Hello, this is Walton and I need help! None of my shortcuts or programs on my desktop work anymore and I can't get into add/remove programs. I ran McAfee Virus Scan, Spybot Search and Destroy, and Ad-Aware scan, and I'm still having trouble. I also restored my computer to an earlier point, but that did no good. I don't know if I have a virus or if I chose to block these applications. This problem began after I blocked something that popped up on my Ad-Watch monitor (Lavasoft). I have Windows XP and the computer is a new Dell XPS 400. Please help me! Below is my HijackThis report.

Logfile of HijackThis v1.99.1
Scan saved at 12:38:24 AM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:///??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130266793890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132318523125
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe

Download ewido from the link http://www.ewido.net/en/
Install it and update it.

Update your McAfee Antivirus and Ad-Aware.

Disconnect your computer from the LAN.

Restart your computer and go to Safe Mode by hitting the F8 key at boot-up.

Disable System Restore (My Computer > Properties > System Restore, check "Turn off System Restore on all drives").
Perform a complete system scan with McAfee, ewido, Ad-Aware, and also with Spybot Search and Destroy.

Delete all the temporary internet files, empty the Recycle Bin and restart your computer.

And don't forget to post a reply.

Thanks for your help, but I can't get into System Restore to change the settings. The "My Computer" icon did not respond when I tried to get into its properties, and when I finally made my way to the System Restore settings, I got a message saying that this function no longer exists and that I should contact my administrator. What does this mean? Help me please!

When you enter Safe Mode, by default there will be another account, i.e., the Administrator account. Log into it and try to disable System Restore and scan.

I opened my computer in safe mode with the administrator and I still could not access system restore. However, I did run full system scans with all of my scan programs including Ewido-Malware and I deleted all of my temporary internet files. Yet, my computer is still in a vegetative state, so I'm still in desperate need of help.

If the system is not infected with a virus any more, then try to repair it with the Windows XP CD if you have one, as repairing sets the system to its default settings. You won't lose any of your data or programs.

Disable your antivirus, boot from the Windows XP CD, press Enter to continue setup and then F8 to accept the license agreement. Setup will now search for previous versions of the operating system; select "Microsoft Windows XP Professional" from the list displayed and press 'r' to repair.

What can I do if I don't have a Windows XP CD? My computer already had Windows XP installed on it, and no CD was provided. Can I get a CD from a website?

Either you have to purchase one from your nearest computer store if you can afford it, or you have to borrow one from your friend.

Hi walton,

A couple of things, before you resort to an entire system restore or reformat:

1. "This problem began after I blocked something that popped up on my Ad-Watch monitor"

Can you tell us anything more specific about that? "Something that popped up" doesn't give us very much to go on at all.


2. The list of running processes at the top of your HijackThis log looks rather "light on content" for a normal XP system. Did you run that HijackThis scan in Safe Mode? If so (and if possible), run HijackThis while booted into Windows normally and post the log from that scan. The log you posted definitely shows signs of infections, but I'd expect to see more information in a log than exists in yours.


3. If you can access your Administrative Tools control panel, open the Event Viewer utility in that control panel and look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a window with more detailed information on the error; post that info here.

This is a lengthy report. I used a Windows XP cd (Microsoft Windows XP Professional for OS 5.1.2600, which is compatible/identical with the original program on my PC) to reinstall Windows XP on my computer. However, when the startup wizard appeared which read "Welcome to Microsoft Windows XP, What do you want to do", I clicked "Install Windows XP", but nothing happened because my computer only responds to certain links now, which is all confusing to me. Since it responds to some links and not others, I've been having trouble connecting to shortcuts, programs, etc. and I definitely can't connect to my system restore settings option.

Here is a short story of how my computer came to be in the state that it's in: Before the Lavasoft Ad-watch pop-up encounter, I was trying to install my EA Sports MVP Baseball 2004 Demo (this is a demo of a baseball game for PC). However, one of the .exe files in the game's folder read "MVP 2005", a newer edition, so I decided to double click on it. It started to load the game's opening screen because a loading bar showed, but then it crashed (probably because it was trying to run all of the older version's applications since the games were in the same folder). This caused my computer to crash as well, so I rebooted my computer with a restart. I feared that this game caused a potential problem to my PC so I uninstalled it completely. Shortly after this incident (about 5-10 minutes later), "something" was detected on my Lavasoft Ad-watch monitor. I am unsure if there is any correlation between the two, but I'm just telling you the sequence of events of what happened.

As far as what happened with the Lavasoft Ad-watch pop-up, I can't really describe what happened. All I remember is that "something" was detected, which I don't have a name for, and the program asked me if I would like to block it or accept it. However, I was prompted to read more about this detection, before making a decision. I did not read because the report was somewhat lengthy like this one :D , and I chose to block whatever was detected to be on the safe side. Shortly after this, my computer started acting a fool, and it has remained in this vegetative state. I then ran a system restore at this time because this function was working properly at the time, but it did not change the functioning of my shortcuts, or programs back to normal.

You can see my HijackThis log below. I ran HijackThis again in Windows, normally (not Safe Mode) and my report probably is the exact same thing. Why it is short, I cannot explain.

As for the Administrative Tools control panel, I can get all the way to the Event Viewer, but it is a .LNK file like everything else is now. I have figured out a way to access other .LNK files/shortcuts by creating a shortcut for the file and then finding the program in a default list or its subfolder, by going through "My Computer". However, I can't get this procedure to work for the Event Viewer program, therefore I can't access any log info from it.

Thanks for the help thus far and I'm sorry for the lengthy detail, but I felt that this might be of some use, or not.

Logfile of HijackThis v1.99.1
Scan saved at 12:43:32 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:///??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130266793890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132318523125
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe

OK- your latest log looks more "normal", but I'm not sure A) how much of the following you can do, given the unstable state of your system, and B) how much of the damage was due to malicious infections and how much was due to the problems during the EA game installation. Let's see what kind of headway we can make...

1. Click on the "Run..." option in your Start menu, enter the following in the resulting "Open:" box, and hit OK:

services.msc

That should open the Services utility.

- In the list of services, locate the service named "Remote Packet Capture Protocol" or "rpcapd" and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button if the service is not already stopped.

- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.

- Repeat the above steps for the SVCLOAD and SVCMGR services. Close the Services utility after that.


2. Run HijackThis again and have it fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe

- Once HJT finishes the fix, click on the "Config" button in the lower right corner of HijackThis' main window. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

rpcapd

Repeat the above deletion for SVCLOAD and SVCMGR.


3. Reboot into Safe Mode and run ewido again.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for and delete the following file if found:

c:\windows\system32\dllcache\sys32\winlogon.exe

- If there are other files in the c:\windows\system32\dllcache\sys32\ folder, please take note of their names and post those in your next response here.

- Delete the following folder entirely:

C:\ProgramFiles\WinPcap

- Empty your Recycle Bin, reboot normally, and run HijackThis again.


4. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated and the names of the files found in the c:\windows\system32\dllcache\sys32\ folder.
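
An added example, not part of the original thread: a small triage script that picks out the kinds of HijackThis entries singled out in the reply above (blank R0 values, "(no file)" / "(file missing)" entries, and O23 services with an unknown owner or a Windows system file name running from an unexpected folder). The function names, the reason labels and the table of expected folders are assumptions made for this example; the sample lines are copied from the logs in this thread.

```python
import ntpath
import re
from typing import NamedTuple

# Constructed sample: eight entries copied from the HijackThis logs posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
"""

# "R0 - ..." / "O23 - ..." entry lines; headers and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# O23 body layout: "Service: <display name> - <owner> - <command line>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Executable path at the start of a service command line (arguments ignored).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)

# Assumption: Windows lives in C:\WINDOWS, as in the process lists in this thread.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


class Finding(NamedTuple):
    code: str       # HijackThis section code, e.g. "O23"
    reasons: tuple  # labels explaining why the line deserves a second look
    line: str       # the original log line


def service_reasons(body):
    """Return reason labels for one O23 (NT service) entry body."""
    m = SERVICE_RE.match(body)
    if not m:
        return []
    reasons = []
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("unknown-owner")
    exe = EXE_RE.match(m["cmd"].strip())
    if exe:
        folder, name = ntpath.split(exe["exe"].lower())
        expected = SYSTEM_BINARIES.get(name)
        # A system file name outside its normal folder is a masquerading sign.
        if expected and folder != expected:
            reasons.append("system-name-wrong-dir")
    return reasons


def triage(log_text):
    """Return a Finding for every entry that matches at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list or blank line
        code, body = m["code"], m["body"]
        reasons = []
        if body.endswith(("(no file)", "(file missing)")):
            reasons.append("missing-file")
        if code in ("R0", "R1") and body.endswith("="):
            reasons.append("empty-value")
        if code == "O23":
            reasons.extend(service_reasons(body))
        if reasons:
            findings.append(Finding(code, tuple(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {', '.join(f.reasons):<40} {f.line[:70]}")
```

A flagged line is a candidate for review, not a verdict; the output is a shortlist to check by hand before fixing anything in HijackThis.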

Whoa. Thanks for the help. I really feel like I'm actually making progress now. I also want to know if I have to do this process for the other user(s) on this computer which consist of: 1. The default administrator in safe mode and 2. My brother who has a separate log in user file than mine at Windows startup (none of his programs or shortcuts are working properly either). By any means, here is my HijackThis log, Ewido log, and sys32 additional files.

1. HIJACKTHIS LOG


Logfile of HijackThis v1.99.1
Scan saved at 5:51:30 PM, on 12/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:///??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFEXE] "C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130266793890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132318523125
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


2. EWIDO


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           5:16:00 PM, 12/26/2005
+ Report-Checksum:      C431A8BD


+ Scan result:


C:\Documents and Settings\Gordon\Cookies\gordon@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Gordon\Cookies\gordon@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Walton\Cookies\walton@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Walton\Cookies\walton@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup



::Report End


3. C:\WINDOWS\system32\dllcache\sys32


Here are the Additional Files that were found in C:\WINDOWS\system32\dllcache\sys32:


upload (a folder with nothing in it)
hide.EXE
libeay32.dll
psshutdown.exe
ServUStartUpLog.txt
sys.dll
winmgtr.dll
cygcrypt-0.dll
hide.RBO
nfo.nfo (MSInfo document)
run.bat
spooldc.log
TzoLibr.dll
cygwin1.dll
hydrant.bat
pshut.bat
ServUDaemon.ini (Configuration Settings)
ssleay32.dll
welcome.txt

I cleaned out those files on my PC but it's still not back to normal. Help me please.

1. The "sys32" folder and its contents are/were the work of a backdoor trojan, but I doubt that the infection was the cause of your program and shortcut problems. Regardless, the entire folder should be deleted if you haven't done so already.


2. It would still be worth seeing if the Event Viewer holds any clues. See if you can access the utility this way:

- Click on the "Run..." option in your Start menu.
- In the resulting "Open:" dialog box, type the following and then click OK: eventvwr

If that works, look through the logs for errors and warnings and tell us if you find anything which might be relevant.


3. Run the System File Checker utility to see if Windows detects any inconsistencies in its system files:

- Click on the "Run..." option in your Start menu.
- In the resulting "Open:" dialog box, type the following and then click OK: cmd
- In the resulting DOS window, type the following at the command prompt and then hit enter: sfc /scannow

Part One of Long Document:

I deleted the "sys32" folder from the dllcache directory. I also ran the sfc /scannow, but it told me to insert my Windows XP Professional CD 2 in order for files to be copied to the DLL Cache so that XP could run properly "???". I tried my Windows XP CD for version 5.1.2600 which it asked for, but it told me that I have the wrong CD (I guess I only have disc #1 or something that is not compatible).

The good news is that I was able to access the event viewer and here is the lengthy log for the applications:
Applications log:

Type Date Time Source Category Event User Computer
Error 12/27/2005 6:34:26 PM Application Error None 1000 N/A FLASHGORDON
Error 12/27/2005 6:33:24 PM Application Error None 1001 N/A FLASHGORDON
Error 12/27/2005 6:33:18 PM Application Error None 1000 N/A FLASHGORDON
Warning 12/27/2005 3:26:55 AM Userenv None 1517 SYSTEM FLASHGORDON
Error 12/26/2005 10:02:30 AM Application Hang None 1001 N/A FLASHGORDON
Error 12/26/2005 10:02:28 AM Application Hang None 1001 N/A FLASHGORDON
Error 12/26/2005 10:02:18 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/26/2005 10:02:16 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/25/2005 1:21:04 PM Application Error None 1001 N/A FLASHGORDON
Error 12/25/2005 1:20:57 PM Application Error None 1000 N/A FLASHGORDON
Warning 12/25/2005 12:30:44 PM Userenv None 1517 SYSTEM FLASHGORDON
Error 12/25/2005 10:41:42 AM Application Error None 1001 N/A FLASHGORDON
Error 12/25/2005 10:41:36 AM Application Error None 1000 N/A FLASHGORDON
Error 12/25/2005 5:09:38 AM Application Error None 1000 N/A FLASHGORDON
Error 12/25/2005 5:08:19 AM Application Error None 1000 N/A FLASHGORDON
Warning 12/24/2005 9:01:07 PM Userenv None 1517 SYSTEM FLASHGORDON
Warning 12/24/2005 2:23:16 PM Userenv None 1517 SYSTEM FLASHGORDON
Error 12/24/2005 9:51:34 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/24/2005 1:32:27 AM McLogEvent None 5022 SYSTEM FLASHGORDON
Error 12/24/2005 12:34:31 AM McLogEvent None 5022 SYSTEM FLASHGORDON
Error 12/23/2005 8:34:46 PM McLogEvent None 5022 SYSTEM FLASHGORDON
Error 12/23/2005 8:16:03 PM McLogEvent None 5022 SYSTEM FLASHGORDON
Warning 12/23/2005 4:56:29 PM Userenv None 1517 SYSTEM FLASHGORDON
Error 12/23/2005 3:47:38 PM MpfService None 2 Walton FLASHGORDON
Error 12/23/2005 11:53:14 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 11:51:10 AM Application Error None 1001 N/A FLASHGORDON
Error 12/23/2005 11:51:03 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 11:50:35 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 11:50:06 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 11:49:49 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 11:45:35 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 11:32:37 AM Application Hang None 1001 N/A FLASHGORDON
Error 12/23/2005 11:32:35 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/23/2005 11:31:33 AM Application Error None 1001 N/A FLASHGORDON
Error 12/23/2005 11:31:29 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 11:27:29 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/23/2005 11:25:47 AM Application Error None 1001 N/A FLASHGORDON
Error 12/23/2005 11:25:42 AM Application Error None 1000 N/A FLASHGORDON
Error 12/23/2005 1:16:47 AM Application Hang None 1001 N/A FLASHGORDON
Error 12/23/2005 1:16:43 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/23/2005 12:30:58 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/22/2005 11:46:33 PM Application Hang None 1001 N/A FLASHGORDON
Error 12/22/2005 11:46:29 PM Application Hang (101) 1002 N/A FLASHGORDON
Warning 12/22/2005 5:27:08 PM Userenv None 1517 SYSTEM FLASHGORDON
Error 12/22/2005 3:37:05 PM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/22/2005 1:57:05 PM Application Error None 1001 N/A FLASHGORDON
Error 12/22/2005 1:56:32 PM Application Error (100) 1000 N/A FLASHGORDON
Error 12/22/2005 4:17:29 AM Application Error None 1001 N/A FLASHGORDON
Error 12/22/2005 4:17:26 AM Application Error None 1000 N/A FLASHGORDON
Warning 12/22/2005 3:53:34 AM Userenv None 1517 SYSTEM FLASHGORDON
Error 12/21/2005 5:52:00 AM Application Error None 1000 N/A FLASHGORDON
Error 12/21/2005 5:49:11 AM Application Error None 1000 N/A FLASHGORDON
Error 12/21/2005 5:48:53 AM Application Error None 1000 N/A FLASHGORDON
Error 12/21/2005 5:48:48 AM Application

[Mod's note: log snipped for brevity]

Yoiks! :eek: :eek:

I wasn't after the entire log, just the details from some of the entries flagged with "error" or "warning":

... look through your System and Application logs for entries flagged with "Error" or "Warning". Double-clicking on such an entry will open a window with more detailed information on the error; post that info here.

Your log shows entries with application errors 1000, 1001, and 1002, as well as error entries related to DCOM; I'd like to see the details of one of each of those. Here's how to post the full details of a given entry:

- Double-click on an entry to open the entry's Properties window.

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.

- You can then paste the details into your next post in the same way that you paste your HijackThis log, by choosing "Paste" from the "File" menu or by hitting CTRL+V.
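The request above (one entry of each kind rather than the whole log) can be worked out from a pasted summary listing. The following is an added example, not part of the original posts: it groups the listing by source and event ID and names one entry per group to open; the sample lines are copied from the listing earlier in the thread, and the function names are made up for the illustration.

```python
import re
from datetime import datetime

# Column layout of the Event Viewer summary listing pasted in this thread:
# Type  Date  Time  Source  Category  Event  User  Computer
# Source may contain spaces ("Application Error"); Category is "None" or "(nnn)".
LINE_RE = re.compile(
    r"^(?P<type>Error|Warning|Information)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<source>.+?)\s+"
    r"(?P<category>None|\(\d+\))\s+"
    r"(?P<event_id>\d+)\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<computer>\S+)$"
)

# Lines copied from the listing in the thread; the last one is the entry
# that was cut off where the log was snipped.
SAMPLE = """\
Type Date Time Source Category Event User Computer
Error 12/27/2005 6:34:26 PM Application Error None 1000 N/A FLASHGORDON
Error 12/27/2005 6:33:24 PM Application Error None 1001 N/A FLASHGORDON
Error 12/27/2005 6:33:18 PM Application Error None 1000 N/A FLASHGORDON
Warning 12/27/2005 3:26:55 AM Userenv None 1517 SYSTEM FLASHGORDON
Error 12/26/2005 10:02:18 AM Application Hang (101) 1002 N/A FLASHGORDON
Error 12/24/2005 1:32:27 AM McLogEvent None 5022 SYSTEM FLASHGORDON
Error 12/23/2005 3:47:38 PM MpfService None 2 Walton FLASHGORDON
Error 12/21/2005 5:48:48 AM Application
"""


def parse_listing(text):
    """Return (events, skipped): parsed rows and the lines that did not parse."""
    events, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Type "):  # blank line or column header
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped.append(line)  # truncated or malformed row, kept for review
            continue
        rec = match.groupdict()
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%m/%d/%Y %I:%M:%S %p"
        )
        events.append(rec)
    return events, skipped


def summarize(events):
    """Group by (source, event ID); keep a count and the most recent entry."""
    groups = {}
    for ev in events:
        key = (ev["source"], ev["event_id"])
        group = groups.setdefault(key, {"count": 0, "latest": ev})
        group["count"] += 1
        if ev["when"] > group["latest"]["when"]:
            group["latest"] = ev
    return groups


def report(text):
    """One line per kind of event, most frequent first, naming the entry to open."""
    events, skipped = parse_listing(text)
    groups = summarize(events)
    ordered = sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    lines = []
    for (source, event_id), group in ordered:
        latest = group["latest"]
        lines.append(
            "%dx %s / %d (%s): open the entry of %s %s"
            % (group["count"], source, event_id, latest["type"],
               latest["date"], latest["time"])
        )
    if skipped:
        lines.append("%d line(s) could not be parsed" % len(skipped))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Each output line corresponds to one entry whose Properties window is worth copying with the steps above; rows that fail to parse are counted rather than silently dropped.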

I included the activity before and after my MVP Baseball mishap.

Here are the new logs for my System and Application from Eventviewer:

System Log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 12/24/2005
Time: 1:32:43 AM
User: N/A
Computer: FLASHGORDON
Description:
The McAfee.com McShield service terminated with service-specific error 5022 (0x139E).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/24/2005
Time: 1:31:19 AM
User: NT AUTHORITY\SYSTEM
Computer: FLASHGORDON
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 12/24/2005
Time: 12:38:37 AM
User: N/A
Computer: FLASHGORDON
Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Aspi32
Fips
intelppm
IPSec
MPFIREWL
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 12/24/2005
Time: 12:38:37 AM
User: N/A
Computer: FLASHGORDON
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 12/24/2005
Time: 12:38:37 AM
User: N/A
Computer: FLASHGORDON
Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 12/24/2005
Time: 12:38:37 AM
User: N/A
Computer: FLASHGORDON
Description:
The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 12/24/2005
Time: 12:38:37 AM
User: N/A
Computer: FLASHGORDON
Description:
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/24/2005
Time: 12:37:32 AM
User: NT AUTHORITY\SYSTEM
Computer: FLASHGORDON
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/24/2005
Time: 12:37:22 AM
User: FLASHGORDON\Walton
Computer: FLASHGORDON
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service netman with arguments "" in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 12/24/2005
Time: 12:34:19 AM
User: N/A
Computer: FLASHGORDON
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00123F7769BE. The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 12/23/2005
Time: 8:43:52 PM
User: FLASHGORDON\Walton
Computer: FLASHGORDON
Description:
The server {692E988D-1057-4C57-8078-26CF7AE54263} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 12/23/2005
Time: 8:37:23 PM
User: FLASHGORDON\Walton
Computer: FLASHGORDON
Description:
The server {692E988D-1057-4C57-8078-26CF7AE54263} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 12/23/2005
Time: 8:31:40 PM
User: NT AUTHORITY\SYSTEM
Computer: FLASHGORDON
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 12/23/2005
Time: 8:27:38 PM
User: N/A
Computer: FLASHGORDON
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 12/23/2005
Time: 8:11:27 PM
User: N/A
Computer: FLASHGORDON
Description:
The following boot-start or system-start driver(s) failed to load:
AFD
Aspi32
Fips
intelppm
IPSec
MPFIREWL
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 12/23/2005
Time: 8:11:27 PM
User: N/A
Computer: FLASHGORDON
Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 12/22/2005
Time: 4:09:46 AM
User: N/A
Computer: FLASHGORDON
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 12/21/2005
Time: 10:48:47 AM
User: N/A
Computer: FLASHGORDON
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 12/19/2005
Time: 8:42:59 AM
User: N/A
Computer: FLASHGORDON
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 12/18/2005
Time: 3:20:29 PM
User: N/A
Computer: FLASHGORDON
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 12/18/2005
Time: 11:47:33 AM
User: FLASHGORDON\Gordon
Computer: FLASHGORDON
Description:
The server {D0AAD3D6-EB93-4363-A24E-2C3D80CDBAC7} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 12/17/2005
Time: 7:55:24 PM
User: N/A
Computer: FLASHGORDON
Description:
The device, \Device\CdRom0, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 12/17/2005
Time: 7:54:06 PM
User: N/A
Computer: FLASHGORDON
Description:
The device, \Device\CdRom0, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Application Log

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 12/24/2005
Time: 9:01:07 PM
User: NT AUTHORITY\SYSTEM
Computer: FLASHGORDON
Description:
Windows saved user FLASHGORDON\Walton registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 12/24/2005
Time: 2:23:16 PM
User: NT AUTHORITY\SYSTEM
Computer: FLASHGORDON
Description:
Windows saved user FLASHGORDON\Walton registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 12/24/2005
Time: 9:51:34 AM
User: N/A
Computer: FLASHGORDON
Description:
Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 12/23/2005
Time: 4:56:29 PM
User: NT AUTHORITY\SYSTEM
Computer: FLASHGORDON
Description:
Windows saved user FLASHGORDON\Walton registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:53:14 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp.exe, version 0.0.0.0, faulting module mvp.exe, version 0.0.0.0, fault address 0x0031d0e8.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 12/23/2005
Time: 11:51:10 AM
User: N/A
Computer: FLASHGORDON
Description:
Fault bucket 253363698.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 32 35 33 33 36 33 36 39 25336369
0010: 38 0d 0a 8..

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:51:03 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp.exe, version 0.0.0.0, faulting module mvp.exe, version 0.0.0.0, fault address 0x0013fbd9.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:50:35 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x003d8a55.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:50:06 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x0013fbd9.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:49:49 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x0013fbd9.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:45:35 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x003d8a55.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: None
Event ID: 1001
Date: 12/23/2005
Time: 11:32:37 AM
User: N/A
Computer: FLASHGORDON
Description:
Fault bucket 45558392.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 34 35 35 35 38 33 39 32 45558392
0010: 0d 0a ..

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 12/23/2005
Time: 11:32:35 AM
User: N/A
Computer: FLASHGORDON
Description:
Hanging application pztrain.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 12/23/2005
Time: 11:31:33 AM
User: N/A
Computer: FLASHGORDON
Description:
Fault bucket 91625455.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 39 31 36 32 35 34 35 35 91625455
0010: 0d 0a ..

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:31:29 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp2004.exe, version 0.0.0.0, faulting module mvp2004.exe, version 0.0.0.0, fault address 0x0031d4d8.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 12/23/2005
Time: 11:27:29 AM
User: N/A
Computer: FLASHGORDON
Description:
Hanging application pztrain.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 12/23/2005
Time: 11:25:47 AM
User: N/A
Computer: FLASHGORDON
Description:
Fault bucket 91625455.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 39 31 36 32 35 34 35 35 91625455
0010: 0d 0a ..

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/23/2005
Time: 11:25:42 AM
User: N/A
Computer: FLASHGORDON
Description:
Faulting application mvp2004.exe, version 0.0.0.0, faulting module mvp2004.exe, version 0.0.0.0, fault address 0x0031d4d8.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: None
Event ID: 1001
Date: 12/23/2005
Time: 1:16:47 AM
User: N/A
Computer: FLASHGORDON
Description:
Fault bucket 131907350.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 31 33 31 39 30 37 33 35 13190735
0010: 30 0d 0a 0..

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 12/23/2005
Time: 1:16:43 AM
User: N/A
Computer: FLASHGORDON
Description:
Hanging application CTCMS.exe, version 2.2.31.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 12/22/2005
Time: 5:27:08 PM
User: NT AUTHORITY\SYSTEM
Computer: FLASHGORDON
Description:
Windows saved user FLASHGORDON\Walton registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thanks for the help thus far. Here is some more supplemental info for the MVP Baseball time frame with different explanations:

12/24/2005 9:01:07 PM Userenv Warning None 1517 NT AUTHORITY\SYSTEM FLASHGORDON Windows saved user FLASHGORDON\Walton registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
12/24/2005 5:26:37 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/24/2005 5:26:15 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/24/2005 5:26:15 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/24/2005 3:55:39 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/24/2005 3:55:14 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/24/2005 3:55:13 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/24/2005 2:23:16 PM Userenv Warning None 1517 NT AUTHORITY\SYSTEM FLASHGORDON Windows saved user FLASHGORDON\Walton registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
12/24/2005 9:51:34 AM Application Hang Error (101) 1002 N/A FLASHGORDON Hanging application rundll32.exe, version 5.1.2600.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
12/24/2005 9:24:12 AM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/24/2005 9:23:56 AM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/24/2005 9:23:50 AM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/24/2005 1:33:37 AM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/24/2005 1:32:39 AM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/24/2005 1:32:27 AM McLogEvent Error None 5022 NT AUTHORITY\SYSTEM FLASHGORDON MCSCAN32 Engine Initialisation failed. Engine returned error : The DAT files failed or are missing.
12/24/2005 1:32:24 AM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/24/2005 12:34:45 AM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/24/2005 12:34:31 AM McLogEvent Error None 5022 NT AUTHORITY\SYSTEM FLASHGORDON MCSCAN32 Engine Initialisation failed. Engine returned error : The DAT files failed or are missing.
12/24/2005 12:34:28 AM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 8:35:01 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 8:34:46 PM McLogEvent Error None 5022 NT AUTHORITY\SYSTEM FLASHGORDON MCSCAN32 Engine Initialisation failed. Engine returned error : The DAT files failed or are missing.
12/23/2005 8:34:43 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 8:26:31 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 8:26:05 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 8:26:04 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 8:23:35 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 8:16:16 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 8:16:03 PM McLogEvent Error None 5022 NT AUTHORITY\SYSTEM FLASHGORDON MCSCAN32 Engine Initialisation failed. Engine returned error : The DAT files failed or are missing.
12/23/2005 8:15:59 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 7:54:33 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 7:53:37 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 7:53:14 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167439 viruses.
Engine version : 4.4.00
.DAT version : 4657

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 7:53:11 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 7:24:57 PM Winlogon Information None 1002 N/A FLASHGORDON The shell stopped unexpectedly and Explorer.exe was restarted.
12/23/2005 6:13:31 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 6:13:04 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 6:13:03 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 6:02:06 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 6:02:05 PM SecurityCenter Information None 1801 N/A FLASHGORDON The Windows Security Center Service has stopped.
12/23/2005 5:25:28 PM Winlogon Information None 1002 N/A FLASHGORDON The shell stopped unexpectedly and Explorer.exe was restarted.
12/23/2005 4:56:29 PM Userenv Warning None 1517 NT AUTHORITY\SYSTEM FLASHGORDON Windows saved user FLASHGORDON\Walton registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
12/23/2005 4:45:37 PM Winlogon Information None 1002 N/A FLASHGORDON The shell stopped unexpectedly and Explorer.exe was restarted.
12/23/2005 4:28:31 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167703 viruses.
Engine version : 4.4.00
.DAT version : 4658

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 4:20:56 PM Winlogon Information None 1002 N/A FLASHGORDON The shell stopped unexpectedly and Explorer.exe was restarted.
12/23/2005 3:47:38 PM MpfService Error None 2 FLASHGORDON\Walton FLASHGORDON The description for Event ID ( 2 ) in Source ( MpfService ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: The service process could not connect to the service controller..
12/23/2005 3:25:19 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 3:24:54 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167439 viruses.
Engine version : 4.4.00
.DAT version : 4657

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 3:24:53 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 3:13:12 PM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 3:12:31 PM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167439 viruses.
Engine version : 4.4.00
.DAT version : 4657

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 3:12:27 PM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 11:53:14 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp.exe, version 0.0.0.0, faulting module mvp.exe, version 0.0.0.0, fault address 0x0031d0e8.
12/23/2005 11:51:10 AM Application Error Error None 1001 N/A FLASHGORDON Fault bucket 253363698.
12/23/2005 11:51:03 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp.exe, version 0.0.0.0, faulting module mvp.exe, version 0.0.0.0, fault address 0x0013fbd9.
12/23/2005 11:50:35 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x003d8a55.
12/23/2005 11:50:06 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x0013fbd9.
12/23/2005 11:49:49 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x0013fbd9.
12/23/2005 11:45:35 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp2005.exe, version 0.0.0.0, faulting module mvp2005.exe, version 0.0.0.0, fault address 0x003d8a55.
12/23/2005 11:32:37 AM Application Hang Error None 1001 N/A FLASHGORDON Fault bucket 45558392.
12/23/2005 11:32:35 AM Application Hang Error (101) 1002 N/A FLASHGORDON Hanging application pztrain.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
12/23/2005 11:31:33 AM Application Error Error None 1001 N/A FLASHGORDON Fault bucket 91625455.
12/23/2005 11:31:29 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp2004.exe, version 0.0.0.0, faulting module mvp2004.exe, version 0.0.0.0, fault address 0x0031d4d8.
12/23/2005 11:27:29 AM Application Hang Error (101) 1002 N/A FLASHGORDON Hanging application pztrain.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
12/23/2005 11:25:47 AM Application Error Error None 1001 N/A FLASHGORDON Fault bucket 91625455.
12/23/2005 11:25:42 AM Application Error Error None 1000 N/A FLASHGORDON Faulting application mvp2004.exe, version 0.0.0.0, faulting module mvp2004.exe, version 0.0.0.0, fault address 0x0031d4d8.
12/23/2005 8:06:49 AM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 8:05:53 AM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167439 viruses.
Engine version : 4.4.00
.DAT version : 4657

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 8:05:48 AM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 2:07:06 AM SecurityCenter Information None 1800 N/A FLASHGORDON The Windows Security Center Service has started.
12/23/2005 2:06:36 AM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167439 viruses.
Engine version : 4.4.00
.DAT version : 4657

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 2:06:30 AM Creative Service for CDROM Access Information None 105 N/A FLASHGORDON The service was started.
12/23/2005 1:58:33 AM McLogEvent Information None 5000 NT AUTHORITY\SYSTEM FLASHGORDON McAfee McShield service started - scanning for 167439 viruses.
Engine version : 4.4.00
.DAT version : 4657

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None
12/23/2005 1:16:47 AM Application Hang Error None 1001 N/A FLASHGORDON Fault bucket 131907350.
12/23/2005 1:16:43 AM Application Hang Error (101) 1002 N/A FLASHGORDON Hanging application CTCMS.exe, version 2.2.31.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
12/23/2005 12:30:58 AM Application Hang Error (101) 1002 N/A FLASHGORDON Hanging application ShowTime.exe, version 2.1.0.4, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
csx2.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

OK- I have to log off for the night fairly soon, but I'll repost tomorrow after I've had a chance to chew through the event history you posted.

By the way, my regedit.exe doesn't work at all. When I follow the path of Start\Run\regedit, I get a flash of something on my screen, and then the program just quits with an error report. Can you help me get this working because I think I might be able to fix the problem. I have visited other forums and made posts as well, and I discovered someone who had a similar problem. Below is the potential solution which came from another forum and it is in verbatim form:

Response Number 11

Name: thepcguy
Date: December 09, 2005 at 11:03:33 Pacific
Subject: .exe have changed to .lnk

Reply:
I just came across this problem and let me tell you, it is a heck of a thing to fix. Here is how you do it though, it involves a little timing and a little luck.
1) Download and save this file to a floppy or CD http://www.kellys-korner-xp.com/regs_edits/exefix.reg

2) Boot into XP and check if you have Outlook Express active on your start menu. Hopefully you have Outlook Express still listed there. If you don't, you are probably hooped.

3) Copy regedit.exe from your c:\windows\ directory to your c:\program files\outlook express\ folder

4) Here is the tricky part; you have to rename MSIMN.EXE to MSIMN.OLD. Then rename REGEDIT.EXE to MSIMN.EXE -- on my system the MSIMN.EXE kept regenerating itself after being deleted or renamed so you have to be very quick about it. What I did was rename REGEDIT.EXE to MSIMN.EX so I can just add an "E" at the end quickly before MSIMN.EXE regenerates itself. WHEW!

5) Start Regedit from your start menu

6) Change permissions on your HKEY_CLASSES_ROOT to allow "EVERYONE" Complete control

7) Import the reg file you saved to disk or CD

8) Exit regedit and you should see all your icons re-appear.

9) Delete msimn.exe from the outlook express folder and rename MSIMN.OLD to MSIMN.EXE

DONE!

I booted my computer in safe mode with command prompt (DOS) and I followed the nine steps I mentioned in the last post. I then restarted my computer normally and the icons on the desktop showed normally as once before! Their names were changed back to .exe and everything. However, when I clicked on them, nothing happened. I wasn't even prompted to open them with another program. If I can find a way to open up the registry editor, I feel that I will be able to solve the problem. I checked out another post on this forum called "RE: Another HotOffers Hijack (HJT log inci)", and I felt like this info was vital to my computer's survival. Can you help me please?

Earlier I said that I had a system crash with MVP Baseball 2004/2005. I also had a warning message with the Ad-watch monitor/system protector. So, out of curiosity, I logged into the PC with my brother's user login and opened up Ad-Aware SE Plus. The Ad-watch feature was disabled so I opened it up (Ad-watch System Protector). When it loaded, the same exact warning popped up on his user login too; the message read:

!Warning! 8:56:28 PM
An attempt to alter a protected object hasbeen detected.
(Attempt to delete a registry value)
Root: HKEY_LOCAL_MACHINE
Key: Software\Classes\.exe
Value: Content Type
Data: application/x-msdownload
New Data:
Please choose how to proceed.
Click here for Advice

Accept or block were the options.

When this happened to me a few days ago, I clicked the advice suggestion, but I did not feel like reading the advice info, so I just went back and chose "block" and I think that this may be a cause for my problems as well.

This time on my brother's login, however, I couldn't access the "Click here for Advice" option because it did not respond when I clicked it (my computer is jacked up). So I used CTRL + ALT + DEL to exit the program because I feared that I could've caused more of a problem if I clicked "Accept" this time. The program shut down, I opened it up again, and the same message showed up so I used CTRL + ALT + DEL again to get out safely. What do you think of this?

Earlier I said that I had a system crash with MVP Baseball 2004/2005

Walton, I would suggest never using Win2k or WinXP for gaming; Win98 is the best and recommended for playing games.

Ever since my computer has been acting up, I've noticed that just before my login screen, where it asks which user I want to use, a box shows up. The box has some strange characters on it (looks like unicode nonsense) and sometimes directory paths are written in it. The box also has an "OK" button, so I just ignore the scribbles/characters in the box and click "OK" to continue to the login screen. Recently, I did not click OK to proceed to the login window and eventually, the login window just came up. So far, I've seen two legible directories in the box and they were:

1. C:\windows\system32\mui\041b\xpsp2res.dll
(5.1.2600.2180 Hlasenia Balika Service Pack 2)

2. C:\windows\system32\mui\0414\xpob2res.dll
(5.1.2600.2180 00B-meldinger for Service Pack 2)

After logging in, I scanned both of these files for viruses with McAfee Virus Scan and Lavasoft Ad-Aware, and they were found to be clean. Then, I deleted these files, but they just regenerated. Any suggestions?

By the way, here is my latest log report for HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 1:59:32 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130266793890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132318523125
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

OK- quite honestly, finding/borrowing/stealing the correct Windows install CD would be the quickest way to go right now. Being that many of the system/application errors you've posted are the result of other program errors (that is, the errors "cascade"), it makes it pretty difficult to sort out where the root of the problem lies. Also, I've got the feeling that you may have more than one thing wrong at the core of all of this.

But, working with what we've got:

1.

C:\windows\system32\mui\041b\xpsp2res.dll
(5.1.2600.2180 Hlasenia Balika Service Pack 2)

2. C:\windows\system32\mui\0414\xpob2res.dll
(5.1.2600.2180 00B-meldinger for Service Pack 2)

After logging in, I scanned both of these files for viruses...

I have never seen the box you describe, but the above files are valid Win XP files, not malicious files. Sorry I can't offer anything beyond that.


2.

An attempt to alter a protected object hasbeen detected.
(Attempt to delete a registry value)
Root: HKEY_LOCAL_MACHINE
Key: Software\Classes\.exe
Value: Content Type
Data: application/x-msdownload

Although I can't tell what is causing the message to pop up, that Ad Aware warning might tell us something about your inability to run programs, as the particular ".exe" subkey is one of the Reg entries which tells Windows how to handle executable files. The warning also gives me an idea that may allow you to run the Registry Editor:

If you can open Windows Explorer in any way, locate the C:\Windows\regedit.exe file and rename it to regedit.com. Windows will barf warning messages regarding the filename change; tell Windows to allow the change. Files with a .com extension are also executable (but are governed by different Registry keys than .exe files), so Windows will run regedit.com just as it would run regedit.exe. If you can open the Registry Editor this way:

- Disable AdWatch so it doesn't interfere with any intentional changes you make.

- In RegEdit, verify that the values under HKEY_LOCAL_MACHINE\Software\Classes\.exe are as follows:

.exe
Name: (Default) Type: REG_SZ Data:exefile
Name: Content Type Type: REG_SZ Data:application/x-msdownload
In the PersistentHandler subkey:
Name: (Default) Type: REG_SZ Data:{098f2470-bae0-11cd-b579-08002b30bfeb}

If one of the entries is incorrect, double-click on it and edit the value accordingly. Make a backup of your entire Registry before making any changes to it!!:

- In the Registry Editor, click on "My Computer"
- On the File menu, click Export.
- In the Save in box, select a location where you want to save the Registration Entries (.reg) file, type a file name in the File name box, and then click Save.

* If you can't open Windows Explorer, rename regedit.exe by booting into Safe Mode (Command Prompt only) and typing the following command at the prompt:

ren C:\windows\regedit.exe regedit.com
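
The registry check described in the reply above can also be run against a saved export instead of by eye. This is an added example, not part of the original thread: it parses the text of a regedit export and compares the `.exe` class values with the ones listed in the reply. The function names and both sample exports are constructed for illustration.

```python
import re

# Expected REG_SZ values, exactly as listed in the reply above.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\Software\Classes\.exe": {
        "@": "exefile",  # "@" is how a .reg file writes the (Default) value
        "Content Type": "application/x-msdownload",
    },
    r"HKEY_LOCAL_MACHINE\Software\Classes\.exe\PersistentHandler": {
        "@": "{098f2470-bae0-11cd-b579-08002b30bfeb}",
    },
}

_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Matches only string (REG_SZ) values:  "Name"="data"  or  @="data"
_VAL_RE = re.compile(
    r'^(?P<name>@|"(?:[^"\\]|\\.)*")\s*=\s*"(?P<data>(?:[^"\\]|\\.)*)"$'
)


def _unescape(s):
    """Undo the backslash escaping .reg files apply inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_lowercased: {value_name_lowercased: data}} for REG_SZ values.

    Key and value names are lowercased because the registry treats them
    case-insensitively. Non-string values (dword:, hex:) are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key").lower(), {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "@" if name == "@" else _unescape(name[1:-1])
            current[name.lower()] = _unescape(m.group("data"))
    return keys


def check_exe_association(text):
    """Return (key, value_name, expected, found) tuples; an empty list means OK.

    'found' is None when the value (or the whole key) is missing from the export.
    """
    parsed = parse_reg_export(text)
    problems = []
    for key, values in EXPECTED.items():
        found_values = parsed.get(key.lower())
        for name, want in values.items():
            got = None if found_values is None else found_values.get(name.lower())
            # Compared case-insensitively: a ProgID, a MIME type and a CLSID.
            if got is None or got.lower() != want.lower():
                problems.append((key, name, want, got))
    return problems


# Constructed sample: an export whose values match the reply's list.
GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
"""

# Constructed sample: (Default) altered and "Content Type" deleted.
BAD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="lnkfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        issues = check_exe_association(sample)
        print(label, "OK" if not issues else issues)
```

A real "Version 5.00" export is saved as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `check_exe_association`.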

PROBLEM SOLVED! Here's how.

I used these steps from another forum:

The specific locations for the files:

http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

http://www.dougknox.com/xp/fileassoc/linkfile_fix.zip

For the benefit of others:
When double clicking the xp_exe_fix.reg file, Windows asks what to use to open it. Go to select from list, then browse and find C:\Windows\regedit.exe, select it and click OK, then double click xp_exe_fix.reg again and it'll ask you if you want to add the info to the registry. Click yes and reboot your computer. You should notice that by going Start->my computer->C:\ and opening any one of the folders, all of the programs appear normal again and will function correctly.

If your desktop icons still have the *.lnk extension, run the linkfile_fix.reg by double clicking it, then reboot again. Make sure everything seems back to normal and you're all done!

Note: if winzip/winrar or whatever isn't working on your machine, either extract the files on another computer or associate the zip files with the appropriate program exe (winzip/winrar) as done for the xp_exe_fix.reg file.

As you see, these files will restore icons back to .exe and programs should work again. I also rebooted my computer afterward and pressed F2. This took me to the screen where I could do a lot of configurations and I just selected the option of "restore my computer to defaults". I also used my Registry Mechanic Version 5.1 to clean my registry, which really helped.

Thanks for your time jaishankar and DMR.

PROBLEM SOLVED! Here's how.

I used these steps from another forum...

Lol. I found that exact site just yesterday while looking for a solution to a similar problem, and I bookmarked that puppy right away. Those are some very handy reg files. :)
