HJT log...suspicion ('...forms in my heart...')


Rocker
02-01-2006, 11:19 AM
Bear, would you be kind enough to take a look at this HJT log? The line with
"O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe" looks suspicious. I recently saw an AV notice about a program called 'boot.inx' trying to connect, and it looked odd.
Another thing...when I tried to call up the task manager, I got a window saying that it had been disabled by my administrator. I'M the admin on my home 'puter, and I don't remember disabling that function. How do I turn it back on?
Thanx.

Logfile of HijackThis v1.99.1
Scan saved at 5:23:46 PM, on 2/1/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\IACLiM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
c:\boot.inx
C:\WINDOWS\explorer.exe
D:\Net Software\HiJackThis\HijackThis.exe

O2 - BHO: eCATRegistrar Class - {02336F51-24CA-4422-AB63-18841ADF35E6} - C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\eCATBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: JI-Net Accelerator - {4BC3AC04-3E56-411D-B465-4FEA06654611} - C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\ThinClientToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IAClient] C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\IACLiM.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A398FE80-6A9D-4C9A-B600-52470F15E272}: NameServer = 203.147.0.3 203.147.0.2
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

wera
02-01-2006, 12:25 PM
Goodbye -> " O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm"


Unless this belongs to your ISP, kill this as well " O17 - HKLM\System\CCS\Services\Tcpip\..\{A398FE80-6A9D-4C9A-B600-52470F15E272}: NameServer = 203.147.0.3 203.147.0.2"

Think thats about it.

Oh, do you use net accelerators? If not, kill these: O4 - HKLM\..\Run: [IAClient] C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\IACLiM.exe


C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\IACLiM.exe Check with an antivirus scanner First ;).

bear
02-01-2006, 01:15 PM
Might want to hang on a minute before following those instructions. I'm reading the log now..

And we have some winners:

c:\boot.inx
Naughty. Looks like a trojan, have HJT fix this

O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
If you're not using any bluetooth devices (PDA, phone, mouse, etc) you should see about disabling this service.

O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
You were right to suspect it, it's another trojan. Have HJT fix this

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
You should disable this.
http://www.wbhelp.com/showthread.php?t=123

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
These may or may not be removed when you disable Messenger. No harm to leave them

O17 - HKLM\System\CCS\Services\Tcpip\..\{A398FE80-6A9D-4C9A-B600-52470F15E272}: NameServer = 203.147.0.3 203.147.0.2
These are from Jasmine internet, and probably needed for your ISP

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
Looks like this AV program isn't working too well. Probably best to find another.
Being locked out of the admin may be related to the infection, although I could find no reference to that. Let's see what the fix does, ok? Fix, reboot, post a fresh log, please.

Rocker
02-02-2006, 06:08 AM
Yuu da man...no, wait a minute...ohh, yeah..

Yu da BEAR!! :P !

Will do, Capt. Progress report coming soon....

bear
02-02-2006, 06:13 AM
Morning people...*bleh*...:poke:
of course, in your neck of the world, it's about supper time, no?

Rocker
02-02-2006, 09:47 AM
Morning people...*bleh*...:poke:
of course, in your neck of the world, it's about supper time, no?

What's that old saying...something about "[anything]' being better than a poke in the eye with a stick?"

I'm exactly twelve hours ahead of you, Bear. If it's noon on Monday there, it's Monday night, midnight-going-onto-Tuesday here.

Keeps life interesting...:tiredcoff

New HJT log to come soon.

Kuhn-paht-pong-mahk. ( Take it (very) easy.) :D

Rocker
02-02-2006, 10:13 AM
Bear, the c:\boot.inx doesn't show up on the log of 'fixable' items. The log only starts with the '02' numbered items. When I did a 'search' from the Windows start menu, I found an INX application and a windows prefetch file. The PF file I was able to delete but the other, even though it is only listed at 7kb, says "Cannot delete boot" . Looks like I'll have to run a AV scan tonight, then do the HJT log again tomorrow.

Know what I miss this time of year?
http://i21.photobucket.com/albums/b299/jweston/OyandJamesUK20052012.jpg

Hope you all appreciate that sweet, virginal, pure white, nasty freezing sh*t for the wonderful life-experience it is. :D
"Don't it always seem to go...that you don't know what you got, till it's gone?" ;)

Back soon.

bear
02-02-2006, 06:22 PM
"c:\boot.inx"
It's listed in the running processes, so it's probably loading as a service. You need to find where it's loading from and stop that from happening. As long as you can get it to stop loading when Windows does, it's simpler to fix.

You feel like trying a registry search?
Go to start -> run -> type regedit and hit ok/enter.
In the window, look for 'edit' at the top, and locate "find".
Type in the file name boot.inx and see if it's found (might be more than one place, so keep looking until you've searched the entire thing). If so, let me know exactly where it was found.

Rocker
02-03-2006, 03:45 AM
Bear, I did the 'regedit', and it gave me some locations...I'm trying to find a way to 'paste' them here (I've been typing all day at school and the ol' digits are dogged...)

Can't do it...here they are...


Name.....................Type...................Data
[ab].(default).........REG_SZ.............(value not set)
[ab]000.................REG_SZ..............boot.inx
[ab]001.................REG_SZ..............boot.
[ab]002.................REG_SZ..............system
[ab]003.................REG_SZ..............system maintenance

The [ab] is a little icon, shaped like Ohio and with the letters 'ab' in it. In the list on the left, I think they were found in Search Assistant/ACMru/5603 & 5604.
Should I delete 'em all?

PS I ran my AV last night, and it only seemed to find one item.
Here's a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:47:36 PM, on 2/3/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\IACLiM.exe
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Net Software\HiJackThis\HijackThis.exe

O2 - BHO: eCATRegistrar Class - {02336F51-24CA-4422-AB63-18841ADF35E6} - C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\eCATBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: JI-Net Accelerator - {4BC3AC04-3E56-411D-B465-4FEA06654611} - C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\ThinClientToolbar.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IAClient] C:\Program Files\JI-Net\JI-Net Accelerator\3.52.0105.14\IACLiM.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A398FE80-6A9D-4C9A-B600-52470F15E272}: NameServer = 203.147.0.3 203.147.0.2
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thanx, guy.
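
Bear's "fix, reboot, post a fresh log" routine is really a diff: the second log is read against the first to confirm the fixed items are gone and to see what is new. The Python script below is an added illustration (not part of this thread and not HijackThis code). It works on constructed, trimmed excerpts of the two logs posted above, not the complete logs, and flags any running process that lives directly in a drive root or does not end in .exe, the two things that made c:\boot.inx stand out. Anything the fresh log adds (here the cmd32.exe process and its [ControlPanel] Run entry) comes out of the same diff and deserves the same look the original entries got.

```python
"""Diff two HijackThis logs and flag odd-looking running processes."""
import re

# Constructed, trimmed excerpts of the two logs posted in this thread
# (2/1/2006 before the fix, 2/3/2006 after); not the complete logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:23:46 PM, on 2/1/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Messenger\msmsgs.exe
c:\boot.inx
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{A398FE80-6A9D-4C9A-B600-52470F15E272}: NameServer = 203.147.0.3 203.147.0.2
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:47:36 PM, on 2/3/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\cmd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O17 - HKLM\System\CCS\Services\Tcpip\..\{A398FE80-6A9D-4C9A-B600-52470F15E272}: NameServer = 203.147.0.3 203.147.0.2
"""

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Return (processes, entries): lower-cased process paths from the
    'Running processes:' block, and a dict of O-line body -> section code."""
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                     # a blank line ends the process block
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.add(line.lower())  # paths compare case-insensitively
            continue
        m = SECTION_RE.match(line)
        if m:
            entries[m.group(2)] = m.group(1)
    return processes, entries


def diff_logs(before, after):
    """What the fresh log dropped and what it added, processes and O-lines."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {
        "processes_gone": sorted(pb - pa),
        "processes_new": sorted(pa - pb),
        "entries_gone": sorted(set(eb) - set(ea)),
        "entries_new": sorted(set(ea) - set(eb)),
    }


def odd_processes(processes):
    """Heuristic: a process sitting directly in a drive root, or one whose
    extension is not .exe, is unusual enough to be looked at first."""
    flagged = []
    for p in processes:
        in_drive_root = re.match(r"^[a-z]:\\[^\\]+$", p) is not None
        if in_drive_root or not p.endswith(".exe"):
            flagged.append(p)
    return sorted(flagged)


if __name__ == "__main__":
    print("odd before:", odd_processes(parse_hjt(LOG_BEFORE)[0]))
    for label, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(label)
        for item in items:
            print("   ", item)
```

Run it and the "entries_gone" list is the set of items HJT was asked to fix, while "entries_new" is the short list to research before calling the second log clean; the process heuristic is deliberately crude and is meant to order the reading, not to pass judgement.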

bear
02-03-2006, 06:33 AM
That log looks clean (although Messenger is still running...), and I notice that "boot.inx" is no longer listed as a running process. It's possible it was being called by the trojan program we had you remove.
Good news there.

To get rid of the registry key, I think you should first export it, in case it's something legitimate (I could find no references to that name that were, but it's better to be safe). Search for it once more, and when it's located, in the left column, right click the containing folder and choose "export" (just the folder that actually contains the file, not any higher). When you export, it will create a file with a .reg extension. Stick the backup somewhere easy to find (desktop, My Documents...easy).

After exporting, right click the same folder in the left side of regedit, take a deep breath and choose delete.

Restart the computer. Things should be just fine.
If not, you would then start in safe mode and restore this reg key by double clicking it. I seriously doubt it's anything useful, though.

Rocker
02-04-2006, 01:28 AM
Bear, thanx. I hate to sound dense, but I don't understand this:

To get rid of the registry key, I think you should first export it, in case it's something legitimate (I could find no references to that name that were, but it's better to be safe). Search for it once more, and when it's located, in the left column, right click the containing folder and choose "export" (just the folder that actually contains the file, not any higher). When you export, it will create a file with a .reg extension. Stick the backup somewhere easy to find (desktop, My Documents...easy).

After exporting, right click the same folder in the left side of regedit, take a deep breath and choose delete.

Restart the computer. Things should be just fine.
If not, you would then start in safe mode and restore this reg key by double clicking it. I seriously doubt it's anything useful, though.

What is a 'registry 'key' '? Is it the portion of a program (or fragment of a program, whatever) which 'calls-up' or activates another, possibly a virus program? And which item is this referring to: that one called 'boot.inx' ?
If it was a bad program, why do I need to create a back-up? Also, why was it listed in 5 locations with one as the 'default'? Doesn't 'default' mean it was a needed program? :confused:

Thanx for your patience. I thought teachers had it bad...

Rocker
02-04-2006, 01:41 AM
OK, I went back to regedit. The part of the window on the right that displays the results of the search automatically popped back up with the 5 locations of the boot.inx. ( I can't seem to clear it.) They appeared to be in the folder labeled 5603, since it was displaying a color. I followed your steps, exported the folder, saved it in another folder I have called 'Net Software' on my 'D' drive. When I then went back to the regedit and hit delete, the 'numbered' locations disappeared except the one labeled as 'default' That one then appeared to be in the folder labeled 5604, so I repeated the steps, saving this one as boot.inx2. When I hit delete this time, the folder disappeared, but the default listing remained. I repeated the steps with the folder ACMru, and the damn thing's STILL there. I don't want to progress up the 'chain' any further. I just hope that when I turn this thing off, I can restart it.

Hope I (can) talk to you again soon.....

bear
02-04-2006, 07:19 AM
A "default" value is fine (a placeholder), leave them alone. Did you clear the one that contained the instance of that 'boot.inx' file? As long as that entry doesn't exist, you're fine...don't delete anything else.

To answer your question, a registry "key" is an entry into the registry (sometimes called the "hive" file) for Windows. There are keys and values...keys on the left, values on the right.
Need something to help you sleep?
Microsoft's explanation of the Windows registry:
http://support.microsoft.com/kb/256986/EN-US/

Rocker
02-04-2006, 11:00 AM
Did you clear the one that contained the instance of that 'boot.inx' file? As long as that entry doesn't exist, you're fine...don't delete anything else.

:confused: :confused: :confused:

...The 'one'????? The 'one' what? Folder? or actual numbered location of the file?
Bear, it listed 5 times.
Default, 000,001,002,003,004. I managed to delete all but the default one.


And, I just found out before opening this site again, I NOW cannot open Microsoft Word. Maybe that's what the damn thing was for...??
When I click on my desktop icon for Word, it gives me the MS Office Install window, then shuts down. When I try to open a MS Word doc in one of my folders, same thing.

Such fun, eh?? :hammer3: :hammer3: :hammer3:

Oh, and BTW, :hammer3:

bear
02-04-2006, 01:47 PM
It might be related to the additional keys (folders) you nuked. Go to the 'extra' ones, and one at a time, double click. You will be asked if you want to merge this into the registry. Say yes, test Word.
Still not working, Restore the next reg file you nuked, test again.
And so on.

When you deleted it...was it the folder on the left, or the values on the right you removed? It should have been the folder on the left...

wera
02-04-2006, 10:50 PM
Bear, thanx. I hate to sound dense, but I don't understand this:



What is a 'registry 'key' '?..
registry key hard to explain really, it's more like a part of the program that registers itself with windows bah i can't explain it but this can. (http://www.vsft.com/oberon/keys.htm)

bear
02-04-2006, 11:05 PM
Just for the record, that site copied that word for word from Microsoft, here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/predefined_keys.asp

Rocker
02-04-2006, 11:32 PM
When you deleted it...was it the folder on the left, or the values on the right you removed? It should have been the folder on the left...

Bear, There was the folder marked ACMru, then the little dotted lines beneath it (indicating sub-folders, I reckon) and these were the ones labeled 5603/5604, but they were not 'folder' icons, just the numbers. I deleted the 5603 first, and got rid of all but the location labeled (default) showing in the right half of the regedit window. Then deleting the 5604 'folder' did nothing, so I deleted the ACMru folder, again with no changes. But do you think I should 'restore' the ACMru folder? Also, what's the difference between 'move' and 'export' on these folders?

However, this morning, I opened Word as a test, and the damn thing works. (Perhaps my 'puter saw all those 'bash' emoticons I posted yesterday and got worried...I TOLD ya the @#$&*@ thing's sentient)...:D

Plus, I'm sorry if my message last night 'read' as somewhat tense. I'm hyperactive (medically) to begin with, plus being somewhat tense by temperament, and I worry that someday I'll stroke-out here. Then that worry compounds every little stress-inducing item I encounter. I just want to make sure you understand that I am never less than grateful for your tireless and patient assistance. ;)

Rocker
02-04-2006, 11:33 PM
Wera, thanx. I appreciate all the help I can get. Got yourself an apprentice, Bear? ;)

bear
02-04-2006, 11:47 PM
However, this morning, I opened Word as a test, and the damn thing works. (Perhaps my 'puter saw all those 'bash' emoticons I posted yesterday and got worried...I TOLD ya the @#$&*@ thing's sentient)...:D
Dang, mystery fixes...at least it works.
Plus, I'm sorry if my message last night 'read' as somewhat tense.
Not to worry, I'm used to computers stressing people out. All in a day's work.

As for an apprentice?
Anyone that feels they know an answer is more than welcome to respond. It's all about the help people need, not about me doing it all. Happy to have folks participating. :D

wera
02-05-2006, 02:49 AM
Really though i am happy bear pointed that out :) btw u r welcome and thz rocker :).

Rocker
02-06-2006, 05:48 AM
But do you think I should 'restore' the ACMru folder? Also, what's the difference between 'move' and 'export' on these folders?

The first, I'm hesitant to try. The second, I'm curious.

Not to worry, I'm used to computers stressing people out. All in a day's work. ...It's all about the help people need, not about me doing it all. Happy to have folks participating.

Waitress, another jar of honey for the furry guy at the end of the bar!! On MY tab!


PS...GO STEELERS!! 21-10!! YEAH, BABY!!! FINALLY, ONE FOR THE THUMB!!!:D :D :D

bear
02-06-2006, 06:46 AM
Move vs Export:
Moving allows you to well...move the entry to another place in the registry, removing it from the original location.
Export creates a backup file (xxx.reg) that can later be recovered back into the registry if needed. The original entry is left in place when exporting.

You saw the game? If not, I taped it for you, if you need it. I'd just have to copy it off to DVD and would need the mailing address (by PM).
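
Bear's export-then-delete routine, his keys-on-the-left/values-on-the-right explanation, and the move-versus-export answer above all revolve around the .reg file that Export writes. The Python script below is an added illustration (not part of this thread, not regedit or Microsoft code) that reads such an export and reports which keys actually hold a value mentioning the suspect name, so that only those keys need deleting and the parent (ACMru here) stays put. The export text is constructed: the value names and data are the ones Rocker listed, the full HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru path is an assumption, and an unset "(default)" value is simply absent from a real export.

```python
"""Read a regedit .reg export and show which keys hold a value mentioning
the suspect name, so only those keys need to go and the backup can restore them."""
import re

# Constructed example of what exporting the ACMru subkeys from this thread
# would produce. Value names/data are from the thread; the full key path
# is an assumption. Real exports (version 5.00) are UTF-16LE text.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru]

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="boot.inx"
"001"="boot."
"002"="system"
"003"="system maintenance"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="boot.inx"
"""

# A value line is either @=data (the default value) or "name"=data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its escapes."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}}. Keys are the bracketed lines
    (the folders regedit draws on the left); values are the name=data lines
    under them (the right-hand pane). '' names the default value.
    Only quoted string data is decoded; other kinds are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        name = "" if name == "@" else _unquote(name)
        if data.startswith('"') and data.endswith('"'):
            data = _unquote(data)
        keys[current][name] = data
    return keys


def keys_containing(keys, needle):
    """Key paths with at least one string value mentioning needle
    (case-insensitive). These are the keys to delete; parents are left alone."""
    needle = needle.lower()
    return sorted(
        path for path, values in keys.items()
        if any(isinstance(v, str) and needle in v.lower() for v in values.values())
    )


if __name__ == "__main__":
    reg = parse_reg(REG_EXPORT)
    for path, values in reg.items():
        print(path)
        for name, data in values.items():
            print("    %-10s %s" % (name or "(default)", data))
    print("delete only:", keys_containing(reg, "boot.inx"))
```

To run it on a real backup, open the file with encoding="utf-16", since regedit writes version 5.00 exports in UTF-16. Because the export records whole keys with their values, double-clicking the .reg file (or merging it) recreates exactly those keys, which is why exporting before deleting gives a clean undo while "move" does not: move relocates the key and leaves no copy behind.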

wera
02-06-2006, 02:07 PM
Waitress, another jar of honey for the furry guy at the end of the bar!! On MY tab!
Honey is good.....

Rocker
02-11-2006, 07:28 AM
You saw the game? If not, I taped it for you, if you need it. I'd just have to copy it off to DVD and would need the mailing address (by PM).
No but amazingly enough, they put it on Thai TV (with voice-over announcers, of course) and my wife called me at school to tell me. By then it was in the last quarter of the last quarter, but I could hear our TV, hear the fans screaming, and got the score, as it went from 14-10 to 21-10. The kids saw me walking up and down along the upper 'porch' of our school, trying to keep from screaming TOO loudly, phone glued to my head, pacing like I was waiting outside a delivery room. If you could send a copy on DVD (or ****, even VCD), I would owe you mucho. (I'll pack a sweet little bar-girl in a box and send her Express mail!!) I'll send you my address IMMEDIATELY!!!

THANX A ZILLION, BEAR!!!!:beer: :beer:

(PS You should create an emoticon with a raised mug of honey!! :D )

bear
02-11-2006, 07:33 AM
If you could send a copy on DVD (or ****, even VCD), I would owe you mucho. (I'll pack a sweet little bar-girl in a box and send her Express mail!!) I'll send you my address IMMEDIATELY!!!
Don't forget to poke a few air holes in the package. ;)
I'll copy this off to DVD today (convoluted process, but I think I can manage it), and mail it ASAP. PM the address.