Hijacked by mrhop.dll Have I got rid of it?

Using a combination of Merijn's website and search info from this forum, I used CWShredder, Adaware and Spybot in combinations of safe mode and full boot to try and get rid of an about:blank hijack which I think came from a mrhop.dll file.

I had clashing problems installing a firewall with Freeserve and Norton so took it off. Guess who's wishing they'd persevered now!!

Just before I switched the pc off, I searched for all dll's . mrhop.dll was gone, and I couldn't see any other obvious ones that looked unusual.

I also searched for all .exe's and there were a few I didn't recognise, including ntload.exe and nsys.exe.

The first question is, should I keep these?

I also ran hijack this just before switch off and the log is included below.

Logfile of HijackThis v1.97.7
Scan saved at 19:40:41, on 10/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\THRUSTMASTER\THRUSTMAPPER\TMTMTSR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\USBDRIVE\SHWICON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\GARY\VIRUS STUFF\HIJACKTHIS1977\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?p....5&plcid=0x0809
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ShowIcon_Justrams_USB Drives Driver v1.19r020] "C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_.../ActiveData.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8111.4283333333
O19 - User stylesheet: (file missing)



I've tried to do as much as I can but have now got to the stage where I need expert advice on whether this needs further work. I got a bit confused on the order of doing things!!

Your help is much appreciated and thanks in advance.

Gary.

 

After a little more investigation, it turns out that whatever hijacked my system has also been dialling premium rate numbers through my modem since last February. I didn't spot the dialling because it has also disabled the modem speaker!

Anyone got any comments on the HJT log?

Gary

 

Many thanks. I'll get onto this asap and get back to you.

Gary.

 

I tried a fully updated version of TDS3 three times last night.

Each time the scan was well underway then I got a blue screen windows error and then when I continued, TDS3 had closed!

I rebooted afterwards and tried again, in between running the CWS smart killer removal tool, which didn't find anything.

I have Norton AV which still runs, as does adaware and spybot, but Stinger now also crashes.

Ah, it's just occurred to me that I didn't do it in safe mode. Would this make any difference? Where do I go from here?

Thanks,
Gary.

 

Hi major_bodger, Can you disable the "Scan Zip/RAR files & try again.
Sometimes a corrupt or over large archive file can cause such problems in ME

Please let us know what happens - Thanks Pilli

 

Hi Gary,

About the TDS stopping, does it happen each time in the same place?
Did you have all your other scanners disabled, also their resident protection, during the process?

Do you remember the kind of error message on the blue screen?
I suppose after so many retries you rebooted after installing TDS by now, which is important, but should not be a reason for blue screens.

Do you have only one drive and one partition or do you have more partitions?
It could be if TDS falls over on the same place each time, there is a corrupt file for instance in rar format in that place; normally you would get a normal windows error and TDS close; solution is then to exclude that particular folder from scanning and try again. No blue screen situation normally.

You could also have a look at the required system files on the TDS site, if you have the same or newer versions. I would expect TDS not to load or error messages, no blue screen situation normally either.

What might help is (i prefer in safe mode) do a windows scandisk first a general and after an advanced one whioch could put files back in place etc if anything is not all nice there. Helps in lots of cases too.
After that reboot and try your scans again.

Besides the HJT log you created already, also get the AutoStartViewer from the free products site at DiamondCS and withj all options checked post that log too, it might show more things which mioght not be in HJT.

Please post back if any of those things helps here!

For your internet connection, please also get the free evaluation of Port Explorer (install when off line with all scanners and maybe also your firewall closed and reboot afterwards). this tool shows in one blink of the eye all connections with your system, you can see which application is responsible for it and you might locate a logger or dialer, which you can stop sending/receiving immediately and kill while you look deeper into the application and the data packets which are being send (before you kill it of course). Such hidden processes show up as red, which does not mean all red processes are trojans (we'll explain that later)

Looking forward to your next experiences, as they might help others tremendously too!

 

Okay guys, here's an update. It seems the scans stopped because Norton AV was running.

I ran TDS3 four more times last night, two in safe mode, (so Norton AV is off , I assume) one with 'zip/rar files' on and one without. Then I ran two more in normal boot, with Norton AV disabled, and 'zip/rar files' on and off.

I forgot to mention before that TDS3 doesn't let me select 'scan NTFS ADS hidden streams' saying the're not supported on any hard drives on my system. (I have no idea what it is so don't know if this is good or bad!)

All of the scans finished this time, and gave no alarms at all!

This surprised me, since Derek said that nsys.exe is part of a netspy keylogger and a quick search on google confirmed it.

Am I okay to just delete it if I can?
Are there any other files with it?
More importantly, why didn't it trigger an alarm since it is still there?

In answer to some of the other questions, I only have a single hard disk with nothing fancy done to it, so I assume it's single partition.

I forgot to run the autostart viewer so I'll post that log tomorrow, along with another hijackthis log if anyone thinks it'll help.

Anyone have any comments on progress so far?
Continued thanks for all of your help,
Gary

 

Hi major_bodger, That particular keylogger may be a commercial legitmate one which is not Trojanic in behaviour though Gavin will confirm that.
If you can copy the files and .zip them up please send to submit@diamoncs.com.au Then Gavin can verify them.
TDS3 is anti Trojan program first and formost

NTFS is the file system used by NT ie. XP, W2k etc. Your file system is FAT32 so NTFS is not applicable.

Pilli

 

I have zipped and tried to send nsys.exe to Gavin this morning but it bounced back.

Should the email address be submit@diamondcs.com.au?

Heres the autostart viewer log that was asked for. It's a good job you guys know what your doing because it means nothing to me!!:-

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for default@OEMCOMPUTER, 05-13-2004
c:\autoexec.bat
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
C:\WINDOWS\winstart.bat
@C:\WINDOWS\tmpcpyis.bat
c:\windows\win.ini [windows]\run
hpfsched
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKCR\htafile\shell\open\command\
C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
C:\WINDOWS\scanregw.exe /autorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMonitor
C:\WINDOWS\taskmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PCHealth
C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
C:\WINDOWS\system\SysTray.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WorksFUD
C:\Program Files\Microsoft Works\wkfud.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Portfolio
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adaptec DirectCD
C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ThrustTSR
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegShave
C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV DefAlert
C:\PROGRA~1\NORTON~1\DEFALERT.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Auto-Protect
C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton eMail Protect
C:\Program Files\Norton AntiVirus\POPROXY.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowIcon_Justrams_USB Drives Driver v1.19r020
C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CreateCD
C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SchedulingAgent
C:\WINDOWS\system\mstask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV
C:\WINDOWS\SYSTEM\ssdpsrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\*StateMgr
C:\WINDOWS\System\Restore\StateMgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScriptBlocking
C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\SYSTEM\WEBCHECK.DLL
C:\WINDOWS\SYSTEM\UPNPUI.DLL
C:\WINDOWS\SYSTEM\AUHOOK.DLL
C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
C:\WINDOWS\Tasks\Scan for Viruses.job
C:\Program Files\Norton AntiVirus\NAVW32.EXE
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE
C:\WINDOWS\Tasks\Virus Scan.job
C:\Program Files\Norton AntiVirus\SCNHNDLR.EXE
C:\WINDOWS\Tasks\Maintenance-Defragment programs.job
C:\WINDOWS\DEFRAG.EXE
C:\WINDOWS\Tasks\Maintenance-ScanDisk.job
C:\WINDOWS\SCANDSKW.EXE
C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job
C:\WINDOWS\CLEANMGR.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\Exif Launcher.lnk
C:\Program Files\FinePixViewer\QuickDCF.exe
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\SYSTEM\mswsosp.dll
C:\WINDOWS\SYSTEM\msafd.dll
C:\WINDOWS\SYSTEM\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\
C:\WINDOWS\system\vnetsup.vxd
HKLM\System\CurrentControlSet\Services\VxD\NDIS\
C:\WINDOWS\system\ndis.vxd
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\VxD\DFS\
C:\WINDOWS\system\dfs.vxd
HKLM\System\CurrentControlSet\Services\VxD\VREDIR\
C:\WINDOWS\system\vredir.vxd
HKLM\System\CurrentControlSet\Services\VxD\VNETBIOS\
C:\WINDOWS\system\vnetbios.vxd
HKLM\System\CurrentControlSet\Services\VxD\ASPIENUM\
C:\WINDOWS\system\ASPIENUM.VXD
HKLM\System\CurrentControlSet\Services\VxD\NAVAP\
C:\PROGRA~1\NORTON~1\NAVAP.VXD
HKLM\System\CurrentControlSet\Services\VxD\SYMEVNT\
C:\PROGRA~1\SYMANTEC\SYMEVNT.386


I also did another hijackthis log to see if anything had changed:-


Logfile of HijackThis v1.97.7
Scan saved at 19:54:51, on 13/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\THRUSTMASTER\THRUSTMAPPER\TMTMTSR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\USBDRIVE\SHWICON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\GARY\VIRUS STUFF\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ShowIcon_Justrams_USB Drives Driver v1.19r020] "C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38111.4283333333
O19 - User stylesheet: (file missing)


Thanks for your continued collective help and support,
Gary

 

Anyone got any info on these latest logs?

Gary

 

Sorry for the typo, submit@diamondcs.com.au with the "d" inside it is right; hope you managed to send it in in the meantime.
I'm sure the experts will be back with you asap!

 

Thanks. I assumed that was the case and sent it to Gavin on that address. I haven't heard anything back yet on the result, though.

Can anyone tell me if these latest readouts above are okay?

Gary.

 

Thanks for that, Derek. I'll do it tonight. I have noticed one problem, possibly as a result of all this clearing out. In Windows Explorer, if I select 'folders' for the left hand window, I only get an empty grey window with no display. All the other settings (search, history etc) for this window seem to work okay. Is there an easy way to fix this?

Gary.

 

It might help in Add/remove to do a repair install on Internet Explorer which is integrated with windows explorer and outlook express. Make sure all anti-virus is closed; after the repair you'll have to reboot and look if it's all ok again. Not sure if a system restore could disturb the repair again!

 

I've now tidied up my hijackthis log and installed some of the suggested software but I still have my problem with Win Explorer not displaying 'folders' correctly. I have also now got a new problem where Norton AV won't finish a scan and gives me an error message :-

"Navw32 has caused an error in V32SCAN.DLL and will now close" This doesn't seem to be covered in Symantec's error messages for NAV2001!!

Whenever I get one thing sorted something else seems to crop up and I'm starting to think I'd be better off reformatting my hard disk and starting again!!

Any suggestions?

Gary