colinwhi

KeyBoard Logger +

21 posts in this topic

My problems started with a keyboard logger "Hook98.dll" detected by PestPatrol. I now have a situation where Restore Points do not work (XP Home) and on the occasions when I can get out on the Internet, download through IE does not work. However, download of updates to antivirus software and Spybot do work. I have read the FAQ and tried most of the advice there. I am at a loss. Here are my Logs:

 

Logfile of HijackThis v1.97.7

Scan saved at 20:45:44, on 30/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE

C:\WINDOWS\Mixer.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\System32\desk98.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE

C:\Program Files\ATI Multimedia\main\launchpd.exe

C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\spydoctor.exe

C:\program files\BigFix\BigFix.exe

C:\program files\Common Files\DataViz\DvzIncMsgr.exe

C:\WINDOWS\System32\rundll32.exe

C:\program files\Aluria Software\ASE\ASE Scheduler.exe

C:\program files\Palm\HOTSYNC.EXE

C:\program files\Microsoft Office\Office\FINDFAST.EXE

C:\program files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe

C:\My Downloads\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evesham.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [KeyPatrol] c:\PROGRA~1\PESTPA~1\KeyPatrol.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [PrivacyKeyboard] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [ATI Remote Control] C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - Startup: ASE Scheduler.lnk = C:\program files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: HotSync Manager.lnk = C:\program files\Palm\HOTSYNC.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe

O4 - Global Startup: Billminder.lnk = C:\program files\Quicken\billmind.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\program files\Common Files\DataViz\DvzIncMsgr.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\program files\Quicken\bagent.exe

O9 - Extra button: ATI TV (HKLM)

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25ae9aa36d338a...ip/RdxIE601.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8121.9732060185

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

StartupList report, 30/06/2004, 20:47:38

StartupList version: 1.52

Started from : C:\My Downloads\HijackThis.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE

C:\WINDOWS\Mixer.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\System32\desk98.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE

C:\Program Files\ATI Multimedia\main\launchpd.exe

C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\spydoctor.exe

C:\program files\BigFix\BigFix.exe

C:\program files\Common Files\DataViz\DvzIncMsgr.exe

C:\WINDOWS\System32\rundll32.exe

C:\program files\Aluria Software\ASE\ASE Scheduler.exe

C:\program files\Palm\HOTSYNC.EXE

C:\program files\Microsoft Office\Office\FINDFAST.EXE

C:\program files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe

C:\My Downloads\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Colin Whitmore\Start Menu\Programs\Startup]

ASE Scheduler.lnk = C:\program files\Aluria Software\ASE\ASE Scheduler.exe

HotSync Manager.lnk = C:\program files\Palm\HOTSYNC.EXE

Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE

Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

BigFix.lnk = C:\program files\BigFix\BigFix.exe

Billminder.lnk = C:\program files\Quicken\billmind.exe

DataViz Inc Messenger.lnk = C:\program files\Common Files\DataViz\DvzIncMsgr.exe

Quicken Scheduled Updates.lnk = C:\program files\Quicken\bagent.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

C-Media Mixer = Mixer.exe /startup

AtiPTA = atiptaxx.exe

HydraVisionDesktopManager = desk98.exe

PestPatrol Control Center = c:\PROGRA~1\PESTPA~1\PPControl.exe

CookiePatrol = c:\PROGRA~1\PESTPA~1\CookiePatrol.exe

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HydarVisionDesktopManager =

RoxioDragToDisc = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

SM1BG = C:\WINDOWS\SM1BG.EXE

KeyPatrol = c:\PROGRA~1\PESTPA~1\KeyPatrol.exe

Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

APVXDWIN = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s

PrivacyKeyboard = C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

ATI Launchpad = "C:\Program Files\ATI Multimedia\main\launchpd.exe"

ATI Remote Control = C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

Spyware Doctor = "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\ssflwbox.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

 

[AccountTracking Profile Manager Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\accounttracking.dll

CODEBASE = http://moneymanager.egg.com/activex/accounttracking.cab

 

[RdxIE Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll

CODEBASE = http://software-dl.real.com/25ae9aa36d338a...ip/RdxIE601.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8121.9732060185

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 7,195 bytes

Report generated in 1.125 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Hi Colinwhi :)

 

Welcome to SWI. Thank you for your patience. You are using an outdated version of HijackThis. Please download version 1.98.2 from here:

http://www.downloads.subratam.org/hijackthis.zip

and make sure to unzip it to a permanent folder. Then please run HijackThis, click "Scan" and "Save log" and post the new log here. I would be happy to take a look at it :D


If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Re-opened at user's request: lpp

 

Sorry it has taken me so long to post. Here is an explanation and my log. My XP SP1 became infected and, try as I may, I could not get a working system. I removed the keyboard logger and the system then complained, on start up, with a pop up box of an Appian Graphics Error “Couldn’t load Hook98.dll”, which was the logger I removed. I tried to reg edit the Appian stuff out but it kept returning. I attempted an XP reload but that failed. Eventually I loaded a new XP to a different folder on my disc so that I at least had something that worked. That version is now SP2.

I now have two OSs on my machine, the infected SP1 and until now a clean SP2. I have managed to complete the reload of SP1; some of my applications do not work, but that should be a solvable problem.

The Log is from the SP1 version. Any advice would be welcome.

 

Logfile of HijackThis v1.99.0

Scan saved at 17:54:06, on 12/01/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Mixer.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\WINDOWS\System32\desk98.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe

C:\Program Files\ATI Multimedia\main\launchpd.exe

C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\spydoctor.exe

C:\WINDOWS\System32\msiexec.exe

C:\program files\BigFix\BigFix.exe

C:\program files\Common Files\DataViz\DvzIncMsgr.exe

C:\WINDOWS\System32\rundll32.exe

C:\program files\Aluria Software\ASE\ASE Scheduler.exe

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe

C:\program files\Palm\HOTSYNC.EXE

C:\program files\Microsoft Office\Office\FINDFAST.EXE

C:\program files\Microsoft Office\Office\OSA.EXE

A:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evesham.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [PrivacyKeyboard] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [ATI Remote Control] C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - Startup: ASE Scheduler.lnk = C:\program files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: HotSync Manager.lnk = C:\program files\Palm\HOTSYNC.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe

O4 - Global Startup: Billminder.lnk = C:\program files\Quicken\billmind.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = C:\program files\Common Files\DataViz\DvzIncMsgr.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\program files\Quicken\bagent.exe

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25ae9aa36d338a...ip/RdxIE601.cab

O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)

O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: Panda anti-virus service - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe

O23 - Service: PrivacyKeyboard Service - Raytown Corporation LLC - C:\WINDOWS\System32\pksrv.exe

O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Hi colinwhi :)

 

Welcome to SWI. I am sorry we have had trouble communicating for the past 6 months! I am glad to finally be able to address your problem. :D

 

Please run HijackThis and click Scan, then check:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25ae9aa36d338a...ip/RdxIE601.cab

 

Close all open windows except for HijackThis and click "Fix Checked".

 

That is the only malware entry I see in your log and it is minor. Let me get all the facts straight --- you had a keylogger, hook98.dll, which you removed, but is still causing error messages? I have a few questions:

 

1) How do you know hook98.dll was a keylogger? What program detected it? I found at least one reference to hook98.dll as a possible legitimate file.

 

2) Are you still seeing this error message regularly? What is the exact text of the error message and what Appian Graphics model do you use?

 

3) Why have you even bothered with all this if you have already installed a new copy of Windows into a new folder? Why don't you just copy your files over to the new version, and remove the old version?

 

Please describe your current problem in as much detail as possible, so I can help you diagnose the source. :)

Share this post


Link to post
Share on other sites
Hi colinwhi :)

 

Welcome to SWI.  I am sorry we have had trouble communicating for the past 6 months!  I am glad to finally be able to address your problem. :D

 

Please run HijackThis and click Scan, then check:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25ae9aa36d338a...ip/RdxIE601.cab

 

Close all open windows except for HijackThis and click "Fix Checked".

 

That is the only malware entry I see in your log and it is minor.  Let me get all the facts straight --- you had a keylogger, hook98.dll, which you removed, but is still causing error messages?  I have a few questions:

 

1) How do you know hook98.dll was a keylogger?  What program detected it?  I found at least one reference to hook98.dll as a possible legitimate file.

 

2) Are you still seeing this error message regularly?  What is the exact text of the error message and what Appian Graphics model do you use?

 

3) Why have you even bothered with all this if you have already installed a new copy of Windows into a new folder?  Why don't you just copy your files over to the new version, and remove the old version?

 

Please describe your current problem in as much detail as possible, so I can help you diagnose the source.  :)

178970[/snapback]

Share this post


Link to post
Share on other sites
Hi colinwhi :)

 

Welcome to SWI.  I am sorry we have had trouble communicating for the past 6 months!  I am glad to finally be able to address your problem. :D

 

Please run HijackThis and click Scan, then check:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25ae9aa36d338a...ip/RdxIE601.cab

 

Close all open windows except for HijackThis and click "Fix Checked".

 

That is the only malware entry I see in your log and it is minor.  Let me get all the facts straight --- you had a keylogger, hook98.dll, which you removed, but is still causing error messages?  I have a few questions:

 

1) How do you know hook98.dll was a keylogger?  What program detected it?  I found at least one reference to hook98.dll as a possible legitimate file.

 

2) Are you still seeing this error message regularly?  What is the exact text of the error message and what Appian Graphics model do you use?

 

3) Why have you even bothered with all this if you have already installed a new copy of Windows into a new folder?  Why don't you just copy your files over to the new version, and remove the old version?

 

Please describe your current problem in as much detail as possible, so I can help you diagnose the source.  :)


 

Thanks for the reply. Here are the answers to your questions:

 

1) The keylogger was detected by Pest Patrol.

 

2) I see the error message every time I reboot the machine. I do not believe I have Appian Graphics loaded at all. I do not have an Appian Graphics model. After I removed the keylogger with Pest Patrol the message kept appearing. A small popup box appears with a heading that says "Appian Graphics Error"; inside the box the text message says "Couldn't Load Hook 98.dll", and underneath the box is a click-OK icon.

 

3) The new version of Windows does not have all my applications. I could not use the infected version of Windows so I installed a "bare bones" version so that I could at least use the Internet.

 

In addition, as I said in my first post, I now have a situation where Restore Points do not work (XP Home) and on the occasions when I can get out on the Internet, download through IE does not work. However download of updates to antivirus software and Spybot do work.

 

Also I did have a laptop networked with this PC and, whilst that did not have a keylogger, it also had problems with Internet access and restore points. I am not worried about the laptop at the moment, but am paranoid enough to have the main PC in stand-alone mode only.

 

All these problems started after what I am sure was a Browser attack.


Hi colinwhi :)

 

Okay, let's deal with one problem at a time. First, about the keylogger "hook98.dll" and the error you are getting related to Appian Graphics --- Appian Graphics is a company that makes multi-monitor drivers and software for ATI graphics cards. You have an ATI graphics card --- are you using a multiple-monitor setup?

 

PestPatrol is famous for false positives --- I have a feeling this may have been a false positive. Or if it was not, then the hook98.dll file may have somehow infected your graphics drivers and files. In either case, the first thing to try would probably be to uninstall and reinstall your monitor drivers and software. You may have to reinstall your graphics card drivers as well. This HijackThis entry:

 

O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe

 

is related to Appian Graphics multi-monitor software. This is the software that probably you will want to uninstall and reinstall. Go to Start -> Control Panel -> Add/Remove Programs and look for anything related to Appian Graphics or HydraVision. Reinstall this software and see if you still get the error messages. You may additionally have to reinstall the ATI graphics card software.

 

That would be the easiest (and obviously most optimal) solution, so let's try that first.

 

About your other problems, what exactly do you mean by restore points and IE downloads "do not work"? Is System Restore enabled? Right-click on My Computer, choose Properties -> System Restore, and make sure it is enabled. These two problems sound much more typical of browser/malware hijacks. Can you describe them in a little more detail? Also, are you using a firewall? If so, disable it, and see if the IE problem goes away --- often firewall configuration problems cause what users think are malware problems.

 

Hope this helps :)


Thanks for the advice.

 

I went into Add/Remove Programs but did not find anything related to Appian Graphics. Found Hydravision and uninstalled it. System still complained about “Appian Graphics Error”. Uninstalled and reinstalled the ATI software using their installation disc. Problem no longer present.

 

Updated the system to SP2, updated my Zone Alarm firewall, put Antivirus Software on. Connected the modem and went out on the net OK. Updated windows and Antivirus files.

 

Things seem OK. I have done a number of restarts and some restores to see if I can provoke a failure, in the main it looks fine. However after a restore, during which I had left the ATI TV application running, the hook98 made an appearance. The system then seemed to be trashing the disc. I re-booted the machine and it now seems fine.

 

When I had problems before hook98 did not appear on every restart so I need to use the machine for a while to see if it is really OK.

 

You said that this may have been a false positive detection by Pest Patrol, but if so why did it suddenly start appearing?


I don't know why it suddenly began appearing to be honest. Perhaps it was genuinely a keylogger. Did you update your PestPatrol detection rules recently? Perhaps the PestPatrol program added a detection rule for a real keylogger called hook98.dll, which then proceeded to confuse your legitimate version of the DLL for the bad version. There is no real way to know for sure. Run a full scan with PestPatrol and make sure it comes up clean. Then, for a second opinion, you can run the HouseCall online scan here:

http://housecall.trendmicro.com/housecall/start_corp.asp

 

Also, if you use System Restore to restore a previous state, make sure you uninstall and reinstall the ATI software again, to make sure you are using the intact copy rather than the damaged/infected copy.

 

Also, Windows Update and IE downloads now work again?

 

Let me know if it remains stable and working correctly. What other problems, if any, remain? :)


 

Hi,

 

Thanks for the help. I have played around for a bit to convince myself that hook98 is a genuine file. As you say it seems that it is part of the ATI suite. So it looks like I had a Browser Attack, and then at or around the same time I saw the Pest Patrol Alert for hook98. If I had examined this file I would have seen that it was from ATI. Panic and Paranoia did the rest.

 

As a result I ended up loading XP to WINDOWS2 on the same partition (C:) as my damaged (perhaps) WINDOWS. I am back to using XP on WINDOWS and it does appear to be stable. I occasionally get the Pest Patrol warning about hook98 but I have marked that as OK and now ignore it. I am as sure as I can be that the system is clean having run various scans including, as you suggested, “housecall”. Interestingly that picked up a piece of Malware that my Kaspersky did not; unfortunately I was not awake enough to make a note of its identity and simply deleted it.

 

Windows update and IE downloads are working fine. System Restore works but the restore points only last for a couple of days or so. I thought this might be because of an interaction with WINDOWS2, so I booted into that OS and turned restore off. In WINDOWS restore is on and using 12% of the disc, there is plenty of spare space on the C partition (this is the only partition on the disc).

 

The only other problem I have encountered is with Messenger. In WINDOWS2 that is working; in WINDOWS the connection fails with the other end saying there is a problem either with the Network or My PC.

 

I would like to correct these problems, and at some stage, either before or after correction, completely remove the other OS on WINDOWS2. I suspect this may cause some problems; certainly the registry will be a mess so I would like to be able to clean that up.

 

 


Hi colinwhi :)

 

No, the reason you only have a few days' worth of restore points is that when you turn system restore off, as we did a little while earlier, it removes all previous restore points. So your current restore points only date after when you turned system restore back on. That is normal.

 

Using two copies of Windows on the same partition is a mess --- you definitely want to clean that up as soon as possible. I am not sure what goes wrong with Messenger --- can you please post the exact text of any error messages you get?

 

Also, let's be sure that you are clean --- I am a little surprised that you are still getting alerts from PestPatrol. Please run the Panda online antivirus scan here:

http://www.pandasoftware.com/activescan/co...n_principal.htm

Delete any infected files found. Also restart, and run the online trojan scan here:

http://www.windowsecurity.com/trojanscan/

Delete any infected files found. Finally, please submit the hook98.dll file to Jotti's scanner here:

http://virusscan.jotti.org/

It checks single files with 9-10 antivirus scanners, so it will be a good test to see if that single file really is infected for real.

 

Then please post to tell me what happened, and post the exact text of the Messenger error message. :)
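The "examine the file before panicking" lesson from this thread, as an added example that is not part of the original posts: it walks the HKLM Run key (the entries HijackThis lists as O4 lines, such as the desk98.exe HydraVision entry above), resolves each command to a file, and reports the Authenticode signature, the publisher from the version resource and a SHA-256 hash that can be submitted to a multi-engine scanner such as Jotti. It assumes PowerShell 4.0 or later on the machine being checked; the Run key path and function names are the example's own.

```powershell
# Added example (not from the thread): inspect HKLM Run autostart entries and
# report, for each resolved file, its signature, publisher and SHA-256 hash.
# Assumes PowerShell 4.0 or later (Get-FileHash).

function Resolve-AutorunTarget {
    param([string]$Command)
    # Take a leading quoted path, otherwise the first token; drop any arguments.
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    # A bare name such as desk98.exe is located the way the shell would find
    # it: the Windows and System32 directories and then PATH.
    if (-not (Test-Path -LiteralPath $exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Path } else { return $null }
    }
    return (Resolve-Path -LiteralPath $exe).Path
}

function Get-AutorunReport {
    param([string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $props = Get-ItemProperty -Path $RunKey
    foreach ($entry in $props.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $file = Resolve-AutorunTarget $entry.Value
        if (-not $file) {
            # An entry whose target no longer exists is worth a look on its own.
            [pscustomobject]@{ Name = $entry.Name; Command = $entry.Value; File = 'NOT FOUND';
                               Publisher = ''; Signature = ''; SHA256 = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Name      = $entry.Name
            Command   = $entry.Value
            File      = $file
            # CompanyName comes from the file's own version resource, so it is
            # easy to forge; the signature and the hash lookup are the stronger checks.
            Publisher = (Get-Item -LiteralPath $file).VersionInfo.CompanyName
            Signature = "$($sig.Status) $signer"
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash
        }
    }
}

Get-AutorunReport | Format-List
```

Many legitimate driver utilities of that era were unsigned, so an unsigned result alone is not evidence of malware; it is the reason to look the hash up rather than the verdict.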


 

Hi,

 

The restore problem is not a result of turning off/on and effectively restarting its operation. I did that many days ago. If I set a restore point today it will disappear in about two days. For example the only restore points I have at the moment are for the 18th and 19th (today); all other points have gone. It is as if there is a space problem.

 

Ran the tools you suggested (thanks for that) here are the results:

 

Panda

Adware:Adware/ExactSearch No disinfected Windows Registry

Adware:Adware/SearchMall No disinfected C:\install.cab[winsrm32.dll]

 

I have removed the cab file but not touched the registry (I find registry changes scary).

 

Trojan scan found no infected files but four that it could not open:

 

Unable to scan C:\c009f934467be7ab49\common - Access is denied.

Unable to scan C:\c009f934467be7ab49\sp1 - Access is denied.

Unable to scan C:\c009f934467be7ab49\sp2 - Access is denied.

Unable to scan C:\System Volume Information - Access is denied.

 

I guess that is OK they look like system files.

 

Submitted hook98.dll to the jotti virus scan; it came up clean. As an aside I recently loaded “Mavis Beacon Teaches Typing”. Pest patrol found KeyHook.dll within the application; submitted that to virus scan, and that was clean too. Is PestPatrol a pest?

 

As to the Messenger problem, it is difficult for me to give the exact message since I do not see it at my end. I and my buddy go through the contact procedure but when we try to initiate video comms my buddy gets an error message. Here is what he tells me:

“The exact message that I received was in French, but translates into "unable to establish the link, possible source of problem comes from the network or your contact's PC".”

I suspect that some of the required ports are blocked or not open. I will have a play around to see if I can get more information.

 

 

Thanks for the Help.


Hi colinwhi :)

 

I am fairly confident you are clean. If you want more space for restore points, I would ask you to increase the amount of space devoted to them, but I think 12% is the maximum. How large is your hard drive? Do you have space problems? System Restore purges previous restore points if your drive has (I think) 50 MB of free space or less. How much space does 12% of your disk comprise? You might try using Event Viewer to see if restore points have been purposely deleted:

http://www.microsoft.com/resources/documen...t_overview.mspx

although I warn you, Event Viewer is a real mess to use. In the Description field, search for "system restore" and see what you get.

 

PestPatrol, as I said, is famous for false positives --- as you can see! I think you are clean; do not worry about these. You can either set them not to alert you anymore, or you might look for an alternative product to PestPatrol (it's not my personal favorite, for exactly these reasons --- but of course that's your decision).

 

The Messenger problem could either be with your friend's computer or connection, or perhaps with some outgoing control on your traffic, since you don't see an error on your end. If you are using a firewall or other port/traffic control programs, try disabling them. If your friend still has problems but you do not, the issue is probably not on your end.

 

I hope this helps :)


Hi Swandog,

 

Once again thanks for the help. It is so easy once you have been infected by a piece of Malware to ascribe every ill to some sort of infection. Your help in this has been very useful. My Messenger problems seem to be caused by my ZoneAlarm firewall, I now have that working.

 

The restore problem I have not had a chance to investigate yet. I have plenty of space: the drive is 80 Gig with just over 52 Gig spare, so space should not be a problem. I have thought that it may be an interaction with my other XP installation, which I should not have put on the same partition, but I was desperate and it became my lifeboat. My intention now is to back up the whole system to an external drive and cast the lifeboat adrift. I think I will have to edit “boot.ini” as part of the cast off. Then I will have another look at the restore problem.

 

Any advice is welcome.


I'm glad you found the source of your other problem --- firewalls are often the culprit for those sorts of things.

 

I have thought that it may be an interaction with my other XP installation, which I should not have put on the same partition

 

This is very plausible. Why don't you remove the other XP installation and do whatever other partitioning/backing up that you want, and then let me know if you still have the problem. I will be watching this thread.

:)


 

Hi,

 

I think I have cleaned things up a bit and for a while I thought the restore was working OK. I was provoking it and setting restore points to see what would happen. I decided in the end to leave it alone. Just looked and I have only one restore point, all others have gone, there should be a shed load of system restore points at least. I have not ventured with "Event Viewer", your post suggested that was a can of worms, but it is my next port of call.

 

colinwhi


If you turn off System Restore, even temporarily, it clears all previous restore points...


Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
