help please


Devlin Carnet
18th Nov 2004, 19:15
Hello,
I need your help, E-Liam, Richard or one of you other kind chaps.
Having serious problems with my father's PC.
One of the main troubles is that the desktop wallpaper is a spyware/adware program and it will not go away, and Windows reports a serious error when it boots (sometimes it doesn't boot at all).

Ran HijackThis and got the following log:

Logfile of HijackThis v1.98.0
Scan saved at 19:35:02, on 18/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\golumm\services.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\WINDOWS\emsw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\clulegih.exe
C:\Documents and Settings\x\Application Data\osrr.exe
C:\WINDOWS\System32\w?nspool.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 "EPSON Stylus C82 Series (Copy 1)" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wintzn32.exe
O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [p0] C:\documents and settings\x\local settings\temp\p0.exe
O4 - HKLM\..\Run: [lB] C:\documents and settings\x\local settings\temp\lB.exe
O4 - HKLM\..\Run: [L] C:\documents and settings\ x\local settings\temp\L.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\x\HXIUL.EXE
O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe
O4 - HKCU\..\Run: [Ko08RgK2U] clulegih.exe
O4 - HKCU\..\Run: [Pldo] C:\Documents and Settings\ x\Application Data\osrr.exe
O4 - HKCU\..\Run: [Ibrx] C:\WINDOWS\System32\w?nspool.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mhtml!http://81.9.3.86//scripts//dw//chm.chm?id=dp::/win.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {12C5D0C2-3DA8-16A4-D9B4-62644D0DFAE7} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {14C85530-DDB3-7953-8BD6-37EC45890F02} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {1E3E231C-9DB4-4AD8-F591-72F6090FDEDE} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/us/ringtone/ringtone.exe
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab

Very much in your debt. Thanks.

Naples Air Center, Inc.
19th Nov 2004, 13:54
Devlin Carnet,

You have been hit by several malware programs, including CoolWebSearch.

These are either spyware or highly suspect:

C:\Program Files\Windows SyncroAd\SyncroAd.exe

C:\WINDOWS\emsw.exe

C:\WINDOWS\System32\clulegih.exe

C:\Documents and Settings\x\Application Data\osrr.exe

C:\WINDOWS\System32\w?nspool.exe

C:\Program Files\Windows SyncroAd\WinSync.exe

C:\WINDOWS\System32\golumm\services.exe

Now have HJT! fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteBar\ELITEB~1.DLL

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteBar\ELITEB~1.DLL

O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe

O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe

O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wintzn32.exe

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

O4 - HKLM\..\Run: [p0] C:\documents and settings\x\local settings\temp\p0.exe

O4 - HKLM\..\Run: [lB] C:\documents and settings\x\local settings\temp\lB.exe

O4 - HKLM\..\Run: [L] C:\documents and settings\ x\local settings\temp\L.exe

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O4 - HKCU\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\x\HXIUL.EXE

O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe

O4 - HKCU\..\Run: [Ko08RgK2U] clulegih.exe

O4 - HKCU\..\Run: [Pldo] C:\Documents and Settings\ x\Application Data\osrr.exe

O4 - HKCU\..\Run: [Ibrx] C:\WINDOWS\System32\w?nspool.exe

O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mhtml!http://81.9.3.86//scripts//dw//chm.chm?id=dp::/win.exe

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

O16 - DPF: {12C5D0C2-3DA8-16A4-D9B4-62644D0DFAE7} - http://69.50.188.54/1/gdnUS208.exe

O16 - DPF: {14C85530-DDB3-7953-8BD6-37EC45890F02} - http://69.50.188.54/1/gdnUS208.exe

O16 - DPF: {1E3E231C-9DB4-4AD8-F591-72F6090FDEDE} - http://69.50.188.54/1/gdnUS208.exe

O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/us/ringtone/ringtone.exe

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildAppNonUS.cab

Once you fix the list above, make sure you run:

Ad-Aware SE Personal Edition 1.05 (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-2)

and

CWShredder (http://cwshredder.net/bin/CWSInstall.exe)

Take Care,

Richard
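As an added example (not part of the thread, and not a tool either poster used), the script below applies the same triage Richard did above to HijackThis-format lines: programs launched from a temp or Application Data folder, a `?` in a file name (not a legal Windows file-name character, so the displayed name is not the one on disk), scripts rather than programs in Run keys, the same host set in several IE start/search keys, ActiveX (O16) downloads from a bare IP address, and the O17 DNS setting. The sample lines are copied from the logs posted in this thread; the thresholds, severity labels and function names are my own choices.

```python
"""Triage heuristics for HijackThis-format log lines (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a selection of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe
O4 - HKLM\..\Run: [p0] C:\documents and settings\x\local settings\temp\p0.exe
O4 - HKCU\..\Run: [Ko08RgK2U] clulegih.exe
O4 - HKCU\..\Run: [Pldo] C:\Documents and Settings\x\Application Data\osrr.exe
O4 - HKCU\..\Run: [Ibrx] C:\WINDOWS\System32\w?nspool.exe
O16 - DPF: {12C5D0C2-3DA8-16A4-D9B4-62644D0DFAE7} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C805FA6D-3FE4-4D35-948B-44261656B80D}: NameServer = 195.93.35.134
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ns>.+)$")
# First token of a command line that ends in a 2-3 letter extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.[A-Za-z]{2,3})"?(?:\s|$)')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Value names such as Ko08RgK2U: digits plus mixed case, six or more characters.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}$")
SCRIPT_EXT = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".pif", ".scr")
HIJACK_THRESHOLD = 3  # my choice: this many IE keys on one host is treated as a hijack


def triage_run_entry(name, cmd):
    """Heuristics for one O4 Run value; returns (severity, message) tuples."""
    m = EXE_RE.match(cmd.strip())
    path = m["path"] if m else cmd.strip()
    low, out = path.lower(), []
    if "\\local settings\\temp\\" in low or "\\windows\\temp\\" in low:
        out.append(("high", f"[{name}] runs from a temp folder: {path}"))
    if "\\application data\\" in low:
        out.append(("high", f"[{name}] runs from a profile data folder: {path}"))
    if "?" in path:  # '?' cannot be part of a Windows file name
        out.append(("high", f"[{name}] '?' is not a legal file-name character, "
                            f"so the displayed name is not the one on disk: {path}"))
    if low.endswith(SCRIPT_EXT):
        out.append(("high", f"[{name}] Run value starts a script, not a program: {path}"))
    if RANDOM_NAME_RE.match(name) or len(name) <= 2:
        out.append(("medium", f"[{name}] value name looks machine-generated"))
    if "\\" not in path:
        out.append(("info", f"[{name}] no directory given, resolved via the search path: {path}"))
    return out


def triage_ie_settings(entries):
    """R0/R1 lines: one host set in many keys, or a start/search page that is a local file."""
    hosts, out = Counter(), []
    for key, value in entries:
        v = value.strip()
        if v.lower().startswith(("http://", "https://")):
            hosts[urlparse(v).hostname] += 1
        elif re.match(r"^[A-Za-z]:\\", v) and v.lower().endswith((".htm", ".html")):
            out.append(("high", f"IE setting points at a local HTML file: {key} = {v}"))
    for host, n in hosts.items():
        if n >= HIJACK_THRESHOLD:
            out.append(("high", f"{n} IE start/search keys all point to {host}: search hijack"))
    return out


def triage_dpf(url):
    """O16 lines: where the downloaded ActiveX object came from."""
    low = url.lower()
    if low.startswith(("file:", "ms-its:")):
        return [("high", f"ActiveX object sourced from a local or ms-its path: {url}")]
    if IPV4_RE.match(urlparse(url).hostname or ""):
        return [("high", f"ActiveX download from a bare IP address: {url}")]
    if low.endswith(".exe"):
        return [("medium", f"DPF entry fetches an .exe directly: {url}")]
    return []


def triage(log_text):
    """Run every heuristic over a HijackThis log; returns (severity, message) tuples."""
    findings, ie_entries = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            findings += triage_run_entry(m["name"], m["cmd"])
        elif m := R_RE.match(line):
            ie_entries.append((m["key"], m["value"]))
        elif m := O16_RE.match(line):
            findings += triage_dpf(m["url"])
        elif m := O17_RE.match(line):
            findings.append(("info", f"DNS server set on an adapter: {m['ns']} (confirm it is the ISP's)"))
    findings += triage_ie_settings(ie_entries)
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for sev, msg in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"{sev:6} {msg}")
```

The "info" findings (a bare file name such as SOUNDMAN.EXE, the DNS server) are prompts to check, not verdicts; the legitimate sound-driver entry in the log above trips the same rule as win32x.exe, which is why Richard's list is built from knowing which names belong to installed software rather than from the path alone.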

Devlin Carnet
19th Nov 2004, 14:02
Richard,
Thank you, I knew I'd get the help I need on this forum.
Will do as you say and report back :ok:

Naples Air Center, Inc.
19th Nov 2004, 14:11
Devlin Carnet,

I just hope WinXP is not damaged to the point you need to do a fresh install. :(

Take Care,

Richard

Devlin Carnet
20th Nov 2004, 13:39
Hi Richard, E-Liam et al.,
Did what you said, and here is the new log.

Still having the problem with the desktop though.
Ironically it's a warning about malware; it just sits there and won't budge, and won't let me set the desktop wallpaper.

Anyhow, see what you think:
Logfile of HijackThis v1.98.0
Scan saved at 14:31:06, on 20/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL 8.0\waol.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\WINDOWS\slrundll.exe
C:\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {7C216C01-E8F6-4ECF-9DF4-F4DD1C0B0C1A} - C:\WINDOWS\system32\ecc.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs
O4 - HKLM\..\Run: [p0] C:\documents and settings\local settings\temp\p0.exe
O4 - HKLM\..\Run: [lB] C:\documents and settings\local settings\temp\lB.exe
O4 - HKLM\..\Run: [L] C:\documents and settings\local settings\temp\L.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{C805FA6D-3FE4-4D35-948B-44261656B80D}: NameServer = 195.93.35.134

E-Liam
20th Nov 2004, 18:23
Hi Devlin Carnet,

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {7C216C01-E8F6-4ECF-9DF4-F4DD1C0B0C1A} - C:\WINDOWS\system32\ecc.dll (file missing)

O4 - HKLM\..\Run: [WinLogin] win32x.exe

O4 - HKLM\..\Run: [delcab] C:\drivers\deltreew.exe C:\cabs

O4 - HKLM\..\Run: [p0] C:\documents and settings\local settings\temp\p0.exe

O4 - HKLM\..\Run: [lB] C:\documents and settings\local settings\temp\lB.exe

O4 - HKLM\..\Run: [L] C:\documents and settings\local settings\temp\L.exe

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp folder, but not the folder itself. Next, please find and delete the following files...

win32x.exe (Probably in the C:\Windows\System32\.. folder, but if not, you'll need to search for it)

C:\documents and settings\local settings\temp\.. (please delete the entire contents of this folder, but again, not the folder itself.)

Then please boot back into normal mode and download AdAware SE from here (http://www.lavasoftusa.com/support/download/).

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de): if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button.

Then please post a new log for a final once over.

This should do it, and is the easier option. If not, we'll go the more complex route and get rid of it that way instead.. :)

Cheers

Liam

Naples Air Center, Inc.
20th Nov 2004, 19:06
Liam,

I am leaning in the direction of a fresh install of WinXP for Devlin Carnet. What are your thoughts?

Take Care,

Richard

Devlin Carnet
21st Nov 2004, 16:06
Hi, E-Liam, Richard,
Done everything suggested; couldn't run the online virus scan but ran Stinger.
Clean logs from Stinger, Ad-Aware, Spybot and CWShredder.
Couldn't find the file win32x.exe (search program not working for some reason, but had a good search through System and System32).
The problem still exists though (this is probably the cleanest system in the world apart from this nuisance).

Anyway, here is the new log:


Logfile of HijackThis v1.98.0
Scan saved at 16:48:48, on 21/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL 8.0\waol.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\WINDOWS\slrundll.exe
C:\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fast-search.org
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C805FA6D-3FE4-4D35-948B-44261656B80D}: NameServer = 195.93.35.134

Many thanks.

E-Liam
21st Nov 2004, 18:22
Hi Devlin Carnet,

Hmm, it is looking better, so let's go one more time and see if we can't fix this.

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fast-search.org

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.fast-search.org

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fast-search.org

O4 - HKLM\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe

O4 - HKCU\..\Run: [Windows System Object] C:\WINDOWS\system32\winsysrun.vbe

Then find and delete the following file:

C:\WINDOWS\system32\winsysrun.vbe

Reboot and post a new log.

Cheers

Liam

Devlin Carnet
22nd Nov 2004, 17:47
Hi Liam, Richard, I'm back again.

Did as you said, Liam, and here is the new log.
The problem is still there though, i.e. I can't access the desktop; it is covered by an HTML document.

Also, as a side note, the references to fast-search.org reappear in the HijackThis log after reconnecting to the web.

Anyway, here's the log, see what you think. Cheers, Liam.

Logfile of HijackThis v1.98.0
Scan saved at 18:17:06, on 22/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\hijack\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Thanks guys.

E-Liam
22nd Nov 2004, 19:11
Hi DC,

I'm wondering why Shredder didn't take care of fast-search, as it's a fairly old version of CWS. Firstly, could you open Shredder, click to update it, and then run it by clicking the Fix button.

Next, could you please update HJT, as you are using an old version. The current version is 1.98.2. To do this open HJT, click Config | Misc Tools | Update and follow the prompts.

Once done, on the same page please click on Generate StartupList, but before doing so select both the options to list extra files.

Then please post back with both the startup list and also a new HJT log.

Cheers

Liam

Devlin Carnet
24th Nov 2004, 17:49
Hi Liam,
Here goes, startup list:
StartupList report, 24/11/2004, 18:18:33
StartupList version: 1.52.2
Started from : C:\hijack\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\x\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
ATIModeChange = Ati2mdxx.exe
ATIPTA = C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
ACTIVBOARD = c:\apps\ABoard\ABoard.exe
VCSPlayer = "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
CleanEasyImg = c:\apps\easydvd\cleanall.exe
EPSON Stylus C82 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Default) =
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
AOL Spyware Protection = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Start WingMan Profiler =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

To be continued..

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

HDReg.job
WebReg 20041108143955.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[Java Plug-in 1.3.1_03]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131_03-win.cab

[Java Plug-in 1.3.1_03]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\npjava131_03.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131_03-win.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: System32\DRIVERS\ABP480N5.SYS (system)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: System32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: System32\DRIVERS\agpCPQ.sys (system)
Aha154x: System32\DRIVERS\aha154x.sys (system)
aic78u2: System32\DRIVERS\aic78u2.sys (system)
aic78xx: System32\DRIVERS\aic78xx.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: System32\DRIVERS\aliide.sys (system)
ALI AGP Bus Filter: System32\DRIVERS\alim1541.sys (system)
AMD AGP Bus Filter Driver: System32\DRIVERS\amdagp.sys (system)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
amsint: System32\DRIVERS\amsint.sys (system)
AOL Spyware Protection Service: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: System32\DRIVERS\asc.sys (system)
asc3350p: System32\DRIVERS\asc3350p.sys (system)
asc3550: System32\DRIVERS\asc3550.sys (system)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
cbidf: System32\DRIVERS\cbidf2k.sys (system)
cd20xrnt: System32\DRIVERS\cd20xrnt.sys (system)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
CmdIde: System32\DRIVERS\cmdide.sys (system)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: System32\DRIVERS\cpqarray.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: System32\DRIVERS\dac2w2k.sys (system)
dac960nt: System32\DRIVERS\dac960nt.sys (system)
Kodak Camera Proxy: System32\DRIVERS\DcCam.sys (system)
DcFpoint: System32\DRIVERS\DcFpoint.sys (manual start)
Kodak DCFS2K Driver: system32\drivers\dcfs2k.sys (autostart)
Legacy Polling Service: System32\DRIVERS\DcLps.sys (manual start)
dcptp: System32\DRIVERS\DcPTP.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: System32\DRIVERS\dpti2o.sys (system)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EpsonBidirectionalService: C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (autostart)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Exportit: System32\DRIVERS\exportit.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5b.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
hpn: System32\DRIVERS\hpn.sys (system)
i2omp: System32\DRIVERS\i2omp.sys (system)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: System32\DRIVERS\ini910u.sys (system)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Kodak Camera Connection Software: %SystemRoot%\system32\drivers\KodakCCS.exe (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
mraid35x: System32\DRIVERS\mraid35x.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
Mtlmnt5: System32\DRIVERS\Mtlmnt5.sys (manual start)
Mtlstrm: System32\DRIVERS\Mtlstrm.sys (manual start)
MustekMA1908Driver: \??\C:\WINDOWS\system32\drivers\ma1908.sys (autostart)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NtMtlFax: System32\DRIVERS\NtMtlFax.sys (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: System32\DRIVERS\perc2.sys (system)
perc2hib: System32\DRIVERS\perc2hib.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
ql1080: System32\DRIVERS\ql1080.sys (system)
Ql10wnt: System32\DRIVERS\ql10wnt.sys (system)
ql12160: System32\DRIVERS\ql12160.sys (system)
ql1240: System32\DRIVERS\ql1240.sys (system)
ql1280: System32\DRIVERS\ql1280.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
recagent: \??\C:\WINDOWS\System32\DRIVERS\RecAgent.sys (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScsiAccess: C:\WINDOWS\System32\ScsiAccess.EXE (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)
SmartLink AMR_PCI Driver: System32\DRIVERS\slntamr.sys (manual start)
SlNtHal: System32\DRIVERS\Slnthal.sys (manual start)
SmartLinkService: slserv.exe (autostart)
SlWdmSup: System32\DRIVERS\SlWdmSup.sys (manual start)
Sparrow: System32\DRIVERS\sparrow.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{6B1C53D3-3752-41EB-8F0A-7DB80BFD7AA4} (manual start)
symc810: System32\DRIVERS\symc810.sys (system)
symc8xx: System32\DRIVERS\symc8xx.sys (system)
sym_hi: System32\DRIVERS\sym_hi.sys (system)
sym_u3: System32\DRIVERS\sym_u3.sys (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: System32\DRIVERS\toside.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: System32\DRIVERS\ultra.sys (system)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
vcsmpdrv: System32\DRIVERS\vcsmpdrv.sys (system)
Virtual CD v4 Security service (SDK - Version): C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe (autostart)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Logitech Virtual Bus Enumerator Driver: system32\drivers\WmBEnum.sys (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Logitech WingMan HID Filter Driver: system32\drivers\WmFilter.sys (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Logitech Virtual Hid Device Driver: system32\drivers\WmVirHid.sys (manual start)
Logitech WingMan Translation Layer Driver: system32\drivers\WmXlCore.sys (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,153 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NtMtlFax: System32\DRIVERS\NtMtlFax.sys (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: System32\DRIVERS\perc2.sys (system)
perc2hib: System32\DRIVERS\perc2hib.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
ql1080: System32\DRIVERS\ql1080.sys (system)
Ql10wnt: System32\DRIVERS\ql10wnt.sys (system)
ql12160: System32\DRIVERS\ql12160.sys (system)
ql1240: System32\DRIVERS\ql1240.sys (system)
ql1280: System32\DRIVERS\ql1280.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
recagent: \??\C:\WINDOWS\System32\DRIVERS\RecAgent.sys (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScsiAccess: C:\WINDOWS\System32\ScsiAccess.EXE (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)
SmartLink AMR_PCI Driver: System32\DRIVERS\slntamr.sys (manual start)
SlNtHal: System32\DRIVERS\Slnthal.sys (manual start)
SmartLinkService: slserv.exe (autostart)
SlWdmSup: System32\DRIVERS\SlWdmSup.sys (manual start)
Sparrow: System32\DRIVERS\sparrow.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{6B1C53D3-3752-41EB-8F0A-7DB80BFD7AA4} (manual start)
symc810: System32\DRIVERS\symc810.sys (system)
symc8xx: System32\DRIVERS\symc8xx.sys (system)
sym_hi: System32\DRIVERS\sym_hi.sys (system)
sym_u3: System32\DRIVERS\sym_u3.sys (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: System32\DRIVERS\toside.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: System32\DRIVERS\ultra.sys (system)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
vcsmpdrv: System32\DRIVERS\vcsmpdrv.sys (system)
Virtual CD v4 Security service (SDK - Version): C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe (autostart)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: System32\DRIVERS\viaagp.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Logitech Virtual Bus Enumerator Driver: system32\drivers\WmBEnum.sys (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Logitech WingMan HID Filter Driver: system32\drivers\WmFilter.sys (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Logitech Virtual Hid Device Driver: system32\drivers\WmVirHid.sys (manual start)
Logitech WingMan Translation Layer Driver: system32\drivers\WmXlCore.sys (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

And the log..
Logfile of HijackThis v1.98.2
Scan saved at 18:25:50, on 24/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijack\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Thanks guys
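As an added example (not code from the thread, its posters, or HijackThis itself), the Python below parses the "Running processes" and O4 sections of a log like the one just posted and applies the checks a helper otherwise does by eye on O4 lines: an autostart given as a bare filename is found through the executable search path rather than a fixed location, one launched from a user-writable folder deserves a closer look, and every path is cross-checked against the process list. The sample log reuses lines from the post; its last O4 line and the user-writable folder list are constructed for the example.

```python
import re
# Added example (not from the thread or from HijackThis): parse the "Running processes"
# and O4 sections of a HijackThis log and apply the checks a reviewer does by eye.
O4_RUN = re.compile(r'^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_LNK = re.compile(r'^O4 - (?P<where>.*Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# Heuristic list of user-writable XP folders (constructed for this example).
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\', '\\temp\\')
# Sample log: lines from the post above, except the final O4 line, constructed here.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 8.0\aoltray.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
"""

def exe_from_command(cmd):
    # Executable path from a Run-key command line: quoted, or unquoted with spaces.
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [cmd])[0]

def parse_log(text):
    # Returns (lower-cased running processes, [(name, exe)] for every O4 line).
    procs, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        if line.startswith('Running processes:'):
            in_procs = True
        elif not line.strip():                    # a blank line ends the process list
            in_procs = False
        elif in_procs:
            procs.append(line.strip().lower())
        elif (m := O4_RUN.match(line) or O4_LNK.match(line)):
            autostarts.append((m['name'], exe_from_command(m['cmd'])))
    return procs, autostarts

def flags_for(exe, procs):
    # Reasons a reviewer would look at this autostart first; empty means unremarkable.
    if '\\' not in exe:                           # no directory: found via the search path
        return ['bare filename, resolved through the executable search path']
    low, flags = exe.lower(), []
    if any(p in low for p in USER_WRITABLE):
        flags.append('runs from a user-writable location')
    if low not in procs:                          # cross-check against the process list
        flags.append('not in the running-process list')
    return flags

def triage(procs, autostarts):
    return {name: f for name, exe in autostarts if (f := flags_for(exe, procs))}
```

Running `triage(*parse_log(SAMPLE_LOG))` returns only the four entries that need attention; the two autostarts whose full paths also appear in the process list are left out.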

E-Liam
24th Nov 2004, 19:02
Hi DC,

Nothing there either...

Did you update and run CWS? Have you still got the same problem?

Sorry it's taken me so long to check it out, and I'm off to play darts now.

I'll be back in a bit.

Cheers

Liam

Devlin Carnet
25th Nov 2004, 08:46
Hi Liam,
Hope you won your match.

Yep, ran the new CWS. I have put a line into the hosts file to block fast search; seems to work.

The desktop problem is still there, so I guess I'll have to persevere with that. But many thanks for your work, very much appreciated.
And thank you Richard also.

D.C.

Naples Air Center, Inc.
25th Nov 2004, 13:37
Devlin Carnet,

If you want to get rid of the problem, you could use the WinXP CD to do a fresh install of WinXP on top of itself. As long as you tell it during the install to keep the current file system intact, you will only lose any data you had in the Windows directory.

If you are going to go this route, just make sure you have all the drivers for your hardware downloaded (including SP2) before starting the fresh install.

Take Care,

Richard

P.S. I just thought of one more idea: try creating a new Administrator account and deleting your current account. Then, if you still get the serious error, right-click on your hard drive and go to Properties >> Tools >> Error Checking >> Check Now button. Put a check mark in both options and hit the Start button. The computer will want you to reboot in order to run the check. Reboot and just let it run.