
Tabs appearing from nowhere

  • 10-04-2007 2:02pm
    #1
    Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭


    Hi

    I use Internet Explorer 7, which allows the use of several tabs along the top. I have noticed something strange recently (particularly while browsing the Boards site), in that tabs mysteriously appear. For example, while I have been typing this, the "How much is my computer worth" page has appeared on another tab. I am 100% sure that I am not clicking the mouse by accident.

    Any thoughts on this?


Comments

  • Moderators, Education Moderators, Music Moderators Posts: 10,686 Mod ✭✭✭✭melekalikimaka


    I had that, windows popped up too, I also was unable to install ANY anti virus. Turns out it was rootkits, had to wipe and format. sh1tone :p


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    download this
    http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10379544.html?tag=lst-0-1
    unzip it into a permanent folder, click "Do a system scan and save a logfile" and post that here.

    Do this also :

    Please download F-Secure BlackLight
    • Save BlackLight to your desktop.
    • Double-click blbeta.exe then accept the agreement.
    • Click > Scan then > Next
    • After the scan you'll see a list of all items found. Please click Next and exit. Don't choose to rename anything yet! I want to see the log first, because legitimate items can also be present there.
    • There will be a log on your desktop with the name fsbl.xxxxxxx.log (where the xxxxxxx are numbers)
      Please post the contents of this log in your next reply.


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    Ok here goes

    I presume I have to use HijackThis to fix the problem also?

    I ran Blacklight but no hidden items were found



    Logfile of HijackThis v1.99.1
    Scan saved at 19:42:30, on 10/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/229?b622a8f99562439b87123b0104486bcb
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/230?b622a8f99562439b87123b0104486bcb
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://pcskills.intuition.com/lms/content/imported_1553/player/authorware_web_player/authorware_web_player_installers/cab/awswaxd.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - [url]
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2694C355-756E-4637-BE1F-0B42C690E548}: NameServer = 159.134.237.6 159.134.248.17
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Yes you use HijackThis to fix your problems, the logfile you posted is for me to analyze. I think I know what may be the problem.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Reboot your pc, run HijackThis, click "Do a system scan only" and check this entry if present :

    O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe

    If it's there, go to Search > All files and folders > More advanced options > Search hidden files and folders > Search for scrtkfg.exe > Delete it

    Please tell me if the O4 entry was there when you rebooted.

    You now need to update your Java and remove your older versions.
    Please follow these steps to remove older version Java components.

    * Click Start > Control Panel.
    * Click Add/Remove Programs.
    * Check any item with Java Runtime Environment (JRE) in the name.
    * Click the Remove or Change/Remove button.

    Download the latest version of Java Runtime Environment (JRE) 6, and install it to your computer.
    http://java.sun.com/javase/downloads/index.jsp
    Go to Java Runtime Environment (JRE) 6u1 > Download > Accept the license agreement > Download Windows Offline Installation, Multi-language jre-6u1-windows-i586-p.exe 13.16 MB

    You're using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
    http://www.adobe.com/products/acrobat/readstep2.html

    Tell me how all this goes, and post back a new HijackThis log and the combofix log.
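
The two things the helper read out of the log above can be checked mechanically. The sketch below is an added example, not part of the thread and not a HijackThis feature: it flags O4 autorun entries that name a program without any directory (the `scrtkfg.exe` line) and cross-checks every "(file missing)" entry against the log's own "Running processes" list. The flag names and the `triage` and `executable` helpers are assumptions made for illustration; the sample lines are an excerpt assembled from the log posted in this thread.

```python
import re
from typing import NamedTuple

# Sample input: an excerpt assembled from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
'''

ENTRY = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')
# Registry autoruns look like: HKLM\..\Run: [value name] command line
O4_REG = re.compile(r'^HK\w+\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXE = re.compile(r'[^"]*?\.(?:exe|com|bat|cmd|scr|pif|dll)\b', re.I)
MISSING = '(file missing)'


class Finding(NamedTuple):
    code: str      # HijackThis section code, e.g. O4 or O23
    flag: str      # triage label (names chosen for this example)
    target: str    # executable the entry points at
    running: bool  # does the log's own process list contain it?


def executable(command: str) -> str:
    """Return the program part of a command line, without quotes or arguments."""
    command = command.strip().lstrip('"')
    m = EXE.match(command)
    if m:
        return m.group(0)
    parts = command.split()
    return parts[0] if parts else ''


def running_processes(log: str) -> set:
    """Collect the lower-cased paths listed under 'Running processes:'."""
    procs, inside = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            inside = True
        elif inside and not line:
            inside = False          # a blank line ends the process list
        elif inside:
            procs.add(line.lower())
    return procs


def triage(log: str) -> list:
    """Return the entries a reviewer should look at first."""
    procs = running_processes(log)
    findings = []
    for line in log.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        code, body = entry['code'], entry['body']
        reg = O4_REG.match(body) if code == 'O4' else None
        if reg:
            exe = executable(reg['cmd'])
            # No directory at all: the log cannot tell us which file would run.
            if '\\' not in exe and '/' not in exe:
                live = any(p.endswith('\\' + exe.lower()) for p in procs)
                findings.append(Finding(code, 'autorun-without-path', exe, live))
        if body.endswith(MISSING):
            path = body[:-len(MISSING)].rstrip().rsplit(' - ', 1)[-1]
            exe = executable(path)
            live = exe.lower() in procs
            # A "missing" file that is running points at a path-parsing
            # problem in the log line, not at a deleted file.
            flag = 'file-missing-but-running' if live else 'file-missing'
            findings.append(Finding(code, flag, exe, live))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the excerpt, the `scrtkfg.exe` autorun is reported as not running, and the Symantec service marked "(file missing)" is reported as running from the same path, so that line is not a sign of a deleted file.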


  • Registered Users, Registered Users 2 Posts: 4,468 ✭✭✭matt-dublin


    Is it possible you're pressing the ctrl key then typing the letter "t",
    or is your ctrl key stuck??

    Sure-fire way to find out if it's stuck is to press escape on the keyboard and the Windows start menu should display (i.e. ctrl-esc)


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    Cheers guys for the help so far

    The ctrl key isn't stuck anyway so it's obviously a bit more of a prob

    ActorSeeksJob - I'll download the other files etc this evening (after 6pm) - unfortunately I'm still in dial-up land!!


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    Ok I ran combofix - logs posted below

    Also I reran Hijack this - the file you mention scrtkfg.exe was there so I have searched for it as you suggest. The search did not find the file



    "xxxxxxxxx" - 07-04-11 18:49:16 Service Pack 2
    ComboFix 07-04-05 - Running from: "C:\Documents and Settings\xxxxxxxx\Desktop"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\install.log


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


    2007-04-11 18:48 <DIR> d C:\Program Files\Red Kawa
    2007-04-10 14:29 558,592 --a C:\WINDOWS\SYSTEM32\x264vfw.dll
    2007-04-10 14:29 10,752 --a C:\WINDOWS\SYSTEM32\ff_vfw.dll
    2007-04-10 14:29 <DIR> d C:\Program Files\K-Lite Codec Pack
    2007-04-10 14:25 <DIR> d C:\Program Files\XP Codec Pack
    2007-04-10 14:24 <DIR> d C:\Program Files\DScaler5
    2007-04-10 14:23 <DIR> d C:\Program Files\DivX_3.1alpha
    2007-04-10 14:20 <DIR> d C:\Program Files\WinAVIVideoConverter
    2007-04-10 14:19 3,082 --a C:\WINDOWS\SYSTEM32\affv208325p1now.sys
    2007-04-06 21:18 <DIR> d C:\Program Files\Microsoft ActiveSync
    2007-04-05 23:41 <DIR> d C:\Program Files\Conversion & Burning
    2007-04-04 18:54 <DIR> d C:\Program Files\ffdshow
    2007-04-04 18:54 <DIR> d C:\Program Files\AC3Filter
    2007-03-29 20:39 <DIR> d C:\Program Files\FrostWire
    2007-03-29 20:39 <DIR> d C:\DOCUME~1\xxxxxx~1\APPLIC~1\FrostWire
    2007-03-27 08:55 524,288 --a C:\WINDOWS\SYSTEM32\DivXsm.exe
    2007-03-27 08:55 3,596,288 --a C:\WINDOWS\SYSTEM32\qt-dx331.dll
    2007-03-27 08:55 200,704 --a C:\WINDOWS\SYSTEM32\ssldivx.dll
    2007-03-27 08:55 1,044,480 --a C:\WINDOWS\SYSTEM32\libdivx.dll
    2007-03-27 08:49 73,728 --a C:\WINDOWS\SYSTEM32\dpl100.dll
    2007-03-27 08:49 593,920 --a C:\WINDOWS\SYSTEM32\dpuGUI11.dll
    2007-03-27 08:49 57,344 --a C:\WINDOWS\SYSTEM32\dpv11.dll
    2007-03-27 08:49 53,248 --a--c--- C:\WINDOWS\SYSTEM32\dpuGUI10.dll
    2007-03-27 08:49 344,064 --a C:\WINDOWS\SYSTEM32\dpus11.dll
    2007-03-27 08:49 294,912 --a C:\WINDOWS\SYSTEM32\dpu11.dll
    2007-03-27 08:49 294,912 --a C:\WINDOWS\SYSTEM32\dpu10.dll
    2007-03-27 08:49 196,608 --a C:\WINDOWS\SYSTEM32\dtu100.dll
    2007-03-27 08:48 823,296 --a C:\WINDOWS\SYSTEM32\divx_xx0c.dll
    2007-03-27 08:48 823,296 --a C:\WINDOWS\SYSTEM32\divx_xx07.dll
    2007-03-27 08:48 802,816 --a C:\WINDOWS\SYSTEM32\divx_xx11.dll
    2007-03-27 08:48 639,066 --a C:\WINDOWS\SYSTEM32\DivX.dll
    2007-03-27 02:39 20,480 --a C:\WINDOWS\SYSTEM32\ac3config.exe
    2007-03-21 21:52 <DIR> d C:\Program Files\Settings
    2007-03-19 16:40 <DIR> d C:\Program Files\Xvid
    2007-03-19 15:34 <DIR> d C:\DOCUME~1\xxxxx~1\APPLIC~1\DivX
    2007-03-19 15:26 129,784 C:\WINDOWS\SYSTEM32\pxafs.dll
    2007-03-19 15:26 118,520 C:\WINDOWS\SYSTEM32\pxinsi64.exe
    2007-03-19 15:26 116,472 C:\WINDOWS\SYSTEM32\pxcpyi64.exe
    2007-03-19 15:24 <DIR> d C:\Program Files\Lang
    2007-03-19 15:24 <DIR> d C:\Program Files\Docs
    2007-03-19 15:23 43,602 --a C:\WINDOWS\SYSTEM32\xvid-uninstall.exe
    2007-03-19 15:22 <DIR> d C:\Program Files\Gabest
    2007-03-19 15:22 <DIR> d C:\Program Files\AutoGK
    2007-03-18 12:06 87,608 --a C:\DOCUME~1\xxxxx~1\APPLIC~1\ezpinst.exe
    2007-03-18 12:06 47,360 --a C:\DOCUME~1\xxxxx~1\APPLIC~1\pcouffin.sys
    2007-03-17 01:16 <DIR> d C:\Program Files\Konvertor
    2007-03-16 20:04 <DIR> d C:\Program Files\Norton Internet Security
    2007-03-16 20:03 48,776 --a C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
    2007-03-16 20:03 115,000 --a C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
    2007-03-15 23:47 31,744 -r-hs---- C:\WINDOWS\SYSTEM32\msfDX.dll
    2007-03-12 18:45 262,144 --ah C:\DOCUME~1\xxxx~1\ntuser.dat
    2007-03-11 23:32 <DIR> d C:\DOCUME~1\xxxx~1\Phone Browser
    2007-03-11 20:44 <DIR> d C:\Program Files\QuickTime


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-10 16:28 d--h C:\Program Files\installshield installation information
    2007-04-10 14:52 d C:\DOCUME~1\xxxxx~1\APPLIC~1\vso
    2007-04-09 12:40 559 --a C:\DOCUME~1\xxxxx~1\APPLIC~1\autogk.ini
    2007-04-09 09:47 120 --a C:\DOCUME~1\xxxxx~1\APPLIC~1\fixvts.ini
    2007-04-09 09:18 d C:\DOCUME~1\xxxxx~1\APPLIC~1\ripit4me
    2007-04-05 23:45 d C:\Program Files\movie maker
    2007-04-04 18:55 d C:\Program Files\google
    2007-04-04 18:55 d C:\Program Files\divx
    2007-03-19 15:23 d C:\Program Files\avisynth 2.5
    2007-03-18 12:06 47360 --a C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
    2007-03-18 12:06 34 --a C:\DOCUME~1\xxxxx~1\APPLIC~1\pcouffin.log
    2007-03-18 12:06 1144 --a C:\DOCUME~1\xxxxx~1\APPLIC~1\pcouffin.inf
    2007-03-18 12:06 1074 --a C:\DOCUME~1\xxxxxM~1\APPLIC~1\pcouffin.cat
    2007-03-17 14:43 292864 --a C:\WINDOWS\SYSTEM32\winsrv.dll
    2007-03-16 20:08 d C:\Program Files\symantec
    2007-03-11 20:50 d C:\Program Files\itunes
    2007-03-11 20:49 d C:\Program Files\ipod
    2007-03-09 23:06 d C:\DOCUME~1\xxxxxM~1\APPLIC~1\symantec
    2007-03-08 16:36 577536 --a C:\WINDOWS\SYSTEM32\user32.dll
    2007-03-08 16:36 40960 --a C:\WINDOWS\SYSTEM32\mf3216.dll
    2007-03-08 16:36 281600 --a C:\WINDOWS\SYSTEM32\gdi32.dll
    2007-03-08 14:47 1843584 --a C:\WINDOWS\SYSTEM32\win32k.sys
    2007-02-23 05:29 36624 C:\WINDOWS\SYSTEM32\DRIVERS\pxhelp20.sys
    2007-02-23 05:29 2560 C:\WINDOWS\SYSTEM32\DRIVERS\cdralw2k.sys
    2007-02-23 05:29 2432 C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
    2007-02-16 02:40 124472 --a C:\WINDOWS\SYSTEM32\divxcodecupdatechecker.exe
    2007-02-05 21:17 185344 --a C:\WINDOWS\SYSTEM32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
    "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "System CSRSS Patch"="scrtkfg.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BlueSoleil.lnk"
    "backup"="C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item"="BlueSoleil"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Date Manager.lnk"
    "backup"="C:\\WINDOWS\\pss\\Date Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\DATEMA~1\\DATEMA~1.EXE "
    "item"="Date Manager"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\GStartup.lnk"
    "backup"="C:\\WINDOWS\\pss\\GStartup.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\Program Files\\Common Files\\GMT\\GMT.exe /startup"
    "item"="GStartup"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
    "backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
    "item"="HP Digital Imaging Monitor"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
    "backup"="C:\\WINDOWS\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
    "item"="HP Image Zone Fast Start"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Image Transfer.lnk"
    "backup"="C:\\WINDOWS\\pss\\Image Transfer.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\SONYCO~1\\IMAGET~1\\SonyTray.exe "
    "item"="Image Transfer"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Office Startup.lnk"
    "backup"="C:\\WINDOWS\\pss\\Office Startup.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MI8CAC~1\\Office\\OSA.EXE -b"
    "item"="Office Startup"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package Menu.lnk"
    "backup"="C:\\WINDOWS\\pss\\Picture Package Menu.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTUR~4\\SonyTray.exe "
    "item"="Picture Package Menu"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Picture Package VCD Maker.lnk"
    "backup"="C:\\WINDOWS\\pss\\Picture Package VCD Maker.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\SONYCO~1\\PICTUR~1\\PICTUR~1\\RESIDE~1.EXE -h"
    "item"="Picture Package VCD Maker"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^xxxxx Moran^Start Menu^Programs^Startup^Qtopia Tray.lnk]
    "path"="C:\\Documents and Settings\\xxxxx Moran\\Start Menu\\Programs\\Startup\\Qtopia Tray.lnk"
    "backup"="C:\\WINDOWS\\pss\\Qtopia Tray.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\TROLLT~1\\QTOPIA~1\\QTOPIA~1.EXE --nosplash --tray"
    "item"="Qtopia Tray"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DirectCD"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Ati2mdxx"
    "hkey"="HKLM"
    "command"="Ati2mdxx.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="atiptaxx"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="BCMSMMSG"
    "hkey"="HKLM"
    "command"="BCMSMMSG.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccApp"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ccRegVfy"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMESys]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="CMESys"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\CMEII\\CMESys.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ctfmon"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DataLayer"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Nokia\\Nokia PC Suite 5\\DataLayer.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="diagent"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DSentry"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\DSentry.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="gcasServ"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HPWuSchd2"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="lxbbbmgr"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="LVCOMS"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MediaAccK"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Media Access\\MediaAccK.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="mmtask"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="mm_tray"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoodLogic Updater]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Updater"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\MoodLogic\\Service\\Updater.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msnmsgr"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NclTray"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="LAUNCH~1"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -onlytray"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PcSync2"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RealPlay"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="UsrPrmpt"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sureshotpopupkiller]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="stopthepop"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Stop-the-Pop-Up\\stopthepop.exe\" -minimized"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SNDMon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System CSRSS Patch]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="scrtkfg"
    "hkey"="HKLM"
    "command"="scrtkfg.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="TPPALDR"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\TPPALDR.EXE"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="UpdReg"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\UpdReg.EXE"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Save"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Save\\Save.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ypager"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
    "inimapping"="0"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=&quot;"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
    Usnsvc REG_MULTI_SZ usnsvc\0\0

    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - xxxxx yyyyy.job


    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-11 18:57:48
    C:\ComboFix-quarantined-files.txt ... 07-04-11 18:57



    03-05-18 19:36      723    --a--c---    C:\Qoobox\Quarantine\Program Files\INSTALL.LOG.vir 
    
    
    Folder PATH listing
    Volume serial number is 4C17-D55E
    C:\QOOBOX
    \---Quarantine
        +---Program Files
        |       INSTALL.LOG.vir
        |       
        \---Registry_backups
    

    HIJACK THIS LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 19:57:11, on 11/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/229?b622a8f99562439b87123b0104486bcb
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/230?b622a8f99562439b87123b0104486bcb
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://pcskills.intuition.com/lms/content/imported_1553/player/authorware_web_player/authorware_web_player_installers/cab/awswaxd.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2694C355-756E-4637-BE1F-0B42C690E548}: NameServer = 159.134.237.6 159.134.248.17
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You sure you searched properly for "scrtkfg.exe" ?

    Run HijackThis, put a check beside this entry :

    O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe

    Try it one more time please.
    When you click on 'All files and folders' on the left panel, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Then search for "scrtkfg.exe" and "scrtkfg"
    Delete it if it's there.

    Also make sure you update Java and Adobe Acrobat Reader. Post a new HJT log when you do all the steps please :)


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    Hi again

    when I tick the box beside

    O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe


    do I then click "Fix Checked" ?

    Yep I have searched again as you said - I will try again once you confirm the "Fix Checked" above

    (As an aside when I run msconfig and go into start up items the scrtkfg.exe is in there but it is not ticked)

    I am in the process of downloading the other files (Adobe & Java) - dial up is a real pain!

    I appreciate your patience on this


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Yes, sorry, click Fix checked. Do the search after that, I don't know why that thing is still coming up in your HJT log. You can leave the updates for Adobe/Java if you want.
    We've got to fix scrtkfg.exe though. So have a good search for it, make sure you do it the way I said in my previous post, and post a new log after you've clicked "Fix checked" and searched for it.

    Yeah, I'd imagine dial-up is a pain!! 3mb line for the win ;)


  • Moderators, Education Moderators, Music Moderators Posts: 10,686 Mod ✭✭✭✭melekalikimaka


    i reformatted
    <cries>


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    Ok I have "Fixed Checked" and re-ran HJT - new log attached below

    I am in the process of searching for that file but so far not finding it anyway

    Logfile of HijackThis v1.99.1
    Scan saved at 22:40:58, on 11/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/229?b622a8f99562439b87123b0104486bcb
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ie\msntabres.dll.mui/230?b622a8f99562439b87123b0104486bcb
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://pcskills.intuition.com/lms/content/imported_1553/player/authorware_web_player/authorware_web_player_installers/cab/awswaxd.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2694C355-756E-4637-BE1F-0B42C690E548}: NameServer = 159.134.237.6 159.134.248.17
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
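
An added example, not part of any post in this thread: the comparison done by eye above (which O4 autostart entries changed between the two HijackThis logs, and which ones name a file without saying where it lives) written as a small Python script. The function names are hypothetical, only registry-backed O4 lines are handled (not the `O4 - Startup:` folder form), and a missing directory is treated as a triage flag rather than proof of malware.

```python
import re
from ntpath import dirname  # Windows path rules, whatever OS this runs on

# O4 lines excerpted from the two HijackThis logs posted in this thread.
LOG_BEFORE = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''

LOG_AFTER = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dlmMgr] "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
'''

# Registry autostart line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r'^[ \t]*O4 - (HK\w+)\\\.\.\\([^:]+): \[(.*?)\] (.+?)[ \t]*$', re.M)

# Unquoted commands may contain spaces in the path, so cut at the first
# executable-looking extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r'^(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)', re.I)


def parse_o4(log):
    """Map (hive, key, value name) -> command for every registry O4 line."""
    return {(hive, key, name): cmd
            for hive, key, name, cmd in O4_RE.findall(log)}


def executable(command):
    """Return the program part of an autostart command, without arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = EXE_RE.match(command)
    return match.group(1) if match else command.split()[0]


def pathless(log):
    """Entries whose command names a file with no directory at all.

    Such an entry does not say which file on disk will be started, so it
    is worth locating the file before trusting the entry.
    """
    return sorted(key for key, cmd in parse_o4(log).items()
                  if not dirname(executable(cmd)))


def changes(before, after):
    """Return (removed, added) entry keys between two logs."""
    old, new = parse_o4(before), parse_o4(after)
    return sorted(old.keys() - new.keys()), sorted(new.keys() - old.keys())


if __name__ == "__main__":
    for hive, key, name in pathless(LOG_BEFORE):
        print(f"no directory given: {hive}\\..\\{key} [{name}]")
    removed, added = changes(LOG_BEFORE, LOG_AFTER)
    print("removed:", removed)
    print("added:  ", added)
```

The diff only shows that the autostart value is gone from the second log; it says nothing about whether the file itself is still on disk, which is what the later posts go on to check.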


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Search for and delete these files in bold
    C:\iesetup.exe
    C:\Windows\System32\scrtkfg.exe


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    My PC is still searching for those files - I ran the Registry Editor and searched for scrtkfg.exe and it came up that it is in the System32 folder alright. However when I go in through Explorer I can't see it in there (I have made sure that the hidden file option is unticked in the view options as well as unticking the Hide protected operating system files). This file really doesn't want to be found.

    As regards the iesetup.exe - can't find that either GRRRRR


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Do this

    Go to Start > Run > type regedit > click ok > click File > click export > save it somewhere safe

    Search for scrtkfg.exe in regedit

    Delete any instances of the key (highlight the instance in the right-hand panel, right-click and delete)
    Tip - use F3 to search for more instances of scrtkfg.exe

    Please download CCleaner from here:
    http://www.ccleaner.com
    Install and run it. Click Cleaner, click all the boxes under the Advanced tab, click Run cleaner. Reboot your pc.

    Once this is all done your pc will be fine hopefully.


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    Will do

    just one final thing before I hit the hay

    in Reg editor when searching for scrtkfg.exe

    on the right hand pane on some searches it might bring up say 10 items. There are 3 columns Name, Type and Data. On only 1 or 2 of these 10 items does it mention scrtkfg.

    Do I delete just the items with scrtkfg or do I delete all 10 items in this example?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    just delete the things which mention scrtkfg.exe
    also when you get the chance, boot into safe mode and do a full system scan with Norton Internet Security


  • Registered Users, Registered Users 2 Posts: 6,462 ✭✭✭TheBazman


    All looks okay now

    I will keep an eye on the tab issue and hopefully it is gone

    Really appreciate your help on all of this

