Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Qucik Launch Toolbar disappears

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Qucik Launch Toolbar disappears

Unread postby benfield1 » December 8th, 2007, 7:19 am

Hi all, I'm running window XP and IE6. I have a recurring problem when I boot up
there is no quick launch on the toolbar and I have to right click the
toolbar every time and select quick launch, It stays like that until the next time I boot up, then its gone and then I have to do it all over again.

I've tried all the usual suggestions. The problem seemed to start after I ran SpyBot to clean the registry - and looking at the various Internet fora, I don't think I'm alone.

Much appreciated if someone could have a look at the attached log

Cheers - Andy
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am
Advertisement
Register to Remove

Re: Qucik Launch Toolbar disappears

Unread postby SpotCheckBilly » December 11th, 2007, 8:50 pm

Hi Andy,

Sorry it's taken so long for someone to respond. As you can probably see, it's very busy around here and everyone is a volunteer. Often there just are not enough to keep up. That being said, let's see if we can take care of your problem. 8)

The first thing I would suggest if you believe that Spybot - Search & Destroy caused your problem, use the Restore function to undo the changes that were made. You can restore all changes or just a single one. Safer Networking (creators of Spybot - Search & Destroy) has a Tutorial explaining all of the functions of the program and how to use them.

If using the Restore function doesn't work, my next suggestion would be to go to the Safer Networking Forums, register, and post your problem there.

Incidentally, Safer Networking forums also have a board for posting HijackThis logs. If you should decide, after working with the folks there, that you wish to continue at that board, please reply to this post and let me know so that I can close the thread here. Posting the same problems in multiple forums causes confusion and is strongly discouraged everywhere.

If you wish to come back here I will be happy to help you. Run a fresh HijackThis scan, then copy/paste the results into your reply. Either way, I am now subscribed to this post and await your reply. :wave:

SpotCheckBilly
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re: Quick Launch Toolbar disappears

Unread postby benfield1 » December 13th, 2007, 1:56 pm

Hi SCB,

Many thanks for your reply and suggestion.

The Spybot forum doesn't list my problem aqs a known one. I've reloaded the discarded reg entries, but I still get the problem.

I was following this link: http://www.techspot.com/vb/topic73355.html as my problem seems to be the same (Quick Launch toolbar disappears and Recycle bin on right following a reboot.) I don' think I've got the same Malware (Vundo) but perhaps you could give the log a quick check. The other issue I have found that sounds similar on other fora is Blaze...something.

At any rate it's an annoyance to have to reinstate the Quick Launch toolbar each time I start the computer, but if there are no indications of anything more serious, I'll just have to live with it.

Regards

Andy
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am

Re: Qucik Launch Toolbar disappears

Unread postby SpotCheckBilly » December 13th, 2007, 7:05 pm

Hi Andy,

***Very Important***

Under no circumstances use a fix designed for another person's machine. Each machine is configured/set up differently and using a fix tailored to a specific machine can cause irreparable damage to your computer.

OK, let's make sure we have the most current data available. If you already have the latest version of HijackThis (2.0.2) just skip the download/install section of the following instructions. Incidentally, one of the major differences between this forum and some of the others is that we don't attach log files here. Just copy/paste the logs contents into your reply. 8)

Please click Here or Here to download HJTInstall.exe.
  • Save HJTInstall.exe to your desktop.
  • Double click the HJTInstall.exe icon on your desktop.
  • Click Install.
  • By default program will install to C:\Program Files\Trend Micro\HijackThis.
  • HijackThis (HJT) will launch.
  • Close any/all browsers, messenger, mediaplayer, Office and mail client windows and applications.
  • Click Do a system scan and save a logfile
  • When the scan is finished, a Notepad window will open containing the contents.
  • Hit Ctrl+a to select all of the logs contents.
  • Hit Ctrl+c to copy the logs contents.
  • Come back to this thread.
  • Click Reply.
  • Hit Ctrl+v to paste the log into the Message body box..
  • DO NOT have HijackThis fix anything yet. (Most of what it finds will be harmless or even essential.)
  • Make certain your post shows the entire log, please.
NOTE: For subsequent HijackThis scans:
Double click the HijackThis shortcut on your desktop.

C:\Program Files\Trend Micro\HijackThis is where you will find the HJT logs that you save. This is also where you will find the backup copies created by HijackThis when you have it "fix" entries.

Finally, before closing HJT:
  • Please Click the AnalyzeThis button.
  • "Analyze This" is for use by TrendMicro only!
  • "AnalyzeThis" DOES NOT mean "Analyze My Log".
  • You will need to post your log back to the forum.
  • Close the web page that appears then close HijackThis.
I'll check over your log and post back my recommendations. NOTE: Please DO NOT run any other scans or fixes unless instructed to do so. Some malware requires fixes be done in specific order using specific tools. Doing things out of sequence can turn a (relatively) simple fix into a nightmare.

So let's dig in and see what we can find. :wave:

SpotCheckBilly
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re: Qucik Launch Toolbar disappears

Unread postby benfield1 » December 14th, 2007, 4:49 am

OK following your instructions:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:45:46, on 14/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
c:\jdk1.3.1_01\bin\java.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_14\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /O6 "USB001" /M "Stylus Photo RX520"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_14\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://portal.mydsti.com/Citrix/ICAWEB ... ica32t.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{7878798B-3E5D-4A17-A51F-B8A7C4D752BF}: Domain = dstintl.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6192 bytes

Regards

Andy
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am

Re: Qucik Launch Toolbar disappears

Unread postby SpotCheckBilly » December 14th, 2007, 9:17 pm

Hello Andy,

Well, your log does not show the Vundo infection, the sister. However, I'm curious about a couple of things. The following entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present


O17 - HKLM\System\CCS\Services\Tcpip\..\{7878798B-3E5D-4A17-A51F-B8A7C4D752BF}: Domain = dstintl.com

Would seem to indicate that this is a corporate computer. If this is so, do you have permission to make administrative changes? If you don't, we can go no further since you will need administrator privileges.

If this is a corporate machine, it would be best to have the folks in your IT department take care of the problem.

Let me know what's up, and we can proceed from there. :wave:

SCB
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re: Qucik Launch Toolbar disappears

Unread postby benfield1 » December 15th, 2007, 5:52 am

Hi SCB

Glad to know I don't have Vundo.

No, it's not a corporate computer and I have full Admin rights. The reason for the domain entry is that I need ia defined workgroup which matches my laptop exactly to set up a local null-modem with to my laptop (which is a company one that I can't change) to xfer files.

I've looked at the registry entries you highlighted: (attached file), Could these be the problem?

Really appreciate your help - thanks

Andy
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am

Re: Qucik Launch Toolbar disappears

Unread postby SpotCheckBilly » December 16th, 2007, 7:09 pm

Hi Andy,

Sorry I didn't get that you earlier, but I had problems logging on to the forum yesterday. Unfortunately, just because your HijackThis log doesn't show signs of Vundo, it doesn't mean that it -- or something else isn't lurking in your machine. So let's take a little closer look. 8)

First, let's do a couple of quick scans to see if anything pops out. First:

Deckard's System Scanner
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply

Next,d ownload Silent Runners.zip and extract it to your Desktop.
  • Double-click the Silent Runners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
  • If your antivirus program has a script blocker, you may get a prompt asking if you want to allow Silent Runners.vbs to run.
  • Please allow it. Note: A text file named Startup Programs (computer name) date.txt will show up on your desktop-the script has NOT finished yet.
  • Let the scan run (It won't appear to be doing anything!)
  • When the "All Done!" prompt flashes up, the script will be done running and the log file will be complete.

These two scans will produce pretty detailed information about what's going on inside of your machine. We should be able to tell if there's any malware hiding out and formulate a plan of attack from the results.

So, in your next reply, please include:
  • main.txt from the DSS scan.
  • extra.txt from the DSS scan.
  • the results from the Silent Runners scan.

NOTE: These logs can get quite lengthy so it may require several replies to post their entire contents. :wave:

SCB
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re: Qucik Launch Toolbar disappears

Unread postby benfield1 » December 17th, 2007, 5:01 am

Deckard's System Scanner v20071014.68
Run by Andy on 2007-12-17 08:51:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Andy.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:55:46, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
c:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe
c:\jdk1.3.1_01\bin\java.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_14\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\utilities\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /O6 "USB001" /M "Stylus Photo RX520"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_14\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://portal.mydsti.com/Citrix/ICAWEB ... ica32t.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{7878798B-3E5D-4A17-A51F-B8A7C4D752BF}: Domain = dstintl.com
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6307 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 FreeTdi (Radialpoint Filter) - c:\windows\system32\drivers\freetdi.sys <Not Verified; Radialpoint Inc.; Radialpoint>
R3 Intels51 (Creatix V.9X DSP Data Fax Modem) - c:\windows\system32\drivers\ctxs51.sys <Not Verified; Intel Corporation; Intel® 536EP Modem Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 usbcm (USB Cable Modem 351000 NDIS Driver) - c:\windows\system32\drivers\usbcm.sys <Not Verified; Microsystems Corp; USBCM 351000>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 ham50 (Creatix V.92 HAM Data Fax Modem) - c:\windows\system32\drivers\ctxh51.sys <Not Verified; Intel Corporation; Intel® Hardware accelerated Modem Driver>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)
S3 STV680 (Digital Camera) - c:\windows\system32\drivers\stv680.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apache - "c:\program files\apache group\apache\apache.exe" --ntservice
R2 FWS (Radialpoint Service) - c:\program files\ntl\ntl netguard\fws.exe <Not Verified; Radialpoint Inc.; Radialpoint Security Services 5.2.0>

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Freedom Miniport
Device ID: ROOT\ZK_MINIPORT\0001
Manufacturer: Zero-Knowledge Systems Inc.
Name: WAN Miniport (IPX) - Freedom Miniport
PNP Device ID: ROOT\ZK_MINIPORT\0001
Service: FREEDOM


-- Scheduled Tasks -------------------------------------------------------------

2007-12-14 16:00:00 392 --ah----- C:\WINDOWS\Tasks\{EC79432F-933C-4400-BB71-330272A3E9EB}_BENFIELD_Andy.job
2007-12-14 16:00:00 392 --ah----- C:\WINDOWS\Tasks\{A641225E-78B9-47CB-AD82-9B9C52756207}_BENFIELD_Andy.job
2007-12-14 09:00:00 392 --ah----- C:\WINDOWS\Tasks\{94843DD9-49E4-4C54-8EFD-6A6FC36F5AC8}_BENFIELD_Andy.job


-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-15 09:52:12 0 dr-h----- C:\Documents and Settings\Andy\Recent
2007-12-10 11:13:06 0 d-------- C:\Documents and Settings\Andy\Application Data\Virgin Broadband
2007-12-10 11:12:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-12-10 10:47:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-09 10:37:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-08 15:38:28 0 d-------- C:\Documents and Settings\Andy\.housecall6.6
2007-12-08 10:35:40 0 d-------- C:\Program Files\Trend Micro
2007-12-03 13:30:38 0 d-------- C:\LTSB_CBT_Acquire2
2007-12-03 12:19:47 0 d-------- C:\LloydsTSB
2007-12-03 12:15:23 0 d-------- C:\Lcsentry
2007-12-02 16:56:37 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 17:11:45 0 d-------- C:\temp
2007-11-18 10:57:50 88 --a------ C:\WINDOWS\CwbRmDir.bat
2007-11-18 10:41:23 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-11-18 10:41:03 143360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll <Not Verified; MaxSecure Software; MaxSecure Registration Module>
2007-11-18 10:41:03 0 d-------- C:\Program Files\Max Registry Cleaner


-- Find3M Report ---------------------------------------------------------------

2007-12-10 16:35:08 0 d-------- C:\Program Files\Common Files\Command Software
2007-11-23 11:06:35 0 d-------- C:\Program Files\DST
2007-11-22 12:55:37 0 d-------- C:\Program Files\Java
2007-11-12 10:43:44 0 d-------- C:\Program Files\Business Intelligence NT Server
2007-10-29 11:17:39 0 d-------- C:\Documents and Settings\Andy\Application Data\Apple Computer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15/10/2004 18:40]
"EPSON Stylus Photo RX520 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.exe" [07/04/2005 04:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [14/03/2007 18:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [16/02/2007 09:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/04/2004 16:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_14\bin\jusched.exe" [05/10/2007 03:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoActiveDesktop"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=00000000
"ClearRecentDocsOnExit"=01000000
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FlashPath Monitor.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{576c0f32-f0a5-11db-b692-00d059f240df}]
AutoRun\command- H:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2007-12-17 08:57:25 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.53GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 511.49 MiB / 248.64 MiB
Pagefile Memory (total/avail): 1247.94 MiB / 994.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.25 GiB total, 21.71 GiB free.
D: is Fixed (NTFS) - 34.34 GiB total, 11.88 GiB free.
E: is Fixed (FAT32) - 2.93 GiB total, 0.13 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)
I: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST380020A - 74.53 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 37.28 GiB - D: - E:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

AntivirusOverride is set.

FW: ntl Netguard Firewall v5.2.0 (Ntl) Disabled
FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: ntl Netguard Anti-virus v5.2.0 (Ntl) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\AWDWIN\\BIN\\ABOUTAWD.EXE"="C:\\AWDWIN\\BIN\\ABOUTAWD.EXE:*:Enabled:About"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealOne Player"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"C:\\AWD_NT\\BIN\\VMANAGER.EXE"="C:\\AWD_NT\\BIN\\VMANAGER.EXE:*:Disabled:VMANAGER"
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE:*:Enabled:Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE:*:Enabled:ActiveSync Application"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\DST\\AWD\\SERVER\\3.1\\BIN\\vmsd.exe"="C:\\Program Files\\DST\\AWD\\SERVER\\3.1\\BIN\\vmsd.exe:*:Enabled:vmsd"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Run a DLL as an App"
"C:\\j2sdk1.4.2_09\\jre\\bin\\java.exe"="C:\\j2sdk1.4.2_09\\jre\\bin\\java.exe:*:Enabled:java"
"C:\\jdk1.5.0_05\\bin\\java.exe"="C:\\jdk1.5.0_05\\bin\\java.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\DST\\AWD\\SERVER\\3.2\\BIN\\vmsd.exe"="C:\\Program Files\\DST\\AWD\\SERVER\\3.2\\BIN\\vmsd.exe:*:Enabled:AWD Server 3.2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Java\\jre1.5.0_14\\bin\\java.exe"="C:\\Program Files\\Java\\jre1.5.0_14\\bin\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\j2sdk1.4.2_09\\bin\\java.exe"="C:\\j2sdk1.4.2_09\\bin\\java.exe:*:Enabled:java"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
ANT_HOME=C:\jakarta-ant-1.5.1
APPDATA=C:\Documents and Settings\Andy\Application Data
AWDSRVDIR=C:\Program Files\DST\AWD\SERVER\3.1\
AWD_HOME=C:\AWDWIN
BDMCLSPTH=C:\Program Files\DST\AWD BI Server for Windows\3.1\java\BIJMAP.jar;C:\j2sdk1.4.2_09\jre\lib\ext\log4j-1.2.8.jar;c:\BIJMAP\Release
BDMJVMPTH=C:\j2sdk1.4.2_09\jre\bin\server
BDMPRPPTH=C:\Program Files\DST\AWD BI Server for Windows\3.1\Properties
BILBUILDENV=C:\BILUpgrade\BIL_Custom\ServerUpgrade\BILReferences
buildenv100=c:\AWD_DEVELOPMENT\AWD_BUILD_ENVIRONMENT\V100
BUILDENV200=c:\AWD_DEVELOPMENT\AWD_BUILD_ENVIRONMENT\V200
buildenv300=c:\AWD_DEVELOPMENT\AWD_BUILD_ENVIRONMENT\V300
BUILDENV310=C:\AWD_Development\AWD_Build_Environment\V310
BUILDENV320=C:\AWD_Development\AWD_Build_Environment\V320
BUILDMAJORVERSION=1
BUILDMINORVERSION=1
CATALINA_HOME=C:\jakarta-tomcat-4.0
CLASSPATH=.;C:\Program Files\DST\AWD RIP\JARS\awdaft.jar;C:\Program Files\DST\AWD RIP\JARS\RIP31msg_en_US.jar;C:\Program Files\DST\AWD RIP\JARS\jh.jar;C:\Program Files\DST\AWD RIP\JARS\RIP31.jar;C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
COMMONCODE=C:\AWD_Development\Development\AWD Clients\LCS\CommonArea\common_code
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BENFIELD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Andy
include=C:\Program Files\Microsoft Visual Studio\VC98\atl\include;C:\Program Files\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files\Microsoft Visual Studio\VC98\include
JAVA_HOME=C:/j2sdk1.4.2_09
LCSACQUIRE=C:\AWD_Development\Development\AWD Clients\LCS
lib=C:\Program Files\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files\Microsoft Visual Studio\VC98\lib
LOGONSERVER=\\BENFIELD
MSDevDir=C:\Program Files\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=c:\dst\awdview\bin;c:\dst\awdview\dll;c:\program files\dst\awd\server\3.1\bin\update;c:\program files\dst\awd\server\3.1\bin;c:\awdwin\bin;c:\awdwin\dll;c:\program files\dst\business intelligence\3.0\bin;c:\j2sdk1.3.1_01\bin;c:\j2sdk1.4.1_02\bin;c:\windows\system32;c:\windows;C:\Program Files\Business Intelligence NT Server
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
RPB_HOME=C:\WorkMonitor
SESSIONNAME=Console
SOMIR=C:\AWDWIN\AWDWIN.IR
SQLTRACE=C:\AWDWIN\BIN
SYSTEMBUILD=C:\LTSB_CBT_Acquire2\SystemBuild\ExecutableFiles
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\DOCUME~1\Andy\LOCALS~1\Temp
TMP=C:\DOCUME~1\Andy\LOCALS~1\Temp
USERDOMAIN=BENFIELD
USERNAME=Andy
USERPROFILE=C:\Documents and Settings\Andy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Andy (admin)
Wendy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{B0B2F265-B6AA-11D4-82AE-10A055C10000}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Apache HTTP Server 1.3.22 --> MsiExec.exe /I{5D29A4EF-A57F-4F47-89F8-4EB3C5302A53}
Apache JServ 1.1.2 --> C:\WINDOWS\unvise32.exe C:\Program Files\Apache JServ 1.1.2\uninstal.log
Avance AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
AWD Administration 3.2 ENH 06300100 --> MsiExec.exe /I{2BF90568-5BC1-4AC3-9F49-7971EDE56221}
AWD Business Intelligence Server for Windows --> MsiExec.exe /I{5DE82716-742D-4471-85AD-AE16AF223A28}
AWD Content Services Administration --> MsiExec.exe /I{B1CC198E-6775-4921-8218-5A58364B1C1D}
AWD Content Services Administration PTF 2_2 --> MsiExec.exe /I{DD0A7EC0-C6E9-4ABA-9BAE-3A70C8808DDE}
AWD RIP 3.1 --> MsiExec.exe /I{F1ED663C-B68D-4A1B-97D7-9336B18AD21E}
AWD Server 3.1 for Windows Server using SMC --> MsiExec.exe /I{63AA57DC-EC18-4BB9-8852-E1CD84E8F1A0}
AWD Server 3.1 PTF 05340101 --> MsiExec.exe /I{27485244-B29F-4434-8AE7-8CA04584AA66}
AWD Server 3.1 PTF 06160101 --> MsiExec.exe /I{786951D4-44BD-48BC-9A05-47D129480D55}
AWD Server 3.2.2 for Windows Server using content services --> MsiExec.exe /I{A9D6C787-9D95-46CF-B595-DE056B75A7D2}
AWD Server for Windows NT SQL Server --> C:\WINDOWS\IsUninst.exe -fC:\AWD_NT\AWDServerSQL233.isu
AWD Software Developer's Toolkit --> C:\WINDOWS\IsUninst.exe -fC:\AWDWIN\TOOLKIT\Uninst.isu
AWD/Business Intelligence Server 3.2 for Windows --> MsiExec.exe /I{46662468-1CA8-40F1-A8BD-97858CF95558}
AWD/Business Intelligence Server V1.1 for Windows NT --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Business Intelligence NT Server\BISERVER11.ISU"
AWD/Knowledge Enabler Client for Windows NT/2000/XP --> C:\WINDOWS\IsUninst.exe -fC:\AWDWIN\AWDKE12.isu
AWD/Knowledge Enabler for Windows NT using SQL Server --> C:\WINDOWS\IsUninst.exe -fC:\AWD_NT\AWDKEServerSQL12.isu
AWD/NetServer 3.1 --> MsiExec.exe /I{C1404F57-8592-44AE-978D-B6D8ED060ABE}
AWD/Thin Client 3.1 --> MsiExec.exe /I{49581AB4-D0D7-4AFB-9065-E3541C2AAB1E}
AWD/Viewstation for Windows NT/2000/XP --> C:\WINDOWS\IsUninst.exe -fC:\AWDWIN\AWDView234b.isu
AWDView 1.5.3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D84BF1CA-6AF1-4315-BC4E-2D7ABB60D311}\Setup.exe" UNINSTALL
Citrix ICA Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
ClearType Tuning Control Panel Applet --> MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
CmdHere Powertoy For Windows XP --> MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
EditPlus 2 --> C:\Program Files\EditPlus 2\remove.exe
EnCorr 1.5a with PTF 06186100 --> MsiExec.exe /I{9A5CB02E-D0E4-4FBB-ACFA-EA71E4042E47}
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
ESPRX520 User's Guide --> C:\Program Files\EPSON\TPMANUAL\ESPRX520\USE_G\DOCUNINS.EXE
Ethereal 0.99.0 --> "C:\Program Files\Ethereal\uninstall.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Informations about your PC --> MsiExec.exe /I{0AB149EB-2AE0-466C-9BA4-3A718CF06432}
InstallShield for Microsoft Visual C++ 6 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\InstallShield\InstallShield for Microsoft Visual C++ 6\Uninst.isu"
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iTunes --> MsiExec.exe /I{AB90749C-7422-4580-8A7A-66CC5E9E5F98}
J2SE Development Kit 5.0 Update 14 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150140}
J2SE Development Kit 5.0 Update 5 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150050}
J2SE Runtime Environment 5.0 Update 14 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150140}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
Java 2 SDK Standard Edition v1.3.1_01 --> C:\WINDOWS\IsUninst.exe -fC:\jdk1.3.1_01\Uninst.isu
Java 2 SDK, SE v1.4.2_09 --> MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142090}
Java(TM) Web Services Developer Pack 1.3 --> C:\jwsdp-1.3\_uninst\uninstaller.exe
JCreator Pro 2.50 --> "C:\Program Files\Xinox Software\JCreator Pro\unins000.exe"
KE Utility Suite v3.3.9 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C87B58E1-8075-11D7-8B1E-000103846BBD}\setup.exe" -l0x9
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft ActiveSync 3.7 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft AutoRoute 2002 --> MsiExec.exe /I{F7F2DC0A-C22E-49AD-AD37-797309A54E7B}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Outlook 2002 --> MsiExec.exe /I{911A0409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server 2000 (AWD3) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\MSSQL$AWD3\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\MSSQL$AWD3\sqlsun.dll" -msql.mif i=AWD3
Microsoft Visual Basic 6.0 Enterprise Edition --> "C:\Program Files\Microsoft Visual Studio\VB98\Setup\1033\Setup.exe"
Microsoft Visual Studio 6.0 Enterprise Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
MSDN Library - Visual Studio 6.0a --> "C:\Program Files\Microsoft Visual Studio\MSDN98\98VSa\1033\Setup\Setup.exe"
Navman SmartST Desktop 2005 for Pocket PC --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E70FB91C-B8C7-46AB-A697-7F2C2A99A750}\expand.exe" -l0x9
Nero --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
NetBeans IDE 4.1 --> C:\netbeans-4.1\_uninst\uninstaller.exe
ntl Netguard Security --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{AA78B670-C664-432A-817D-B1C7879777A2}
OLYMPUS C-3.0W95E --> C:\WINDOWS\uninst.exe -fC:\OLYMPUS\CAMERA95\DeIsL1.isu
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SnagIt 7 --> C:\Program Files\TechSmith\SnagIt 7\SIUNINST.EXE
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Su Doku Deluxe --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CA01179-49EF-45E8-9079-881B5A17FCCB}\setup.exe" -l0x9
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
TextBridge Classic --> "C:\PROGRA~1\TEXTBR~1\bin\setup.exe" -funinstal.ins
The Ultimate Troubleshooter --> C:\PROGRA~1\ANSWER~1\TROUBL~1\UNWISE.EXE C:\PROGRA~1\ANSWER~1\TROUBL~1\INSTALL.LOG
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
VPN Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5624C000-B109-11D4-9DB4-00E0290FCAC5}\Setup.exe" -l0x9 VpnUninstall
Windows Installer Clean Up --> MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
WinPcap 3.1 --> C:\Program Files\WinPcap\uninstall.exe
WinZip --> C:\Program Files\WinZip\WINZIP32.EXE /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type64740 / Warning
Event Submitted/Written: 12/17/2007 08:44:09 AM
Event ID/Source: 19011 / MSSQL$AWD3
Event Description:
SuperSocket info: (SpnRegister) : Error 1355.

Event Record #/Type64734 / Error
Event Submitted/Written: 12/17/2007 08:44:04 AM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type64723 / Warning
Event Submitted/Written: 12/16/2007 04:26:08 PM
Event ID/Source: 19011 / MSSQL$AWD3
Event Description:
SuperSocket info: (SpnRegister) : Error 1355.

Event Record #/Type64717 / Error
Event Submitted/Written: 12/16/2007 04:26:05 PM
Event ID/Source: 1802 / SecurityCenter
Event Description:
The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Event Record #/Type64707 / Warning
Event Submitted/Written: 12/15/2007 09:25:07 AM
Event ID/Source: 19011 / MSSQL$AWD3
Event Description:
SuperSocket info: (SpnRegister) : Error 1355.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type101409 / Error
Event Submitted/Written: 12/17/2007 08:53:36 AM
Event ID/Source: 7 / Disk
Event Description:
The device, \Device\Harddisk0\D, has a bad block.

Event Record #/Type101392 / Warning
Event Submitted/Written: 12/17/2007 08:43:52 AM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share iSeries because the directory D:\iSeries no longer exists. Please run "net share iSeries /delete" to delete the share, or recreate the directory D:\iSeries.

Event Record #/Type101391 / Warning
Event Submitted/Written: 12/17/2007 08:43:52 AM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share Z because the directory D:\Z no longer exists. Please run "net share Z /delete" to delete the share, or recreate the directory D:\Z.

Event Record #/Type101370 / Warning
Event Submitted/Written: 12/16/2007 04:25:44 PM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share iSeries because the directory D:\iSeries no longer exists. Please run "net share iSeries /delete" to delete the share, or recreate the directory D:\iSeries.

Event Record #/Type101369 / Warning
Event Submitted/Written: 12/16/2007 04:25:44 PM
Event ID/Source: 2511 / Server
Event Description:
The server service was unable to recreate the share Z because the directory D:\Z no longer exists. Please run "net share Z /delete" to delete the share, or recreate the directory D:\Z.



-- End of Deckard's System Scanner: finished at 2007-12-17 08:57:25 ------------
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am

Re: Qucik Launch Toolbar disappears

Unread postby benfield1 » December 17th, 2007, 5:12 am

Hi SCB

I'm having trouble with Silent Runner:

Line 9228
Char 1
Error Out of Memory
Code: 800A0007
Microsoft VBScript runtime error

- will try again later
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am

Re: Qucik Launch Toolbar disappears

Unread postby benfield1 » December 17th, 2007, 9:57 am

Still got the 'out of memory' error runing Silent Runners with the supplementary scan option. This is the result without the supplementary scan:

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"EPSON Stylus Photo RX520 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /O6 "USB001" /M "Stylus Photo RX520"" ["SEIKO EPSON CORPORATION"]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_14\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
-> {HKLM...CLSID} = "HelperObject Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO"
-> {HKLM...CLSID} = "PopKill Class"
\InProcServer32\(Default) = "C:\Program Files\ntl\ntl Netguard\pkR.dll" ["Radialpoint Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = "Form Filler BHO"
-> {HKLM...CLSID} = "ZKBho Class"
\InProcServer32\(Default) = "C:\Program Files\ntl\ntl Netguard\FBHR.dll" ["Radialpoint Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\msdev.exe" -p %ld -e %ld" [MS]
"Auto" = "0"

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
EditPlus\(Default) = "{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"
-> {HKLM...CLSID} = "EditPlus Context Menu Handler"
\InProcServer32\(Default) = "C:\Program Files\EditPlus 2\eppshell.dll" [null data]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {HKLM...CLSID} = "SnagItShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_BINARY) hex:00 00 00 00
{Disable Active Desktop}

"ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00
{unrecognized setting}

"NoToolbarCustomize" = (REG_DWORD) dword:0x00000000
{Disable customizing browser toolbar buttons}

"NoBandCustomize" = (REG_DWORD) dword:0x00000000
{Disable customizing browser toolbars}

"NoToolbarsOnTaskbar" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSaveSettings" = (REG_BINARY) hex:00 00 00 00
{Don't save settings at exit}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoToolbarCustomize" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoBandCustomize" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoToolbarsOnTaskbar" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoActiveDesktop" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ClassicShell" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Andy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\System32\Fish.scr" [null data]


Enabled Scheduled Tasks:
------------------------

"{94843DD9-49E4-4C54-8EFD-6A6FC36F5AC8}_BENFIELD_Andy" -> launches: "c:\windows\system32\mobsync.exe /Schedule="{94843DD9-49E4-4C54-8EFD-6A6FC36F5AC8}_BENFIELD_Andy"" [MS]
"{A641225E-78B9-47CB-AD82-9B9C52756207}_BENFIELD_Andy" -> launches: "c:\windows\system32\mobsync.exe /Schedule="{A641225E-78B9-47CB-AD82-9B9C52756207}_BENFIELD_Andy"" [MS]
"{EC79432F-933C-4400-BB71-330272A3E9EB}_BENFIELD_Andy" -> launches: "c:\windows\system32\mobsync.exe /Schedule="{EC79432F-933C-4400-BB71-330272A3E9EB}_BENFIELD_Andy"" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
-> {HKLM...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll" ["TechSmith Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_14"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_14"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_14\bin\npjpi150_14.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INETREPL.DLL" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INETREPL.DLL" [MS]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.medion.co.uk

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apache, Apache, ""C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice" [null data]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
DvpApi, dvpapi, ""C:\Program Files\Common Files\Command Software\dvpapi.exe"" ["Authentium, Inc."]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
MSSQL$AWD3, MSSQL$AWD3, "C:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sAWD3" [MS]
Radialpoint Service, FWS, "C:\Program Files\ntl\ntl Netguard\fws.exe" ["Radialpoint Inc."]
SAP Agent, NwSapAgent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus Photo RX520 Series 2KMonitor5E\Driver = "E_FLMAGE.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-12-17 13:48:45)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 57 seconds, including 8 seconds for message boxes)
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am

Re: Qucik Launch Toolbar disappears

Unread postby SpotCheckBilly » December 17th, 2007, 7:50 pm

Hi Andy,

Sorry about the trouble that you're having with Silent Runners. I will check around here to see if anyone has encountered this problem before. You can also contact the creators using their Contact Page. With the DSS scan we may not have to worry about it.

Couple of things that we can take care of while I analyze the scans. Do you have SUPERAntiSpyware installed? This O20 entry:

O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\

Is not the place that it should be running from, which is:

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.

You may wish to uninstall it, then have HijackThis fix that O20 entry.

Next, Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Step 1:

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE): Currently Version 6, Update 3.
  • Scroll down to: ""Java Runtime Environment (JRE) 6u3 allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check-mark (tic): "Accept License Agreement".
  • Page will refresh.
  • Click "Windows Offline Installation (with or without Multilanguage) ".
  • Save to desktop.

Step 2:

Remove older versions:
  • Close any programs you may have running - especially web browser(s).
  • Go to Start => Control Panel
  • Double-click Add/Remove programs.
  • Highlight any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click Remove or Change/Remove.
  • Repeat for any/all versions of Java.

Step 3:

Install newest version:
  • After all Java components are removed:
    Reboot
  • Double-click jre-6u3-windows-i586-p.exe on your desktop.
  • Follow prompts to install new version.

I'll check over the information that you provided and get back to you as soon as I can. :wave:

SCB
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re: Qucik Launch Toolbar disappears

Unread postby SpotCheckBilly » December 18th, 2007, 9:24 pm

Hi Andy,

The good news is that I don't see any signs of malware in either one of your logs. There are a couple things going on that are of concern, though. First off, it would seem that in addition to your Sygate firewall, you also have the XP firewall enabled, as shown by these two entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe"

Windows Internal Firewall is enabled.


If you're using a paid version of Sygate Personal Firewall, you're probably OK. However, the free version, if I'm not mistaken is no longer supported -- or even available if my memory serves. So if you're using a freebie I would recommend that you replace it. Both COMODO and Sunbelt Personal Firewall (formerly Kerio) offer very good free products. Sunbelt offers a paid for version as well. In any case third-party firewalls do not get along with the built-in XP firewall. Whether you change or not, you should go into Windows Security Center and disable the XP firewall.

The next area of concern is that it would seem the reason you're unable to keep/change your taskbar settings is caused by policies that block registry edits. These entries from your DSS log:

System Policies:

[[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoActiveDesktop"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=00000000
"ClearRecentDocsOnExit"=01000000
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=00000000


Indicate that you are currently unable to edit your registry settings, which is required if you wish to save your desktop modifications e.g. Quick Launch, icon placement etc. This is very common in computers that have been used on a corporate network. For security and continuity reasons system administrators (and rightly so) don't want people -- or malicious code unwittingly downloaded by an employee -- mucking around in the registry.

It's quite possible that Netgear was used to set these policies and if that's the case you should be able to remove the restrictions using it. If you still have Netgear installed, of course. I've asked some of the other experts here at Malware Removal to take a look at this thread and give me their input.

Let me know if you still haveNetgear installed and whether you are able to remove the registry restrictions. Otherwise, we'll have to attack this from a different direction. Looking forward to your reply. :wave:

SCB
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re: Qucik Launch Toolbar disappears

Unread postby benfield1 » December 19th, 2007, 5:13 am

Hi SCB,

You've been busy...

1) I'll change my version of java at the weekend.

2) I don't have SuperAntiSpyware installed; can I use HJT fix just to remove the registry entry?

3) I use the freebie Sygate, so I'll change that. Which of those two replacements would you recommend? Once installed I'll switch off the XP firewall - I only have it on to avoid the MS 'nag screens'

4) I didn't use Netgear and don't have it installed at all. Those registry entries were made explicitly by me, following reading other posts on similar problems. I thought they were binary switches, so "NoToolbarsOnTaskbar"=0 (0x0) meant 'Not NoToolbars' i.e. allow toolbars; "NoSaveSettings"=00000000 meant 'Save settings' etc.

This could be my problem. Let me know which entries I should take out.

5) I didn't put in:
[[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0). This must have been software installed. Should I remove it?

Again, many thanks for your help,

Andy
benfield1
Active Member
 
Posts: 12
Joined: December 8th, 2007, 6:50 am

Re: Qucik Launch Toolbar disappears

Unread postby SpotCheckBilly » December 20th, 2007, 8:38 pm

Hi Andy,

Sorry I didn't get back to you yesterday, my ISP who was down all day which is very unusual. Roadrunner has been a virtual rock since I first got it four years ago. I've consulted with several other experts and we don't believe that you have any sort of a malware problem. We are working to see if we can find a solution to your troubles. Meanwhile, we can take care of your current concerns. Let's take these one at a time.

1) I'll change my version of java at the weekend.
Good plan. Some malware uses JavaScript so keeping it up to date makes sure that the vulnerabilities are patched.

2) I don't have SuperAntiSpyware installed; can I use HJT fix just to remove the registry entry?
Before you fix that entry, let's do this:

Access the Uninstall Manager:
  • Launch HijackThis.
  • Click Open the "Misc.Tools" section.
  • Click Open Uninstall Manager.
  • Scroll through the list to see if SuperAntiSpyware is present.
  • If it is Highlight the entry.
  • Click Delete this entry .
  • Exit Hijackthis.
If SuperAntiSpyware is not present, it's okay, go ahead and close HijackThis. Using Windows Explorer, delete any folders labeled SuperAntiSpyware. Let's hold off fixing anything with HijackThis right now.

3) I use the freebie Sygate......
well, I personally use COMODO. It's pretty easy to use and configure and (maybe I shouldn't mention this LOL), it has plenty of advanced features for power tweaking.

4) I didn't use Netgear......
Does your ISP Come with its own pop up blocker and firewall? Netgear, is also part of a security suite (Netguard). Netguard also offers bundles to corporations and ISPs which, if I had been able to do a little bit more digging, I would have discovered. Needless to say, I went off on a complete tangent there. Sorry.

Those registry entries.....I didn't put in.....
In my next reply, I will include a reg script to take care of the registry edits. After we take care of those, we will take care of the HijackThis entries. We should have a much clearer picture of four were looking at then. :wave:

SCB
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware