spyware nasty

Hi KLaura, welcome to DaniWeb :D

Please follow the suggestions and instructions in the links below to help prevent reinfections, start the cleanup process, and to find out a bit about HijackThis (like putting it in its own permanent folder).

After you've finished the first post (about HijackThis), follow the instructions in post #4 (HotOffers), and then go to post #8 for links to fixes for SpySherrif.

When you've completed all that, and moved HJT, please post a new log.

Thanks for the reply. I did all you said and the red circule has now gone from my start bar. I still can not change my back ground. Also when I start up my computer I get this message. Error loading EGDACCESS_1061.dll The specified module could not be found.

I have run a new HJT report

Thanks Klaura

Logfile of HijackThis v1.99.1
Scan saved at 1:09:49 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Messenger\msmsgs.exe
C:\web.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Kaye\Desktop\hijack this\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1061.dll,InstantAccess
O4 - HKCU\..\Run: [SNInstall] C:\web.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/sysnetsvc32_EN_XP.cab
O20 - AppInit_DLLs: FHook.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\en2ql1f51.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Download the file I have attached by right clicking on it and selecting 'Save As.' Save, then unzip it to your desktop.
Reboot into Safe Mode and double click RunThis.Bat. It will do a good cleanup on this.

==

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Ok done all that you said but the red circule is back in my start bar and I seem to have lost windows xp set up and it has gone back to windows classic. Still can not change background.
Here is the 12mfix log

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en2ql1f51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D765933E-A24B-B39E-0EC2-45E7FE09AB6B}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{27C64877-9EA4-46FD-A36F-4155B31B583B}"=""
"{52EE63D1-7A0B-4529-A036-FCF7677E2D64}"=""
"{5DDF97B0-17DF-43BE-878B-7DFB4799536C}"=""
"{C8A82603-C2E3-4B35-BA32-1196F8E0689C}"=""
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{0491A573-E2F9-44B2-9AFC-EC0857056641}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{27C64877-9EA4-46FD-A36F-4155B31B583B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{27C64877-9EA4-46FD-A36F-4155B31B583B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{27C64877-9EA4-46FD-A36F-4155B31B583B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{27C64877-9EA4-46FD-A36F-4155B31B583B}\InprocServer32]
@="C:\\WINDOWS\\system32\\cffgnt.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{52EE63D1-7A0B-4529-A036-FCF7677E2D64}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52EE63D1-7A0B-4529-A036-FCF7677E2D64}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52EE63D1-7A0B-4529-A036-FCF7677E2D64}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52EE63D1-7A0B-4529-A036-FCF7677E2D64}\InprocServer32]
@="C:\\WINDOWS\\system32\\kadit142.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{5DDF97B0-17DF-43BE-878B-7DFB4799536C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DDF97B0-17DF-43BE-878B-7DFB4799536C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DDF97B0-17DF-43BE-878B-7DFB4799536C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{5DDF97B0-17DF-43BE-878B-7DFB4799536C}\InprocServer32]
@="C:\\WINDOWS\\system32\\lHr00i9me8.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C8A82603-C2E3-4B35-BA32-1196F8E0689C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A82603-C2E3-4B35-BA32-1196F8E0689C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A82603-C2E3-4B35-BA32-1196F8E0689C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C8A82603-C2E3-4B35-BA32-1196F8E0689C}\InprocServer32]
@="C:\\WINDOWS\\system32\\wqcsvc.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0491A573-E2F9-44B2-9AFC-EC0857056641}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0491A573-E2F9-44B2-9AFC-EC0857056641}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0491A573-E2F9-44B2-9AFC-EC0857056641}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0491A573-E2F9-44B2-9AFC-EC0857056641}\InprocServer32]
@="C:\\WINDOWS\\system32\\dzraw.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   en2ql1~1.dll   Fri Jun 17 2005   9:05:52a  ..S.R              0     0.00 K
   jtro07~1.dll   Thu May 26 2005   6:02:14p  A....              0     0.00 K

2 items found:  2 files (1 H/S), 0 directories.
   Total of file sizes:  0 bytes      0.00 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 0CA7-DC71

 Directory of C:\WINDOWS\System32

08/03/2005  03:43 PM    <DIR>          dllcache
06/17/2005  09:05 AM                 0 en2ql1f51.dll
10/23/2003  08:28 AM    <DIR>          Microsoft
               1 File(s)              0 bytes
               2 Dir(s)       4,694,016 bytes free

Thats because that was not a fix, just a scan :).

=

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

Ok done that and here are the two reports (cant you tell your dealing with a computer novis) :o

Logfile of HijackThis v1.99.1
Scan saved at 11:27:03 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\web.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kaye\Desktop\hijack this\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1061.dll,InstantAccess
O4 - HKCU\..\Run: [SNInstall] C:\web.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/sysnetsvc32_EN_XP.cab
O20 - AppInit_DLLs: FHook.dll
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\en2ql1f51.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Kaye\Desktop\12smfix 1

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Kaye\Desktop\12smfix 1
System Rebooted!

Running From:
C:\Documents and Settings\Kaye\Desktop\12smfix 1

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'
Killing PID 232 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1280 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 56%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 84%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 64%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (deflated 37%)
adding: test3.txt (164 bytes security) (deflated 37%)
adding: test5.txt (164 bytes security) (deflated 37%)
adding: backregs/0491A573-E2F9-44B2-9AFC-EC0857056641.reg (164 bytes security) (deflated 70%)
adding: backregs/27C64877-9EA4-46FD-A36F-4155B31B583B.reg (164 bytes security) (deflated 70%)
adding: backregs/52EE63D1-7A0B-4529-A036-FCF7677E2D64.reg (164 bytes security) (deflated 70%)
adding: backregs/5DDF97B0-17DF-43BE-878B-7DFB4799536C.reg (164 bytes security) (deflated 70%)
adding: backregs/C8A82603-C2E3-4B35-BA32-1196F8E0689C.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en2ql1f51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{27C64877-9EA4-46FD-A36F-4155B31B583B}"=-
"{52EE63D1-7A0B-4529-A036-FCF7677E2D64}"=-
"{5DDF97B0-17DF-43BE-878B-7DFB4799536C}"=-
"{C8A82603-C2E3-4B35-BA32-1196F8E0689C}"=-
"{0491A573-E2F9-44B2-9AFC-EC0857056641}"=-
[-HKEY_CLASSES_ROOT\CLSID\{27C64877-9EA4-46FD-A36F-4155B31B583B}]
[-HKEY_CLASSES_ROOT\CLSID\{52EE63D1-7A0B-4529-A036-FCF7677E2D64}]
[-HKEY_CLASSES_ROOT\CLSID\{5DDF97B0-17DF-43BE-878B-7DFB4799536C}]
[-HKEY_CLASSES_ROOT\CLSID\{C8A82603-C2E3-4B35-BA32-1196F8E0689C}]
[-HKEY_CLASSES_ROOT\CLSID\{0491A573-E2F9-44B2-9AFC-EC0857056641}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Thanks Klaura

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

Save the logfile from the scan. Restart your computer in normal mode and please post a log from the Ewido scan.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\web.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1061.dll,InstantAccess
O4 - HKCU\..\Run: [SNInstall] C:\web.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\en2ql1f51.dll

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\web.exe
C:\WINDOWS\system32\en2ql1f51.dll

Search for...

gglib.exe
EGDACCESS_1061.dll

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

cant seem to install ewido suite keep getting this message

Extract:Error wrighting to file
C:\DOCUME-1\kaye\Locals-1\Temp\nsy21.tmp\download_ini

I followed all the instructions.

manged to do all you asked but still no change.Couldn't find

C:\web.exe
gglib.exe
EGDACCESS_1061.dll

here are the two log reports

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          6:44:28 PM, 8/11/2005
 + Report-Checksum:     E0E475FF

 + Scan result:

    C:\Documents and Settings\Kaye\Cookies\kaye@122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Kaye\Cookies\kaye@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Kaye\Cookies\kaye@e-2dj6wfkowhc5alp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Kaye\Cookies\kaye@e-2dj6wjkogld5igq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Kaye\Cookies\kaye@e-2dj6wjlikpdpmeq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Kaye\Cookies\kaye@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Kaye\Cookies\kaye@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Kaye\Cookies\kaye@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\web.exe -> Not-A-Virus.Hoax.Renos.j : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 7:33:03 PM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Kaye\Desktop\hijack this\HijackThis\HijackThis.exe

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - [url]http://housecall60.trendmicro.com/housecall/xscan60.cab[/url]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [url]http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab[/url]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - [url]http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab[/url]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - [url]http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab[/url]
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - [url]http://akamai.downloadv3.com/binaries/IA/sysnetsvc32_EN_XP.cab[/url]
O20 - AppInit_DLLs: FHook.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Thanks for your help. I still can not change my background back, it appears when I first sign on then disappears to a blank screen. Also I cant seem to get windows xp in the appearance it is all in classic windows, my son also has an area on the computer but he still has the xp setting (eg the start bar and window boxs)

Try this;

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan it will prompt you to clean files, click OK
• When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Here are all the logs you asked for.Still can not change desktop. The original picture comes up whilst desktop loads then disappears once loaded.

smitRem log file
version 2.3


by noahdfear


The current date is: Sun 08/14/2005
The current time is: 23:34:34.10


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Pre-run Files Present



~~~ Program Files ~~~


~~~ Shortcuts ~~~


~~~ Favorites ~~~


~~~ system32 folder ~~~


~~~ Icons in System32 ~~~


~~~ Windows directory ~~~


~~~ Drive root ~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present



~~~ Program Files ~~~


~~~ Shortcuts ~~~


~~~ Favorites ~~~


~~~ system32 folder ~~~


~~~ Icons in System32 ~~~


~~~ Windows directory ~~~


~~~ Drive root ~~~


~~~ Wininet.dll ~~~


CLEAN! :)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           9:46:49 PM, 8/14/2005
+ Report-Checksum:      D8F182C


+ Scan result:


C:\Documents and Settings\Kaye\Cookies\kaye@122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kaye\Cookies\kaye@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kaye\Cookies\kaye@e-2dj6wfkowhc5alp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Kaye\Cookies\kaye@microsoftuk.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Kaye\Cookies\kaye@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Kaye\Cookies\kaye@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Kaye\Cookies\kaye@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup



::Report End


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, August 14, 2005 10:42:32 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R61 10.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):12 total references
Tracking Cookie(TAC index:3):12 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects



8-14-2005 10:42:33 PM - Scan started. (Full System Scan)


MRU List Object Recognized!
Location:          : C:\Documents and Settings\Administrator\recent
Description        : list of recently opened documents



MRU List Object Recognized!
Location:          : software\microsoft\direct3d\mostrecentapplication
Description        : most recent application to use microsoft direct3d



MRU List Object Recognized!
Location:          : software\microsoft\direct3d\mostrecentapplication
Description        : most recent application to use microsoft direct X



MRU List Object Recognized!
Location:          : software\microsoft\directdraw\mostrecentapplication
Description        : most recent application to use microsoft directdraw



MRU List Object Recognized!
Location:          : S-1-5-21-343818398-1677128483-1708537768-500\software\microsoft\internet explorer\typedurls
Description        : list of recently entered addresses in microsoft internet explorer



MRU List Object Recognized!
Location:          : S-1-5-21-343818398-1677128483-1708537768-500\software\microsoft\microsoft management console\recent file list
Description        : list of recent snap-ins used in the microsoft management console



MRU List Object Recognized!
Location:          : S-1-5-21-343818398-1677128483-1708537768-500\software\microsoft\search assistant\acmru
Description        : list of recent search terms used with the search assistant



MRU List Object Recognized!
Location:          : S-1-5-21-343818398-1677128483-1708537768-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description        : list of recent programs opened



MRU List Object Recognized!
Location:          : S-1-5-21-343818398-1677128483-1708537768-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description        : list of recently saved files, stored according to file extension



MRU List Object Recognized!
Location:          : S-1-5-21-343818398-1677128483-1708537768-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description        : list of recent documents opened



MRU List Object Recognized!
Location:          : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description        : windows media sdk



MRU List Object Recognized!
Location:          : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description        : windows media sdk



Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


#:1 [smss.exe]
FilePath           : \SystemRoot\System32\
ProcessID          : 140
ThreadCreationTime : 8-14-2005 9:38:57 PM
BasePriority       : Normal



#:2 [csrss.exe]
FilePath           : \??\C:\WINDOWS\system32\
ProcessID          : 188
ThreadCreationTime : 8-14-2005 9:39:18 PM
BasePriority       : Normal



#:3 [winlogon.exe]
FilePath           : \??\C:\WINDOWS\system32\
ProcessID          : 212
ThreadCreationTime : 8-14-2005 9:39:21 PM
BasePriority       : High



#:4 [services.exe]
FilePath           : C:\WINDOWS\system32\
ProcessID          : 256
ThreadCreationTime : 8-14-2005 9:39:26 PM
BasePriority       : Normal
FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion     : 5.1.2600.2180
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Services and Controller app
InternalName       : services.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : services.exe


#:5 [lsass.exe]
FilePath           : C:\WINDOWS\system32\
ProcessID          : 268
ThreadCreationTime : 8-14-2005 9:39:26 PM
BasePriority       : Normal
FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion     : 5.1.2600.2180
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : LSA Shell (Export Version)
InternalName       : lsass.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : lsass.exe


#:6 [svchost.exe]
FilePath           : C:\WINDOWS\system32\
ProcessID          : 424
ThreadCreationTime : 8-14-2005 9:39:31 PM
BasePriority       : Normal
FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion     : 5.1.2600.2180
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Generic Host Process for Win32 Services
InternalName       : svchost.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : svchost.exe


#:7 [svchost.exe]
FilePath           : C:\WINDOWS\system32\
ProcessID          : 488
ThreadCreationTime : 8-14-2005 9:39:32 PM
BasePriority       : Normal
FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion     : 5.1.2600.2180
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Generic Host Process for Win32 Services
InternalName       : svchost.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : svchost.exe


#:8 [svchost.exe]
FilePath           : C:\WINDOWS\system32\
ProcessID          : 532
ThreadCreationTime : 8-14-2005 9:39:34 PM
BasePriority       : Normal
FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion     : 5.1.2600.2180
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Generic Host Process for Win32 Services
InternalName       : svchost.exe
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : svchost.exe


#:9 [explorer.exe]
FilePath           : C:\WINDOWS\
ProcessID          : 672
ThreadCreationTime : 8-14-2005 9:39:49 PM
BasePriority       : Normal
FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion     : 6.00.2900.2180
ProductName        : Microsoft® Windows® Operating System
CompanyName        : Microsoft Corporation
FileDescription    : Windows Explorer
InternalName       : explorer
LegalCopyright     : © Microsoft Corporation. All rights reserved.
OriginalFilename   : EXPLORER.EXE


#:10 [ad-aware.exe]
FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID          : 984
ThreadCreationTime : 8-14-2005 9:41:56 PM
BasePriority       : Normal
FileVersion        : 6.2.0.236
ProductVersion     : SE 106
ProductName        : Lavasoft Ad-Aware SE
CompanyName        : Lavasoft Sweden
FileDescription    : Ad-Aware SE Core application
InternalName       : Ad-Aware.exe
LegalCopyright     : Copyright © Lavasoft AB Sweden
OriginalFilename   : Ad-Aware.exe
Comments           : All Rights Reserved


Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12



Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12



Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»



Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12


Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@2o7[2].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@2o7[2].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@advertising[2].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@advertising[2].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@apmebf[1].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@apmebf[1].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@atdmt[2].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@atdmt[2].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@bluestreak[1].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@bluestreak[1].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@casalemedia[1].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@casalemedia[1].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@doubleclick[1].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@doubleclick[1].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@mediaplex[1].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@mediaplex[1].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@questionmarket[1].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@questionmarket[1].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@servedby.advertising[2].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@servedby.advertising[2].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@tribalfusion[1].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@tribalfusion[1].txt


Tracking Cookie Object Recognized!
Type               : IECache Entry
Data               : [email]alex@zedo[2].txt[/email]
TAC Rating         : 3
Category           : Data Miner
Comment            :
Value              : C:\Documents and Settings\Alex\Cookies\alex@zedo[2].txt


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24



Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
107 entries scanned.
New critical objects:0
Objects found so far: 24



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24


11:05:20 PM Scan Complete


Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:22:47.286
Objects scanned:101446
Objects identified:12
Objects ignored:0
New critical objects:12



Logfile of HijackThis v1.99.1
Scan saved at 12:15:44 AM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Documents and Settings\Kaye\Desktop\hijack this\HijackThis\HijackThis.exe


O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EE.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123846808853
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C6760A07-A574-4705-B113-7856315922C3} - http://akamai.downloadv3.com/binaries/IA/sysnetsvc32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB1A43BB-C3BF-4401-9004-61E7078452CA}: NameServer = 205.188.146.145
O20 - AppInit_DLLs: FHook.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Sorry couldnt seem to get the Panda scan to work at all kept coming up with error

Did you do this bit? Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

==

Download the following file and double click to run it. Set a system restore point first!!
The file is for Windows XP only!!

http://www.kellys-korner-xp.com/regs_edits/desktoptab.reg

Tried Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present. There was no part that said security info.

Did you try the reg fix from my previous post?

Yes I did try that reg . When I go into display now the only background I can put up is colours, I can change the colour no prob. Its like my original desk top picture is behind it, so when I log on or off the colour goes away to reveal my picture for a breif second.
Also when I go into appearances and click on WINDOWS AND BUTTONS the only selection I have there now is WINDOWS CLASSIC STYLE, no XP setting other than that XP is in use apart from appearance.

Have you got any restore points you can use to go back to a time previous to when this happened? If so, try that, then post another log from hijackthis.

No system restore before the problem because I originaly tried that but the last one seems to be on the day the computer got the virus. Sorry about that.

Do you have your Windows XP CD? If so, you should be able to install over the top of your system. This will not remove any of your programs, but may replace any missing or corrupt files.

Instructions for Crunchie's suggestion can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp

Big thanks XP working properly now and computer working quicker. Still got problem with putting a picture on my desk top. My sons area is fine he still has his picture and can still change it, it seems to be just in my area.
The picture is there but only breifly when log on and off and if I move a box around in my area.

Go to Run --> regedit

Then go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Look for the entries NoDispAppearancePage and NoDispBackgroundPage. If they have 1 as their values, set them to 0.

Please set a system restore point first, or make a backup of your registry :).

did as you said but their values were 0 any way

Hi,
Open NotePad, and copy the contents of the below "Quote" box:-

regedit /e test1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e test2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.

Double-Click on the file Test.bat, a small DOS type window should open and close immediately.
After this, there would be two files called test1.txt and test2.txt in the same location where Test.bat was present. Open these (test1.txt and test2.txt) files and post their contents here.

Test1
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

Test 2
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

Hi,
Open NotePad, and copy the contents of the below "Quote" box:-

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

Go to File Menu > Save As, and save the file with the name Fix.REG and exit from NotePad.

Double-click on the file Fix.REG and click "Yes" to merge it to Registry.

Restart the PC, and check whether the background is back to normal or not, and post back the results.

Delete this file, if found:-
C:\WINDOWS\desktop.html

Thank you so much that has seemed to have fixed it. You have saved my sanity. I have seemed to of lost the XP setting for windows and buttons again but XP is still working it is just the appearance of windows classic, I can live with that as long as its working.
Thanks again

Hi,
You can try this to get the back the XP "modern" theme. Click on the below link and download the ZIP file.
http://www.kellys-korner-xp.com/regs_edits/Resources.zip
Next, backup the folder named Resources which is present inside C:\Windows folder. Next, extract the downloaded ZIP file to C:\Windows folder. (If WinZip (or any compression tool) says "folder already exists", choose "Yes" to overwrite it.)
Then check whether you have the XP theme in the Display Properties.