# Are There any Nasties Left? HJT log included



## leanneqld (Oct 24, 2007)

PC (HP desktop, Intel Pentium 4, 512 MB RAM) was running slow and kept getting "lovecrush" and winantivirus (that would begin downloading even when clicking no) pop-ups. Also, when booting, I was getting RUNDLL errors as follows:
C:\windows\system32\j62281137.dll
C:\windows\system32\jdsagcsp.dll
C:\windows\system32\nwftiikf.dll

I have run HouseCall, Spybot, Ad-Aware and SUPERAntiSpyware. I tried running Panda ActiveScan, but it scans about 29,000 files, gets to a bunch of windowslivecontact files and slows right down, so it took 27 hours to scan 40,000 files, which didn't seem right.
Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:40 AM, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {268392DE-4AED-48FA-811F-5A7F91A08B2d} - C:\WINDOWS\system32\lyttfrjy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\system32\kicch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [j6281137] rundll32 C:\WINDOWS\system32\j6281137.dll sook
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdsagcsp.dll",forkonce
O4 - HKLM\..\Run: [SalesMonitor] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\nwftiikf.dll",sitypnow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146663582484
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 13828 bytes


Would appreciate any advice.
Thanks


----------



## oscaryu1 (Oct 24, 2007)

*O2 - BHO: (no name) - {268392DE-4AED-48FA-811F-5A7F91A08B2d} - C:\WINDOWS\system32\lyttfrjy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)*


----------



## leanneqld (Oct 24, 2007)

How do I remove them, please?


----------



## ceewi1 (Oct 24, 2007)

oscaryu1, please be more careful.  Not only will your suggestions have no effect at fixing the problem, they will reduce his system security by disabling Spybot's protection and will prevent Java from functioning properly.

leanneqld, please disregard the above advice.  

Please download VundoFix.exe to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click *OK*.
Once you've completed the following instructions, please post the contents of C:\*vundofix.txt*
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

Once done, please do the following:
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Once done, please run HijackThis and choose *Do a system scan only*
Place a check next to the following items (where still present):

*O2 - BHO: (no name) - {268392DE-4AED-48FA-811F-5A7F91A08B2d} - C:\WINDOWS\system32\lyttfrjy.dll (file missing)*
*O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)*
*O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\system32\kicch.exe*
*O4 - HKLM\..\Run: [j6281137] rundll32 C:\WINDOWS\system32\j6281137.dll sook*
*O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdsagcsp.dll",forkonce*
*O4 - HKLM\..\Run: [SalesMonitor] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"*
*O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\nwftiikf.dll",sitypnow*
*O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)*
*O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)*

Close all open windows except for HijackThis and choose *Fix checked*
Please delete the following file:
*C:\WINDOWS\system32\kicch.exe*

Please reboot and post a new HijackThis log along with the VundoFix and ComboFix logs.  You may need to use multiple posts to fit all the logs in.


----------
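A triage sketch for the HijackThis lines discussed above, added here as an example; it is not part of any participant's post and not HijackThis code. It flags entries whose target is missing from disk and `Run` values that load a DLL through rundll32, then checks which flagged O2 lines are gone from the follow-up log. The names `Finding`, `triage` and `compare` and the two rules are assumptions for illustration, and a flag means "review this entry", not "malicious".

```python
"""Triage sketch for HijackThis log lines (added example, hypothetical names)."""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the first log posted in this thread.
BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {268392DE-4AED-48FA-811F-5A7F91A08B2d} - C:\WINDOWS\system32\lyttfrjy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [j6281137] rundll32 C:\WINDOWS\system32\j6281137.dll sook
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\jdsagcsp.dll",forkonce
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)
"""

# Constructed sample: three O2 entries as they appear in the follow-up log.
AFTER_O2 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")           # section code, rest
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$")   # target not on disk
RUN = re.compile(r"^[^:]+: \[[^\]]*\] (?P<cmd>.+)$")       # "<hive>: [name] cmd"
RUNDLL = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?[ ,]+(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. O2, O4, O20
    reason: str   # "orphaned" or "rundll32-autorun"
    target: str   # file path, CLSID, or "dll!export"
    line: str     # the original log line


def triage(log_text):
    """Return the entries worth a manual look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue  # header, process list or blank line
        section, rest = entry.groups()
        orphan = ORPHAN.search(rest)
        if orphan:
            # Last " - " field is the path; fall back to the CLSID if it is empty.
            head = rest[:orphan.start()].strip().rstrip("-").strip()
            findings.append(
                Finding(section, "orphaned", head.rsplit(" - ", 1)[-1], line))
            continue
        if section == "O4":
            run = RUN.match(rest)
            dll = run and RUNDLL.match(run.group("cmd"))
            if dll:
                target = f'{dll.group("dll")}!{dll.group("export")}'
                findings.append(
                    Finding(section, "rundll32-autorun", target, line))
    return findings


def compare(before_text, after_text, section):
    """Split one section's findings into (cleared, remaining) using a later log."""
    after_lines = {l.strip() for l in after_text.splitlines()}
    flagged = [f for f in triage(before_text) if f.section == section]
    cleared = [f for f in flagged if f.line not in after_lines]
    remaining = [f for f in flagged if f.line in after_lines]
    return cleared, remaining


if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f"{f.section:<4}{f.reason:<18}{f.target}")
    cleared, remaining = compare(BEFORE, AFTER_O2, "O2")
    print("cleared:", [f.target for f in cleared])
    print("still listed:", [f.target for f in remaining])
```
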



## leanneqld (Oct 25, 2007)

Thank you ceewi1. I ran Vundo once, but the link to the next step wouldn't work.
I got this when I clicked on it:

"404 Not Found
The requested URL '/sUBs/combofix.exe' was not found on this server. "


----------



## leanneqld (Oct 25, 2007)

OK, I was able to find combofix at another site.
First, here is the Vundo text log:

C:\WINDOWS\system32\fkiitfwn.ini
C:\WINDOWS\system32\jdsagcsp.dll
C:\WINDOWS\system32\nwftiikf.dll
C:\WINDOWS\system32\pscgasdj.ini


Now the combofix log:


ComboFix 07-10-23.1 - HP_Owner 2007-10-25 10:01:15.1 - NTFSx86 
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.152 [GMT 10:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\HP_Owner\err.log
C:\Documents and Settings\Shaun\Application Data\macromedia\Flash Player\#SharedObjects\JCAD8MBD\www.broadcaster.com
C:\Documents and Settings\Shaun\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Shaun\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Shaun\Application Data\PCTurbo Pro Free
C:\Documents and Settings\Shaun\Application Data\PCTurbo Pro Free\Logs\update.log
C:\Documents and Settings\Shaun\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Shaun\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Shaun\Desktop\WinAntiSpyware 2007.lnk
C:\Program Files\Common Files\fnts~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cfx32.ocx
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN


(((((((((((((((((((((((((   Files Created from 2007-09-25 to 2007-10-25  )))))))))))))))))))))))))))))))
.

2007-10-25 10:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-10-25 09:07	<DIR>	d--------	C:\VundoFix Backups
2007-10-22 23:23	<DIR>	d--------	C:\Documents and Settings\HP_Owner\.housecall6.6
2007-10-22 23:18	<DIR>	d--------	C:\Program Files\Windows Defender
2007-10-22 23:07	<DIR>	d--------	C:\Program Files\RegCure
2007-10-22 18:29	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2007-10-22 18:29	<DIR>	d--------	C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2007-10-22 18:28	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 18:02	149,875	---hs----	C:\WINDOWS\system32\ijkmp.ini2
2007-10-03 19:25	<DIR>	d--------	C:\Documents and Settings\HP_Owner\Application Data\Publish Providers
2007-10-03 19:23	<DIR>	d--------	C:\Documents and Settings\HP_Owner\Application Data\Sony
2007-09-30 19:26	<DIR>	d--------	C:\Documents and Settings\Shaun\Application Data\Publish Providers
2007-09-30 19:14	33,340	---------	C:\WINDOWS\system32\dbmsqlgc.dll
2007-09-30 19:14	24,576	---------	C:\WINDOWS\system32\dbmsgnet.dll
2007-09-30 19:11	<DIR>	d--------	C:\Program Files\Microsoft SQL Server
2007-09-30 19:10	<DIR>	d--------	C:\Documents and Settings\Shaun\Application Data\Sony
2007-09-30 19:06	<DIR>	d--------	C:\Program Files\Sony
2007-09-30 18:42	<DIR>	d--------	C:\Program Files\Sony Setup
2007-09-30 18:42	<DIR>	d--------	C:\Documents and Settings\Shaun\Application Data\Sony Setup

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 09:21	---------	d-----w	C:\Program Files\MSN Messenger
2007-10-24 00:51	---------	d-----w	C:\Program Files\Windows Live Toolbar
2007-10-24 00:51	---------	d-----w	C:\Program Files\QuickTime
2007-10-24 00:51	---------	d-----w	C:\Program Files\iTunes
2007-10-24 00:51	---------	d-----w	C:\Program Files\Google
2007-10-23 22:00	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-22 12:59	---------	d-----w	C:\Program Files\7-Zip
2007-10-22 08:08	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-10-17 10:54	---------	d-----w	C:\Program Files\GameSpy Arcade
2007-09-24 07:20	---------	d-----w	C:\Program Files\Steam
2007-09-24 03:32	---------	d-----w	C:\Documents and Settings\Shaun\Application Data\uTorrent
2007-09-23 10:17	---------	d-----w	C:\Program Files\PacificPoker
2007-09-10 02:48	---------	d-----w	C:\Program Files\UltimateBet
2007-08-31 03:00	---------	d-----w	C:\Program Files\Windows Media Connect 2
2007-08-30 01:49	---------	d-----w	C:\Documents and Settings\HP_Owner\Application Data\AVG7
2006-11-27 07:26	2,284,296	----a-w	C:\Documents and Settings\All Users\xfire_installer_22876.exe
2006-06-26 08:34	40	----a-w	C:\Documents and Settings\Shaun\language.dat
2005-12-31 15:54	6	----a-w	C:\Documents and Settings\HP_Owner\ip.bat
2005-10-30 08:10	20,072,184	----a-w	C:\Program Files\QuickTimeInstaller.exe
2005-04-04 09:23	7,316,168	----a-w	C:\Documents and Settings\All Users\INSTALL_MSN_MESSENGER_DL.EXE
2005-04-04 09:10	5,244,336	----a-w	C:\Documents and Settings\HP_Owner\SetupDl.exe
2007-06-15 12:45:10	56	--sh--r	C:\WINDOWS\system32\151FB60BAA.sys
2007-06-16 05:40:38	1,682	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-13 11:52:26	667,663	--sha-w	C:\WINDOWS\system32\nnnmp.bak1
2007-05-13 09:50:14	669,020	--sha-w	C:\WINDOWS\system32\nnnmp.bak2
2007-05-10 12:52:33	597,418	--sha-w	C:\WINDOWS\system32\nnnmp.ini2
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{268392DE-4AED-48FA-811F-5A7F91A08B2d}]
			C:\WINDOWS\system32\lyttfrjy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 05:00]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 02:21 C:\WINDOWS\ALCXMNTR.EXE]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:44]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:38]
"Home Theater SchSvr"="C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-07-30 10:34]
"WINREMOTE"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [2004-06-25 04:47]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-24 21:10]
"bcmwltry"="bcmwltry.exe" [2003-07-26 09:28 C:\WINDOWS\system32\bcmwltry.exe]
"removecpl"="RemoveCpl.exe" []
"JVM0.14"="C:\WINDOWS\system32\kicch.exe" []
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 18:57 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 18:53 C:\WINDOWS\ALCWZRD.EXE]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-12 04:23]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-27 10:24]
"WINCINEMAMGR"="C:\Program Files\InterVideo\Common\Bin\WinRemote.exe" [2004-06-25 04:47]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-24 09:29]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 12:36]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe" [2004-08-25 21:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 17:49]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnn] 
C:\WINDOWS\system32\pmnnn.dll 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhdn32] 
winhdn32.dll 

R2 SVKP;SVKP;\??\C:\WINDOWS\system32\SVKP.sys
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 Net6IM;Net6;C:\WINDOWS\system32\DRIVERS\net6im51.sys
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
S3 gbalink;GBA Link Driver (gbalink.sys);C:\WINDOWS\system32\Drivers\gbalink.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-18 01:25:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-24 23:16:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-25 00:12:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-25 00:10:57 C:\WINDOWS\Tasks\RegCure Program Check.job"
"2007-10-22 13:07:39 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 10:11:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-10-25 10:12:43 - machine was rebooted 
.
	--- E O F ---


----------



## ceewi1 (Oct 25, 2007)

Sorry about the bad link. There are still a few things to fix. Can you please perform the HijackThis fixes I indicated at the end of my last post and post a new HijackThis log?


----------



## leanneqld (Oct 25, 2007)

OK, done. New HJT as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:51 PM, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146663582484
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


----------



## ceewi1 (Oct 25, 2007)

Just a couple of last cleanup items:

Please run HijackThis and choose *Do a System Scan Only*.

Place a check next to the following entry:
*O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE*

Please close all open windows except for HijackThis and choose *Fix checked*

Please set Windows to show hidden files:
Click *Start*.
Open *My Computer*.
Select the *Tools* menu and click *Folder Options*.
Select the *View* Tab.
Under the Hidden files and folders heading select *Show hidden files and folders*.
Uncheck the *Hide protected operating system files (recommended)* option.
Click *Yes* to confirm.
Click *OK*.

Please delete the following files:
*C:\WINDOWS\system32\ijkmp.ini2*
*C:\WINDOWS\system32\nnnmp.bak1*
*C:\WINDOWS\system32\nnnmp.bak2*
*C:\WINDOWS\system32\nnnmp.ini2*

Please set Windows to hide hidden files again:
Click *Start*.
Open *My Computer*.
Select the *Tools* menu and click *Folder Options*.
Select the *View* Tab.
Under the Hidden files and folders heading select *Hide hidden files and folders*.
Check the *Hide protected operating system files (recommended)* option.
Click *OK*.

Please reboot and post a new HijackThis log.  Are you still having any problems?


----------



## leanneqld (Oct 25, 2007)

Hi ceewi1,
have done what you asked......2 problems left.. 
1.Upon booting up, get an error 
"pchnotify.exe has encountered a problem and needs to close"

2. "internet Exp has encountered a prob with an add-on- the following add-on was running when the problem occurred
googletoolbar2.dll"..
I can only right click on the icon on the desktop to open explorer without any add-ons.

also here is the latest HJT log after removing those items..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:29 AM, on 26/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146663582484
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 12764 bytes

Thanks


----------
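The comparison between the two logs posted so far can be done mechanically. The following is an added example (not code from the thread or from HijackThis) that parses HijackThis logs, lists the entries removed between two scans, and flags entries worth a manual look. The sample text is a constructed excerpt of the logs above, and the three review heuristics are assumptions of this example, not HijackThis rules.

```python
import re
from ntpath import basename  # Windows path handling on any host OS

# Constructed excerpt: lines copied from the first log in this section.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""
# The second log in the thread no longer contains the AlcxMonitor line.
LOG_AFTER = LOG_BEFORE.replace(
    "O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE\n", "")

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# Body of a registry Run entry: "<hive>\..\Run: [value name] command line"
RUN_RE = re.compile(r"^\S+\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def parse_log(text):
    """Split a log into running-process names and (code, body) entries."""
    processes, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.add(basename(line).lower())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def diff_entries(before, after):
    """Entries present in the earlier scan but gone from the later one."""
    remaining = set(after["entries"])
    return [e for e in before["entries"] if e not in remaining]


def review_flags(log):
    """Heuristics (assumptions of this example) for entries to check by hand."""
    flags = []
    for code, body in log["entries"]:
        if body.endswith("(no file)"):
            # Registration is still in the registry, target file is absent.
            flags.append(("file missing on disk", code, body))
        elif code == "O23" and " - Unknown owner - " in body:
            flags.append(("service owner unknown", code, body))
        elif code == "O4":
            m = RUN_RE.match(body)
            # No backslash: the command is a bare file name resolved through
            # the search path rather than a fixed location.
            if m and "\\" not in m.group(2):
                exe = m.group(2).split()[0].strip('"').lower()
                if exe not in log["processes"]:
                    flags.append(
                        ("Run value has no path and is not running", code, body))
    return flags


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for code, body in diff_entries(before, after):
        print("removed:", code, "-", body)
    for reason, code, body in review_flags(after):
        print("review :", reason, "|", code, "-", body)
```

A flag only means the entry deserves a look: a start-up program that runs once and exits will also show up as "not running".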



## ceewi1 (Oct 26, 2007)

Great, your logfile appears to be clean.  Now to fix your other problems.

Firstly, uninstall Google Toolbar.  To do so, click on Start -> Control Panel -> Add or Remove Programs.  Click on *Google Toolbar for IE* and click Remove.

Once done, please run HijackThis and choose *Do a System Scan Only*.

Place a check next to the following entries (where still present):
*O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll*
*O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll*
*O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll*
*O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\Pavilion\XPHWWBF4\plugin\bin\pchbutton.exe*
*O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe*
Please close all open windows except for HijackThis and choose *Fix checked*

Reboot your PC.  If you are still receiving the pchnotify.exe error, please follow the instructions at http://h10025.www1.hp.com/ewfrf/wc/...product=67345&lang=en&cc=us&docname=c00575481

If you are still receiving the googletoolbar2.dll error, open up Internet Explorer, click on Tools -> Options.  Click on the *Programs* tab and click on Manage add-ons.  Click on any Google related entries and click *Disabled*.  Click OK twice and restart Internet Explorer.

Afterwards, you can try reinstalling the Google toolbar if you still want it.


----------



## leanneqld (Oct 26, 2007)

..ok..done that
IE is still not right.
If I double click the desktop icon for IE it brings up the IE frame but  in the address bar is this.....
"http://runonce.msn.com/runonce2.aspx"
instead of the homepage(which is yahoo)
I can get to the home page if I click on the house icon in the IE window.
Also, regardless of whether I have the IE add-ons disabled or enabled, it still won't go straight to the homepage (yahoo), which is what it used to do.
Thanks


----------



## ceewi1 (Oct 26, 2007)

OK, download the following script to your desktop: http://enhanceie.com/dl/NoRunOnce.reg

Double click on it and answer yes when asked whether you wish to merge the information with the registry.  Reboot your PC and see if the problem remains.


----------



## leanneqld (Oct 26, 2007)

OUTSTANDING ceewi1......back to normal
Many Thanks


----------



## leanneqld (Oct 27, 2007)

Damn..I spoke too soon

We have multiple users set up on this pc. Whilst the problem was fixed for one user we found out there are now script errors for the other users.
Double clicking the IE icon on the desktop opens to this

"http://runonce.msn.com/runonce2.aspx" (same as previous error)
Also getting script error as follows
"An error has occurred in the script on this page
Line 2
char 1
Code 0
URL:mkMSITSTORE:C:\WINDOWS\HELP\iexplore.chm::/ie_add-ons_disabled_qa.htm"

*Also cannot access User accounts to edit/remove/change details
when I try that I get a script error that cannot be closed  unless rebooting.
*Also cannot change wallpaper to a picture, only plain solid colours.


----------



## ceewi1 (Oct 28, 2007)

OK, you'll need to run that registry file in my last post for each affected user - Internet Explorer keeps those settings separately for each user.  

With regards to the scripting error, try this:

Click *Start*, and then click *Run*.
In the Open box, type *Regsvr32 urlmon.dll*, and then click *OK*.
When prompted with the DllRegisterServer in urlmon.dll succeeded message, click *OK*.
If the issue persists, follow these steps:
Open the Java Virtual Machine. To do so, visit the following Java Web site:
http://www.java.com/en
Close all instances of Internet Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
Click the Advanced tab.
Under Browsing, click to clear the Enable third-party browser extensions (requires restart) check box.
Restart Internet Explorer.
If the issue persists, follow these steps:
Open Internet Explorer.
Click Tools, and click Internet Options.
Click the Advanced tab.
Under Browsing, click to select the Disable Script Debugging check box.
Click OK to close all windows, and then restart the computer.

As for the wallpaper problem, download *Wallpaper Hijack Remover*.  Run it and click *Continue*.  Select HKCU if only one user account is affected, or HKLM if all users are affected.  Click on *Check for Hijack* and click on *Repair* for any items whose status is Enabled.


----------



## leanneqld (Oct 28, 2007)

nothing worked..

Was I supposed to download anything from www.java.com/en? or just have it open when I made the change?
I tried changing "Enable third-party browser extensions" to uncheck but every time I rebooted it would be checked again.

Disable Script Debugging was already checked.

The wallpaper hijack remover did nothing.....most items it said was disabled..I clicked on repair anyway and it said it was repaired..a 2 options came back with an error. 

There are separate registry entries for each user account isn't there?

I searched and found a lot of registry fixes for the wallpaper issue but I had a problem with each directory ..I don't have the file in the registry for this problem user account...example

*HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.   There is NO system folder

and this................
*1. Click Start - Run - type REGEDIT and press Enter 
2. Expand to: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ 
Explorer\ActiveDesktop 
3. On the right side pane - check if there is an entry 
"NoChangingWallpaper". Set its value to 0 by double-clicking or delete the 
entry. 

There is NO Activedesktop folder


----------



## ceewi1 (Oct 28, 2007)

A couple of scripts to run that will hopefully help with your problems.

Firstly, download and run http://windowsxp.mvps.org/reg/olereg.vbs.

Secondly, download and run http://www.kellys-korner-xp.com/regs_edits/wallpaperenable.reg.  Answer yes when asked if you wish to merge the information with the registry (it will automatically create/change the registry keys you've been looking at, along with quite a few others).

Reboot, and see if the problems remain.

If that doesn't work, try this:

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot to Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).

Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press *Enter* to delete infected files.

You will be prompted : 

Registry cleaning - *Do you want to clean the registry ?*; answer Yes by typing *Y* and press Enter.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the file; answer Yes by typing *Y* and press Enter.

The tool may need to restart your computer; if it doesn't, please restart anyway into normal Windows.  A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## leanneqld (Oct 28, 2007)

regarding the kelly's corner fix.....when i try to run it i get the error message
"cannot import c:\documents and settings\temp internet f\content.IE5\PCDSQ55\wallpaperenable[1]reg:nat all data was successfully written to the registry. Some keys are open by the system or other processes"\

Should I try and run it on one of the other user accounts?(ie the one that doesn't have the wallpaper issue)?


----------



## ceewi1 (Oct 28, 2007)

No, the registry entries involved are specific to each user account, running them under your own account won't fix the problem.  Is the account in question an Administrator account?  Try running it in Safe Mode, and try running Smitfraudfix as in my previous post.


----------



## leanneqld (Oct 28, 2007)

still no success...also..all the users are administrators. If I could get rid of the script error I'd just delete the user and set up a new one.
Anyway, here's the log from the smitfraud program

SmitFraudFix v2.242

Scan done at 19:33:36.42, Sun 10/28/2007
Run from C:\recovery\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done. 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## ceewi1 (Oct 29, 2007)

OK, firstly uninstall Internet Explorer 7, since it can be responsible for a lot of these errors.  You can try reinstalling it again once these problems are fixed up.

Secondly, follow steps 1-9 at http://kb.adobe.com/selfservice/viewContent.do?externalId=fb1634cb&sliceId=2 (I know it's for a different problem, but the idea behind it is to ensure correct access to all registry settings).

Thirdly, click on Start -> Run. Type in *cmd* and click OK to bring up the command prompt.  Type the following commands one at a time pressing Enter at the end of each line:
```
cd %windir%\system32
for /f %s in ('dir /b *.dll') do regsvr32 /s %s
```

Reboot, and see if the User Account problem remains.


----------



## leanneqld (Oct 29, 2007)

do I run the SubinACL in any user account or do I have to run it in all 3 user accounts?

Also..."control panel/user accounts" the script error has disappeared but the big white box appears with no options except for the home, back arrow and forward arrow. Also the link you gave me to the adobe page doesn't display all the text. I had to read the instructions on another pc.


----------



## leanneqld (Oct 29, 2007)

ok...done everything. I have the text back, I have the user accounts back to normal.  THANKYOU

The only thing left is the dreaded wallpaper issue. I still can't load any of the pics as a wallpaper.
 any more ideas for that one? ( i'm thinking it's gotta be a registry prob?)


----------



## ceewi1 (Oct 29, 2007)

Glad to hear that worked.  As for the wallpaper problem, I agree it's almost certainly registry settings.  I've attached a zip file to this post.  Please download it and run first fixreg1.reg and then fixreg2.reg in the affected account.  Answer yes when asked whether you want to merge the information with the registry.  See if that fixes the problem, and tell me if you get any errors when running either of the registry files.


----------



## leanneqld (Oct 29, 2007)

fixreg1 worked
fix reg2 didn't. I got this error message..."Cannot import C:\documents and settings\kids\desktop\fixreg\fixreg2.reg:Error accessing the registry"


----------



## ceewi1 (Oct 30, 2007)

Unfortunately, there are quite a few ways to block the desktop background from being changed.  Try this one:

In the affected account, Click on Start -> Run.  Type in *gpedit.msc* and click OK.  This will open the Group Policy Editor.

Expand *User Configuration* (if it isn't already expanded)
Expand *Administrative Templates*
Expand *Control Panel*
Click on *Display*
On the right hand side, double click on *Prevent changing wallpaper*
Click *Disabled*
Click *OK*
Close the Group Policy Editor
See if that allows you to change the background.


----------



## leanneqld (Oct 30, 2007)

hi there,

tried this twice. Once typing in the file name and once copying/pasting from your post. Both times I got an error message...
" Windows cannot find 'gpedit.msc'. Make sure you typed the name correctly then try again."
I searched the entire pc for this file name and it came up empty as well.


----------



## ceewi1 (Oct 30, 2007)

My mistake, the Group Policy Editor is for XP Pro only, which for some reason I thought you had.  I'll have some more suggestions for you later - right now my Internet connection is barely staying on for long enough for me to post this (darned ISP!)


----------



## leanneqld (Oct 30, 2007)

LOL
no problem.


----------



## ceewi1 (Oct 31, 2007)

Firstly, try running the Kelly's Korner registry file again (http://www.kellys-korner-xp.com/regs_edits/wallpaperenable.reg).  I'd like to know if you still get the same error since changing the permissions.  See if the problem remains.

If that doesn't work, I'd like to see the registry keys in question, to see what's causing this problem.  Please copy and paste the text in the codebox below into a new notepad document.  Please do not include the word Code:

```
Reg export HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies registry.txt
```

Save the file to your desktop as *registry.bat* and make sure the "Save as type" field says "All files".  Double click on it, it will briefly flash up a command box and produce a text file, registry.txt on the desktop.  You may need to press F5 to refresh the screen before you can see that text file.  Please attach registry.txt to your next reply.


----------



## leanneqld (Oct 31, 2007)

got the same error message for the kellys-korner reg fix.

i've attached the txt document as requested


----------



## ceewi1 (Nov 1, 2007)

That's really odd - those settings are the default ones, which means that none of the registry changes we've run have had any effect.  It may actually be quicker to create a new User Account and copy your files over, but if you'd prefer to continue here's the next step.

This is quite possibly a permissions error, please click on Start -> Run and type in *regedit.exe* to access the Registry Editor.  Navigate to the following key: *HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies*

Right click on Policies and choose *Permissions*.  Tell me if "Full Control" is ticked.  If it isn't, tick it.  Click on *Advanced*, tick "Inherit from parent the permissions..." and click *Apply* and *OK*.

Try running the Kellys corner fix once again.

Once done, I've got another batch file for you to run, which will let me see if those changes have made any effect, as well as give me a bit more info.

Please copy and paste the text in the codebox below into a new notepad document. Please do not include the word Code:

```
regedit.exe /e PoliciesLM.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
regedit.exe /e PoliciesCU.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
regedit.exe /e PoliciesSW.txt HKEY_CURRENT_USER\Software\Policies
```

Save the file to a permanent folder as registry.bat and make sure the "Save as type" field says "All files". Double click on it, it will briefly flash up a command box and produce three text files - PoliciesLM, PoliciesCU and PoliciesSW in the folder which you ran the fix. You may need to press F5 to refresh the screen before you can see that text file. Please attach these three files to your next post.


----------



## leanneqld (Nov 2, 2007)

under policies /Full Control and Read had no checks for both allow and deny.
The only check was for special permissions and it was greyed out(allow)
Also I noted that above that under "group or user names" there are only 2 listed...
Administrators(TBR\Administrators)
and SYSTEM

(shouldn't the problem user "kids\skinny" be listed there as well?)...i added skinny to this list and ran kelly-s korner again and it accepted the registry fix. But still made no difference.

So, I am attaching a screen print from the time I added user skinny to the registry/policies/permissions....I'm not sure if this was right to do though???????

NEXT.......
I ran the 3 codebox texts as requested but only 2 files were generated. There was no "policiesSW"


----------



## leanneqld (Nov 2, 2007)

Couldn't attach both txt logs...(Exceeded quota)
here is the LM file copy and pasted...


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{17492023-C23A-453E-A040-C7C580BBF700}"="1"
"{BA2CB6B1-03EE-4068-87CC-F5E4DD772A9B}"="1"
"{7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall]


----------
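
An added example, not part of the original thread: a small parser for the regedit export format pasted above. It decodes the two AutoRun bitmasks from that PoliciesLM export and flags the `NoChangingWallPaper` and `Wallpaper` policy values, which are the registry values behind the "Prevent changing wallpaper" and "Desktop Wallpaper" policies. The function names and the HKEY_CURRENT_USER section of the sample are assumptions constructed for illustration.

```python
import re

# Sample export: the Explorer values are those in the PoliciesLM paste above;
# the HKEY_CURRENT_USER section is constructed to show a locked wallpaper.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
'''

# Bit i of NoDriveTypeAutoRun maps to GetDriveType() result i; bit 7 is reserved.
DRIVE_TYPES = ["unknown", "no_root_dir", "removable", "fixed",
               "network", "cdrom", "ramdisk", "reserved"]
# (key suffix, value name) pairs that block or force the desktop wallpaper.
WALLPAPER = {(r"policies\activedesktop", "nochangingwallpaper"),
             (r"policies\system", "wallpaper")}

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue  # header line, blank line, or data outside any key
        name, raw = m.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
        else:
            current[name] = raw  # hex(...) and other types kept verbatim
    return keys

def review(text):
    """Return (finding, key, detail) tuples for the policy values of interest."""
    out = []
    for key, values in parse_reg(text).items():
        suffix = key.lower()
        for name, val in values.items():
            n = name.lower()
            if any(suffix.endswith(s) and n == v for s, v in WALLPAPER) and val not in (0, ""):
                out.append(("wallpaper-policy", key, f"{name}={val!r}"))
            elif suffix.endswith(r"policies\explorer") and isinstance(val, int):
                if n == "nodrivetypeautorun":
                    types = [t for i, t in enumerate(DRIVE_TYPES) if val >> i & 1]
                    out.append(("autorun-off-types", key, ",".join(types)))
                elif n == "nodriveautorun":
                    letters = "".join(chr(65 + i) for i in range(26) if val >> i & 1)
                    out.append(("autorun-off-drives", key, letters))
    return out
```

Files written by `regedit.exe /e` in this "Version 5.00" format are UTF-16, so open them with `encoding="utf-16"` before passing the text to `review()`.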



## leanneqld (Nov 2, 2007)

ceewi1...i also note that if I reset the homepage and close IE, the next time I open it it has changed back to this 


http://searchmarketing.yahoo.com/en_AU/?mkt=au&Partner=hp_au_pav_desk_home


----------



## ceewi1 (Nov 2, 2007)

With regards to your homepage issue, open up Spybot and go to the "Immunize" section. 
Is "Lock IE Start Page Settings" ticked?
If so, uncheck it.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop*
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop*

Please close all open windows except for HijackThis and choose *Fix checked*

With regards to your desktop background issue, can you please tell me exactly what happens when you try to change the background?  Does it change and change back, is the apply button greyed out, etc...


----------



## leanneqld (Nov 2, 2007)

only 1 of those R1 registry keys were there..so i fixed that one. Didn't help. 
There was another very similar entry but it was R0....so i checked that one and fixed it.  Got rid of the search marketing page ,  now it keeps reverting back to msn.com.


With regards to the background....


Right click on a space on the desktop/properties/
under theme  tab .......=modified theme
under desktop tab......= background highlighted is NONE with a red circle and a diagonal line through the circle
If i click on one of the pictures for example "autumn" and click apply nothing happens.(it will show the pic in the desktop icon as to how the new picture will look but it won't actually change the desktop..it remains blue)

HOWEVER...
If I click on a colour option it will change the desktop to a different solid colour.


----------



## leanneqld (Nov 2, 2007)

sorry, forgot to mention...when i opened up spybot there was no
Lock IE Start Page Settings

there was a check next to "enable permanent blocking of bad addresses in Internet Explorer" and then it said "block all pages silently"


So I unchecked that before running HJT.


----------



## ceewi1 (Nov 2, 2007)

With regards to the home page, try the ideas at http://www.fjsmjs.com/IE/homepage.htm.

With regards to the desktop background, try this:

Set Windows to show hidden files:
Click *Start*.
Open *My Computer*.
Select the *Tools* menu and click *Folder Options*.
Select the *View* Tab.
Under the Hidden files and folders heading select *Show hidden files and folders*.
Uncheck the *Hide protected operating system files (recommended)* option.
Click *Yes* to confirm.
Click *OK*.

*Navigate to C:\Documents and Settings\(user name)\Local Settings\Application Data\Microsoft*.  (Replace (user name) with the user name of the affected account).  Is there a file called *Wallpaper1.bmp* there?  If so, what is it?  Try renaming it to Wallpaper1_old.bmp and see if that changes anything.  Also, try right clicking on a picture and choose *Set as Desktop Background*.  Does that change the background?


----------



## leanneqld (Nov 2, 2007)

I'll get to the homepage soon but this is what happened re the wall paper..
navigated to(in the affected user account) c:\documents and settings\user name\..............thats as far as i can go...local documents is missing. So i switched users to a non-affected one.....i can find the affected user there all the way to wallpaper1.......odd
so i renamed that to wallpaper_old and could change the wallpaper to that pic, only it's the non affected user's wallpaper.

I switched back to the problem user account and tried finding the file via right clicking on start/explore/kids(user account)....same problem..local documents still missing.

So I checked further.....every user if accessed from the problem user account is missing the local documents folder.


----------



## ceewi1 (Nov 4, 2007)

Try (within the affected account), clicking on Start -> Run and type in the following:
*%userprofile%\Local Settings\Application Data\Microsoft*
Click OK.  Does that bring up a folder containing wallpaper1?


----------



## leanneqld (Nov 5, 2007)

it brings up both wallpaper thumbnails..wallpaper 1 and wallpaper_old. 
Above that in the white area i get "no preview available" but if i click on the thumbnails the wallpapers will be displayed.


Also, I have fixed the homepage problem. I used the do not hijack homepage fix in Superantispyware.


----------



## leanneqld (Nov 7, 2007)

I still cannot set these previews as desktop wallpaper
Perhaps I should just delete the user account and start a new one?????


----------



## ceewi1 (Nov 7, 2007)

Sorry about the delay, you can try deleting the wallpaper1 and seeing if that makes a difference.  At this point, though, I would suggest that creating a new User Account would be the easiest way to solve the problem.


----------



## leanneqld (Nov 7, 2007)

no problem with the delay...after re-reading my post I thought I may have led you to believe i had fixed everything ( ha ha ha )

I also discovered that I cannot open windows live messenger or the recycle bin....so I am going to attempt to remove the user account altogether.....will post the result (successful or not).


----------



## leanneqld (Nov 7, 2007)

OK....quick and easy, deleted the user and created a new one. Everything works as it should.

ceewi1.......many many thanks for all your help. It is greatly appreciated.
Cheers
Leanne


----------



## ceewi1 (Nov 7, 2007)

You're welcome, I'm sorry we couldn't fix up that wallpaper problem, but glad that everything's fixed now!


----------

