Please update your hijackthis to version 1.99 and post a new log.

Sorry for the slow response, been busy here lately.

c:/windows/explorer.exe is a legitimate file. Sounds like you may have to reconfigure blackice.

thanks for your attention. i need to add :

after clicking 'continue' when blackice asked whether i should terminate the unknown application a bunch of urls (e.g hidden spy cam) got into my favorites folder (problem 1) and my home page was reset to bestfind4u.com (problem 2)...the next time i switched on the computer, i got the message 'c:\windows\explorer.exe is attempting to change internet protection settings' (problem 3). everytime i shut down, i would get a window saying 'win min' was not properly closed, so i needed to click 'end now' to complete the shutdown process (problem 4). problems 1,2 and 4 have been resolved by running adaware and spybot and following advice on the internet that suggested running msconfig and removing suspicious files from the registry and C:/windows folder (e.g. nlutawm.exe).

problem 3 is the one that is still bugging me. whilst its easy to get around (i just click 'no' at the yes/no option), i am wary about something nasty happening should anyone using the machine accidentally click 'yes')

help appreciated.


Logfile of HijackThis v1.99.0
Scan saved at 14:04:35, on 31/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BlackICE\blackd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\BlackICE\rapapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\BlackICE\blackice.exe
C:\Program Files\iOpus-AC-Plug\acplug.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft OfficeXP\Office10\msoffice.exe
C:\Documents and Settings\LS\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\LS\Application Data\Mozilla\Profiles\default\jvbb5odr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\LS\Application Data\Mozilla\Profiles\default\jvbb5odr.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: 42 AC Plug.lnk = C:\Program Files\iOpus-AC-Plug\acplug.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI812F~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {047CE197-F3B0-40EE-B4BD-D8B388AB5EFD} - file://C:\Recycled\193350.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/326//main.chm::/update.exe
O21 - SSODL: SecurityUpdate - {7CF8254B-B9CA-4B78-B552-75A770C98EDA} - C:\WINDOWS\System32\RSVPMPOS.DLL
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\BlackICE\blackd.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\BlackICE\rapapp.exe
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

BlackIce has a rather poor reputation as a "firewall". It used to have a lot of holes while at the same time reporting nonexistent attacks to make people think it was doing its job.

I'd suggest you get another firewall to replace it.

That screensaver sounds dubious. MANY "free" screensavers will in fact install spyware and backdoors, allowing their creators access to your system (usually for nothing more sinister than having a look at your browsercache for things to spam you which is still spyware).
You may want to get rid of all Webshots stuff.

O16 - DPF: {047CE197-F3B0-40EE-B4BD-D8B388AB5EFD} - file://C:\Recycled\193350.exe

you got a program running from inside your recycling bin. NEVER good news.

O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A

don't know what that is. Could be a hidden dialer trying to connect you to expensive 0900 dialup services.

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

and all other flashget crap. Just about every download manager is spyware. Get rid of them.

O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

did you install this? If you have a Brother printer it's probably genuine, but it could be something trying to hide as a printer spooler.

O16 - DPF: {047CE197-F3B0-40EE-B4BD-D8B388AB5EFD} - file://C:\Recycled\193350.exe

DPF=Downloaded Program Files. That is where the 016 entry is. All 016 entries are safe to delete. They are active X controls that will be reinstalled at your next visit to the relevant site.

================

O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A

SupaNet.com modem driver related

================

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

I use Flashget myself. I have run those entries through the tools I use and they come up clean. The free version of flashget is adware.

================

O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

Is the genuine article.

================

Do you have anything in Msconfig disabled? If so, re-enable all of them, reboot and post another log. I see nothing bad in this log .

thanks for the quick response.

i have gotten rid of the O16 entries but still getting that request for changes to internet protection settings at startup. :mad:

the brother printer is mine; Tiny/Time computers sold in the UK usually come with a dialer that is locked to supanet (which was a pain to disable, i might add); i've never had problems with the webshots and flashget before (but may uninstall at a later date when i get desperate).

everything in msconfig is enabled.

if the hjt log is looking clean then i'm not sure what to do next. it could be a genuinely clean process by windows explorer to change my settings, but i've got a hunch it'll probably give me all the problems i mentioned before (dodgy stuff in my favorites/change homepage).

i shall keep you updated as to any resolution/changes i find. and as always, any ideas appreciated.

Happy New Year guys!! :mrgreen:

Logfile of HijackThis v1.99.0
Scan saved at 17:22:15, on 31/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BlackICE\blackd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\BlackICE\rapapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\BlackICE\blackice.exe
C:\WINDOWS\webshots.scr
C:\Program Files\iOpus-AC-Plug\acplug.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft OfficeXP\Office10\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\LS\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\LS\Application Data\Mozilla\Profiles\default\jvbb5odr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\LS\Application Data\Mozilla\Profiles\default\jvbb5odr.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: 42 AC Plug.lnk = C:\Program Files\iOpus-AC-Plug\acplug.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI812F~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{915BC35D-9926-4372-A181-BB5E1DF67C4B}: NameServer = 195.92.195.94 195.92.195.95
O21 - SSODL: SecurityUpdate - {7CF8254B-B9CA-4B78-B552-75A770C98EDA} - C:\WINDOWS\System32\RSVPMPOS.DLL
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\BlackICE\blackd.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\BlackICE\rapapp.exe
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Just so you know, this is part of webshots and it does monitor your browsing habits:
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
(http://www.liutilities.com/products/...rary/launcher/)

If Freeserve is not your ISP, have HJT fix these two:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
(Remember to close all browser windows before fixinging anything with HJT)

Your win min problem may be resolved by updating IE (Internet Explorer) at http://windowsupdate.microsoft.com, or you can get the free security update CD from Microsoft:
http://www.microsoft.com/security/protect/cd/order.asp

You may also find more suggestions here:
http://search.experts-exchange.com/s...=13&Submit.y=6

HAPPY NEW YEAR (10 minutes to go!!)