Invalid Syntax Error

mdnirish,

Hi! and welcome to the Daniweb forums :).

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - blank (file missing)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11a14fc...ip/RdxIE601.cab

Now, with all windows closed except HiJackThis, click "Fix checked".

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting your PC, post back a new log and let me know how everything goes.

-

crunchie.

Hello Crunchie
Thanks for your help. I like this site.
I believe I did everything by the numbers as you recommended. I also did a new Hijack log. That invalid syntax error continues to pop up though. The spyblaster gave me a clean slate, said I was clean.This is a good one, I really appreciate your trying to help me fix it. Here is the new log.
Thanks again for your time and trouble. Mike
Logfile of HijackThis v1.99.1
Scan saved at 6:44:00 PM, on 4/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Free Surfer\fs20.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Winsys] C:\desktop\..\\winsys.hta
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Passport Classes - http://www.elanguage.com/eng/VocabularyBuilder/VB/passport.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093908100109
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F89D69D2-0C80-11D4-B67E-0050DA271F38} (eStreamIE Class) - http://www.elanguage.com/media/eStream/eStream.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD2FA89-9973-4EC1-BD3D-849EB0A72B6B}: NameServer = 65.173.52.9,65.173.52.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C582333-608D-494B-81E7-88E4ADEA220F}: NameServer = 65.173.52.9,65.173.52.11
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Please go here and have these files scanned.

C:\WINDOWS\System32\mshta.exe
C:\desktop\..\\winsys.hta

Post back the results please.

Also, what is the exact error message you are getting and what are you doing/using when it happens?
Have you recently installed SP2?

Hi Crunchie, I went to the site and scanned both files, it found "Nothing" on both files. I downloaded SP2 right after it came out,so thats been awhile.There doesn't seem to be a pattern as to where I am at on the internet. It pops up when I boot up, when I am sitting idle and not on the internet or it may come up at anytime sporadically, no particular site.

This is the address:
http://e0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56ca@sts.fuckingfree.net/

This is the whole page:
The page cannot be displayed
The page you are looking for might have been removed or had its name changed.

--------------------------------------------------------------------------------

Please try the following:

Open the [email]e0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56cae0fce04e9f0ad427ff866dabe93b56ca@sts.fuckingfree.net[/email] home page, and then look for links to the information you want.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

If you still cannot open the page, click the Internet Explorer
Search button to look for similar sites.

Internet Explorer

What I am forced to do is downsizing the page and opening a new page and then it just sits in the tray and no more pop up. If I could determine where the beast was hiding couldn't I delete it from the registry??
Mike

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
There may be something hiding that hijackthis cannot see.

Hi Crunchie, I went to Silent Runners, and ran the program. I didn't get a file, but I did get a Norton Warning

Malicious Script Detected
High Risk
Your computer is halted and needs to do something about this script.
Object... Files System Object
Activity.. GetSpecialFolder
File.. C/; Documents.. Silent %20 Runners (1).vbs

I turned off my Norton auto protect and ran the program again and this same warning came up again.
Mike

Crunchie, I allowed the entire script through Norton, and the progam worked, here is the file. Maybe that automatic download (it was right after that the problem started) caused this beast. The thing is I can't remember what was downloaded.Could be windows?

Mike

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"Winsys" = "C:desktop..winsys.hta" [null data]
"ATI Launchpad" = (no data)

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"ccApp" = ""C:Program FilesCommon FilesSymantec SharedccApp.exe"" ["Symantec Corporation"]
"WorksFUD" = "C:Program FilesMicrosoft Workswkfud.exe" ["Microsoft® Corporation"]
"ViewMgr" = "C:Program FilesViewpointViewpoint ManagerViewMgr.exe" ["Viewpoint Corporation"]
"TkBellExe" = ""C:Program FilesCommon FilesRealUpdate_OBrealsched.exe"  -osboot" ["RealNetworks, Inc."]
"SpeedTouch USB Diagnostics" = ""C:Program FilesAlcatelSpeedTouch USBDragdiag.exe" /icon" ["Alcatel Bell"]
"Share-to-Web Namespace Daemon" = "C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exe" ["Hewlett-Packard"]
"QuickTime Task" = ""C:Program FilesQuickTimeqttask.exe" -atboottime" ["Apple Computer, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"Microsoft Works Portfolio" = "C:Program FilesMicrosoft WorksWksSb.exe /AllUsers" ["Microsoft® Corporation"]
"KernelFaultCheck" = "%systemroot%system32dumprep 0 -k" [MS]
"IW Controlcenter" = "C:PROGRA~1VOBINSTAN~1IWCTRL.EXE" ["VOB Computersysteme GmbH"]
"HPHUPD04" = ""C:Program FilesHP Photosmart 11hphinstallUniPatchhphupd04.exe"" ["Hewlett-Packard"]
"HPHmon04" = "C:WINDOWSsystem32hphmon04.exe" ["Hewlett-Packard"]
"HPDJ Taskbar Utility" = "C:WINDOWSsystem32spooldriversw32x863hpztsb05.exe" ["HP"]
"GWMDMMSG" = "GWMDMMSG.exe" ["GTW"]
"freesurfer" = "C:Program FilesFree Surferfs20.exe" ["EMS-Project 2002 (c)"]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ATIPTA" = "C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe" ["ATI Technologies, Inc."]
"Symantec NetDriver Monitor" = "C:PROGRA~1SYMNET~1SNDMon.exe" ["Symantec Corporation"]

HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}InProcServer32(Default) = "C:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
  -> {CLSID}InProcServer32(Default) = "C:Program FilesSpybot - Search & DestroySDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = "NAV Helper"
  -> {CLSID}InProcServer32(Default) = "C:Program FilesNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]

HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}InProcServer32(Default) = "C:Program FilesRealRealPlayerrpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}InProcServer32(Default) = "C:PROGRA~1WINZIPWZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
  -> {CLSID}InProcServer32(Default) = "C:Program FilesCommon FilesKODAKIFSCorekodakshx.dll" ["Eastman Kodak Company"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}InProcServer32(Default) = "C:WINDOWSsystem32Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}InProcServer32(Default) = "C:WINDOWSsystem32Audiodev.dll" [MS]

HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify
INFECTION WARNING! AtiExtEventDLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


Enabled Screen Saver:
---------------------

HKCUControl PanelDesktop
"SCRNSAVE.EXE" = "C:WINDOWSSystem32ssmypics.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCUControl PanelDesktop
"Wallpaper" = "C:Documents and SettingsmikeLocal SettingsApplication DataMicrosoftWallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - mike" -> launches: "C:PROGRA~1NORTON~1Navw32.exe /task:"C:Documents and SettingsAll UsersApplication DataSymantecNorton AntiVirusTasksmycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:Program FilesSymantecLiveUpdateNDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]

Transport Service Providers

HKLMSystemCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%system32mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%system32rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCUSoftwareMicrosoftInternet ExplorerToolbarShellBrowser
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
  -> {CLSID}(Default) = "Norton AntiVirus"
  -> {CLSID}InProcServer32(Default) = "C:Program FilesNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]

HKLMSoftwareMicrosoftInternet ExplorerToolbar
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
  -> {CLSID}(Default) = "Norton AntiVirus"
  -> {CLSID}InProcServer32(Default) = "C:Program FilesNorton AntiVirusNavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKCUSoftwareMicrosoftInternet ExplorerExplorer Bars
{44226DFF-747E-4EDC-B30C-78752E50CD0C}
  -> {CLSID}(Default) = "&ATI TV"
  -> {CLSID}InProcServer32(Default) = "C:Program FilesATI MultimediaTVEXPLBAR.DLL" ["ATI Technologies Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCUSoftwareMicrosoftInternet ExplorerExtensions
{6685509E-B47B-4F47-8E16-9A5F3A62F683}

HKLMSoftwareMicrosoftInternet ExplorerExtensions
{44226DFF-747E-4EDC-B30C-78752E50CD0C}
"ButtonText" = "ATI TV"

{AFC3FA82-AD07-45CD-8B57-983435B9899E}
"ButtonText" = "Free Surfer"
"MenuText" = "Free Surfer"
"Exec" = "C:Program FilesFree SurferFS20.exe" ["EMS-Project 2002 (c)"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:Program FilesMessengermsmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:WINDOWSSystem32Ati2evxx.exe" ["ATI Technologies Inc."]
Intel(R) NMS, NMSSvc, "C:WINDOWSSystem32NMSSvc.exe" ["Intel Corporation"]
Kodak Camera Connection Software, KodakCCS, "C:WINDOWSsystem32driversKodakCCS.exe" ["Eastman Kodak Company"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:Program FilesNorton AntiVirusnavapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:Program FilesNorton AntiVirusIWPNPFMntor.exe"" ["Symantec Corporation"]
Pml Driver HPH11, Pml Driver HPH11, "C:WINDOWSsystem32HPHipm11.exe" ["HP"]
Symantec Core LC, Symantec Core LC, "C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:Program FilesCommon FilesSymantec SharedSNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:Program FilesCommon FilesSymantec SharedccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:Program FilesCommon FilesSymantec SharedSPBBCSPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:WINDOWSsystem32wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

I don't see anything there either :(. Let's try something else. May work, may not.

Download this program.
http://downloads.subratam.org/DllCompare.exe

Now open DllCompare.exe and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a few minutes)
When it finishes click the "Make Log...." button.
save the log to desktop.

Next copy and paste the contents of the DllCompare log in your
reply along with a fresh HijackThis log.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Ok Crunchie, Here is the information.

*    DLLCompare Log  version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________


C:\WINDOWS\SYSTEM32\msrdo20.dll    Thu May 11 2000  12:00:00a  A.S..        397,312   388.00 K
C:\WINDOWS\SYSTEM32\rdocurs.dll    Tue Mar 14 2000  12:00:00a  A.S..        151,552   148.00 K
________________________________________________


1,710 items found:  1,710 files (2 H/S), 0 directories.
Total of file sizes:  367,895,635 bytes    350.85 M


Administrator Account =  True


--------------------End log---------------------


Logfile of HijackThis v1.99.1Scan saved at 8:34:58 AM, on 4/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Free Surfer\fs20.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HIJACK THIS\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Winsys] C:\desktop\..\\winsys.hta
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Passport Classes - http://www.elanguage.com/eng/VocabularyBuilder/VB/passport.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093908100109
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F89D69D2-0C80-11D4-B67E-0050DA271F38} (eStreamIE Class) - http://www.elanguage.com/media/eStream/eStream.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD2FA89-9973-4EC1-BD3D-849EB0A72B6B}: NameServer = 65.173.52.9,65.173.52.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C582333-608D-494B-81E7-88E4ADEA220F}: NameServer = 65.173.52.9,65.173.52.11
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


FindIt
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


Find.bat is running from: C:\desktop\Find It NT-2K-XP


------- System Files in System32 Directory -------


Volume in drive C has no label.
Volume Serial Number is 6C11-21D4


Directory of C:\WINDOWS\System32


02/11/2005  04:34 PM    <DIR>          dllcache
01/20/2003  07:27 PM    <DIR>          Microsoft
05/11/2000  12:00 AM           397,312 Msrdo20.dll
03/14/2000  12:00 AM           151,552 Rdocurs.dll
2 File(s)        548,864 bytes
2 Dir(s)  78,402,367,488 bytes free


------- Hidden Files in System32 Directory -------


Volume in drive C has no label.
Volume Serial Number is 6C11-21D4


Directory of C:\WINDOWS\System32


02/11/2005  04:34 PM    <DIR>          dllcache
08/31/2004  09:49 AM            29,828 fiz0
08/30/2004  08:46 PM            30,046 fiz1
08/30/2004  06:44 PM            30,022 fiz2
08/29/2004  09:44 PM            30,077 fiz3
08/29/2004  01:00 PM            30,095 fiz4
08/29/2004  08:55 AM            30,026 fiz5
08/28/2004  07:39 PM            30,127 fiz6
08/28/2004  02:20 PM            30,027 fiz7
08/28/2004  11:42 AM            30,004 fiz8
08/27/2004  09:54 PM            30,074 fiz9
08/27/2004  07:32 PM            30,232 fiz10
08/27/2004  04:09 PM            30,034 fiz11
08/26/2004  10:54 PM            30,007 fiz12
08/26/2004  04:25 PM            30,034 fiz13
08/26/2004  01:49 PM            30,059 fiz14
08/26/2004  08:09 AM            30,115 fiz15
08/25/2004  08:10 PM            30,031 fiz16
08/25/2004  04:31 PM            30,051 fiz17
08/25/2004  09:10 AM            30,060 fiz18
08/24/2004  08:53 AM            30,156 fiz19
06/24/2004  09:15 AM             4,212 zllictbl.dat
04/04/2002  01:57 AM               488 WindowsLogon.manifest
04/04/2002  01:57 AM               488 logonui.exe.manifest
04/04/2002  01:57 AM               749 sapi.cpl.manifest
04/04/2002  01:57 AM               749 nwc.cpl.manifest
04/04/2002  01:57 AM               749 wuaucpl.cpl.manifest
04/04/2002  01:57 AM               749 cdplayer.exe.manifest
04/04/2002  01:57 AM               749 ncpa.cpl.manifest
28 File(s)        610,038 bytes
1 Dir(s)  78,402,363,392 bytes free


------------ Files Named "Guard" ---------------


Volume in drive C has no label.
Volume Serial Number is 6C11-21D4


Directory of C:\WINDOWS\System32



------ Temp Files in System32 Directory ------


Volume in drive C has no label.
Volume Serial Number is 6C11-21D4


Directory of C:\WINDOWS\System32


08/18/2001  03:00 PM             2,577 CONFIG.TMP
1 File(s)          2,577 bytes
0 Dir(s)  78,402,363,392 bytes free


------------------ User Agent ----------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""



------------- Keys Under Notify -------------


REGEDIT4


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



------------- Locate.com Results -------------


No matches found.


-------- Strings.exe Qoologic Results --------



--------- Strings.exe Aspack Results ---------


C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack


-------------- HKLM Run Key ----------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"IW Controlcenter"="C:\\PROGRA~1\\VOB\\INSTAN~1\\IWCTRL.EXE"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\system32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"freesurfer"="C:\\Program Files\\Free Surfer\\fs20.exe"
"CHotkey"="mHotkey.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Well, I have to say that this one has me beat :(. Unless you get any other responses, I suggest that you either reformat or system restore back to before this started happening. Sorry.

Hi Crunchie. I want to thank you VERY MUCH for all your help. What I did was go back to system restore. That cured it. Remember I said I thought it started happening right after an update. You asked me about SP2. Well since I went back to restore it removed my updates, so I wanted to find out which one it was. I turned of automatic updates and started custom updating, one at a time and giving the system a reboot and surfing and such to try to get the Invalid Syntax Error to show it's ugly head. There were a total of 6 updates available, and after doing that for everyone it was the last one that caused the problem. It is Cumulative Security Update for Internet Explorer Windows XP Service Pack 2 KB890923. Will it be ok if I don't update that particular one or is there a way to get it cleaned up?? Again Thanks for your help.
Mike

I have that one on my comp too with no probs. On investigating, it looks like that particular update is for users with SP1, not SP2.

http://www.softwarepatch.com/internet/ie6sp1fixes.html