11:09 PM, on 3/21/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINDESKTOP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: Class - {64CA2686-435D-CB6D-1C4F-78D558954130} - C:\WINDOWS\WINPT32.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C6F6E45B-5927-4D51-AE66-FF4E09AC67DB} - C:\WINDOWS\SYSTEM\CHLM.DLL
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - Startup: Shortcut to SPOOL32.EXE.lnk = C:\WINDOWS\SYSTEM\SPOOL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://www.iwon.com/ct/pm2/iwonpm1,0,2,3.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sext2sp.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://008i.com/pic//x.chm::/open.exe
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18c218783ecbcfcd0e18/netzip/RdxIE601.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O18 - Filter: text/html - {1F329E35-E353-4D72-93A6-9048ACDCB67A} - C:\WINDOWS\SYSTEM\CHLM.DLL
O18 - Filter: text/plain - {1F329E35-E353-4D72-93A6-9048ACDCB67A} - C:\WINDOWS\SYSTEM\CHLM.DLL
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\abirvalg32.dll
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL

LonnyRJones
2006-03-21, 07:37
Start HijackThis and place a check next to ONLY these items, if there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {64CA2686-435D-CB6D-1C4F-78D558954130} - C:\WINDOWS\WINPT32.DLL
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKCU\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - Startup: Shortcut to SPOOL32.EXE.lnk = C:\WINDOWS\SYSTEM\SPOOL32.EXE
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://www.iwon.com/ct/pm2/iwonpm1,0,2,3.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sext2sp.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://008i.com/pic//x.chm::/open.exe
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18c21878...p/RdxIE601.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\abirvalg32.dll
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL
====================================
Hit Fix checked and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run AboutBuster, save the log to post later.
If prompted to restart the PC, do so.

Start HijackThis and place a check next to these items, if there.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C6F6E45B-5927-4D51-AE66-FF4E09AC67DB} - C:\WINDOWS\SYSTEM\CHLM.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {1F329E35-E353-4D72-93A6-9048ACDCB67A} - C:\WINDOWS\SYSTEM\CHLM.DLL
O18 - Filter: text/plain - {1F329E35-E353-4D72-93A6-9048ACDCB67A} - C:\WINDOWS\SYSTEM\CHLM.DLL
====================================
Hit Fix checked and close HijackThis.

Post a new HijackThis log and that first AboutBuster log.

woodchips
2006-03-21, 22:37
Logfile of HijackThis v1.99.1
Scan saved at 1:14:50 PM, on 3/22/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\UECNTBDP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL

LonnyRJones
2006-03-21, 23:05
Scan and fix this item with HijackThis:
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL

Had you missed it, or has it returned?

Post a report from one, or better yet both, of these free online scanners.

Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Save the report and post it back here please if there are any that it is unable to deal with.


Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x] extended database, etc. Click OK.
Then choose My Computer: scan all your hard drives and mapped disks.
When finished, click save as text and post that in your reply.

You have been using msconfig. I need you to re-enable anything you have disabled since the problems started, then make and post another HijackThis log.
But don't restart the PC yet.
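As an added example that is not part of the thread or of any tool named in it (Spybot, HijackThis, AboutBuster), the Python script below, which needs only the standard library, parses HijackThis 1.99.1 entry lines, flags the entry types the helper singled out for "fix checked" above (res:// and about:blank search hijacks, the missing URLSearchHook, a Run entry calling rundll32 on a DLL in TEMP, O16 DPF entries pointing at local files or CHM archives, O18 MIME filters, O21 SSODL loaders), and diffs two logs so that an entry which comes back after a fix, the "has it returned?" question asked here, is reported explicitly. The two sample logs and the fix list are constructed from entries quoted in this thread, not real captures.

```python
"""Triage and diff HijackThis v1.99.1 logs. Added example; not a Spybot, HijackThis or forum tool."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Entry lines look like "R1 - ..." or "O16 - ..."; the header and process list do not match.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

@dataclass(frozen=True)
class Entry:
    section: str  # "R1", "O4", "O21", ...
    body: str     # everything after "Rn - " / "On - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"

def parse_log(text: str) -> list[Entry]:
    """Keep only the R/O entry lines of a log."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out

def triage_reason(e: Entry) -> str | None:
    """Why an entry is suspicious, or None. The rules mirror the indicators the helper acted on."""
    low = e.body.lower()
    if e.section in ("R0", "R1") and ("res://" in low or low.endswith("about:blank")):
        return "IE search/start page hijacked (about:blank, or a res:// page served from TEMP)"
    if e.section == "R3" and "missing" in low:
        return "default URLSearchHook removed"
    if e.section == "O4" and "rundll32" in low and "\\temp\\" in low:
        return "Run entry loads a DLL from TEMP via rundll32"
    if e.section == "O16" and (" - file://" in low or " - ms-its:" in low):
        return "DPF entry points at a local executable or a CHM archive instead of a web URL"
    if e.section == "O18" and low.startswith("filter: text/"):
        return "MIME filter hooks text/html or text/plain"
    if e.section == "O21":
        return "SSODL shell-load entry; rarely legitimate, review the DLL"
    return None

def triage(text: str) -> list[tuple[str, str]]:
    """(entry line, reason) for every entry a rule fires on, in log order."""
    out = []
    for e in parse_log(text):
        reason = triage_reason(e)
        if reason:
            out.append((e.line, reason))
    return out

def compare_logs(before: str, after: str) -> dict[str, list[str]]:
    """Entries that disappeared, appeared, or survived between two logs."""
    b = {e.line for e in parse_log(before)}
    a = {e.line for e in parse_log(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b), "persisted": sorted(a & b)}

def returned_after_fix(fix_list: str, after: str) -> list[str]:
    """Lines from a 'fix checked' list that are still in a later log: the fix did not stick."""
    wanted = {e.line for e in parse_log(fix_list)}
    return sorted(wanted & {e.line for e in parse_log(after)})

# Constructed sample logs modelled on the entries quoted in the thread; not real captures.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O18 - Filter: text/html - {1F329E35-E353-4D72-93A6-9048ACDCB67A} - C:\WINDOWS\SYSTEM\CHLM.DLL
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL
"""
# The list given to "fix checked": everything above except the legitimate Java BHO.
FIX_LIST = "\n".join(e.line for e in parse_log(LOG_BEFORE) if e.section != "O2")
# Log taken after the fix and a reboot: the O21 entry is back, the rest is gone.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL
"""

if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE):
        print(f"[{reason}]\n    {line}")
    print("returned after fix:", returned_after_fix(FIX_LIST, LOG_AFTER))
```

Run it on two real logs by reading the files into `before` and `after` and calling `compare_logs` and `returned_after_fix`; an entry in the "persisted" list that was on the fix list is exactly the O21 case in this thread, where a still-running loader re-creates the registry value after HijackThis deletes it, so the file has to go before the entry will stay gone. The rules are deliberately conservative and only cover the indicators seen here, so a clean result from `triage` is not a clean system. One caveat worth knowing when handling these logs: the AntiVir report later in this thread flags SpybotSD.Report.txt and hijackthis.log themselves as HTML/Exploit.Mhtml, very likely because those text files contain the ms-its:mhtml: DPF lines quoted above, so a scanner can hit on the saved log rather than on an infection.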

woodchips
2006-03-21, 23:15
I have deleted it with hijackthis, three times, but it keeps returning.
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL

I will try the online scans next.

woodchips
2006-03-22, 01:02
Panda ActiveScan: performed scan, but would not disinfect. See log below.

Kaspersky Lab: would not work. It didn't even initialize.

Additional issue now: Can open my computer but when I click on the hard drive no icons appear. It says I still have objects in the lower left hand corner, but nothing is visible. My Documents is still OK, and all files and extensions are marked to be visible. Only happened after trying to run Kaspersky Lab. Please advise.


Incident Status Location

Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM\bdedata2.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM\bdeinsta2.dll
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\WINDOWS\SYSTEM\bdeinstall.exe
Adware:Adware/IdeskBar Not disinfected C:\WINDOWS\SYSTEM\howiper.exe
Adware:Adware/Spoon Not disinfected C:\WINDOWS\SYSTEM\favset.exe
Adware:adware/searchaid Not disinfected C:\WINDOWS\SYSTEM\sdkxp32.exe
Virus:Trj/Downloader.CME Not disinfected C:\WINDOWS\SYSTEM\xdldr24.exe
Adware:adware/cws.aboutblank Not disinfected C:\WINDOWS\SYSTEM\crhz32.dll
Adware:adware/cws.008k Not disinfected C:\WINDOWS\SYSTEM\syssy.dll

LonnyRJones
2006-03-22, 14:01
woodchips
http://forums.spybot.info/showpost.php?p=16545&postcount=6
In that post a download link is missing for AboutBuster. I thought I had posted it; was it there prior, or did you find AboutBuster on your own?

Download Pocket Killbox to the desktop
http://www.downloads.subratam.org/KillBox.exe
Start Killbox, place a tick next to [x] Delete on reboot, and press the ALL Files button.
Copy this whole list into the Windows clipboard, all the bolded below.

C:\WINDOWS\SYSTEM\bdedata2.dll
C:\WINDOWS\SYSTEM\bdeinsta2.dll
C:\WINDOWS\SYSTEM\bdeinstall.exe
C:\WINDOWS\SYSTEM\howiper.exe
C:\WINDOWS\SYSTEM\favset.exe
C:\WINDOWS\SYSTEM\sdkxp32.exe
C:\WINDOWS\SYSTEM\xdldr24.exe
C:\WINDOWS\SYSTEM\crhz32.dll
C:\WINDOWS\SYSTEM\syssy.dll
C:\WINDOWS\SYSTEM\PZRKD.DLL

Back in Killbox go > File > Paste from clipboard.
Click the red highlighted X button and say yes to the prompt to restart the PC.


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

woodchips
2006-03-22, 14:10
Similar to the problem with My Computer\C: drive access, but now with Internet Explorer. Can navigate to the main home page of sites, but cannot view auxiliary pages.

woodchips
2006-03-23, 01:42
Can't view soma;slkdjf;

woodchips
2006-03-23, 02:14
Found AboutBuster on my own.

Ran Killbox, everything went OK

Report.txt

Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted


Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...



Logfile of HijackThis v1.99.1
Scan saved at 5:07:45 PM, on 3/23/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL

LonnyRJones
2006-03-23, 10:03
Try Killbox delete on reboot again for file:
C:\WINDOWS\SYSTEM\PZRKD.DLL

It appears you have no antivirus protection.

Install at least a free antivirus program.
Don't make the common mistake of installing more than one antivirus program!!!!
AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
AntiVir Personal Edition: http://www.free-av.com/
avast! 4 Home - Free antivirus software :
http://www.asw.cz/eng/free_virus_protectio.html

Install one, update it, and do a full system scan. If it has problems removing any viruses/trojans, do a scan while the PC is in Safe Mode.

woodchips
2006-03-23, 14:15
I have the Cox Hi-Speed Internet Security Suite. It hasn't been able to load successfully since we've started the remedies. I was going to reinstall it after everything was working properly again.

But I have had it up and running with automatic updates and still had the problems you've helped get rid of. Would you recommend that I use one of the anti-virus programs that you listed instead? Please advise.

Will run Killbox again.

woodchips
2006-03-23, 14:55
It appears Killbox can't find the file C:\WINDOWS\SYSTEM\PZRKD.DLL.

Ran Killbox in Safe Mode and searched for the file myself, but didn't find it either way. I have included a new HijackThis log, which now says the file is just missing.

Also, I am still running a selective startup because when I run msconfig and go to the startup tab, windesktop.exe (listed three times) and sp (rundll32) still appear and are marked to run. Should they still be there?

Logfile of HijackThis v1.99.1
Scan saved at 5:38:10 AM, on 3/24/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL (file missing)

woodchips
2006-03-23, 16:38
Is there any way I can delete the files in the virus scan log? The scanner says it can't quarantine or delete these files. Please advise.


Report file date: Friday, March 24, 2006 06:29


Jobname: 'Local Drives'

Scanning for 341280 virus strains and unwanted programs.

Licensed to: AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows Me
Windows version: (plain) [4.90.3000] (Windows Me)
Username: unknown
Computer name: OFFICE

Version informations:
AVSCAN.EXE : 7.0.0.28 393256 3/15/2006 19:18:58
AVSCAN.DLL : 7.0.0.28 40488 3/15/2006 19:18:58
LUKE.DLL : 7.0.0.28 110632 3/15/2006 19:18:58
LUKERES.DLL : 7.0.0.28 25600 3/15/2006 19:18:58
ANTIVIR0.VDF : 6.32.0.60 4323840 3/15/2006 15:46:22
ANTIVIR1.VDF : 6.34.0.11 1424384 3/15/2006 15:46:24
ANTIVIR2.VDF : 6.34.0.75 207872 3/24/2006 12:57:30
ANTIVIR3.VDF : 6.34.0.89 26112 3/24/2006 12:57:30
AVEWIN32.DLL : 7.0.0.3 1167872 3/1/2006 00:06:46
AVPREF.DLL : 6.34.0.0 33320 1/18/2006 20:05:46
AVREP.DLL : 6.34.0.50 1712168 3/24/2006 12:57:30
AVPACK32.DLL : 6.33.0.6 331816 1/9/2006 17:03:38
AVREG.DLL : 6.31.0.90 25128 7/28/2005 18:06:12
NETNT.DLL : No Informations!
NETNW.DLL : 6.32.0.0 9768 9/27/2005 15:56:46


Start of the scan: Friday, March 24, 2006 06:30


Start scanning boot sectors:

Boot sector 'A:'
[NOTE] In the drive 'A:' no data medium is inserted!
Boot sector 'E:'
[NOTE] In the drive 'E:' no data medium is inserted!

Starting to scan the registry.

The registry was scanned ( 8 files ).


Starting the file scan:

C:\WINDOWS\WIN386.SWP
[WARNING] The file could not be opened!
C:\My Documents\SpybotSD.Report.txt
[DETECTION] Contains signature of the HTML script virus HTML/Exploit.Mhtml
C:\My Documents\HijackThis\hijackthis.log
[DETECTION] Contains signature of the HTML script virus HTML/Exploit.Mhtml
C:\_RESTORE\TEMP\A0002492.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0002418.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0002618.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0002630.0
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0002644.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0002968.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0003207.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0003395.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0003479.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0003582.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0004582.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0004596.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0005596.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0005597.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0005606.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0005607.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0006002.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0006075.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0006253.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0006485.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0007485.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0007613.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0008613.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0008707.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0009707.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] The file could not be wiped!
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0009984.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0010401.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0010519.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0010527.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0010639.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0011639.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0011663.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0011872.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0012872.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0012958.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0012982.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0013002.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0013003.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0013004.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0013009.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0013239.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0013312.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0013573.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0014400.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0015400.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0015898.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016070.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016090.CPY
[DETECTION] Contains signature of the HTML script virus HTML/Exploit.Mhtml
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016092.CPY
[DETECTION] Contains signature of the HTML script virus HTML/Exploit.Mhtml
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016273.CPY
[DETECTION] Is the Trojan horse TR/StartPage.abg
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016285.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016286.CPY
[DETECTION] Is the Trojan horse TR/Proxy.Agent.DL.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016443.CPY
[DETECTION] Contains signature of the dial-up program DIAL/301140
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016445.CPY
[DETECTION] Is the Trojan horse TR/Dldr.Delf.CB
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016471.CPY
[DETECTION] Is the Trojan horse TR/DNSChanger.R
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016473.CPY
[DETECTION] Is the Trojan horse TR/Dldr.Mediket.S.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016475.CPY
[DETECTION] Is the Trojan horse TR/Drop.Agent.RI.2
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016479.CPY
[DETECTION] Is the Trojan horse TR/Small.ev.308.A
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016481.CPY
[DETECTION] Is the Trojan horse TR/DNSChanger.R
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016485.CPY
[DETECTION] Is the Trojan horse TR/DNSChanger.R
[WARNING] An error has been performed and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\_RESTORE\TEMP\A0016491.CPY
[DETECTION] Is the Trojan horse TR/DNSChanger.R


End of the scan: Friday, March 24, 2006 07:19
Used time: 49:42 min

The scan has been canceled by the user!

1064 Scanning directories
100250 Files were scanned
63 viruses and/or unwanted programs was found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1005 Archives were scanned
125 Warnings
0 Notes

LonnyRJones
2006-03-24, 02:05
Have HijackThis fix this item if you haven't already done so:
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL (file missing)


[WARNING] The file could not be opened!
C:\My Documents\SpybotSD.Report.txt
[DETECTION] Contains signature of the HTML script virus HTML/Exploit.Mhtml
C:\My Documents\HijackThis\hijackthis.log

Obviously false positives. For those others, have Windows delete the old System Restore points:

System Restore win ME
Purge the old System Restore points to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, put a check mark in the 'Turn Off System Restore' check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.
5. Repeat steps 1 - 3, this time clearing the box beside 'Turn Off System Restore'

I'm not familiar with Cox's software; offhand I suggest keeping it (if you get it to work correctly) and doing supplemental free online scans weekly or biweekly.

woodchips
2006-03-24, 02:23
I followed the steps to turn off System Restore, but it was already turned off. So to check it, I turned it back on, but as soon as I closed it, restarted the computer and opened it up again it was turned off again. Could something be disabling System Restore? Please advise.

LonnyRJones
2006-03-24, 02:48
Hi

Start msconfig > Startup tab and re-enable everything that is disabled (unchecked), click Apply, close msconfig and restart the PC, then post a new HijackThis log.

woodchips
2006-03-24, 02:57
Logfile of HijackThis v1.99.1
Scan saved at 5:50:04 PM, on 3/24/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\SCHEDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\AVGCTRL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [errorkiller] "C:\Program Files\errorkiller\errorkiller.exe" -boot
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AuthConsoleStart] c:\program files\cox\applications\app\AuthStart.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [avgctrl] "C:\Program Files\AntiVir PersonalEdition Classic\avgctrl.exe" /min
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CurtainsSysSvc] c:\program files\cox\applications\app\AuthSL.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [schedm] "C:\Program Files\AntiVir PersonalEdition Classic\schedm.exe"
O4 - HKCU\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Shortcut to SPOOL32.EXE.lnk = C:\WINDOWS\SYSTEM\SPOOL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

LonnyRJones
2006-03-24, 03:10
You have both AntiVir and Cox's antivirus installed?

Start HijackThis and place a check next to these items, if they are there:
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKCU\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe

What's this?
O4 - Startup: Shortcut to SPOOL32.EXE.lnk = C:\WINDOWS\SYSTEM\SPOOL32.EXE
If you don't know, fix it also.
====================================
Hit Fix checked and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Replace the Hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated


Now try disabling System Restore, restart the PC and re-enable it again.
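The checklist above picks the suspicious autostart entries out of the HijackThis log by hand: code launched from C:\WINDOWS\TEMP, the same name registered under Run, RunServices and HKCU\Run at once, an orphaned entry whose file is gone, and a Startup-folder shortcut to a system binary that the helper has to ask about. The following is an added example, not code from the thread or from HijackThis, that applies those same four rules to HijackThis-style lines. The sample lines are constructed, modelled on the log posted above; the rules and their wording are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis lines posted in this thread.
# It is not a real log capture.
SAMPLE_LOG = r"""
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - HKCU\..\Run: [windesktop] C:\WINDOWS\SYSTEM\windesktop.exe
O4 - Startup: Shortcut to SPOOL32.EXE.lnk = C:\WINDOWS\SYSTEM\SPOOL32.EXE
O21 - SSODL: hbeUYKE - {07D00A18-AD7A-A0B2-CACC-77B04D7E07DE} - C:\WINDOWS\SYSTEM\PZRKD.DLL (file missing)
"""

# O4 registry autostart: "O4 - HKLM\..\Run: [name] command"
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# O4 Startup-folder shortcut: "O4 - Startup: name.lnk = target"
O4_STARTUP = re.compile(r"^O4 - Startup: .*? = (.*)$")
TEMP_DIR = re.compile(r"\\TEMP\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\WINDOWS\\SYSTEM\\", re.IGNORECASE)
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage(log_text):
    """Return [(line, [reasons])] for every HijackThis line that deserves a second look."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # Pass 1: which O4 names are registered under more than one autostart key.
    # Legitimate software usually registers once; malware often hits Run,
    # RunServices and HKCU\Run together so that it survives a partial cleanup.
    keys_by_name = defaultdict(set)
    for line in lines:
        m = O4_REG.match(line)
        if m:
            hive, subkey, name, _cmd = m.groups()
            keys_by_name[name.lower()].add(hive + "\\" + subkey)

    # Pass 2: apply the four rules to every line.
    findings = []
    for line in lines:
        reasons = []
        if TEMP_DIR.search(line):
            reasons.append("autostart loads code from a TEMP directory")
        if any(marker in line for marker in ORPHAN_MARKERS):
            reasons.append("orphaned entry: the registered file is no longer on disk")
        m = O4_REG.match(line)
        if m:
            keys = keys_by_name[m.group(3).lower()]
            if len(keys) > 1:
                reasons.append("same name registered under %d autostart keys" % len(keys))
        s = O4_STARTUP.match(line)
        if s and SYSTEM_DIR.match(s.group(1)):
            reasons.append("Startup-folder shortcut launches a system binary; confirm the user created it")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

On the sample, the Java BHO and the stock ScanRegistry entry pass, while the TEMP-launched SE.DLL, the triple-registered windesktop, the two orphaned components and the SPOOL32 shortcut are reported with a reason each. Rules like these only narrow the list; the SPOOL32 case shows why the last word still belongs to the person who knows the machine.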

woodchips
2006-03-24, 03:52
O4 - Startup: Shortcut to SPOOL32.EXE.lnk = C:\WINDOWS\SYSTEM\SPOOL32.EXE

This was a remedy per the microsoft website, because my printer wouldn't work. I kept getting Spool32 error messages.

I have AntiVir and Cox's antivirus installed because, as mentioned previously, since beginning repairs Cox Security Suite hasn't been loading. I get an error message about repairing the installation. But I can't navigate the web page to reinstall it because it is just blank. I get an error message about Java scripts. I have run through the process to enable them, but they are already enabled. I checked the Java site and it says that all is installed and working properly.

Also, I still am not able to navigate through the C: drive via My Computer. The C:\ window loads blank. I can navigate only by right-clicking My Computer, left-clicking Explore and then selecting the specific file in the left-hand drop-down lists only.

What would this be caused by?

woodchips
2006-03-24, 05:19
Spybot still hangs up at CoolWWWSearch. Possible reasons?

LonnyRJones
2006-03-24, 10:20
Hows system restore now ?

SPOOL32.EXE.lnk, thanks for the information.

Replace your Hosts file; it was probably edited by the infection.
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

Now see if you can get to Cox's antivirus area, or any sites that were not previously accessible. Any luck?

"Also, I still am not able to navigate through the C: drive via my computer. The C:\ window loads blank."
Try Internet Explorer's repair option (yes, IE is part of Explorer): in Add/Remove Programs start the uninstall of IE6 and choose Repair.

I'm still unsure what version of Spybot it is you have?
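Both of LonnyRJones's posts about the Hosts file (the earlier one after the HijackThis fix list, and this one) rest on the same point: the infection has probably rewritten HOSTS so that webmail, the ISP's security pages and vendor sites either resolve to an attacker's host or are blackholed to loopback, which is exactly the "page loads blank" symptom described. As an added example, not code from the thread or from the MVPS project, here is a small audit that parses a HOSTS file and separates the harmless blocklist entries the MVPS file is made of (127.0.0.1 or 0.0.0.0 pointing at ad servers) from hijack entries. On Windows ME the live file is C:\WINDOWS\HOSTS; the sample content below is constructed, and the watched-domain list is this example's own assumption.

```python
import ipaddress

# Constructed sample HOSTS content for the demonstration; it is not the
# real file from the machine in this thread. On Windows ME the live file
# is C:\WINDOWS\HOSTS (no extension).
SAMPLE_HOSTS = """
# Comments and blank lines are ignored
127.0.0.1       localhost

# Blocklist-style entries, as the MVPS HOSTS file uses: harmless
127.0.0.1       ad.doubleclick.net
0.0.0.0         ads.example-adserver.test

# Hijack-style entries: real services pointed at an attacker-controlled
# host (203.0.113.10 is a documentation address, used here as a stand-in)
203.0.113.10    www.hotmail.com webmail.aol.com

# Security and update sites sinkholed to loopback so the victim cannot
# download tools or definitions; hostile even though the address is local
127.0.0.1       www.safer-networking.org
127.0.0.1       windowsupdate.microsoft.com
"""

# Domains whose presence in HOSTS is suspicious whatever they resolve to.
# This list is an assumption for the example; extend it for your environment.
WATCHED_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "safer-networking.org",
    "symantec.com", "mcafee.com", "avira.com", "free-av.com",
    "hotmail.com", "aol.com", "cox.net",
)


def _watched(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (ip, hostname) pairs; several hostnames on one line are expanded."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            yield parts[0], host


def audit_hosts(text):
    """Classify each entry as ok / blocked / sinkholed_security / hijack / malformed."""
    report = {"ok": [], "blocked": [], "sinkholed_security": [], "hijack": [], "malformed": []}
    for ip_text, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            report["malformed"].append((ip_text, host))
            continue
        local = ip.is_loopback or ip.is_unspecified
        if host.lower() == "localhost":
            # localhost must stay on loopback; anything else is a redirect
            report["ok" if ip.is_loopback else "hijack"].append((ip_text, host))
        elif not local:
            # a real name resolving to a remote address: classic HOSTS hijack
            report["hijack"].append((ip_text, host))
        elif _watched(host):
            # vendor/update/webmail site blackholed: blocks updates and online scans
            report["sinkholed_security"].append((ip_text, host))
        else:
            # plain blocklist entry of the kind the MVPS file installs
            report["blocked"].append((ip_text, host))
    return report


if __name__ == "__main__":
    for verdict, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip_text, host in entries:
            print("%-20s %-16s %s" % (verdict, ip_text, host))
```

Replacing the file with a fresh MVPS copy, as advised above, clears all of these at once; the audit is useful beforehand to record what the infection changed, and afterwards to confirm that nothing has rewritten the file again.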

woodchips
2006-03-24, 13:54
System restore is working fine now, thank you.

Already replaced the hosts file last night, but the problem still remains.
Other web pages that won't display that are critical to me:
http://webmail.aol.com/
http://www.hotmail.com

Replaced host again this morning, but no luck.

Control panel is one area that I can't open or navigate at all. Just a blank window whichever method I try.

I am using spybot 1.4

LonnyRJones
2006-03-24, 15:56
Try this
Copy the line below
rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"
then paste it into the Start > Run box and click OK.

woodchips
2006-03-25, 02:33
The command you gave fixed the navigation of my computer and the websites.

It didn't do anything for the spybot scan though. Same hang point. Any ideas?

LonnyRJones
2006-03-25, 16:16
Can you access windows control panel now ?

Let's try clearing all temps.
Download System Security Suite.
http://www.igorshpak.net/
Extract it from the zip file and run setup.exe
after the install you can delete setup.exe and the downloaded zip file
Start the program, check all the boxes under the 'Items to Clear' tab (even cookies this time) and click 'Clear Selected Items'. You will be prompted to reboot; do so.

Let us know if Spybot S&D's scan is back to normal.

woodchips
2006-03-27, 04:00
Window control panel is back up and working.

Followed instructions for System Security Suite, no change to Spybot. Uninstalled and reinstalled. Hang up point remains at about 5800 +/-

LonnyRJones
2006-03-27, 12:10
Let's get a look at a Silent Runners log.
Download and run SilentRunners.vbs and post the log it creates, please:
http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
Wait until there is an "All Done" message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say done.


When you reinstalled Spybot, did you delete its folder before installing again?

In Windows Add/Remove Programs uninstall Spybot, then restart the PC,
and delete Spybot's folder in Program Files,
usually > C:\Program Files\Spybot - Search & Destroy
Then download and install 1.4. Once that's done, check for updates, then check for problems, fix everything found, and always reboot if Spybot needs to, to finish the cleanup. http://www.safer-networking.org/index.php?page=tutorial
Download found here http://www.safer-networking.org/en/download/index.html

woodchips
2006-03-27, 16:01
After I download and try to run Silent Runners, I get the following error message.

Can't find script engine"VBScript" for script.
"C:\WINDOWS\Desktop\Silentrunners.vbs"

I didn't delete any specific files. I just used Add/Remove Programs via Control Panel. Will try again in the meantime.

LonnyRJones
2006-03-27, 16:19
Install Windows Script 5.6
Download details Windows Script 5.6 for Windows 98, Windows Millennium Edition, and Windows NT 4.0: http://www.microsoft.com/downloads/details.aspx?FamilyId=0A8A18F6-249C-4A72-BFCF-FC6AF26DC390&displaylang=en

woodchips
2006-03-27, 16:32
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"EM_EXEC" = "C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"MotiveMonitor" = "C:\Program Files\Motive\motmon.exe" ["Motive Communications, Inc."]
"Adaptec DirectCD" = "C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE" ["Adaptec"]
"AuthConsoleStart" = "c:\program files\cox\applications\app\AuthStart.exe" ["Authentium, Inc."]
"avgctrl" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgctrl.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"CurtainsSysSvc" = "c:\program files\cox\applications\app\AuthSL.exe" ["Authentium, Inc."]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"schedm" = ""C:\Program Files\AntiVir PersonalEdition Classic\schedm.exe"" ["Avira GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{23CE4E06-2508-11D0-1977-0734210ABE0B}" = "Incinerator"
-> {HKLM...CLSID} = "Incinerator"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\INCINE~1.DLL" ["iolo technologies, LLC"]
"{F408FBC3-47F7-11D3-B7B4-8756DD151C6A}" = "iolo Incinerator Context Menu"
-> {HKLM...CLSID} = "iolo Incinerator Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Incinerator.dll" ["iolo technologies, LLC"]
"{58C83EE0-5261-11D3-81DC-D2AB3F16133C}" = "iolo Incinerator Context Menu"
-> {HKLM...CLSID} = "iolo Incinerator Context Menu for Files"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Incinerator.dll" ["iolo technologies, LLC"]
"{80B24180-4EFB-11D3-A99A-00A024DDB436}" = "iolo Incinerator Properties"
-> {HKLM...CLSID} = "iolo Incinerator Properties Pages"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Incinerator.dll" ["iolo technologies, LLC"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
{58C83EE0-5261-11D3-81DC-D2AB3F16133C}\(Default) = "{58C83EE0-5261-11D3-81DC-D2AB3F16133C}"
-> {HKLM...CLSID} = "iolo Incinerator Context Menu for Files"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Incinerator.dll" ["iolo technologies, LLC"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY SECURITY SUITE\KASPERSKY ANTI-VIRUS PERSONAL\SHELLEX.DLL" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\SHLEXT.DLL" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
{58C83EE0-5261-11D3-81DC-D2AB3F16133C}\(Default) = "{58C83EE0-5261-11D3-81DC-D2AB3F16133C}"
-> {HKLM...CLSID} = "iolo Incinerator Context Menu for Files"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Incinerator.dll" ["iolo technologies, LLC"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY SECURITY SUITE\KASPERSKY ANTI-VIRUS PERSONAL\SHELLEX.DLL" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\SHLEXT.DLL" ["H+BEDV Datentechnik GmbH"]


System Policies [Description]:
------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoActiveDesktopChanges"=dword:00000001
[prevents changes to Active Desktop configuration; removes
Display Properties|Web (tab)]

HIJACK WARNING! "NoDispBackgroundPage"=dword:00000001
[removes Display Properties, Background (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\My Pictures\arizona.bmp"


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\INCINERATE\DESKTOP.INI
[.ShellClassInfo]
CLSID={23CE4E06-2508-11D0-1977-0734210ABE0B}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\INCINE~1.DLL" ["iolo technologies, LLC"]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Shortcut to SPOOL32.EXE" -> shortcut to: "C:\WINDOWS\SYSTEM\SPOOL32.EXE" [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{63D9F689-FA15-4ECF-91BC-C4D0734E14EA}\
"ButtonText" = "Dell Home"
"Exec" = "http://www.dellnet.com" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "blank*" = "http://205.134.182.164/1/" [file not found]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Printer Monitor\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Canon MP FAX Port\Driver = "CNCUPM9X.dll" ["Canon Inc."]
MpUsbMon\Driver = "MpUsbMon.dll" ["Conceptual Systems."]
Canon MP Language Monitor MP360/370/390\Driver = "MPPLM5I.DLL" ["CANON INC."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 32 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 67 seconds)

LonnyRJones
2006-03-27, 17:28
How long does it hang at running bot check? In other words, it might just appear to hang.
Does it say "not responding" in the title bar? Or is it just slow, as in your topic title?
I can't help but think that having more than one anti-virus installed, or System Mechanic, is involved.
Uninstall all but one anti-virus program; even if one is manually disabled it has other active files such as drivers that cannot be disabled and could cause conflicts with other programs.
When checking for problems are you letting it work without running other programs?

woodchips
2006-03-27, 22:20
It doesn't say "not responding" in the title bar. It continues to count, but at the same rate as in my post.

I will usually terminate Spybot after the counting has slowed for at least one hour.

I typically have only been running Spybot in safe mode.

I removed the cox security suite so only Antivir is installed, and I have uninstalled System Mechanic. What next?

LonnyRJones
2006-03-29, 15:37
I'm not sure what to suggest; I have asked the others to look in.
Other than continue scanning while in safe mode, since that seems to work for you.

woodchips
2006-03-30, 01:02
I haven't been able to complete a single scan yet, even in safe mode. The hang point is the same in both safe and normal mode.

LonnyRJones
2006-03-30, 03:58
Worth a shot, but might not help with the problems.
Try resetting each zone in Internet Explorer > Security; use the Default button.
If that button is dimmed out, click Custom Level > change something, Apply, then OK, then use that Default button. Also Internet Options > Advanced and click the Default Settings button.

Also revisit Windows Update and get any critical updates that are available.

woodchips
2006-03-30, 15:18
Tried, but no change

woodchips
2006-04-03, 15:38
Noticed some other symptoms and thought they might aid in diagnosis.

Can no longer change desktop wallpaper. Previously: right-click on desktop, left-click Properties, change colors/schemes tab.

Mouse cursor blinks and display sometimes blinks/strobes. Looks like when you view a video of a monitor played back on a TV.

Defragmented memory % free of system resources drops dramatically when the cable modem is on, from 80% +/- to 50% +/-.

LonnyRJones
2006-04-03, 18:18
Hi

Desktop: Try the registry file
Launch Notepad (not WordPad), and copy and paste the contents of the code box (not the word code)
below into a new text file. Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoHTMLWallPaper"=-
"NoAddingComponents"=-
"NoChangingWallpaper"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC or log off then back on again.

woodchips
2006-04-04, 01:43
Followed instructions, opened NOTEPAD, copied contents, saved as appropriate file type.

Resulting error message:

Cannot import C:\WINDOWS\DESKTOP\FIXME.REG. The specified file is not a registry script. You can import only registry files

LonnyRJones
2006-04-04, 04:20
My mistake

change "Windows Registry Editor Version 5.00" to >
REGEDIT4

woodchips
2006-04-04, 04:40
Ran fixme.reg; it completed and I rebooted. What was that supposed to remedy? No noticeable change to the ability to change desktop wallpaper, etc.

LonnyRJones
2006-04-04, 08:57
That should have helped with the wallpaper problem.

One more try, delete fixme.reg
Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoDispBackgroundPage"=-

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Let's see if scanreg /fix helps with the other problems; can't hurt to try :)

Go Start > Run, type
scanreg /fix
When it's finished, restart the PC as prompted.

woodchips
2006-04-05, 03:53
Remedy added one additional tab to display properties, now have 4 total (Screen Saver, Effects, Web, Settings) but still not able to change wallpaper.

After rebooting, results listed in the registry editor:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NAME VALUE
CDRAutoRun 00 00 00 00
NoDriveTypeAutoRun 95 00 00 00

Also in the registry editor, does this mean anything?
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

NAME DATA
disableregistrytools 0x00000000 (0)
NoDispApperancePage 0x00000000 (1)
NoDipBackroundPage 0x00000001 (1)

LonnyRJones
2006-04-05, 07:02
You can safely delete
disableregistrytools
NoDispApperancePage
NoDipBackroundPage

Or change the dword to 0
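
As an added illustration (not code from the thread), a small Python script that parses a REGEDIT4 export of the Policies keys discussed above, flags restriction values that are actually set (such as NoDispBackgroundPage), and writes the same kind of deletion script that fixme.reg used; the sample export is constructed to mirror the values reported in this thread.

```python
import re

# Policy values named in the thread; a non-zero DWORD (or non-empty string)
# under a ...\Policies\... key means the restriction is in force.
RESTRICTIONS = {n.lower() for n in (
    "DisableRegistryTools", "NoDispAppearancePage", "NoDispBackgroundPage",
    "NoActiveDesktopChanges", "NoChangingWallpaper", "NoHTMLWallPaper",
    "NoAddingComponents", "NoDeletingComponents", "NoEditingComponents",
    "NoComponents", "ForceActiveDesktopOn", "Wallpaper")}
KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Path]
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')    # "Name"=dword:... / "Name"="..."

def parse_reg(text):
    """Yield (key, name, data) from a REGEDIT4 .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VAL_RE.match(line)) and key:
            yield key, m.group(1), m.group(2)

def is_active(data):
    """True if the value data represents a set (non-zero / non-empty) policy."""
    if data.startswith("dword:"):
        return int(data[6:], 16) != 0
    return data not in ("-", '""')          # "=-" is a deletion, "" is empty

def find_restrictions(text):
    """Return [(key, name, data)] for active restrictions under Policies keys."""
    return [(k, n, d) for k, n, d in parse_reg(text)
            if "\\policies\\" in k.lower() and n.lower() in RESTRICTIONS
            and is_active(d)]

def undo_reg(findings):
    """Build a REGEDIT4 script that deletes the flagged values (like fixme.reg)."""
    out = ["REGEDIT4", ""]
    for key in sorted({k for k, _, _ in findings}):
        out.append(f"[{key}]")
        out += [f'"{n}"=-' for k, n, _ in findings if k == key] + [""]
    return "\n".join(out)

# Constructed sample export, modelled on the values reported in the thread.
SAMPLE = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoActiveDesktopChanges"=dword:00000001
"""
```

Run `print(undo_reg(find_restrictions(SAMPLE)))` to see the deletion script; values that are present but zero (DisableRegistryTools here) are left alone, as they are already harmless.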

woodchips
2006-04-05, 15:31
Now have all tabs back on display properties. What would have put those registry keys in?

LonnyRJones
2006-04-06, 00:11
Good, I'm glad you took a look at that location.
"What would have put those registry keys in?"
Generally malware/spyware or, if networked, a sys administrator.

Any progress on the other problems ?

woodchips
2006-04-06, 02:58
Can I delete the registry keys in the following location? (There are several listings for coolwwwsearch or coolwebsearch.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

woodchips
2006-04-06, 03:31
Don't recognize, can I delete?

HKEY_CURRENT_USER\Software\The Silison Realms Toolworks\Amradillo
HKEY_CURRENT_USER\Software\toolbar_sample
HKEY_CURRENT_USER\Software\Seagate Software

Have two that have the same name; the first one is out of alphabetical order in the editor.
HKEY_CURRENT_USER\ Software (additional space before "Software")
HKEY_CURRENT_USER\Software (appears to be genuine)

LonnyRJones
2006-04-06, 05:04
The ZoneMap and Domains area is where protection programs put
addresses to block access, cookies, etc.

You're on your own with those others; editing the registry can and usually does cause more harm than good.

woodchips
2006-04-06, 06:49
Spybot will still not complete?

Do you have any further thoughts?

Either way, I greatly appreciate all that you have done to this point to get my system back into reasonably good working order.

LonnyRJones
2006-04-06, 08:53
I'm out of ideas for now.

Keep that PC safe
Lonny

tashi
2006-04-10, 20:30
This topic will be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.

Cheers. :)