Full Version: Cannot connect to the Internet after AA scan
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Ad-Aware SE Resolved/Inactive Issues
Wingman1487
I scanned my computer this morning with AAse. I was having problems with it not letting me complete the scan and having to shut down a minute into the scan. I did what was suggested and cancelled the scan right before it shut down and deleted the stuff that was causing it. It then asked to scan next time before the computer came on, so during a restart. I did a smart scan from there and deleted what it found. Now that I have done all that, when the computer comes up I get 3 different error boxes. The first one is "Creat Socket Error (0x0000277A)", the second one is "Listen Error" and the third one is "Recv Socket InitConnect Error". I'm not really sure what that all means, but my connection to the internet is "limited to no connectivity". I tried restoring all the quarantined items from AA and still no luck. Please help!
Ad Astra
Hi

Could you post back with some more information on your system, please?

Are you running Windows XP and if so is it at Service Pack 2?

If you are running XP (any version), please also post back with this information:

Press Start, then select Run. In the box, please enter the following:

cmd

Click the OK button to proceed. This will open a command window (black background). Now enter the following into the command window:

netsh winsock show catalog > C:\lsp.txt

Then press the Return key to run the command. This will output a listing of the current LSPs to a file.

Now open Windows Explorer, navigate to the top C: folder and double click on lsp.txt. This will open Notepad with the contents of the file, showing which Winsock LSPs are installed. Cut and paste the contents in a reply.
Wingman1487
It is running Windows XP Service Pack 2. Here's the info you asked for.


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry
Description: webHancer [UDP/IP]
Provider ID: {47A196B9-3AC7-910A-76A1-B6AB4569B1AB}
Provider Path: C:\WINDOWS\webhdll.dll
Catalog Entry ID: 1127
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Protocol Chain Length: 2
Protocol Chain: 0 : 0


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry
Description: webHancer [TCP/IP]
Provider ID: {46A896B0-34C7-990A-7211-56A74560BC78}
Provider Path: C:\WINDOWS\webhdll.dll
Catalog Entry ID: 1126
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Protocol Chain Length: 2
Protocol Chain: 0 : 0


Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1001
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [UDP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1002
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [RAW/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1003
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 3
Protocol: 0
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: RSVP UDP Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID: 1004
Version: 6
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 2
Protocol: 17
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: RSVP TCP Service Provider
Provider ID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path: %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID: 1005
Version: 6
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2655037C-7046-422A-B3C4-FFBC985D53D6}] SEQPACKET 6
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1108
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 5
Protocol: -6
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2655037C-7046-422A-B3C4-FFBC985D53D6}] DATAGRAM 6
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1109
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 2
Protocol: -6
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{129F2282-ECD9-4516-B3D0-BC7B841EF6B6}] SEQPACKET 5
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1110
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 5
Protocol: -5
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{129F2282-ECD9-4516-B3D0-BC7B841EF6B6}] DATAGRAM 5
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1111
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 2
Protocol: -5
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A7D4970-60D3-4FE2-8242-E760B4FA00BA}] SEQPACKET 4
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1112
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 5
Protocol: -4
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9A7D4970-60D3-4FE2-8242-E760B4FA00BA}] DATAGRAM 4
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1113
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 2
Protocol: -4
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{56BBF2D5-0F64-4B83-9773-7310BDAF528A}] SEQPACKET 3
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1114
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 5
Protocol: -3
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{56BBF2D5-0F64-4B83-9773-7310BDAF528A}] DATAGRAM 3
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1115
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 2
Protocol: -3
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E8B36B52-74E5-450D-9CAD-D02C67CDAB2B}] SEQPACKET 0
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1116
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 5
Protocol: -2147483648
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E8B36B52-74E5-450D-9CAD-D02C67CDAB2B}] DATAGRAM 0
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1117
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 2
Protocol: -2147483648
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08E43B85-4E9C-40B0-8120-4D4057492B2F}] SEQPACKET 1
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1118
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 5
Protocol: -1
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{08E43B85-4E9C-40B0-8120-4D4057492B2F}] DATAGRAM 1
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1119
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 2
Protocol: -1
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6E5851E0-E908-424D-B688-5265384887AA}] SEQPACKET 2
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1120
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 5
Protocol: -2
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6E5851E0-E908-424D-B688-5265384887AA}] DATAGRAM 2
Provider ID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1121
Version: 2
Address Family: 17
Max Address Length: 20
Min Address Length: 20
Socket Type: 2
Protocol: -2
Protocol Chain Length: 1

Name Space Provider Entry
------------------------------------------------------
Description: Tcpip
Provider ID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Name Space: 12
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: NTDS
Provider ID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Name Space: 32
Active: 1
Version: 0


Name Space Provider Entry
------------------------------------------------------
Description: Network Location Awareness (NLA) Namespace
Provider ID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Name Space: 15
Active: 1
Version: 0
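As an added example (not part of the thread and not a Lavasoft tool), here is a small Python parser for the `netsh winsock show catalog` dump posted above. It does by code what the helper does by eye: picks out Layered Chain Entries and any provider whose DLL Windows does not ship. The sample text is constructed from two of the entries above, and the set of known system DLLs is only the two that appear in this listing.

```python
"""Parse `netsh winsock show catalog` output and flag non-Windows LSPs.

Added example for this thread, not a Lavasoft or Microsoft tool. The sample
text is constructed from two of the entries posted above.
"""
import re

# Constructed sample: the webHancer layered entry and one Microsoft base
# provider, copied from the listing above.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Layered Chain Entry
Description: webHancer [TCP/IP]
Provider ID: {46A896B0-34C7-990A-7211-56A74560BC78}
Provider Path: C:\WINDOWS\webhdll.dll
Catalog Entry ID: 1126
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Protocol Chain Length: 2
Protocol Chain: 0 : 0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1001
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Protocol Chain Length: 1
"""

# Provider DLLs that Windows XP itself installs, as seen in the listing
# above. Anything else was added by third-party software and needs review.
KNOWN_SYSTEM_DLLS = {"mswsock.dll", "rsvpsp.dll"}
HEADER_RE = re.compile(r"^(Winsock Catalog|Name Space) Provider Entry$")


def parse_catalog(text):
    """Split the netsh dump into entries; each 'Key: value' line becomes a
    field, and the record header is kept under the "_kind" key."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            current = {"_kind": line}
            entries.append(current)
            continue
        if current is None or not line or set(line) == {"-"}:
            continue  # blank line or the dashed rule under a header
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            current[key.strip()] = value.strip()
    return entries


def is_layered(entry):
    """Layered (LSP) entries sit in the call path of every socket on the box."""
    return entry.get("Entry Type") == "Layered Chain Entry"


def is_third_party(entry):
    """True when a Winsock provider entry's DLL is not one Windows ships.
    Name Space entries carry no Provider Path in this output and are skipped."""
    path = entry.get("Provider Path", "")
    if not path:
        return False
    dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return dll not in KNOWN_SYSTEM_DLLS


def suspicious_entries(text):
    """Return (description, provider path, reason) for each entry worth a look."""
    findings = []
    for e in parse_catalog(text):
        reasons = []
        if is_third_party(e):
            reasons.append("provider DLL is not a Windows Winsock DLL")
        if is_layered(e):
            reasons.append("layered chain entry hooks all sockets")
        if reasons:
            findings.append((e.get("Description", ""), e.get("Provider Path", ""), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for desc, path, why in suspicious_entries(SAMPLE_CATALOG):
        print(f"{desc:25} {path:40} {why}")
```

Feed it the real lsp.txt instead of the sample and extend KNOWN_SYSTEM_DLLS with whatever legitimate providers (firewall, VPN) the machine is known to carry.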
Ad Astra
Windows XP SP2 is good news as it has a command to rebuild Winsock. Also, you do not have any third party LSPs so it is safe to rebuild. The bad news is that there is some malware in there too, so let's reset Winsock and see if we can clean out webHancer.

First open a command window as before and then enter the following text:

netsh winsock reset catalog

Press the Enter key to run the command. This will rebuild the Winsock stack. Reboot your PC and the error boxes should be gone.

Then run a fresh full scan with Ad-Aware SE. Does it detect webHancer?

Post a log file from the Ad-Aware scan: after the scan has run, click Next, then select the Scan Log tab. Right-click in the log and Select All, then right-click and select Copy to Clipboard, then paste in a reply.
Wingman1487
I went to the webHancer site and downloaded their removal tool directly from them. That removed all of webHancer's crap off my computer. I still got the error, but in one of their removal steps it said to do exactly what you said, so I went in and reset the winsock and now there's no more problems. The only issue that I'm having now is I cannot access CMD through the start menu; every time I try to run CMD it gives me an error message saying "cmd is not a valid Win32 application". I have the same problem with regedit. The only way I have found to access them is to go directly to the application in the WINDOWS folder and then the SYSTEMS folder (I have to display operating system folders to get there). Know anything about that?
Ad Astra
Hi

First thing to check is if there is a ".com" version of regedit and cmd on your system.

Have a look in the folder: c:\windows\system32 (this is a hidden folder as you mentioned).

Look for cmd.com. cmd.exe is correct and part of Windows so should not be deleted, but if you have a cmd.com that will be malware of some kind.

Then look for regedt32.com (again regedt32.exe is the correct windows file and should not be deleted).

Next, if there is no sign of the .com versions in c:\windows\system32, try doing a search of the disk for both the .com files.

If you find either or both of cmd.com or regedt32.com, can you submit them to Lavasoft at the uploading files forum on this web site. Then delete the .com files (not the .exe versions).

Post back if you find the .com files, if not there is another thing we can try.
Wingman1487
I did not find either of the .com files in the System32 folder. When I searched the whole C drive I didn't find either of them.
Ad Astra
Ok, we have eliminated that specific malware tactic as the cause. Please try resetting the registry keys for the .exe file extension.

First download the appropriate registry file fix from Doug Knox's web site at

http://www.dougknox.com/xp/file_assoc.htm

Download this and unzip it into a folder:

EXE File Association Fix (Restore default association for EXE files)

Follow the instructions at the top of Doug Knox's web site under the Note section on how to start Regedit from within Task Manager. Follow these instructions exactly and Regedit should start.

If you use Ad-Watch, ensure it is in manual mode: start Ad-Watch, right click on the icon in the system tray, and select Ad-Watch settings. Make sure the selection has a red cross against Automatic. If it is a green tick, click on it to deselect Automatic.

Now in regedit import the reg file you downloaded above. In regedit select file then select import and browse to where you unzipped the reg file. If prompted to confirm merge select yes to accept.

If you are using Ad-watch it will pop an alert for the merge as well. Ensure you accept the changes in ad-watch.

Post back if this helps or not.
Wingman1487
Still no go, same error message on both of them when I try to start them up in Run. However, I still have no problem opening up either of them from the system32 folder.
Ad Astra
Ok, let's check the value of some environmental variables.

We will need to run cmd.exe so you will have to start cmd.exe using your workaround of running it from the c:\windows\system32 folder.

Can you post back with the following info? In the command window that opens, enter

echo %PATH% > c:\path.txt

press enter to run the command then type

echo %PATHEXT% >> c:\path.txt

and press Enter again to run this command. Note the double >> on the second item, and that there are spaces either side of the > and >> items.

Then navigate to the c:\ folder double click on path.txt to open in notepad and post back the contents of the file. This will list the values of two environmental variables.
Wingman1487
C:\program files\java\jdk1.5.0\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH


Sorry it took so long to post back, I moved into a new apartment yesterday. Thanks for all your help, I hope we can resolve this problem.
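The two checks in this thread, looking for a cmd.com or regedt32.com and then inspecting PATH and PATHEXT, are two halves of one mechanism: a bare command name is tried with each PATHEXT extension in order, and .COM comes before .EXE. The added Python below (not from the thread, not a Lavasoft or Microsoft tool) models that lookup with the PATH and PATHEXT values posted above against a constructed file system, showing why "cmd" fails while "cmd.exe" works when a .com has been planted. It is a simplified model of cmd.exe's search; the Run dialog's own lookup is assumed to follow the same extension order, and current-directory and App Paths lookups are left out.

```python
"""Model the .COM-before-.EXE lookup that makes 'cmd' fail while 'cmd.exe' works.

Added example for this thread, not a Lavasoft or Microsoft tool. PATH and
PATHEXT are the values posted above; the file systems are constructed sets of
lower-cased paths, and the lookup order is a simplified model of cmd.exe's
search (current directory and the shell's App Paths are left out).
"""
from pathlib import PureWindowsPath

# PATH and PATHEXT exactly as reported earlier in the thread.
PATH_DIRS = [
    r"C:\program files\java\jdk1.5.0\bin",
    r"C:\WINDOWS\system32",
    r"C:\WINDOWS",
    r"C:\WINDOWS\System32\Wbem",
    "C:\\Program Files\\QuickTime\\QTSystem\\",
]
PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH".split(";")

# Constructed file systems: the genuine XP tools, then the same box with the
# tactic described above, a .com dropped where the lookup sees it first.
CLEAN_FS = {
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\regedit.exe",
    r"c:\windows\system32\regedt32.exe",
    r"c:\windows\system32\notepad.exe",
}
HIJACKED_FS = CLEAN_FS | {r"c:\windows\system32\cmd.com", r"c:\windows\regedit.com"}


def resolve(command, path_dirs=PATH_DIRS, pathext=PATHEXT, fs=CLEAN_FS):
    """Return the lower-cased path `command` resolves to, or None.

    A name with an extension is looked up as given. A bare name tries every
    PATHEXT extension, in PATHEXT order, inside each PATH directory in PATH
    order, so .COM beats .EXE within the same directory.
    """
    has_ext = "." in PureWindowsPath(command).name
    candidates = [command] if has_ext else [command + ext for ext in pathext]
    for directory in path_dirs:
        for name in candidates:
            full = str(PureWindowsPath(directory) / name).lower()
            if full in fs:
                return full
    return None


def shadowing_files(tools, path_dirs=PATH_DIRS, pathext=PATHEXT, fs=CLEAN_FS):
    """Map each tool whose bare name resolves to something other than its .exe
    to the file that wins. This is the cmd.com / regedt32.com check from the
    thread, generalised to any list of tool names."""
    findings = {}
    for tool in tools:
        exe = resolve(tool + ".exe", path_dirs, pathext, fs)
        picked = resolve(tool, path_dirs, pathext, fs)
        if exe and picked != exe:
            findings[tool] = picked
    return findings


if __name__ == "__main__":
    for label, fs in (("clean", CLEAN_FS), ("hijacked", HIJACKED_FS)):
        print(label, "cmd ->", resolve("cmd", fs=fs), "| cmd.exe ->", resolve("cmd.exe", fs=fs))
    print(shadowing_files(["cmd", "regedit", "regedt32", "notepad"], fs=HIJACKED_FS))
```

On a real machine the constructed sets would be replaced by a walk of the PATH directories; a non-empty result from shadowing_files is the condition the thread was searching for by hand.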
Ad Astra
Those environmental variables look OK. I'm slightly surprised to see Java has added itself to the front of the list, but that should not be the issue you are having.

Can you try downloading Filemon from Sysinternals:

http://www.sysinternals.com/Utilities/Filemon.html

Simply download the zip file and unzip. Start the Filemon program and select Options, then Filter/Highlight.

In the Include box ensure the * is removed and replaced just with the text:

regedit

Click OK to apply the filter. If the screen is full of log info, select Edit, then Clear Display.

Now press start and select run and enter

regedit


Click OK and Filemon should now log what is being run when you type this. Back in the Filemon window, select File and then Save to save the log file; it defaults to the name filemon.log. Can you post back with the contents of this log, please?
Mimsey
Hey, haven't read the thread here, so this might be a shot in the dark or already covered.

However, your error messages indicate that your winsock files are corrupt (needed to get an internet connection). If some malware changes the winsock files and the malware is then removed, you might be left with none or defective sockets.

Microsoft's knowledge database about this issue:
http://support.microsoft.com/?kbid=811259

They have a step-by-step on how to restore the files.

/Mims
Wingman1487
287 11:16:50 PM svchost.exe:1092 QUERY INFORMATION C:\WINDOWS\REGEDIT.EXE SUCCESS Attributes: A
288 11:16:50 PM svchost.exe:1092 OPEN C:\WINDOWS\REGEDIT.EXE SUCCESS Options: Open Access: 00020088
289 11:16:50 PM svchost.exe:1092 QUERY INFORMATION C:\WINDOWS\REGEDIT.EXE SUCCESS FileInternalInformation
290 11:16:50 PM svchost.exe:1092 CLOSE C:\WINDOWS\REGEDIT.EXE SUCCESS
Ad Astra
QUOTE(Wingman1487 @ Aug 17 2006, 05:24 AM)
287 11:16:50 PM svchost.exe:1092 QUERY INFORMATION C:\WINDOWS\REGEDIT.EXE SUCCESS Attributes: A
288 11:16:50 PM svchost.exe:1092 OPEN C:\WINDOWS\REGEDIT.EXE SUCCESS Options: Open Access: 00020088
289 11:16:50 PM svchost.exe:1092 QUERY INFORMATION C:\WINDOWS\REGEDIT.EXE SUCCESS FileInternalInformation
290 11:16:50 PM svchost.exe:1092 CLOSE C:\WINDOWS\REGEDIT.EXE SUCCESS


Interesting, did regedit start ok, start then instantly close or simply not even start?

Could you open regedit using your workaround and check this key please:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Is there an item called DisableRegistryTools, and if so what value does it have? This key may not be present, so please post what you find.

Thanks
Wingman1487
Whenever I try to use Run to get to regedit I still get the error message "regedit is not a valid Win32 application". I can still get to it using my roundabout way and going into the system32 folder. When I searched for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System the search came back with nothing, so I typed in HKCU and I got a lot of returns. I found that if I replaced the \ at the end of HKCU with a , I got more results. I tried this and got nothing back with the full line. The most I could put in and still get values back for was HKCU,Software\Microsoft\Windows\CurrentVersion; anything after that there was nothing.
Ad Astra
OK

It is possible that specific key is not present but I would expect to see some other items under policies.

Could you open regedit (the hard way ;-) ) then click on the plus signs in the left-hand column to expand each folder in turn:

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion
Policies
System


Then click to select System. In the right-hand window, do you see an item called DisableRegistryTools? If so, what is the value in the Data column? It may well not be present but it is worth double checking.

Repeat the above but this time under HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
Policies
System


I will have to do some more investigations to see if I can find a solution but if you could report back on the above that would help.

Thanks
Wingman1487
So after I opened regedit the "hard way" (haha) I went through HKEY_CURRENT_USER and got all the way to Policies. There was no Systems drop-down menu, only an Explorer that had "NoDriveTypeAutoRun" and "(Default)" in it. Then I went through HKEY_LOCAL_MACHINE and found a policies and systems drop-down menu (I don't know if this matters, but both were not capitalized, as I noticed everything else was); there was no DisableRegistryTools. The only things in there were "dontdisplaylastusername", "legalnoticecaption", "legalnoticetext", "shutdownwithoutlogon", "undockwithoutlogon" and "(Default)".

I really appreciate all that you are doing for me. Thanks!
Ad Astra
Ok, another possible cause eliminated. :-(

Could you try the following, in Windows Explorer navigate to c:\windows\prefetch

Scroll down the list of files and delete any files that begin with

reg.exe
regedit.exe
regedt32.exe

and end in .pf

Now press start and select run, try these commands and post if they work or not:

regedit
regedit.exe
regedt32
regedt32.exe
notepad

The first four should open regedit the last one should open notepad. Which of these work OK?
Wingman1487
Well, I found two of them, REGEDIT.EXE-1B606482.pf and REGEDT32.EXE-11878ACD.pf, and put them in the recycling bin. Then I tried the commands you said. "regedit.exe" and "notepad" worked. I also tried to run "cmd" (did not work), so I tried "cmd.exe" and that worked.
Ad Astra
OK, those are classic symptoms of when a virus has added a .com version of regedit and cmd, but since there is no sign of .com file versions maybe they are being bypassed another way.

Please download Sysinternals' autoruns program from

http://www.sysinternals.com/Utilities/Autoruns.html

Download and unzip the files, then click on autoruns.exe (not autorunsc.exe).

When it starts it will immediately start scanning. If your firewall alerts that Autoruns is connecting to the Internet, please allow it. Then either let the scan finish or press the Esc key to stop it.

Now in the Autoruns window select Options and check (tick) the entry for "Hide Signed Microsoft Entries". Now select File and then click on Refresh and let the scan run to completion.

Click on the Logon tab, then select File and then "Save As". Pick a location to save the file (defaults to the folder you installed it in) and save the file as AutoRuns.txt. Next open Windows Explorer and navigate to the folder you saved the Autoruns.txt file to, double click to open it in Notepad and paste the contents into a reply.

Thanks
Wingman1487
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ AGRSMMSG SoftModem Messaging Applet Agere Systems c:\windows\agrsmmsg.exe

+ CFSServ.exe ConfigFree™ Search for Wireless Devices Version 5.00 TOSHIBA CORPORATION C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

+ dla Drive Letter Access Component Sonic Solutions c:\windows\system32\dla\tfswctrl.exe

+ EOUApp Ease Of Use Wizard Application Intel Corporation c:\program files\intel\wireless\bin\eouwiz.exe

+ HostManager AOL America Online, Inc. c:\program files\common files\aol\1146097344\ee\aolsoftware.exe

+ HotKeysCmds hkcmd Module Intel Corporation c:\windows\system32\hkcmd.exe

+ IgfxTray igfxTray Module Intel Corporation c:\windows\system32\igfxtray.exe

+ IntelWireless Intel Framework MFC Application Intel Corporation c:\program files\intel\wireless\bin\ifrmewrk.exe

+ IPHSend IPHSend Application America Online, Inc. c:\program files\common files\aol\iphsend\iphsend.exe

+ iTunesHelper iTunesHelper Module Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe

+ NeroFilterCheck NeroCheck Ahead Software Gmbh c:\windows\system32\nerocheck.exe

+ outlook File not found: C:\Program Files\outlook\outlook.exe

+ PadTouch PadTouch Main TOSHIBA c:\program files\toshiba\touch and launch\padexe.exe

+ pccguide.exe PCCGuide Trend Micro Incorporated. c:\program files\trend micro\internet security 2006\pccguide.exe

+ Pinger TOSHIBA Pinger TOSHIBA Corporation c:\toshiba\ivp\ism\pinger.exe

+ QuickTime Task QuickTime Task Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ SmoothView SmoothView TOSHIBA Corporation c:\program files\toshiba\toshiba zooming utility\smoothview.exe

+ SoundMAX SoundMAX Control Center Analog Devices, Inc. c:\program files\analog devices\soundmax\smax4.exe

+ SoundMAXPnP SMax4PNP MFC Application Analog Devices, Inc. c:\program files\analog devices\soundmax\smax4pnp.exe

+ SunJavaUpdateSched Java™ 2 Platform Standard Edition binary Sun Microsystems, Inc. c:\program files\java\jre1.5.0_06\bin\jusched.exe

+ SynTPEnh Synaptics TouchPad Enhancements Synaptics, Inc. c:\program files\synaptics\syntp\syntpenh.exe

+ SynTPLpr TouchPad Driver Helper Application Synaptics, Inc. c:\program files\synaptics\syntp\syntplpr.exe

+ TFncKy TFncKy TOSHIBA Corporation C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

+ THotkey Hotkey Utility TOSHIBA c:\program files\toshiba\toshiba applet\thotkey.exe

+ TkBellExe RealNetworks Scheduler RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe

+ TPSMain C:\Program Files\TOSHIBA\Power Saver\TPSMain.exe

+ Tvs TOSHIBA Virtual Sound Taskbar Module TOSHIBA Corporation c:\program files\toshiba\tvs\tvstray.exe

+ VOBRegCheck c:\windows\system32\vobregcheck.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Adobe Gamma Loader.exe.lnk Adobe Gamma Loader Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Bluetooth.lnk Bluetooth Tray Application Broadcom Corporation. c:\program files\widcomm\bluetooth software\bttray.exe

+ RAMASST.lnk CD Burning of Windows XP disabling tool for DVD MULTI Drive Matsushita Electric Industrial Co., Ltd. c:\windows\system32\ramasst.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ Aim6 AOL America Online, Inc. c:\program files\common files\aol\launch\aollaunch.exe

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components

+ 0 File not found: About:Home

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ CD Copy Shell Extension CD Wizard Shellerweiterung VoB Computersysteme GmbH c:\windows\system32\shellext\cdwshext.dll

+ CD Wizard Shell Extension CD Wizard Shellerweiterung VoB Computersysteme GmbH c:\windows\system32\shellext\cdwshext.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ DriveLetterAccess Drive Letter Access Component Sonic Solutions c:\windows\system32\dla\tfswshx.dll

+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll

+ iTunes iTunes Mini Player DLL Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll

+ My Bluetooth Places BTNeighborhood DLL Broadcom Corporation. c:\windows\system32\btneighborhood.dll

+ RecordNow! SendToExt Shell Extensions c:\program files\sonic\recordnow!\shlext.dll

+ Shell Extensions for RealOne Player RealPlayer Shell Extensions RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll

+ Synaptics Control Panel TouchPad Control Panel Extensions Synaptics, Inc. c:\program files\synaptics\syntp\syntpcpl.dll

+ TMD Shell Extension Tmdshell Module Trend Micro Incorporated. c:\program files\trend micro\internet security 2006\tmdshell.dll

+ VBPropSheet VBProp Module Trend Micro Incorporated. c:\program files\trend micro\internet security 2006\vbprop.dll

+ WinRAR shell extension c:\program files\winrar\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ AcroIEHlprObj Class AcroIEHelper Module c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx

+ DriveLetterAccess Drive Letter Access Component Sonic Solutions c:\windows\system32\dla\tfswshx.dll

+ SSVHelper Class Java™ 2 Platform Standard Edition binary Sun Microsystems, Inc. c:\program files\java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ @btrez.dll,-4017 c:\program files\widcomm\bluetooth software\btsendto_ie.htm

+ @xpsp3res.dll,-20001 File not found: C:\WINDOWS\Network

+ AIM AOL Instant Messenger America Online, Inc. c:\program files\aim\aim.exe

HKLM\System\CurrentControlSet\Services

+ btwdins Handles installation and removal of Bluetooth devices. Broadcom Corporation. c:\program files\widcomm\bluetooth software\bin\btwdins.exe

+ CFSvcs Service of ConfigFree. TOSHIBA CORPORATION c:\program files\toshiba\configfree\cfsvcs.exe

+ DVD-RAM_Service Service of RAMAsst for Windows XP Matsushita Electric Industrial Co., Ltd. c:\windows\system32\dvdramsv.exe

+ EvtEng Intel Event Trace Manager Intel Corporation c:\program files\intel\wireless\bin\evteng.exe

+ OwnershipProtocol Ownership protocol service Intel Corporation c:\program files\intel\wireless\bin\oprotsvc.exe

+ PcCtlCom Manages the Trend Micro PC-cillin components. Trend Micro Incorporated. c:\program files\trend micro\internet security 2006\pcctlcom.exe

+ RegSrvc Intel Registry Service Intel Corporation c:\program files\intel\wireless\bin\regsrvc.exe

+ S24EventMonitor Handles the Spectrum24 NDIS Traffic Intel Corporation c:\program files\intel\wireless\bin\s24evmon.exe

+ SoundMAX Agent Service (default) SoundMAX service agent component Analog Devices, Inc. c:\program files\analog devices\soundmax\smagent.exe

+ Swupdtmr c:\toshiba\ivp\swupdate\swupdtmr.exe

+ TAPPSRV TOSHIBA Application Service for Common Module TOSHIBA Corp. c:\program files\toshiba\toshiba applet\tappsrv.exe

+ Tmntsrv Enables scanning in real time. Trend Micro Incorporated. c:\program files\trend micro\internet security 2006\tmntsrv.exe

+ TmPfw Manages the Trend Micro Personal Firewall. Trend Micro Inc. c:\program files\trend micro\internet security 2006\tmpfw.exe

+ tmproxy Manages the Trend Micro Proxy. Trend Micro Inc. c:\program files\trend micro\internet security 2006\tmproxy.exe

HKLM\System\CurrentControlSet\Services

+ aeaudio Andrea Audio Noise Cancellation Driver Andrea Electronics Corporation c:\windows\system32\drivers\aeaudio.sys

+ AegisP AEGIS Protocol (IEEE 802.1x) v3.1.6.0 Meetinghouse Data Communications c:\windows\system32\drivers\aegisp.sys

+ AgereSoftModem SoftModem Device Driver Agere Systems c:\windows\system32\drivers\agrsm.sys

+ asapiW2k ASAPI VOB Computersysteme GmbH c:\windows\system32\drivers\asapiw2k.sys

+ btaudio Bluetooth Audio Device Broadcom Corporation. c:\windows\system32\drivers\btaudio.sys

+ BTDriver Bluetooth BTPORT Driver for Windows 2000 Broadcom Corporation. c:\windows\system32\drivers\btport.sys

+ BTKRNL Bluetooth Bus Enumerator Broadcom Corporation. c:\windows\system32\drivers\btkrnl.sys

+ BTSERIAL Bluetooth Serial Driver for Windows 2000 Broadcom Corporation. c:\windows\system32\drivers\btserial.sys

+ BTSLBCSP Bluetooth Serial Driver for Windows 2000 Broadcom Corporation. c:\windows\system32\drivers\btslbcsp.sys

+ BTWDNDIS Bluetooth LAN Access Server Driver Broadcom Corporation. c:\windows\system32\drivers\btwdndis.sys

+ btwmodem Bluetooth BTPORT Driver for Windows 2000 Broadcom Corporation. c:\windows\system32\drivers\btwmodem.sys

+ BTWUSB Driver for Bluetooth USB Devices Broadcom Corporation. c:\windows\system32\drivers\btwusb.sys

+ CA561 Universal Serial Bus Camera Driver SP c:\windows\system32\drivers\spca561.sys

+ drvmcdb Device Driver Sonic Solutions c:\windows\system32\drivers\drvmcdb.sys

+ GEARAspiWDM CDRom Class Filter Driver GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys

+ ialm Intel Graphics Miniport Driver Intel Corporation c:\windows\system32\drivers\ialmnt5.sys

+ Iviaspi InterVideo ASPI Shell InterVideo, Inc. c:\windows\system32\drivers\iviaspi.sys

+ IWCA Intel Wireless Connection Agent Intel Corporation c:\windows\system32\drivers\iwca.sys

+ msdirectx File not found: C:\WINDOWS\system32\msdirectx.sys

+ Netdevio TOSHIBA Network Device Usermode I/O Protocol TOSHIBA Corporation. c:\windows\system32\drivers\netdevio.sys

+ Pfc Padus® ASPI Shell Padus, Inc. c:\windows\system32\drivers\pfc.sys

+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys

+ PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys

+ RioS50 RioS50.sys SonicBlue Inc. c:\windows\system32\drivers\rios50.sys

+ s24trans WLAN Transport Intel Corporation c:\windows\system32\drivers\s24trans.sys

+ Secdrv SafeDisc driver c:\windows\system32\drivers\secdrv.sys

+ smwdm SoundMAX Integrated Digital Audio Analog Devices, Inc. c:\windows\system32\drivers\smwdm.sys

+ SONYPVU1 Sony USB Lower Filter driver Sony Corporation c:\windows\system32\drivers\sonypvu1.sys

+ SynTP Synaptics Touchpad Driver Synaptics, Inc. c:\windows\system32\drivers\syntp.sys

+ TBiosDrv c:\windows\system32\drivers\tbiosdrv.sys

+ tifm21 tifm21.sys Texas Instruments c:\windows\system32\drivers\tifm21.sys

+ tm_cfw Trend Micro Common Firewall Module 2.5 Trend Micro Inc. c:\windows\system32\drivers\tm_cfw.sys

+ Tmfilter Post Filter For XP Trend Micro Inc. c:\windows\system32\drivers\tmxpflt.sys

+ Tmpreflt Pre-Filter For XP Trend Micro Inc. c:\windows\system32\drivers\tmpreflt.sys

+ tmtdi Trend Micro TDI Driver (i386-fre) Trend Micro Inc. c:\windows\system32\drivers\tmtdi.sys

+ TVALD Toshiba Notebook PC SMI Driver Toshiba Corporation c:\windows\system32\drivers\nbsmi.sys

+ Tvs TOSHIBA Audio Filter Driver TOSHIBA Corporation c:\windows\system32\drivers\tvs.sys

+ Vsapint VsapiNT Trend Micro Inc. c:\windows\system32\drivers\vsapint.sys

+ w29n51 Intel® Wireless LAN Driver Intel® Corporation c:\windows\system32\drivers\w29n51.sys

+ wanatw File not found: system32\DRIVERS\wanatw4.sys

+ yukonwxp NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller Marvell c:\windows\system32\drivers\yk51x86.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ igfxcui igfxsrvc Module Intel Corporation c:\windows\system32\igfxsrvc.dll

+ IntelWireless LogonNotify DLL Intel Corporation c:\program files\intel\wireless\bin\lgnotify.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ Bluetooth Printer Port bthcrp DLL Broadcom Corporation. c:\windows\system32\bthcrp.dll



There she be!
Thanks
Ad Astra
OK, there are some leftover signs of items that have been removed in the past. Have you removed any viruses using an Antivirus program?

Nothing shouts out as urgent to correct, so can we try some more things please.

As before, try running some commands from the command window, so run cmd.exe the hard way again.

Then type the following one at a time and press return to run; these will output some info to a file.



reg query hkcr\exefile\shell\runas\command > c:\queryinfo.txt

reg query hkcr\exefile\shell\open\command >> c:\queryinfo.txt

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\ >> c:\queryinfo.txt

type "c:\windows\system.ini" >> c:\queryinfo.txt

type "c:\windows\win.ini" >> c:\queryinfo.txt



The first command has one >, the rest two >>. The quickest way would be to select and copy each bold line above in turn, then in the command window right mouse click and select paste.

When finished, start Windows Explorer and navigate to the C:\ folder and double click on queryinfo.txt to open it in Notepad. Paste the contents into a reply. You can then delete the c:\queryinfo.txt file.

Then run HijackThis and post the log file along with the above.

See this post for details on how to run HijackThis then post a log in this thread.

http://www.lavasoftsupport.com/index.php?showtopic=216

We can tidy up the info from the autoruns file at the same time as anything extra found from the above.

Many thanks
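The three reg query commands above are a check on the .exe file association: on a stock Windows XP machine the exefile open and runas commands are `"%1" %*` and the .exe class points at exefile, and a program that has inserted its own path in front of that value gets launched before every executable. As an added example, not code from the thread or from Lavasoft, the script below parses the REG.EXE 3.0 text that those commands write to queryinfo.txt and reports every value that differs from the stock values. The sample output is constructed in the same format as the thread's, and `C:\constructed\hook.exe` is a placeholder path, not a real program.

```python
"""Check the .exe file-association keys dumped by `reg query` (added example).

Parses the REG.EXE 3.0 text format that the thread's three reg query
commands produce and flags any value that differs from the stock
Windows XP defaults. All sample input below is constructed.
"""
import re
from typing import Dict, List, Optional

# Stock Windows XP values. A hijacked association usually wraps "%1" %* in a
# path to another program, so that program runs each time an .exe is opened.
EXPECTED: Dict[str, Dict[str, str]] = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"<NO NAME>": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\exefile\shell\runas\command": {"<NO NAME>": '"%1" %*'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe": {
        "<NO NAME>": "exefile",
        "Content Type": "application/x-msdownload",
    },
}

# One value line: "<name>   REG_<type>   <data>"; data may be empty.
VALUE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Turn REG.EXE 3.0 output into {key path: {value name: data}}.

    Key lines start with HKEY_; a trailing backslash (from the way the key
    was typed) is dropped and doubled backslashes in listed subkeys collapsed,
    so the same key always maps to the same dictionary entry.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("! REG.EXE"):
            continue
        if line.startswith("HKEY_"):
            current = line.replace("\\\\", "\\").rstrip("\\")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data") or ""
    return keys


def check_exe_association(text: str) -> List[str]:
    """Return one finding per expected key or value that is missing or changed."""
    keys = parse_reg_query(text)
    findings: List[str] = []
    for key, expected_values in EXPECTED.items():
        actual = keys.get(key)
        if actual is None:
            findings.append(f"{key}: key missing from query output")
            continue
        for name, want in expected_values.items():
            got = actual.get(name)
            if got is None:
                findings.append(f"{key} [{name}]: value missing")
            elif got != want:
                findings.append(f"{key} [{name}]: expected {want!r}, found {got!r}")
    return findings


# Constructed sample in the shape of queryinfo.txt from a clean machine.
CLEAN_OUTPUT = r'''! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell\runas\command
<NO NAME>    REG_SZ    "%1" %*

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell\open\command
<NO NAME>    REG_SZ    "%1" %*

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\
<NO NAME>    REG_SZ    exefile
Content Type    REG_SZ    application/x-msdownload

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\PersistentHandler
'''

# Same sample with the open\command value wrapped by a placeholder program
# path (constructed; the path does not refer to any real file).
HIJACKED_OUTPUT = r'"C:\constructed\hook.exe" "%1" %*'.join(CLEAN_OUTPUT.rsplit('"%1" %*', 1))

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_OUTPUT), ("hijacked", HIJACKED_OUTPUT)):
        print(label, check_exe_association(sample) or ["no deviations"])
```

The parser ignores the system.ini and win.ini text that the later `type` commands append to the same file, because none of those lines carry a REG_ type token; only the three keys named in EXPECTED are compared, so extra keys in the dump produce no noise.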
Wingman1487
! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell\runas\command
<NO NAME> REG_SZ "%1" %*

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell\open\command
<NO NAME> REG_SZ "%1" %*

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\
<NO NAME> REG_SZ exefile
Content Type REG_SZ application/x-msdownload

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\PersistentHandler
; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[tmaximizer]
wizard=yes
usertype=2
update=automatic
background=yes
[SciCalc]
layout=1
; for 16-bit app support

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 6:58:52 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1146097344\ee\AOLSoftware.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
c:\program files\common files\aol\1146097344\ee\aim6.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Warnie\LOCALS~1\Temp\Rar$EX01.978\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146097344\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133838052506
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe



As for a virus, my Trend Micro found a folder under my personal documents called "Complete" (it was under an operating system file) that had over 26,000 instances of a virus. Each one was about 900kB of a zipped application. It added up to around 5 gigs worth of files. It's all gone now.
Thanks
Ad Astra
Hi

Could you download and run this virus removal tool from Sophos please:

http://www.sophos.com/support/disinfection/alcra.html

Download the file to a folder.

Double click on ALCRAGUI.com to start and accept the terms & conditions; when the program starts, click on Configure, check the button "scan all files" and click OK. Now click on the green GO start scan button to run the scan.

When the scan finishes there will be a log file at C:\resolve.log; can you post the contents of this please.

I will add some more shortly but please post how the above scan goes.

Thanks
Wingman1487
RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com

System disinfection for W32/Alcra-B

Data Version 1.01

System scan started at 13:57 on 23 August 2006

Checking for W32/Alcra-B in memory

Checking for registry keys affected by W32/Alcra-B


Checking for files affected by W32/Alcra-B

Scanning C:

Error opening file C:\Documents and Settings\LocalService\Cookies\index.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat

Error opening file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Error opening file C:\Documents and Settings\LocalService\NTUSER.DAT

Error opening file C:\Documents and Settings\LocalService\ntuser.dat.LOG

Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\NetworkService\NTUSER.DAT

Error opening file C:\Documents and Settings\NetworkService\ntuser.dat.LOG

Error opening file C:\Documents and Settings\Warnie\Cookies\index.dat

Error opening file C:\Documents and Settings\Warnie\Local Settings\Application Data\AOL\UserProfiles\1146097344\wingman1487\cls\common.cls

Error opening file C:\Documents and Settings\Warnie\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls

Error opening file C:\Documents and Settings\Warnie\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

Error opening file C:\Documents and Settings\Warnie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Error opening file C:\Documents and Settings\Warnie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

Error opening file C:\Documents and Settings\Warnie\Local Settings\History\History.IE5\index.dat

Error opening file C:\Documents and Settings\Warnie\Local Settings\History\History.IE5\MSHist012006082320060824\index.dat

Error opening file C:\Documents and Settings\Warnie\Local Settings\Temporary Internet Files\AntiPhishing\07FB382D-AA75-4683-82F4-EAB265A275CB.dat

Error opening file C:\Documents and Settings\Warnie\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Error opening file C:\Documents and Settings\Warnie\NTUSER.DAT

Error opening file C:\Documents and Settings\Warnie\ntuser.dat.LOG

Error opening file C:\hiberfil.sys

Error opening file C:\pagefile.sys

Error opening file C:\resolve.log

Error opening file C:\WINDOWS\Debug\PASSWD.LOG

Error opening file C:\WINDOWS\SchedLgU.Txt

Error opening file C:\WINDOWS\SoftwareDistribution\ReportingEvents.log

Error opening file C:\WINDOWS\Sti_Trace.log

Error opening file C:\WINDOWS\system32\config\AppEvent.Evt

Error opening file C:\WINDOWS\system32\config\default

Error opening file C:\WINDOWS\system32\config\default.LOG

Error opening file C:\WINDOWS\system32\config\Internet.evt

Error opening file C:\WINDOWS\system32\config\SAM

Error opening file C:\WINDOWS\system32\config\SAM.LOG

Error opening file C:\WINDOWS\system32\config\SecEvent.Evt

Error opening file C:\WINDOWS\system32\config\SECURITY

Error opening file C:\WINDOWS\system32\config\SECURITY.LOG

Error opening file C:\WINDOWS\system32\config\software

Error opening file C:\WINDOWS\system32\config\software.LOG

Error opening file C:\WINDOWS\system32\config\SysEvent.Evt

Error opening file C:\WINDOWS\system32\config\system

Error opening file C:\WINDOWS\system32\config\system.LOG

Error opening file C:\WINDOWS\system32\h323log.txt

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA

Error opening file C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

Error opening file C:\WINDOWS\wiadebug.log

Error opening file C:\WINDOWS\wiaservc.log

Error opening file C:\WINDOWS\WindowsUpdate.log


Scanning C:\WINDOWS\system32


System scan finished at 14:12 on 23 August 2006

Processes found : 0
Processes terminated or disinfected : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0
Ad Astra
OK, nothing of interest found in that tool.

Can you start autoruns again please as described before. When the scan finishes click on the Everything tab and then click on the button to deselect against these two items:



outlook File not found: C:\Program Files\outlook\outlook.exe

msdirectx File not found: C:\WINDOWS\system32\msdirectx.sys



Next, do you recognise this game site: http://www.popcap.com/games?

If not, start HijackThis and run a scan; when the scan has finished, select this one item:


O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab


and click on the "Fix checked" button.

Reboot the PC and then download RootkitRevealer from Sysinternals:

http://www.sysinternals.com/Utilities/RootkitRevealer.html

Unzip the file, close all applications and browser windows and run RootkitRevealer.exe. The scan is intensive, so please let it run to completion and do not start any applications etc. until the scan completes. When the scan has completed, select File and save the log. Then post the contents of that log into this thread as well please.

Many thanks
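The triage in the last two replies is done by eye: autorun entries whose target file no longer exists are leftovers to deselect, and an O16 DPF entry (an ActiveX control downloaded by Internet Explorer) is worth a look when the user does not recognise the site it came from. As an added example, not code from the thread or from any of the tools it names, the script below applies both rules to text in the shape of the Autoruns dump and the HijackThis log posted above. The sample lines are constructed copies in that shape, the trusted-host set is supplied by whoever runs the check, and the script only flags items for review; it changes nothing.

```python
"""Triage helper for Autoruns and HijackThis text (added example).

Two checks the thread's reviewer applies by hand:
  1. autorun entries whose target file Autoruns could not find
  2. O16 DPF entries whose download host is not one the user recognises
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed lines in the same shape as the Autoruns dump in the thread.
AUTORUNS_SAMPLE = r"""
+ outlook File not found: C:\Program Files\outlook\outlook.exe
+ msdirectx File not found: C:\WINDOWS\system32\msdirectx.sys
+ ialm Intel Graphics Miniport Driver Intel Corporation c:\windows\system32\drivers\ialmnt5.sys
"""

# Constructed HijackThis lines. The third URL is cut with "..." the way the
# forum renders long links; the host part survives, which is all we need.
HJT_SAMPLE = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133838052506
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

# "+ <entry name> File not found: <path>"
MISSING_RE = re.compile(r"^\+\s+(?P<name>\S+)\s+File not found:\s+(?P<path>.+)$")
# "O16 - DPF: {CLSID} (optional description) - <url>"
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)


def missing_autorun_targets(text: str) -> List[Tuple[str, str]]:
    """Entries whose target file is gone: (entry name, path) pairs to deselect."""
    found: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = MISSING_RE.match(line.strip())
        if m:
            found.append((m.group("name"), m.group("path")))
    return found


def host_is_trusted(host: str, trusted: Set[str]) -> bool:
    """True for an exact match or a subdomain of a trusted name.

    Suffix matching is done on whole labels, so 'microsoft.com.example'
    is not covered by 'microsoft.com'.
    """
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def unrecognised_dpf(text: str, trusted: Set[str]) -> List[Dict[str, str]]:
    """O16 entries whose download host is not in the caller's trusted set."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""
        if not host_is_trusted(host, trusted):
            hits.append({"clsid": m.group("clsid"), "host": host, "url": m.group("url")})
    return hits


if __name__ == "__main__":
    for name, path in missing_autorun_targets(AUTORUNS_SAMPLE):
        print(f"deselect {name}: target missing ({path})")
    for hit in unrecognised_dpf(HJT_SAMPLE, {"microsoft.com"}):
        print(f"review O16 {hit['clsid']} from {hit['host']}")
```

Run on the constructed samples it lists the two stale autorun entries and the popcap.com control, and stays quiet about the two Microsoft controls because the trusted set covers their subdomains.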
Invision Power Board © 2001-2009 Invision Power Services, Inc.