View Full Version : IE Closes & Products keep being cked to ignore in scan and slow
j-escalader72
2006-10-22, 04:22
Hi,
I have 3 computer quirks :sad: that has slowly come up in the last 4-6 weeks.
They are:
* Computer is extremely SLOW to start up and shut down.
* Sporadically, there is delayed times from my actions.... (clicking, typing, or etc)... It can be when I am typing into the search box, preparing a post or closing a window.
* Approx 1 - 2 minutes after opening IE, it suddenly closes. After I reopen IE, it runs great.....Strangely IE only closes on the initial IE opening.
Both Ad-Aware SE Personal Build 1.06r1 and Spybot-S&D 1.4 were run & cleaned if any found.
I have a few questions about my Spybot S&D 1.4 settings......
There are a few ignore product check marks that i DID NOT check....
I unchk them but next time they are chked again.
CDilla PUPS
CDilla Revision sbi
SideStep PUPS
I Don't understand, why I cant keep them uncked and what are they?
I would like advice on where to proceed since these problems remain.
Thank you so kindly for any & all assistance.:)
J-escalader72
___________________________________
Here is my Spybot S&D log
--- Search result list ---
--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP0: Windows Media Player Hotfix [See KB837272 for more information]
/ Windows XP / SP1: Windows XP Service Pack 1a
/ Windows XP / SP2: Windows XP Hotfix - KB810217
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See KB810243 for more information]
/ Windows XP / SP2: Windows XP Hotfix - KB820291
/ Windows XP / SP2: Windows XP Hotfix - KB821253
/ Windows XP / SP2: Windows XP Hotfix - KB821557
/ Windows XP / SP2: Windows XP Hotfix - KB822603
/ Windows XP / SP2: Windows XP Hotfix - KB823182
/ Windows XP / SP2: Windows XP Hotfix - KB823559
/ Windows XP / SP2: Windows XP Hotfix - KB824105
/ Windows XP / SP2: Windows XP Hotfix - KB824141
/ Windows XP / SP2: Windows XP Hotfix - KB824146
/ Windows XP / SP2: Windows XP Hotfix - KB825119
/ Windows XP / SP2: Windows XP Hotfix - KB828028
/ Windows XP / SP2: Windows XP Hotfix - KB828035
/ Windows XP / SP2: Windows XP Hotfix - KB828741
/ Windows XP / SP2: Windows XP Hotfix - KB833998
/ Windows XP / SP2: Windows XP Hotfix - KB835409
/ Windows XP / SP2: Windows XP Hotfix - KB835732
/ Windows XP / SP2: Windows XP Hotfix - KB837001
/ Windows XP / SP2: Windows XP Hotfix - KB839645
/ Windows XP / SP2: Windows XP Hotfix - KB840315
/ Windows XP / SP2: Windows XP Hotfix - KB840374
/ Windows XP / SP2: Windows XP Hotfix - KB841873
/ Windows XP / SP2: Windows XP Hotfix - KB842773
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q322011
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q814995
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q817606
/ Windows XP / SP2: Windows XP Hotfix (SP2) Q819696
/ Windows XP / SP3: Windows XP Hotfix - KB885626
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
--- Startup entries list ---
Located: HK_LM:Run, _AntiSpyware
command: C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
file: C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
size: 114688
MD5: e75d193fc5f228b11e2c7b115320ef34
Located: HK_LM:Run, blpgvyqlphz
command: C:\WINDOWS\System32\tpttvtx.exe
file:
Located: HK_LM:Run, dla
command: C:\WINDOWS\system32\dla\tfswctrl.exe
file: C:\WINDOWS\system32\dla\tfswctrl.exe
size: 106549
MD5: 6d21f9202a24b36e7cb10e8ed9f9de37
Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
file: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170
Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb
Located: HK_LM:Run, ViewMgr
command: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
file: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb
Located: HK_LM:Run, HP Software Update (DISABLED)
command: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb
Located: HK_LM:Run, MCAgentExe (DISABLED)
command: c:\PROGRA~1\mcafee.com\agent\McAgent.exe
file: c:\PROGRA~1\mcafee.com\agent\McAgent.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb
Located: HK_LM:Run, Microsoft Works Portfolio (DISABLED)
command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
file:
Located: HK_LM:Run, Microsoft Works Update Detection (DISABLED)
command: C:\Program Files\Microsoft Works\WkDetect.exe
file: C:\Program Files\Microsoft Works\WkDetect.exe
size: 28739
MD5: 3141750fad211c6dadf7c2dc2ec74da8
Located: HK_LM:Run, nwiz (DISABLED)
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 364544
MD5: fa537c72dc6d4f74b3d8a87f7cfbb6ac
Located: HK_LM:Run, Share-to-Web Namespace Daemon (DISABLED)
command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
size: 69632
MD5: d5bc63d2822b8e244e53d2ff8078cc6b
Located: HK_LM:Run, Show missed alarms (DISABLED)
command: C:\Program Files\Alarm\Alarm.exe
file: C:\Program Files\Alarm\Alarm.exe
size: 225704
MD5: 03166938b9183861a323cc79469feafa
Located: HK_LM:Run, TkBellExe (DISABLED)
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb
Located: HK_LM:Run, VirusScan Online (DISABLED)
command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
size: 163840
MD5: 3fe1e841ed8483f7a75a1e86f6fc2216
Located: HK_LM:Run, VSOCheckTask (DISABLED)
command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
size: 122880
MD5: 90cf41e5d4e8d3a88d8630da5c3b7a3a
Located: HK_LM:Run, WildTangent CDA (DISABLED)
command: RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
file: C:\WINDOWS\system32\RUNDLL32.exe
size: 31744
MD5: 0fb22dd37c17f80ad71316049f725170
Located: HK_LM:Run, WinTools (DISABLED)
command: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
file:
Located: HK_LM:Run, WorksFUD (DISABLED)
command: C:\Program Files\Microsoft Works\wkfud.exe
file: C:\Program Files\Microsoft Works\wkfud.exe
size: 24576
MD5: 9d05d00e8631b7874d164d6dedd6d801
Located: HK_CU:Run, Weather (DISABLED)
command: C:\Program Files\AWS\WeatherBug\Weather.exe 1
file:
Located: HK_CU:Run, Yahoo! Pager (DISABLED)
command: "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
file:
Located: Startup (common), Google Updater.lnk (DISABLED)
command: C:\Program Files\Google\Google Updater\GoogleUpdater.exe
file: C:\Program Files\Google\Google Updater\GoogleUpdater.exe
size: 114616
MD5: f6a23759e3ad31c8537244f4e7b28f1d
Located: Startup (common), ymetray.lnk (DISABLED)
command: C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
file: C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
size: 49152
MD5: 92200938d2a67a41b334b2dcaf55e674
Located: Startup (disabled), Adobe Reader Speed Launch.lnk (DISABLED)
command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
file:
Located: Startup (disabled), Alarm Clock Icon.lnk (DISABLED)
command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Alarm Clock Icon.lnk.disabled
file:
Located: Startup (disabled), America Online 7.0 Tray Icon (DISABLED)
command: C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
file: C:\PROGRA~1\AMERIC~1.0\aoltray.exe
size: 32839
MD5: 383f838bcc2b44152b5e2f5046d3108a
Located: Startup (disabled), Enable Labtec Wireless Desktop (DISABLED)
command: C:\PROGRA~1\LABTEC~1\MagicKey.exe
file: C:\PROGRA~1\LABTEC~1\MagicKey.exe
size: 258048
MD5: 16cdc77415303f87fd617c5aaf9348c7
Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l
file: C:\PROGRA~1\MICROS~4\Office\OSA9.EXE
size: 65588
MD5: ffdc3bcba32d5947cb628086193eba19
Located: Startup (disabled), Microsoft Works Calendar Reminders (DISABLED)
command: C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
file: C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
size: 24633
MD5: 7084b58a098d2f83b304832251a8c6a8
Located: Startup (disabled), msoffice (DISABLED)
command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msoffice.exe
file:
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll
Hi j-escalader72 and welcome to the Safer Networking Forums :)
You got some infections there...
Post a HijackThis log to here: Please download HijackThis to your desktop -> HijackThis 1.99.1 (http://downloads.malwareremoval.com/HijackThis.exe)
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Run HijackThis.exe
Click on Do a system scan and save a logfile
Wait for the scan to end, a logfile will popup in a notepad document
Please copy that log and paste it to you thread
Then we'll continue :bigthumb:
j-escalader72
2006-10-23, 05:29
Mr Jak,
Thank you for the welcome and your quick response.
Here is my HJT Log.
Let me know what to do next.
Take Care,
J-escalader72
_________________________________
Logfile of HijackThis v1.99.1
Scan saved at 8:44:59 PM, on 10/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\ie.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [blpgvyqlphz] C:\WINDOWS\System32\tpttvtx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: ymetray.lnk.disabled
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Hi again :)
One or more of the identified infections has backdoor capabilities.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post :bigthumb:
j-escalader72
2006-10-23, 16:14
Thank you for the info.
I am wondering when this happened.... cause lately when i was updating my security stuff to the updated version, i noticed my mcafee was stopped from my lower toolbar as active..... dont know where it went.
I dont do any banking or financial transactions on the PC. I am currently changing all passwords. I guess i need to isolate and get rid of the bug.
Id like to inform you that i have various personal challanges due to a serious accident. As far as reformatting or redoing my puter, i would become too overwhelmed. My finances are very limited..... I can follow most directions pretty well but if too extensive i just shut down. Please advise my next step to get rid of bug...If you would like you can IM for quicker info.
Thank you so very kindly for your assistance.
J-escalader
Hi again and sorry for the delay, I've been busy.
I'll be happy to help you with the cleaning process :)
Some of the McAfee's startups have been disabled, you should enable these again.
Start -> Run -> type the following without quotes and hit Ok, "msconfig"
Click on the "Startup" tab and checkmark all the following entries:
MCAgentExe
VirusScan Online
VSOCheckTask
Hit Apply and Ok, close the window.
Reboot the computer, McAfee should be enabled now.
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Please post an uninstall list to here. Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.
Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and Save as: Name the file peek.bat Save as Type: All files Select the desktop icon on the left to save it on the desktop.
Double click on peek.bat and let it run.
When finished it will open a file in Notepad.
That file will be named startup.txt
Please post the contents of startup.txt into your next reply here.
if not exist Files MkDir Files
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt
Copy files\*.txt = startup.txt
rmdir /s /q files
Start Notepad startup.txt
Then we'll continue :)
j-escalader72
2006-10-24, 15:04
Mr Jak,
Thank you.....
I am confused on what you really wanted me to do with new notepad stuff....
I was unsure how long it would take to run the peek.bat. (after waiting 10 min. i figiured i had done something incorrect)....so i restarted instructions again..... took me about an hour to figure out the instructions in what to do.... and it only took a few seconds to give peek.bat results and i hope this is what you need.
but here goes
uninstall list
Ad-Aware SE Personal
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
America Online
AOL Coach Version 1.0(Build:20020605.1)
AOL Instant Messenger
ArcSoft Software Suite
Belarc Advisor 6.0
BellSouth FastAccess DSL WEB Controls
BellSouth® Communications Suite
BroadJump Client Foundation
Calc98
Creative WebCam Instant Driver (1.01.02.0729)
Detto IntelliMover Demo
DirectX 9 Hotfix - KB839643
Disney's Lilo and Stitch Pinball
DLA
ewido security suite
FileAlyzer 1.1i
FoneSync
Google Earth
Google Toolbar for Internet Explorer
Google Updater
Hemera Products
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
hp center
hp deskjet 3320 series (Remove only)
hp instant support
HP Memories Disc
HP Photo and Imaging 1.0 - Scanjet 3500c Series
HP Photo and Imaging 1.1 - Photosmart Cameras
HP Photo and Imaging 2.0 - Scanners
HP Photosmart Essential
HP Software Update
hp toolkit
ImageMixer
Inactive HP Printer Drivers (Remove only)
Intel(R) Extreme Graphics Driver
Intel® Create & Share® Software
InterActual Player
Internet Explorer Q867801
InterVideo WinDVD
iPod Update 2004-04-28
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_05
JD Secure 3.1
Juno 6
Kaspersky On-line Scanner
KBD
Labtec Wireless Desktop
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.12.3
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash MX 2004
Macromedia Flash Player 8
Macromedia Shockwave Player
MathPlayer
McAfee AntiSpyware
McAfee SecurityCenter
McAfee VirusScan Professional
Microsoft Chat 2.5
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 5 PowerTweaks Web Accessory
Microsoft Office Excel Viewer 2003
Microsoft PowerPoint Viewer 97
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MicroStaff WINASPI
Moffsoft FreeCalc
Mozilla Firefox (1.5.0.7)
MSN Add-in for Windows Messenger
MSN Gaming Zone
MSN Messenger 7.5
MSN Toolbar
MUSICMATCH Jukebox
NVIDIA Windows 2000/XP Display Drivers
Outlook Express Q823353
PC-Doctor for Windows
PigPen
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken Financial Center
QuickTime
RealPlayer
RTC Client API v1.2
SabreWing 2
Snowboard Extreme
Space Rocks
Speedway
Spy Sweeper
Spybot - Search & Destroy 1.4
Talking Alarm Clock
Ultra WinCleaner One Click! Version 8.0
upapp
Virtual Warfare
Westell Firmware Upgrade
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player Hotfix [See KB837272 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833998
Windows XP Hotfix - KB835409
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB885626
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
WordPerfect Productivity Pack
WordPerfect Productivity Pack
Yahoo! Address AutoComplete
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Startup list
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
Hi again, good work :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
At first we'll take handle the disabled startups....
Please open Spybot S&D -> Mode -> Advanced mode
Select Tools -> System startup
Enable (checkmark) the following entries:
MCAgentExe
VirusScan Online
VSOCheckTask
Then, delete the following entries (select the entry with mouse and hit Delete)
WinTools
Weather
Close Spybot S&D.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Go to virustotal.com (http://www.virustotal.com)
Click on the Browse button
Browse to the following file: C:\WINDOWS\ie.exe
Click Open and then on Send
Wait for the scan to end.
Please RIGHT-CLICK HERE (http://www.silentrunners.org/Silent%20Runners.vbs) and Save As (in IE it's "Save Target As") to download Silent Runners.
Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
================
When you're ready, post the following logs to here:
- silentrunners log
- a fresh HijackThis log
- results from virustotal scan
j-escalader72
2006-10-25, 05:32
Mr Jak,
Thank you so much for your prompt assistance.
As you requested, I am posting the following logs for you.
- silent runners log
:rolleyes:Jay Escalader
"Silent Runners .vbs", revision 49,
OS: Windows XP
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"ie.exe" = "C:\WINDOWS\ie.exe" [null data]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Acme.PCHButton" = "C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" ["Motive Communications, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [null data]
"_AntiSpyware" = "C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe" ["Network Associates, Inc."]
"blpgvyqlphz" = "C:\WINDOWS\System32\tpttvtx.exe" [file not found]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [null data]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [null data]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" [file not found]
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"Propel Accelerator" = "C:\PROGRA~1\BELLSO~1\PropelAC.exe" [file not found]
"LTMSG" = "LTMSG.exe 7" ["Agere Systems"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"CamMonitor" = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"BellSouthSyn" = "C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize" ["BellSouth"]
"BellSouthScheduler" = "C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler" ["BellSouth"]
"VirusScan Online" = ""c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled" [file not found]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "YahooTaggedBM Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll__BHODemonDisabled" [file not found]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ST"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSNToolBandBHO"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {HKLM...CLSID} = "America Online"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]
"{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"
-> {HKLM...CLSID} = "WayTech MultiMouse Extension"
\InProcServer32\(Default) = "C:\Program Files\Labtec Wireless Desktop\CPDll.dll" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]
<<!>> "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> application/xhtml+xml\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
<<!>> text/xml\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
<<!>> text/xml; charset=iso-8859-1\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
<<!>> text/xml; charset=utf-8\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Group Policies {policy setting}:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\My Documents\My Pictures\Gif & jpg pictures\PhotoImpression4.bmp"
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]
Startup items in "Owner" & "All Users" startup folders:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
<<!>> "Adobe Reader Speed Launch.lnk.disabled" [null data]
<<!>> "Alarm Clock Icon.lnk.disabled" [null data]
"America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]
"Enable Labtec Wireless Desktop" -> shortcut to: "C:\Program Files\Labtec Wireless Desktop\MagicKey.exe" [empty string]
<<!>> "Google Updater.lnk.disabled" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
<<!>> "ymetray.lnk.disabled" [null data]
Enabled Scheduled Tasks:
"Chancy 's School time" -> launches: "C:\Program Files\Alarm\Alarm.exe "Chancy 's School time"" ["Cinnamon Software Inc."]
"McAfee.com Update Check (FAMILY-CHANCY)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
"McAfee.com Update Check (FAMILY-GUESS WHO)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
"McAfee.com Update Check (FAMILY-Hanson2)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" [null data]
"McAfee.com Update Check (FAMILY-Owner)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
"McAfee.com Update Check (FAMILY-rhino)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
"Yahoo" -> launches: "C:\Program Files\Alarm\Alarm.exe Yahoo" ["Cinnamon Software Inc."]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
-> {HKLM...CLSID} = "hp toolkit"
\InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["Networks Associates Technology, Inc"]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [file not found]
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "hp toolkit"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "hp toolkit"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled" [file not found]
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]
{DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF}\
"ButtonText" = "Messenger"
"Exec" = "C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe" ["BellSouth"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
Miscellaneous IE Hijack Points
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Lexar JD31, LxrJD31s, "LxrJD31s.exe" [null data]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt05\Driver = "hpzsnt05.dll" ["HP"]
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
---------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
......
j-escalader72
2006-10-25, 05:45
Mr Jak,
The following logs exceeded the maximum post length to put all together in one post. Heres the other logs you requested.
- a fresh HijackThis log
- results from virustotal scan
I hope i did this correctly.
:)Thank you so kindly for the assistance.
Jay-escalader
HiJack This Log
Logfile of HijackThis v1.99.1
Scan saved at 8:00:16 PM, on 10/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\WINDOWS\ie.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\tpttvtx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ymetray.lnk.disabled
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com (http://www.militaryonesource.com)
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com (http://www.msnusers.com)
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
[B]VirusTotal 24 October 2006
Antivirus Version Update Result
AntiVir 7.2.0.32 10.24.2006 R/Delphi.Downloader.Gen
Authentium 4.93.8 10.24.2006 W32/Backdoor.OKB
Avast 4.7.892.0 10.24.2006 no virus found
AVG 386 10.25.2006 Downloader.Agent.GNR
BitDefender 7.2 10.24.2006 no virus found
CAT-QuickHeal 8.00 10.23.2006 TrojanDownloader.Agent.azn
ClamAV devel-20060426 10.24.2006 no virus found
DrWeb 4.33 10.24.2006 no virus found
eTrust-InoculateIT 23.73.34 10.23.2006 no virus found
eTrust-Vet 30.3.3154 10.24.2006 no virus found
Ewido 4.0 10.24.2006 no virus found
Fortinet 2.82.0.0 10.24.2006 W32/Agent.ESM!tr
F-Prot 3.16f 10.24.2006 security risk named W32/Backdoor.OKB
F-Prot4 4.2.1.29 10.24.2006 W32/Backdoor.OKB
Ikarus 0.2.65.0 10.24.2006 no virus found
Kaspersky 4.0.2.24 10.25.2006 Trojan-Downloader.Win32.Agent.azn
McAfee 4880 10.24.2006 no virus found
Microsoft 1.1609 10.25.2006 no virus found
NOD32v2 1.1831 10.24.2006 no virus found
Norman 5.80.02 10.24.2006 W32/Agent.APCO
Panda 9.0.0.4 10.24.2006 Suspicious file
Sophos 4.10.0 10.24.2006 Mal/Packer
TheHacker 6.0.1.104 10.23.2006 no virus found
UNA 1.83 10.25.2006 no virus found
VBA32 3.11.1 10.24.2006 no virus found
VirusBuster 4.3.7:9 10.24.2006 no virus found
Aditional Information
File size: 8080 bytes
MD5: c9ee6c9b7033d4f7dfa6da06e6b7a718
SHA1: a4d28397684b2827325f02b19a60e22fc9bc365d
packers: UPACK
Hi again :)
Before we'll continue I would like you to do something for me...
I need you to upload a file for further inspection.
Please go to thespykiller.co.uk (http://www.thespykiller.co.uk/forum/index.php?board=1.0)
Read the instructions for uploading a file from this thread (http://www.thespykiller.co.uk/forum/index.php?topic=5.0)
Create a topic and name it to File for Lonny
Remember to include the link to this topic in your post.
Upload the following file to your topic:
C:\Windows\ie.exe
When you've done this, please post a link to the thread you just created to me.
Then:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
j-escalader72
2006-10-25, 16:29
Mr Jak,
I was unsure if you wanted a private posting of link. so....i am sending.
As you requested, the link to my posting of the uploaded file is
http://www.thespykiller.co.uk/forum/index.php?topic=2893.0
I am presently doing the remainder of your request and will be posting log for you in a few.
Thank you so very much for all assistance.
jay esclader
j-escalader72
2006-10-25, 17:11
Mr Jak,
Per your request, heres the Combofix Log.
I will be waiting for my next instructions from you.
Thank you so very much.....
_________________________________
Owner - 06-10-25 8:49:22.48 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Program Files\Corel\WordPerfect Office 2002\Template"
((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-25 07:02 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-23 09:31 -------- d-a------ C:\Program Files\Common Files
2006-10-23 09:30 -------- d-------- C:\Program Files\Yahoo!
2006-10-23 09:29 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-23 09:29 -------- d-------- C:\Program Files\Windows Media Player
2006-10-23 09:26 -------- d-------- C:\Program Files\Sudoku Assistenten
2006-10-17 00:53 -------- d-------- C:\Program Files\Google
2006-10-13 08:05 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-10-02 13:26 -------- d-------- C:\Program Files\HP
2006-10-02 13:26 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-02 13:25 -------- d-------- C:\Documents and Settings\Owner\Application Data\Image Zone Express
2006-10-02 12:45 -------- d-------- C:\Program Files\Common Files\HP
2006-10-02 12:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Printer Info Cache
2006-09-24 21:04 -------- d-------- C:\Program Files\illiminable
2006-09-13 22:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\Google
2006-09-13 11:58 77016 --a------ C:\WINDOWS\us2installer2.8.49.exe
2006-09-13 11:58 55512 --a------ C:\WINDOWS\system32\ipv6monr.dll
2006-09-13 11:58 12204 --a------ C:\WINDOWS\s.exe
2006-09-11 00:08 55512 --a------ C:\WINDOWS\system32\ipv6mons.dll
2006-09-03 21:32 8080 --a------ C:\WINDOWS\ie.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"_AntiSpyware"="C:\\Program Files\\McAfee\\McAfee AntiSpyware\\MssCli.exe"
"blpgvyqlphz"="C:\\WINDOWS\\System32\\tpttvtx.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"Propel Accelerator"="C:\\PROGRA~1\\BELLSO~1\\PropelAC.exe"
"LTMSG"="LTMSG.exe 7"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"BellSouthSyn"="C:\\Program Files\\BellSouth\\Application Center\\BsnAppCenter.exe /Synchronize"
"BellSouthScheduler"="C:\\Program Files\\BellSouth\\Application Center\\BsnAppCenter.exe /Scheduler"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,34,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,34,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,34,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"="McAfee AntiSpyware Shell Extension"
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"ie.exe"="C:\\WINDOWS\\ie.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Show missed alarms"="C:\\Program Files\\Alarm\\Alarm.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"nwiz"="nwiz.exe /install"
"WildTangent CDA"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Chancy 's School time.job
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\McAfee AntiSpyware.job
C:\WINDOWS\tasks\McAfee.com Update Check (FAMILY-CHANCY).job
C:\WINDOWS\tasks\McAfee.com Update Check (FAMILY-GUESS WHO).job
C:\WINDOWS\tasks\McAfee.com Update Check (FAMILY-Hanson2).job
C:\WINDOWS\tasks\McAfee.com Update Check (FAMILY-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (FAMILY-rhino).job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Yahoo.job
Completion time: 06-10-25 8:51:33.98
C:\ComboFix.txt ... 06-10-25 08:51
Hi again, good work :)
We'll remove the old version of Ewido. (We'll install the latest version, AVG Anti-Spyware)
We'll remove the old versions of Java. (We'll install the latest version later)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Open Control Panel -> Add/Remove programs -> Remove all the of the following programs if found:
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_05
ewido security suite
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
==================
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
ie.exe
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"blpgvyqlphz"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"ie.exe"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\tpttvtx.exe
O20 - AppInit_DLLs:
Please run Killbox.
Select "Delete on Reboot".
Select "All Files".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\System32\tpttvtx.exe
C:\WINDOWS\us2installer2.8.49.exe
C:\WINDOWS\system32\ipv6monr.dll
C:\WINDOWS\s.exe
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\ie.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\Program Files\Viewpoint
C:\Program Files\Common Files\WinTools
C:\Program Files\AWS
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick [b]Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log
j-escalader72
2006-10-26, 05:08
Mr Jak,
Per your request, i am posting the following logs in 3 posts because together they exceed the maximum.
- AVG's report
- a fresh HijackThis log
Thank you for all your assistance.
Jay Escalader
AVG Anti-Spyware - Scan Report
+ Created at: 8:02:29 PM 10/25/2006
+ Scan result:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\McAfee.com\Agent\McAgent.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\McAfee.com\Agent\mcupdate.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP475\A0054397.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057019.rbf -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ddayw.dll -> Downloader.ConHook.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\geebc.dll -> Downloader.ConHook.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqpp.dll -> Downloader.ConHook.r : Cleaned with backup (quarantined).
C:\!KillBox\s.exe -> Logger.Agent.ow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057037.exe -> Logger.Agent.ow : Cleaned with backup (quarantined).
C:\!KillBox\ipv6monr.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\!KillBox\ipv6mons.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\!KillBox\us2installer2.8.49.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050187.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050192.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050193.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050198.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050199.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050223.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050224.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050228.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050229.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050240.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050241.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050254.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050260.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050261.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP448\A0050264.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050271.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050272.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050280.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050297.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050298.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050313.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050327.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050328.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050346.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050347.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050369.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050370.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050385.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050386.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050394.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050417.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050418.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050424.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050425.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050432.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050438.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050439.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050460.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050461.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP449\A0050462.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050465.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050466.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050473.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050486.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050487.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050496.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050497.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050502.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050533.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050534.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050545.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP450\A0050546.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP451\A0050691.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP451\A0050693.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057035.exe -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057036.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057038.dll -> Logger.Goldun.lw : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.165:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.100:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.100:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.101:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.101:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.102:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.102:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.103:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.104:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.97:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.98:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.99:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.18:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.37:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.40:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\rhino\Application Data\Mozilla\Firefox\Profiles\o8ckj752.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\rhino\Application Data\Mozilla\Firefox\Profiles\o8ckj752.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\rhino\Application Data\Mozilla\Firefox\Profiles\o8ckj752.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\rhino\Application Data\Mozilla\Firefox\Profiles\o8ckj752.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.15:C:\Documents and Settings\rhino\Application Data\Mozilla\Firefox\Profiles\o8ckj752.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.33:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.69:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.55:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.67:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.107:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.108:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.109:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.145:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.46:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.47:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.48:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.49:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.50:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
_____ REMAINDER of AVG Log is in next post ________
j-escalader72
2006-10-26, 05:19
Mr Jak,
Per your request, i am posting
- the remainder of AVG's report from prior post.
and a
- fresh HijackThis log will be in the next post.
Thank you for all your assistance.
Jay Escalader
_______________________________
*remainder of AVG Anti-Spyware Scan Report
+ Created at: 8:02:29 PM 10/25/2006
+ Scan result:
:mozilla.51:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.52:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.57:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.58:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.59:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.60:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.61:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.116:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.117:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.118:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.119:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.16:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.19:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.113:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.114:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.115:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.64:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.65:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.67:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.70:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.71:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.72:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.73:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.74:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.113:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.114:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.17:C:\Documents and Settings\rhino\Application Data\Mozilla\Firefox\Profiles\o8ckj752.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.85:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.86:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.108:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.147:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.148:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.149:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.150:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.96:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.97:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.98:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.99:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.120:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.122:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.123:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.88:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.89:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.110:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.111:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.73:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.74:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.75:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.76:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.124:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.135:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.136:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.137:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.121:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.146:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.41:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.42:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.43:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.44:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.45:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.46:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.49:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.50:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.51:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.84:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.85:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.86:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.87:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.88:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.89:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.90:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.91:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.107:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.39:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.40:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.152:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.153:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.154:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.155:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.157:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.158:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.110:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.111:C:\Documents and Settings\GUESS WHO\Application Data\Mozilla\Firefox\Profiles\gbevv0qh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.47:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.48:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.52:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.68:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.69:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.70:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.71:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.72:C:\Documents and Settings\CHANCY\Application Data\Mozilla\Firefox\Profiles\tawf13vl.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
::Report end
_______ next post for HJT LOG ________
j-escalader72
2006-10-26, 05:25
Mr Jak,
Per your request, i am posting a
- fresh HijackThis log.
This completes the logs you needed to further assist me. :bigthumb:
Thank you for all your assistance.
Jay Escalader
My fresh HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 8:22:56 PM, on 10/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ymetray.lnk.disabled
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com (http://www.militaryonesource.com)
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com (http://www.msnusers.com)
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Hi again looks better :)
We still have some work to do. You have an infection which replaces legitimate files with infected ones. We need to locate the legitimate backups and restore those...
Please download the following program and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.
Also, please run Silent Runners again an post it's log to here (do the same thing as earlier)
Then we'll continue :bigthumb:
j-escalader72
2006-10-26, 16:42
Mr Jak,
Per your request, I am posting the contents of AWF report file.
Also, I will run Silent Runners and post the new log for you in a few.
Thank you for your guidance to chomp away at these buggers.......
I appreciate it.:)
Jay Escalader
__________________________________
Find AWF report by noahdfear ©2006
21K files found
~~~~~~~~~
21K files found with strings
~~~~~~~~~~~~~~~~
25K files found
~~~~~~~~~
25K files found with strings
~~~~~~~~~~~~~~~~
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
08/17/2004 07:26 PM 245,760 McAgent.exe
10/25/2004 12:08 PM 184,320 mcupdate.exe
2 File(s) 430,080 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
05/06/2005 02:04 AM 180,269 realsched.exe
1 File(s) 180,269 bytes
Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\11720~1.567\BAK
09/13/2006 10:07 PM 157,944 GoogleToolbarNotifier.exe
1 File(s) 157,944 bytes
Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
04/13/2005 03:48 AM 36,975 jusched.exe
1 File(s) 36,975 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
245760 Aug 17 2004 "C:\Program Files\McAfee.com\Agent\bak\McAgent.exe"
184320 Oct 25 2004 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
end of report
j-escalader72
2006-10-26, 17:12
Mr Jak,
Per your request, I am posting a new Silent Runners Log which will be in 2 postings due to length.
Thank you for your guidance. :) I appreciate it.
Jay Escalader
__________________________________________
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Acme.PCHButton" = "C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" ["Motive Communications, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"_AntiSpyware" = "C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe" ["Network Associates, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" [file not found]
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"Propel Accelerator" = "C:\PROGRA~1\BELLSO~1\PropelAC.exe" [file not found]
"LTMSG" = "LTMSG.exe 7" ["Agere Systems"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"CamMonitor" = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
"BellSouthSyn" = "C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize" ["BellSouth"]
"BellSouthScheduler" = "C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler" ["BellSouth"]
"VirusScan Online" = ""c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled" [file not found]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "YahooTaggedBM Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll__BHODemonDisabled" [file not found]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ST"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSNToolBandBHO"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {HKLM...CLSID} = "America Online"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]
"{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"
-> {HKLM...CLSID} = "WayTech MultiMouse Extension"
\InProcServer32\(Default) = "C:\Program Files\Labtec Wireless Desktop\CPDll.dll" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
-> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> application/xhtml+xml\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
<<!>> text/xml\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
<<!>> text/xml; charset=iso-8859-1\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
<<!>> text/xml; charset=utf-8\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
-> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
\InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\My Documents\My Pictures\Gif & jpg pictures\PhotoImpression4.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]
Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
<<!>> "Adobe Reader Speed Launch.lnk.disabled" [null data]
<<!>> "Alarm Clock Icon.lnk.disabled" [null data]
"America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]
"Enable Labtec Wireless Desktop" -> shortcut to: "C:\Program Files\Labtec Wireless Desktop\MagicKey.exe" [empty string]
<<!>> "Google Updater.lnk.disabled" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
<<!>> "ymetray.lnk.disabled" [null data]
Enabled Scheduled Tasks:
------------------------
"Chancy 's School time" -> launches: "C:\Program Files\Alarm\Alarm.exe "Chancy 's School time"" ["Cinnamon Software Inc."]
"McAfee.com Update Check (FAMILY-CHANCY)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [file not found]
"McAfee.com Update Check (FAMILY-GUESS WHO)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [file not found]
"McAfee.com Update Check (FAMILY-Hanson2)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" [file not found]
"McAfee.com Update Check (FAMILY-Owner)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [file not found]
"McAfee.com Update Check (FAMILY-rhino)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [file not found]
"Yahoo" -> launches: "C:\Program Files\Alarm\Alarm.exe Yahoo" ["Cinnamon Software Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
-> {HKLM...CLSID} = "hp toolkit"
\InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["Networks Associates Technology, Inc"]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [file not found]
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "hp toolkit"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "hp toolkit"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "UberButton Class"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled" [file not found]
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]
{DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF}\
"ButtonText" = "Messenger"
"Exec" = "C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe" ["BellSouth"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]
j-escalader72
2006-10-26, 17:20
Mr Jak,
This is the Remainder of Silent Runners Log from prior post.
I have completed all you requested and waiting for my next assignments. Thank you for your guidance. :) I appreciate it.
Jay Escalader
____________ continuation of Silent Runners Log _____________
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Lexar JD31, LxrJD31s, "LxrJD31s.exe" [null data]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt05\Driver = "hpzsnt05.dll" ["HP"]
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 264 seconds, including 18 seconds for message boxes)
Ok great, now we'll move the clean files back to the places they belong...
Go to My Computer and browse to the following folder:
C:\Program Files\HP\HPSoftware\BAK
Inside the BAK folder is a file named HPWuSchd2.exe
Right click it with your mouse and choose Cut
The go back to the main folder, C:\Program Files\HP\HPSoftware
Click the background with your mouse, choose Paste
Now you should have the HPWuSchd2.exe file in the C:\Program Files\HP\HPSoftware folder.
Now go ahead and delete the BAK folder
The same thing for other files:
C:\Program Files\MCAFEE.COM\AGENT\BAK
Inside the BAK folder are files named McAgent.exe & mcupdate.exe
Select the files with you mouse, right click it wiht your mouse and choose Cut
The go back to the main folder, C:\Program Files\MCAFEE.COM\AGENT
Click the background with your mouse, choose Paste
Now you should have the files in the C:\Program Files\MCAFEE.COM\AGENT folder
Now go ahead and delete the BAK folder
Two more to go:
C:\Program Files\Common Files\Real\Update_OB\BAK
Inside the BAK folder is a file named realsched.exe
Right click it with your mouse and choose Cut
The go back to the main folder, C:\Program Files\Common Files\Real\Update_OB
Click the background with your mouse, choose Paste
Now you should have the realsched.exe file in the C:\Program Files\Common Files\RealUpdate_OB folder.
Now go ahead and delete the BAK folder
One more:
C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674BAK
Inside the BAK folder is a file named GoogleToolbarNotifier.exe
Right click it with your mouse and choose Cut
The go back to the main folder, C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674
Click the background with your mouse, choose Paste
Now you should have the GoogleToolbarNotifier.exe file in the C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674 folder.
Now go ahead and delete the BAK folder
Finally, delete the following folder:
C:\Program Files\Java
Restart the computer normally.
Then we'll run one more scanner in order to make sure that we got everything:
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a one more HijackThis log.
j-escalader72
2006-10-27, 02:23
Mr Jak,
I did all you requested to move the clean files. Also, I did the Kaspersky Online Scan & HJT scan and I am posting the Logs in 3 posts due to size.
Thank you for your guidance.
Seems we are successfully knocking them bugz down.
:D: I very much appreciate it.
Jay Escalader
P.S. Now my wireless mouse & keyboard delays. yuckie!!!
_________________________________
Kaspersky Online Scan
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 26, 2006 4:49:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/10/2006
Kaspersky Anti-Virus database records: 235264
--------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 94022
Number of viruses found: 10
Number of infected objects: 20 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:04:44
Infected Object Name / Virus Name / Last Action
C:\!KillBox\ie.exe Infected: Trojan-Downloader.Win32.Agent.azn skipped
C:\2e31c488aa90f34d15450acf38e5de\common\spcustom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\common\spmsg.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\common\spuninst.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\common\update.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\browser.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\callcont.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\EvTgProv.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\gdi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\H323.TSP Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\H323msp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\HelpCtr.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\ipnathlp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\lsasrv.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\mf3216.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\msasn1.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\msgina.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\mst120.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\netapi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\nmcom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\RTCDLL.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\schannel.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\update\KB835732.cat Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\update\update.inf Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\update\update.ver Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\callcont.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\evtgprov.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\gdi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\h323.tsp Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\h323msp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\helpctr.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\ipnathlp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\lsasrv.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\mf3216.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\msasn1.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\msgina.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\mst120.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\netapi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\nmcom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\rtcdll.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\schannel.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\spmsg.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\spuninst.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\KB835732.cat Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\spcustom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\update.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\update.inf Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\update.ver Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\xpsp2res.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\xpsp1hfm.exe Object is locked skipped
C:\antispyware\backups\backup-20040829-134927-259.dll Infected: Trojan-Clicker.Win32.VB.br skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Motive\Acme\plugin\log\pchbtn.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Intel\Createshare\inetcam\INSTALL.LOG Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\logs\iserver_access.log Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\logs\iserver_error.log Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\Audio.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\Audiops.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\magic Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\mime.types Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\usersdef.conf Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\wireless.conf Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ftpproc.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\iconfig.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\InetcamServer.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\InetMotDet.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\InetResp.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\inst_util.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ipproc.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivista-ex.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivista.chm Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\iVista.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\IVistaACapture.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\IVistaVCapture.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivrec.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivrsmon.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\iws.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\IWSCore.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\mfc42.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\modules\mod_rewrite.so Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\msgproc.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\msvcrt.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\template.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\aonlybase.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\framedapplet.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\main.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\motdet.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\tableframe.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\tableindex.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\videoclip.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\users\users Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\Win9xConHook.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\sounds\alarm1.wav Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\sounds\alarm2.wav Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\sounds\alarm3.wav Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\Uninstall.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\avmail.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\avmail.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-au.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-clip.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-gif.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-jpeg.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-mdlog.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-setparam.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\aonlybase.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\abottom.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\aleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\alert.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\aonly.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\aright.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\arrow.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\atop.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\audclip.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\avleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\avright.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\back.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\bottom.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\bottom2.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clipbottom.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clipleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clips.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clipside.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\cliptop.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\left.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\logo.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menubottomcap.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menuclip.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menuhome.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menumotdet.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menutopcap.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetclip.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetlogs.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetnext.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetpic.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetprev.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetprofile.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\noclips.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\nomotdet.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\notavail.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\right.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\top.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\voleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\voright.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jsaonlybase.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jstableframe.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jstableindex.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jstemplate.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\tableframe.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\tableindex.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\template.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\FTPCam.class Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\ijava.htm Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\ijpeg.htm Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamAudio.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamAudio.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamBase.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamBase.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcams.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcams.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam_av.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam_av.jar Object is locked skipped
Remainder of Kaspersky Scan "continued on next post"
j-escalader72
2006-10-27, 02:31
Mr Jak,
Heres the remainder of the Kaspersky Online Scan from the previous post.
My HJT Scan Log will be in the next post. .
Thank you for your guidance.
Kaspersky Scan "continued from prior post”
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ar_SA.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_de_DE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_en_GB.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_es_ES.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_fi_FI.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_fr_FR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_he_IS.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_it_IT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ja_JP.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ko_KR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_nl_NL.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_no_NO.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_pt_PT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ru_RU.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_sv_SE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_zh_CN.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_zh_TW.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ar_SA.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_de_DE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_en_GB.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_es_ES.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_fi_FI.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_fr_FR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_he_IS.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_it_IT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ja_JP.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ko_KR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_nl_NL.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_no_NO.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_pt_PT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ru_RU.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_sv_SE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_zh_CN.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_zh_TW.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Readme.txt Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\vmail.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\vmail.jar Object is locked skipped
C:\sti.log Object is locked skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP451\A0050692.exe Infected: Trojan-Downloader.Win32.Agent.azn skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057039.exe Infected: Trojan-Downloader.Win32.Agent.azn skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057055.dll Infected: Trojan-Spy.Win32.Goldun.lw skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057056.dll Infected: Trojan-Spy.Win32.Goldun.lw skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057057.exe Infected: Trojan-Spy.Win32.Goldun.lw skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057058.exe Infected: Trojan-Spy.Win32.Agent.ow skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057059.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057060.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057061.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057062.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057063.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057064.dll Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057065.dll Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057066.dll Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\km_install.exe Infected: Trojan.Win32.SecondThought.h skipped
C:\WINDOWS\system32\sccmgr.exe Infected: Trojan-Downloader.Win32.Qoologic.m skipped
C:\WINDOWS\system32\t69l4fj8.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed
j-escalader72
2006-10-27, 02:40
Mr Jak,
Here's my HJT Scan Log which is the completion of your request.
I'll be waiting for my next assignment.
Thank you for your guidance.
Jay Escalader
HJT scan
Logfile of HijackThis v1.99.1
Scan saved at 5:15:38 PM, on 10/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ymetray.lnk.disabled
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com (http://www.militaryonesource.com)
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com (http://www.msnusers.com)
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
End of HJT Scan
Hi again, looks quite good now :)
Delete the following files:
C:\WINDOWS\system32\km_install.exe
C:\WINDOWS\system32\sccmgr.exe
C:\WINDOWS\system32\t69l4fj8.ini ´
Empty the recycle bin. (Let me know if you had problems)
You said via pm that your McAfee subscription is outdated. It won't protect you from new viruses.
Let's get you a replacement.
At first, please download one firewall and one antivirus to your desktop.
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)
Then, unplug your computer from the internet.
Uninstall McAfee via Control Panel, Add/Remove Programs
Install the firewall and antivirus you earlier downloaded.
Reboot the computer.
Reconnect to the internet.
Update the latest definitions to your antivirus and run a full system scan with it.
Then the first priority is to visit Windows Update (http://windowsupdate.microsoft.com) and get your system updated
-> At first, install Win XP Service Pack 2 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll propably have to reboot and get back to the update several times before all of them are installed)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools that we used during the cleaning process.
You can remove the following backup folder. C:\!Killbox
Now you can download and install the latest version of Java, Java Runtime Environment (JRE) 5.0 Update 9 (https://java.sun.com/javase/downloads/index.jsp)
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
If everything is running ok, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
j-escalader72
2006-10-29, 09:06
Mr Jak,
Questions....... Help!!!
When i deleted Mcafee programs, it asked me about the mcafee quarantined files and i didnt know what to do, so i told it 'no action'. I deleted all 3 mcafee programs from C/Program files & have rebooted 3 times, but it still shows 2 mcafee programs remaining. One is empty and the other looks like the install for mcafee spyware. What will happen to the 2 files and the Mcafee quarantined files.
I emptied Recycle bin and DL & installed Zone Alarm & AVG.... All went well.
Also, the zone alarm gave me notice that theese were trying to come in ... I denied all of them til i can talk to you.
They were
- CFD.exe
- mcinfo.exe
- mcafee 'something'
- Server program- Messenger is trying to act as a server ... msmsgs.exe
I have not DL Windows SP2 yet or Java
My Keyboard still has a long delay before showing up on monitor .... It seems to be at the same time the light for the CD drive (i think E drive) stays lite like its doing something. There is no CD in the drive. The light stays on for a few hours then just goes off. My computer wont shut down while the light is on. I didnt have that problen til i started deleting......
I am on DSL but it takes a long time to open a website.
It takes a long time to turn on & off as well as log on & log off.
Please guide me..... ill be up late.
Thank You,
Jay Escalader
Hi again :)
Maybe the McAfee uninstall process was not succesfull, please post a fresh HijackThis log and we'll have a look :)
The cd-drive problem sounds quite odd...
j-escalader72
2006-10-29, 17:18
Hi,
Thank you for your prompt attention.
HJT Per your request ........
Jay Escalader
_______________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:09:49 AM, on 10/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\2006102816592_mcinfo.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\2006102816592_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ymetray.lnk.disabled
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com (http://www.militaryonesource.com)
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com (http://www.msnusers.com)
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Ok, we'll continue :)
There seems to be one McAfee leftover...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\2006102816592_mcinfo.exe /insfin
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Restart your computer normally.
Then, please do the following...
To generate a HijackThis Startup list:
1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:
* List also minor sections (Full)
* List empty sections (Complete)
4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here
j-escalader72
2006-10-29, 19:42
Mr Jak,
Here is My HJT Startup List which is in 2 posts due to length.
Thanks,
Jay Escalader
________________________________________________
StartupList report, 10/29/2006, 11:25:12 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk.disabled
Alarm Clock Icon.lnk.disabled
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
Google Updater.lnk.disabled
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = ?
ymetray.lnk.disabled
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
Share-to-Web Namespace Daemon = c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
Propel Accelerator = C:\PROGRA~1\BELLSO~1\PropelAC.exe
LTMSG = LTMSG.exe 7
KBD = C:\HP\KBD\KBD.EXE
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
BellSouthSyn = C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
BellSouthScheduler = C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Acme.PCHButton = C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
*
StubPath = C:\WINDOWS\System32\lqxxpw.exe
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{44BBA844-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CChat25.inf,PerUserAdd.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser
[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Chancy 's School time.job
Disk Cleanup.job
Symantec NetDetect.job
Yahoo.job
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[Yahoo! Chat]
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Chat.osd
[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
[Support.com Configuration Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll
CODEBASE = http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
[DownloadManager Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\DOWNLO~2.OCX
CODEBASE = http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
[Yahoo! Audio Conferencing]
InProcServer32 = C:\PROGRA~1\Yahoo!\MESSEN~1\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
[{32505657-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
[MSN File Upload Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MsnUpld.dll
CODEBASE = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
[YahooYMailTo Class]
InProcServer32 = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
[YAddBook Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yaddbook.dll
CODEBASE = http://download.yahoo.com/dl/mail/autocomplete.cab
[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ITDetector.ocx
CODEBASE = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/controls/msnchat45.cab
--------------------------------------------------
[B]_________ HJT Startup List continued on next post _________
j-escalader72
2006-10-29, 19:47
Continuation of My HJT Startup List.
Thanks,
Jay Escalader
____ HJT Startup List continued from prior post _____
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
TRUST SPYC@M 300S: System32\Drivers\SQcaptur.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Dual-Mode DSC(2770): System32\Drivers\SQcaptur.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
Intel(r) PC Camera CS331: System32\Drivers\ICAM3D2.SYS (manual start)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
%imapi_ServiceDesc%: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Agere Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
LxrJD31d: \??\C:\WINDOWS\System32\Drivers\LxrJD31d.sys (autostart)
Lexar JD31: LxrJD31s.exe (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr CPU Helper Driver: system32\drivers\PCDRDRV.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Creative WebCam Instant: System32\DRIVERS\P0620Vid.sys (manual start)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGP.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: System32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: system32\Drivers\SSI.SYS (system)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{13C56707-A75E-427F-A3E7-375956BFF577} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TVICHW32: \??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 39,910 bytes
Report generated in 0.671 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi again, there is something suspicious...
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Go to virustotal.com (http://www.virustotal.com)
Click on the Browse button
Browse to the following file: C:\WINDOWS\System32\lqxxpw.exe
Click Open and then on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
j-escalader72
2006-10-30, 09:40
Mr Jak,
You are so appreciated. Thank you for your time and knowledge.
The settings to show the hiddens files were already exactly as you want them ..... So i didnt have to change any of the settings.
I went to Virustotal but COULD NOT find the file you requested.
[bcb906ec-1e6c-4b15-bdb0-02c645fb4a61] *
StubPath = C:\WINDOWS\System32\lqxxpw.exe
I did numerous searches but to no avail.:sick:
I have no idea......
Sorry.
Make A Difference,
Jay Escalader
Hi again :)
Please download Registry Search Tool (http://www.billsway.com/vbspage) (in the middle of the page)
Unzip it to your desktop
Double click the file that was extracted and run a search with the following keyword: bcb906ec-1e6c-4b15-bdb0-02c645fb4a61
Save the results and post those to here
j-escalader72
2006-10-30, 22:08
Question??????
I want My search as bellsouth google.....
but WHY it has the following?
In MY HiJack This..... Main tab....
below url will be used when fixing hijacked..... MSIE pages:
Default Start page ........... about:blank
Default Search page...... .microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Default search Assistant //ie.search.msn.com/(SUB_RFC1766)/srchasst/srchasst.htm
Default search Customize //ie.search.msn.com/(SUB_RFC1766)/srchasst/srchcust.htm
*******I am so pissed off with these bugs......
BTW....WHY & WHO puts them in the systems, ads, or whatever?????
They should be Court-Marshalled!!! Or Maybe sentenced to using all that pinned up knowledge & boredom to helping 'MAKE A DIfference In This World' thru fighting hunger, helping the disabled, educating less fortunate and striving for peace among us all.
j-escalader72
2006-10-30, 23:21
Mr Jak,
TY for your time to assist me.
At times my puter has much improvement, but then my keyboard gets so delayed that it takes 20 minutes to type a short paragraph for posting.
I am trying to use only my firefox browser for everything, but dont know how to get to msn log on with allowing all these cookies. :sad: I want to ck my email but cant without allowing cookies. ow do i handle accepting cookies & etc? How do i allow cookies or trusted sites in my Firefox, like i gad in IE? Thank you for all.
I DL'ed & ran Registry Search tool.
I saved the scan results.... and posting here for you.
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "bcb906ec-1e6c-4b15-bdb0-02c645fb4a61" 10/30/2006 2:35:30 PM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
[HKEY_USERS\S-1-5-21-240772092-448486026-72185382-1003\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
j-escalader72
2006-10-31, 03:29
Mr Jak,
I was doing my Adaware scan and suddenly My AVG resident popped up saying A Trojan was in a file.
I quarantined the stuff but could barely copy info for you.....
:sad: BTW ...... What is easy way to copy the AVGFree quarantined info?
Thanks,
Jay Escalader
P.S. I'm sorry, Pl excuse my prior post ranting about the villans, but i am so frustrated about all these bugs. Please let me know when i can do my windows, IE, JAVA, & etc updates.
_____________________________
This is trojan info........ Please advise me what to do with it.
"","","Trojan horse Downloader.Generic.KWN","C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057066.dll","10/30/2006 6:05:36 PM","A0057066.dll","27.51 KB"
_____________________________
AdAware Info
ADAWARE object Details
Name:Windows
Category:Vulnerability
Object Type:RegData
Size:4 Bytes
Location:...\software\policies\microsoft\internet explorer\control panel "Homepage" ()
Last Activity:10-30-2006
Relevance:Low
TAC index:3
Comment:
Description:General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.
________ Full ADAWARE Scan is my next post ___________
j-escalader72
2006-10-31, 04:54
Ad-Aware log not requested...
Hi again :)
Don't worry about the HijackThis Main tab entries. Those are used when restoring the default search/homepage sites...
Then trojan is located inside the system restore, it can be easily cleaned later...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
[-HKEY_USERS\S-1-5-21-240772092-448486026-72185382-1003\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the filename box and press OK; C:\WINDOWS\System32\lqxxpw.exe
Answer Yes
The computer will reboot, if not , restart it yourself.
Please try to re-install your keyboard software. That may solve the delay problem.
Please let me know how it went and post a one more HijackThis log :bigthumb:
j-escalader72
2006-10-31, 16:36
Mr Jak,
The regedit went fine to merge.
For HJT, i copied the following line in the delete NT service filename box; C:\WINDOWS\System32\lqxxpw.exe but says 'Service not found in registry. Make sure you entered the sort name of the service.' I didnt do anything in HJT. It did not reboot...... i did scan for new HJT log.
I have no idea about reinstalling the wireless keyboard.
Ill have to wait for my son to come by for that.
thankyou and heres my log.
Logfile of HijackThis v1.99.1
Scan saved at 8:30:49 AM, on 10/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\wanmpsvc.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O4 - Global Startup: ymetray.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com (http://www.militaryonesource.com)
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com (http://www.msnusers.com)
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Hi again :)
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
You can fix the following leftovers with HijackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
Ohh that was my bad (too many things at the same time), this is how it should be:
Then, open HijackThis. Open the Misc Tools section
Delete a file on Reboot
Copy the following line to the filename box and press Open; C:\WINDOWS\System32\lqxxpw.exe
Answer Yes to the reboot prompt
The computer will reboot, if not , restart it yourself.
Then you seem to be clean :)
The first priority is to visit Windows Update (http://windowsupdate.microsoft.com) and get your system updated
-> At first, install Win XP Service Pack 2 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll propably have to reboot and get back to the update several times before all of them are installed)
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
If everything is running ok, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
j-escalader72
2006-11-01, 09:57
Hi Mr Jak,
:D:
I am rolling right along.......TY :bigthumb:
I did Windows XP updates & Installed SP2 with lil problems.
After i DL'ed & installed MS updates & SP 2, I cked 4 times for any additional updates Each time it revealed more updates to DL & install; i think i finally got them all.
Questions.......
1. Is there anything that is not necessary on my puter?; Ill gladly delete it.
2. What is and do I need Spy Sweeper? Should i delete it?
3. Re: HJT, What does it mean my yahoo is ‘disabled by BHODemon’?
4. What are your feelings about IE 7. If so, when should i DL?
5. What is this??? C:\WINDOWS\system32\dla\tfswctrl.exe ?
....Per my Task manager, tfswctrl.exe is very active (sometimes high) on list..
...Thats when my E Drive (cd/dvd) light is lit and I can not shut down.
6. RE: My Zone Alarm,
....How can i chk to see what business that address is? or how do i know if its my puter looking for security updates ?
I received 2 Security alert saying it had
1. blocked internet access to (net bios) from your computer (TCP Flags: S)
Your computer attempted to access file or printer shares on another computer, located at address '2_.2_4._2.5_1'.
(I Changed the numbers that were listed, but it shows address)
2. Your computer attempted to access file or printer shares on another computer, located at address '2_.2_4._2.5_1'.
If "6_6.1_7.2.1_8" (I Changed the numbers, but it shows IP address) is an address or subnet on your local network, you should add it to your Trusted Zone.
If "6_6.1_7.2.1_8" is not on your local network, it is possible that your computer connected to the Internet as part of a network-based attack. Perform an updated anti-virus sweep of your computer.
Thank you for all assistance......
You & the staff are the :crowned: (kings) and :angel:(angels).
j-escalader72
2006-11-01, 11:49
Mr Jak,
I am totally confused about the updates for JAVA. :sad:
Do i need that update or program?...
I cant figure out which JAVA and how to do the DL? :red:
Something about file size and checking my remaining space or something..... Please help or direct me where to go for this JAVE stuff assistance...
Their page is too confusing for my head. :sick:
Thank you so very much,
Jay Escalader
Hi again :)
If you want, you can download the latest Java (5.0 update 9)
Go to --> Java Runtime Environment (JRE) 5.0 Update 9 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it
Here is information about tfswctrl.exe, LINK (http://www.castlecops.com/s959-dla.html)
Have you checked for Hewlett Packard homepage for driver updates ?
You can scan your computer with SpySweeper regularly if it is the paid version. If not,you may remove it.
You can download IE 7.0 but I recommend that you use eg FireFox for browsing.
If you're interested in IP adresses, you can find info from here -> DNSstuff (http://www.dnsstuff.com)
Just copy the adress to the "IPWHOIS Lookup" box and hit "WHOIS"-button.
Don't allow unknown programs to connect the internet or act as servers.
Hope this helps :)
j-escalader72
2006-11-01, 22:38
Mr Jak,
TY for your great instructions.... :bigthumb:
I have updated all MS win XP, downloaded & updated JAVA, and Hid my System Files.....all went smoothly.
Prior to my doing a resettting of System Restore, I decided to do scans of Adaware, Spybot S&D, & AVG.
Spybot S&D scan had 13 bugs and I'm unsure what to do about them.
I usually allow it to fix everything but curious if these are needed.
So what should i do with the following results???
Also, in the future, How will i know whether to fix, delete, or ignore cause its needed for my computer operating?
Thank you in advance for all assistance.
Jay Escalader
--- Spybot S&D Search result list ---
WildTangent: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath=...;C:\Program Files\WildTangent\Apps\DRM0302Java.jar...
WildTangent: Program directory (Directory, nothing done)
C:\WINDOWS\wt\
WildTangent: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{1FAD572E-1A3D-44D9-9C23-A87F922DA8C0}
WildTangent: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{7946205B-FEF7-494F-A64B-3E992A780866}
WildTangent: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WildTangent CDA
WildTangent: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Logger.LogSession
WildTangent: Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\Logger.LogSession.1
WildTangent: Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A62FA99E-922E-4ECA-A1D9-B54EF294A3CC}
WildTangent: Library (File, nothing done)
C:\WINDOWS\wt\webdriver.dll
WildTangent: Program directory (Directory, nothing done)
C:\WINDOWS\wt\wtupdates\
WildTangent: Program directory (Directory, nothing done)
C:\WINDOWS\wt\updater\
WildTangent: Program directory (Directory, nothing done)
C:\WINDOWS\wt\webdriver\
Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0
Hi again, nice to hear that everything went smoothly :)
Then the Spybot log, just checkmark the entries and hit the "Fix selected problems"-button.
Remember that HijackThis creates backups so the cleaning can be reversed if needed...
Also, in the future, How will i know whether to fix, delete, or ignore cause its needed for my computer operating?
Are you speaking from Spybot or generally ?
If the scanners find malware you should clean/quarantine it.
(make sure that backups are created)
If you think that findings are false positives, you need to do some research or eg ask on the forums :bigthumb:
j-escalader72
2006-11-04, 14:27
Mr Jak,
Help me!!
I have been experiencing many problems the past few days. I cannot turn off computer without unplugging. I have a frozen ‘my desktop’ screen with no icons or start button and can not proceed to shut down or anything else. I have to unplug computer for a few sec to clear screen and restart.
:eek: Possibly, there is a conflict since my DL & installing of XP SP2, Zone alarm, AVG and updates of all my programs. Now, my ‘E’ (CD) drive stays lit almost all the time. I cant shut down my computer unless I unplug. I did have Spybot S&D fix those selected selected problems.
I apologize for any delay in responding to you but I could not get online.
I am so frustrated cause I feel I am digging a bigger hole.
Please HELP me........ and Thank you in advance for any & all assistance.
Ms Jay
Ok, hmm...
Maybe it is best to run a oner more scanner just in case.
Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction Here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.
j-escalader72
2006-11-05, 01:56
I just noticed you posted a reply for my next work.:)
?? I assume you mean for me to close all windows and open IE browser window to DL and do an F-Secure Online Scanner. Ill do that a lil later.
:eek:I wanted to show you that i got some bugs again and can't figure out how it happened since i am trying to use only Firefox, DL'ed ZoneAlarm firewall & AVG...... WHY ???? i thought i was gonna be more secure.... so frustrating for me. :mad:
Thank you..... Ill do the new scan a lil later cause i need to get out & eat Dinner.
Jan Escalader
___________________________________________________________
---SPYBOT S&D Report generated: 2006-11-04 16:59 ---
WildTangent: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath=...;C:\WINDOWS\wt\webdriver\wtdmmpi.jar...
TelekomBill.Fake: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\cmpid
TelekomBill.Fake: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\h
TelekomBill.Fake: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\kyrpa
TelekomBill.Fake: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load\worg
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)
Hi :)
I meant that it would be good to use firefox generally but you can use IE for scanning your computer with F-Secure.
The spybot findings have been mostly just registry leftovers. AVG and ZoneAlarm are protecting you, without those you would be badly infected again.
I won't assume F-Secure to find anything bad but just in case...
So when your ready with F-Secure, post it's log to here :bigthumb:
j-escalader72
2006-11-07, 20:18
Mr Jak,
I am still here on & off but unable to do a complete scan...... :sad:
It is still taking about 8 minutes with my DSL frrom the time i turn on computer till i can begin doing anything because its still opening things or something.....
I'll have to wait til i return from my moms visit probably in a day or two to run a complete scan...... So Sorry for my delay.....Thank you for your patience.
J-Escalader
Hi again :)
We can use another scanner if you have problems with that online scanner.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
You should print these instructions or save these to a text file. Follow these instructions carefully.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a can with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report
j-escalader72
2006-11-09, 20:33
Mr. Jak,
Hi there. Hope all is well with u.
Right now i am soooo discouraged. :sad: I am trying to stay with it.
F-Secure Online Scanner: I never could accept license agreement to install 'F Secure Online Scanner'. There was no box to accept.
Dr.Web CureIt: I DL'ed Dr.Web CureIt and nothing was found.
I removed AVG Quarintined files.
I deleted a few programs that i DL'ed & used from your earlier instructions to me.
When i turn on my computer, it STILL takes about 7-8 minutes to load up Windows to begin using my puter.
In order to help the speed, i am trying to delete/ remove any unneccesary startup stuff and Desktop icons.
I also have new icons in the lower right side toolbar that i cant send away to places .... like my Labtec Wireless Desktop (my mouse & board) and Intel Extreme Graphics. Where did they come from & why? If i dont need to have them visible i dont want them to be there.
I felt i had duplicate programs downloaded so i went thru my programs & looked for duplicates. I deleted one of my FireFox Browsers but NOW I can't use my firefox . it still shows the program in my files..I am sooo lost. please Help . guess ill post a HJT log for you just let me know to what extent you need.
Thank you again.
jay-escalader
Hi again.
I'm fine, thanks :)
Ok, if you want to make your computer to load faster, we can remove unnecessary programs from loading with windows.
You can fix the following entries with HijackThis (not required programs):
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
O4 - Global Startup: ymetray.lnk.disabled
Reboot and see if it loads faster :)
Hmm you propably have to uninstall and re-install you Firefox if some part of it is missing.
Some of the icons on your lower right side toolbar will be disabled when you fix the HijackThis entries above.
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb:
Re-opened upon request. :)
j-escalader72
2007-01-04, 01:32
Jak,
Hope you have a blessed and peaceful New Year.
I recently did some IE and windows updates and sometimes i am experiencing extended time to open up computer.....
To open, it has the black Microsoft Windows XP for 25 minutes and it would not even shut down.... I had to unplug computer to close it and reopen in safe mode.
I did Spybot S&D and Adaware SE scan and none found.
I did AVG and noticed i also had problems after the updates and scan.
Please assist me....
Thank you in advance for any & all help.....
Jay
_____________________________________________
My HJT log
Logfile of HijackThis v1.99.1
Scan saved at 5:14:34 PM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\hh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Corel\WordPerfect Office 2002\Programs\Wpwin10.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.arng.army.mil
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com (http://www.militaryonesource.com)
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162326797656
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Hi again :)
Ok the HijackThis log looks clean...
Just in case that there is momething lurking you could run the following:
Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.
j-escalader72
2007-01-04, 21:37
Mr. Jak,
Hi there. ;)
In the WinPFind3u program, in the 2 following sections
---o In the Files Created Within group click 30 days
---o In the Files Modified Within group select 30 days
there was also a check mark for (Non Microsoft only) which i left as was for the scan.
Thank you for help.....Heres the scan results for you.
Jay-
________________________________________________
WinPFind3 logfile created on: 1/4/2007 12:53:05 PM
WinPFind3 logfile created on: 1/4/2007 12:53:05 PM
WinPFind3U by OldTimer - Version 1.0.8 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
260080 Kb Total Physical Memory | 133632 Kb Available Physical Memory | 51.38% Memory free
1014684 Kb Paging File | 839732 Kb Available in Paging File | 82.76% Paging File free
%SystemDrive% = C:
Drive C: | 53335796 Kb Total Space | 33483664 Kb Free Space | 62.78% Free Space
Drive D: | 5259000 Kb Total Space | 1220528 Kb Free Space | 23.21% Free Space
E: Drive not present or media not loaded
F: Drive not present or media not loaded
[Processes - Non-Microsoft Only]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 343552 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.418 | Size = 406016 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.429 | Size = 322560 bytes | Modified Date = 11/1/2006 10:56:34 PM | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 10/28/2006 4:14:18 PM | Attr = ]
bsnappcenter.exe -> %ProgramFiles%\BellSouth\Application Center\BsnAppCenter.exe -> BellSouth [Ver = 3, 1, 3049, 0 | Size = 507904 bytes | Modified Date = 8/2/2004 11:05:06 PM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 8:13:20 AM | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,1607 | Size = 114688 bytes | Modified Date = 5/15/2002 4:20:50 AM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 10/12/2006 3:10:54 AM | Attr = ]
kbd.exe -> %SystemDrive%\hp\KBD\KBD.EXE -> Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 61440 bytes | Modified Date = 7/6/2001 10:56:56 PM | Attr = ]
ltmsg.exe -> %SystemRoot%\ltmsg.exe -> Agere Systems [Ver = 3, 0, 0, 4 | Size = 40960 bytes | Modified Date = 7/14/2003 9:52:44 AM | Attr = ]
lxrjd31s.exe -> %System32%\LxrJD31s.exe -> [Ver = | Size = 71168 bytes | Modified Date = 6/12/2005 6:52:20 PM | Attr = ]
wanmpsvc.exe -> %SystemRoot%\wanmpsvc.exe -> America Online, Inc. [Ver = 7, 0, 0, 2 | Size = 65536 bytes | Modified Date = 1/31/2002 8:56:40 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> Oldtimer Tools [Ver = 1.0.8.0 | Size = 306176 bytes | Modified Date = 12/31/2006 7:47:16 PM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 8:13:20 AM | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 343552 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 10/28/2006 4:14:18 PM | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.429 | Size = 322560 bytes | Modified Date = 11/1/2006 10:56:34 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 1:56:48 AM | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 4/3/2005 11:41:10 PM | Attr = ]
(iPodService) iPodService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 4.5.0.31 | Size = 401408 bytes | Modified Date = 4/23/2004 5:10:10 PM | Attr = ]
(LxrJD31s) Lexar JD31 [Win32_Own | Auto | Running] -> %System32%\LxrJD31s.exe -> [Ver = | Size = 71168 bytes | Modified Date = 6/12/2005 6:52:20 PM | Attr = ]
(Macromedia Licensing Service) Macromedia Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macromedia Shared\Service\Macromedia Licensing.exe -> [Ver = 2.42.000 | Size = 68096 bytes | Modified Date = 3/24/2004 9:03:00 PM | Attr = ]
(NVSvc) NVIDIA Driver Helper Service [Win32_Own | Auto | Stopped] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 61440 bytes | Modified Date = 5/3/2002 6:06:00 PM | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | On_Demand | Stopped] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 75768 bytes | Modified Date = 8/23/2006 10:38:26 PM | Attr = ]
(WANMiniportService) WAN Miniport (ATW) Service [Win32_Own | Auto | Running] -> %SystemRoot%\wanmpsvc.exe -> America Online, Inc. [Ver = 7, 0, 0, 2 | Size = 65536 bytes | Modified Date = 1/31/2002 8:56:40 AM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.418 | Size = 406016 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
BellSouthScheduler -> %ProgramFiles%\BellSouth\Application Center\BsnAppCenter.exe -> BellSouth [Ver = 3, 1, 3049, 0 | Size = 507904 bytes | Modified Date = 8/2/2004 11:05:06 PM | Attr = ]
BellSouthSyn -> %ProgramFiles%\BellSouth\Application Center\BsnAppCenter.exe -> BellSouth [Ver = 3, 1, 3049, 0 | Size = 507904 bytes | Modified Date = 8/2/2004 11:05:06 PM | Attr = ]
HotKeysCmds -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3,0,0,1607 | Size = 114688 bytes | Modified Date = 5/15/2002 4:20:50 AM | Attr = ]
IgfxTray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3,0,0,1607 | Size = 155648 bytes | Modified Date = 5/15/2002 4:29:02 AM | Attr = ]
KBD -> %SystemDrive%\hp\KBD\KBD.EXE -> Hewlett-Packard Company [Ver = 1.0.2.0 | Size = 61440 bytes | Modified Date = 7/6/2001 10:56:56 PM | Attr = ]
LTMSG -> %SystemRoot%\ltmsg.exe -> Agere Systems [Ver = 3, 0, 0, 4 | Size = 40960 bytes | Modified Date = 7/14/2003 9:52:44 AM | Attr = ]
Recguard -> %SystemRoot%\SMINST\Recguard.exe -> [Ver = 1, 0, 0, 1 | Size = 212992 bytes | Modified Date = 12/19/2001 12:39:26 AM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_09\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49263 bytes | Modified Date = 10/12/2006 3:10:54 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
updateMgr -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe -> Adobe Systems Incorporated [Ver = 3.1.0.10 | Size = 313472 bytes | Modified Date = 3/30/2006 4:45:08 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 9/24/2005 12:05:26 AM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 9/28/2006 8:13:28 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
zwebauth.dll -> %System32%\ZWebAuth.dll -> [Ver = | Size = 16973 bytes | Modified Date = 9/18/2001 5:37:34 PM | Attr = ]
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
Control_RunDLL -> -> File not found
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3,0,0,1607 | Size = 307200 bytes | Modified Date = 5/15/2002 4:20:14 AM | Attr = ]
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ -> ->
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\\Homepage -> 0 ->
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = about:Home ->
0 -> SubscribedURL = about:Home ->
< HOSTS File > -> C:\WINDOWS\System32\drivers\etc\Hosts
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://srch-us6.hpwis.com/ ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://www.google.com/ ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ ->
HKCU: Default_Page_URL -> http://www.google.com/ ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://home.bellsouth.net/ ->
HKCU: ProxyEnable -> 0 ->
HKCU: ProxyOverride -> 127.0.0.1;localhost;vpsd7.vrml.k12.la.us ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
usmilitary_about.com [http] -> ->
owcp.dol_acs-inc.com [https] -> ->
www_aol.com [https] -> ->
uit.gordon_army.mil [https] -> ->
webmail.us_army.mil [https] -> ->
www.arng_army.mil (http://www.arng_army.mil) [http] -> ->
www.la.ngb_army.mil (http://www.la.ngb_army.mil) [http] -> ->
www.us_army.mil (http://www.us_army.mil) [https] -> ->
www_armyonesource.com [http] -> ->
home_bellsouth.net [http] -> ->
www_bellsouth.net [https] -> ->
www_hotmail.com [https] -> ->
www_juno.com [http] -> ->
windowsupdate_microsoft.com [http] -> ->
www_militaryonesource.com
-> ->
vil_nai.com [http] -> ->
subratam.org [http] -> ->
*****continued on next posting*****
j-escalader72
2007-01-04, 21:47
1st Continuation from prior post of the WinPFind3 logfile
WinPFind3 logfile created on: 1/4/2007 12:53:05 PM
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.7.2006011200 | Size = 63128 bytes | Modified Date = 1/12/2006 8:38:22 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 12:04:00 AM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [UberButton Class] -> Yahoo! [Ver = 2005, 5, 26, 1 | Size = 181352 bytes | Modified Date = 5/26/2005 10:38:44 AM | Attr = ]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A} [HKLM] -> %ProgramFiles%\Yahoo!\Common\YIeTagBm.dll [YahooTaggedBM Class] -> Yahoo! Inc. [Ver = 2005, 1, 24, 1 | Size = 115832 bytes | Modified Date = 1/24/2005 8:55:32 AM | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_09\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 434279 bytes | Modified Date = 10/12/2006 3:25:44 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1020, 2544 | Size = 2108480 bytes | Modified Date = 10/12/2006 10:38:04 AM | Attr = R ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> %SystemDrive%\PROGRA~1\Yahoo!\Common\yhexbmesus.dll [&Yahoo! Messenger] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> %SystemDrive%\PROGRA~1\Yahoo!\Common\yhexbmesus.dll [&Yahoo! Messenger] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1020, 2544 | Size = 2108480 bytes | Modified Date = 10/12/2006 10:38:04 AM | Attr = R ]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} [HKLM] -> %SystemDrive%\hp\EXPLOREBAR\HPTOOLKT.DLL [hp toolkit] -> Hewlett-Packard Company [Ver = 1.0.0.3 | Size = 86016 bytes | Modified Date = 6/4/2002 11:03:12 PM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 8:54:42 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1020, 2544 | Size = 2108480 bytes | Modified Date = 10/12/2006 10:38:04 AM | Attr = R ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1020, 2544 | Size = 2108480 bytes | Modified Date = 10/12/2006 10:38:04 AM | Attr = R ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 8:54:42 PM | Attr = ]
< Internet Explorer CmdMapping [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -> 8193 - Sun Java Console ->
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> 8194 - Reg Data - Value does not exist ->
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> 8195 - Reg Data - Value does not exist ->
{DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} -> 8196 - Reg Data - Value does not exist ->
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> 8197 - Windows Messenger ->
NextId -> 8198 ->
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_09\bin\npjpi150_09.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 69746 bytes | Modified Date = 10/12/2006 3:25:44 AM | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_09\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 434279 bytes | Modified Date = 10/12/2006 3:25:44 AM | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Modified Date = 8/5/2005 2:08:26 PM | Attr = ]
{DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} -> %ProgramFiles%\BellSouth\Communications Suite\BstMessenger.exe [ButtonText: Messenger] -> BellSouth [Ver = 3, 1, 1918, 0 | Size = 114688 bytes | Modified Date = 8/30/2004 11:06:18 PM | Attr = ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&Copy Location -> %SystemRoot%\Web\graburl.htm -> [Ver = | Size = 281 bytes | Modified Date = 2/18/1999 1:52:42 PM | Attr = ]
&Yahoo! Search -> %ProgramFiles%\Yahoo!\Common\YCSRCH.HTM -> [Ver = | Size = 605 bytes | Modified Date = 6/3/2005 6:07:38 PM | Attr = ]
Yahoo! &Dictionary -> %ProgramFiles%\Yahoo!\Common\YCDICT.HTM -> [Ver = | Size = 616 bytes | Modified Date = 6/3/2005 6:07:16 PM | Attr = ]
Yahoo! &Maps -> %ProgramFiles%\Yahoo!\Common\ycmap.htm -> [Ver = | Size = 690 bytes | Modified Date = 6/3/2005 6:07:44 PM | Attr = ]
Yahoo! &SMS -> %ProgramFiles%\Yahoo!\Common\YCsms.htm -> [Ver = | Size = 1006 bytes | Modified Date = 8/1/2005 5:43:00 PM | Attr = ]
< Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{0DF44EAA-FF21-4412-828E-260A8728E7F1} [HKLM] -> Reg Data - Key not found [Taskbar and Start Menu] -> File not found
{1CDB2949-8F65-4355-8456-263E7C208A5D} [HKLM] -> %System32%\nvshell.dll [Desktop Explorer] -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 331847 bytes | Modified Date = 5/3/2002 6:06:00 PM | Attr = ]
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} [HKLM] -> %System32%\nvshell.dll [Desktop Explorer Menu] -> NVIDIA Corporation [Ver = 6.13.10.2942 | Size = 331847 bytes | Modified Date = 5/3/2002 6:06:00 PM | Attr = ]
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Media Band] -> File not found
{42071714-76d4-11d1-8b24-00a0c9068ff3} [HKLM] -> deskpan.dll [Display Panning CPL Extension] -> File not found
{51550900-DCAC-11d4-AA0F-0080C87C465B} [HKLM] -> %ProgramFiles%\Labtec Wireless Desktop\CPDll.dll [WayTech MultiMouse] -> [Ver = | Size = 344064 bytes | Modified Date = 2/12/2004 7:18:00 PM | Attr = ]
{5464D816-CF16-4784-B9F3-75C0DB52B499} [HKLM] -> %ProgramFiles%\Yahoo!\Common\ymmapi20041123.dll [Yahoo! Mail] -> Yahoo! Inc. [Ver = 2004, 11, 23, 1 | Size = 180848 bytes | Modified Date = 11/23/2004 8:59:58 AM | Attr = ]
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %System32%\dla\tfswshx.dll [DriveLetterAccess] -> VERITAS Software, Inc. [Ver = 1.03.37a | Size = 81972 bytes | Modified Date = 7/16/2002 9:03:00 AM | Attr = ]
{764BF0E1-F219-11ce-972D-00AA00A14F56} [HKLM] -> Reg Data - Key not found [Shell extensions for file compression] -> File not found
{7A9D77BD-5403-11d2-8785-2E0420524153} [HKLM] -> Reg Data - Key not found [User Accounts] -> File not found
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} [HKLM] -> Reg Data - Key not found [Encryption Context Menu] -> File not found
{88895560-9AA2-1069-930E-00AA0030EBC8} [HKLM] -> %System32%\hticons.dll [HyperTerminal Icon Ext] -> Hilgraeve, Inc. [Ver = 5.1.2600.0 | Size = 44544 bytes | Modified Date = 8/18/2001 6:00:00 AM | Attr = ]
{955B7B84-5308-419c-8ED8-0B9CA3C56985} [HKLM] -> %CommonProgramFiles%\aolshare\shell\us\shellext.dll [America Online] -> America Online, Inc. [Ver = 1, 0, 0, 1 | Size = 106496 bytes | Modified Date = 10/25/2001 6:40:38 PM | Attr = H ]
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Find Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} [HKLM] -> %ProgramFiles%\Real\RealPlayer\rpshell.dll [Shell Extensions for RealOne Player] -> RealNetworks, Inc. [Ver = 1.0.1.2004 | Size = 49198 bytes | Modified Date = 5/6/2005 1:05:08 AM | Attr = ]
< ContextMenuHandlers - * [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 10/6/2006 5:40:48 AM | Attr = ]
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
{5464D816-CF16-4784-B9F3-75C0DB52B499} [HKLM] -> %ProgramFiles%\Yahoo!\Common\ymmapi20041123.dll [Yahoo! Mail] -> Yahoo! Inc. [Ver = 2004, 11, 23, 1 | Size = 180848 bytes | Modified Date = 11/23/2004 8:59:58 AM | Attr = ]
< ContextMenuHandlers - Directory [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\
{8934FCEF-F5B8-468f-951F-78A921CD3920} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\context.dll [AVG Anti-Spyware] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 49 | Size = 98304 bytes | Modified Date = 10/6/2006 5:40:48 AM | Attr = ]
< ContextMenuHandlers - Directory\Background [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} [HKLM] -> %System32%\igfxpph.dll [igfxcui] -> Intel Corporation [Ver = 3,0,0,1607 | Size = 200704 bytes | Modified Date = 5/15/2002 4:28:20 AM | Attr = ]
< ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} [HKLM] -> %ProgramFiles%\Grisoft\AVG Free\avgse.dll [AVG7 Shell Extension] -> GRISOFT, s.r.o. [Ver = 7.5.0.409 | Size = 50688 bytes | Modified Date = 10/28/2006 4:14:14 PM | Attr = ]
< ColumnHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> Adobe Systems, Inc. [Ver = 7.0.0.0 | Size = 110592 bytes | Modified Date = 12/14/2004 1:20:02 AM | Attr = ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
MathPlayer 2.0 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{540ACAF4-5F3C-497E-A04D-266BA7B4FB96} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
{FC0BE571-B8BA-4D24-9160-A1FF74A180F0} -> () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
belarc -> %ProgramFiles%\Belarc\Advisor\System\BAVoilaX.dll -> Belarc, Inc. [Ver = 6.0m | Size = 36864 bytes | Modified Date = 11/17/2003 10:36:10 AM | Attr = ]
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Protocol Filters [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\
application/xhtml+xml -> %ProgramFiles%\Design Science\MathPlayer\MathMLMimer.dll -> Design Science, Inc. [Ver = 2004.8.26.0 | Size = 168015 bytes | Modified Date = 8/26/2004 4:59:40 PM | Attr = ]
text/xml -> %ProgramFiles%\Design Science\MathPlayer\MathMLMimer.dll -> Design Science, Inc. [Ver = 2004.8.26.0 | Size = 168015 bytes | Modified Date = 8/26/2004 4:59:40 PM | Attr = ]
text/xml; charset=iso-8859-1 -> %ProgramFiles%\Design Science\MathPlayer\MathMLMimer.dll -> Design Science, Inc. [Ver = 2004.8.26.0 | Size = 168015 bytes | Modified Date = 8/26/2004 4:59:40 PM | Attr = ]
text/xml; charset=utf-8 -> %ProgramFiles%\Design Science\MathPlayer\MathMLMimer.dll -> Design Science, Inc. [Ver = 2004.8.26.0 | Size = 168015 bytes | Modified Date = 8/26/2004 4:59:40 PM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{00B71CFB-6864-4346-A978-C0A14556272C} -> Checkers Class - CodeBase = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab ->
{01113300-3E00-11D2-8470-0060089874ED} -> Support.com Configuration Class - CodeBase = http://support.fastaccess.com/sdccommon/download/tgctlcm.cab ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{200B3EE9-7242-4EFD-B1E4-D97EE825BA53} -> VerifyGMN Class - CodeBase = http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab ->
{215B8138-A3CF-44C5-803F-8226143CFC0A} -> Trend Micro ActiveX Scan Agent 6.6 - CodeBase = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab ->
{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} -> DownloadManager Control - CodeBase = http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab ->
{2B323CD9-50E3-11D3-9466-00A0C9700498} -> Yahoo! Audio Conferencing - CodeBase = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab ->
{32505657-9980-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -> - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162326797656 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab ->
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -> MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab ->
{9A54032D-31F7-400D-B184-83B33BDE65FA} -> MSN File Upload Control - CodeBase = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab ->
{A17E30C4-A9BA-11D4-8673-60DB54C10000} -> YahooYMailTo Class - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll ->
{AB86CE53-AC9F-449F-9399-D8ABCA09EC09} -> Get_ActiveX Control - CodeBase = https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx ->
{B9191F79-5613-4C76-AA2A-398534BB8999} -> YAddBook Class - CodeBase = http://download.yahoo.com/dl/mail/autocomplete.cab ->
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -> - CodeBase = http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -> iTunesDetector Class - CodeBase = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab ->
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -> McFreeScan Class - CodeBase = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab ->
{F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -> MSN Chat Control 4.5 - CodeBase = http://chat.msn.com/controls/msnchat45.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->
Yahoo! Chat -> - CodeBase = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab ->
WinPFind3 logfile continued on next posting
j-escalader72
2007-01-04, 21:51
2nd Continuation from prior post of the WinPFind3 logfile ***********
WinPFind3 logfile created on: 1/4/2007 12:53:05 PM
[Files - Created Wihin 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 266391552 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
igfxres.dll -> %System32%\igfxres.dll -> Intel Corporation [Ver = 3,0,0,1607 | Size = 151552 bytes | Created Date = 12/30/2006 1:25:27 PM | Attr = ]
[Files - Modified Wihin 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 266391552 bytes | Modified Date = 1/4/2007 11:13:48 AM | Attr = HS]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 1/4/2007 11:13:52 AM | Attr = S]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1355 bytes | Modified Date = 1/1/2007 8:19:00 AM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 12/30/2006 5:45:48 PM | Attr = H ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 1/1/2007 8:19:10 AM | Attr = ]
[File String Scan - Non-Microsoft Only]
abetterinternet.com , web-nex , ad-w-a-r-e.com , -> %SystemDrive%\AVG7QT.DAT -> [Ver = | Size = 11929475 bytes | Modified Date = 10/28/2006 6:02:58 PM | Attr = ]
UPX0 , -> %SystemDrive%\WPO2002SP3.exe -> [Ver = | Size = 87708691 bytes | Modified Date = 5/16/2005 11:05:14 PM | Attr = ]
Thawte Consulting , -> %CommonProgramFiles%\Java\Update\Base Images\jre1.5.0.b64\core3.zip -> [Ver = | Size = 3290841 bytes | Modified Date = 10/12/2006 3:41:56 AM | Attr = ]
USERTRUST , -> %CommonProgramFiles%\Java\Update\Base Images\jre1.5.0.b64\patch-jre1.5.0_09.b03\patchjre.exe -> Sun Microsystems, Inc. [Ver = 1, 0, 0, 1 | Size = 4490872 bytes | Modified Date = 10/12/2006 3:41:58 AM | Attr = ]
FSG! , -> %CommonProgramFiles%\Microsoft Shared\Shoebox\standard.SBT -> [Ver = | Size = 19954310 bytes | Modified Date = 8/8/2000 2:00:00 PM | Attr = ]
PECompact2 , -> %SystemRoot%\LPT$VPN.170 -> [Ver = | Size = 9706936 bytes | Modified Date = 9/10/2004 5:10:38 AM | Attr = ]
qoologic , abetterinternet.com , -> %SystemRoot%\ngkkae.dll -> [Ver = | Size = 3690 bytes | Modified Date = 11/29/2004 6:44:56 AM | Attr = ]
PECompact2 , -> %SystemRoot%\VPTNFILE.170 -> [Ver = | Size = 9706936 bytes | Modified Date = 9/10/2004 5:10:38 AM | Attr = ]
UPX! , aspack , -> %SystemRoot%\vsapi32.dll -> Trend Micro Inc. [Ver = 7.000-1004 | Size = 1036800 bytes | Modified Date = 8/19/2004 11:54:46 AM | Attr = ]
WSUD , -> %SystemRoot%\webshots.bmp -> [Ver = | Size = 1440054 bytes | Modified Date = 3/25/2004 12:30:30 PM | Attr = ]
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.2.0.34 | Size = 16121856 bytes | Modified Date = 9/20/2004 3:20:44 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41399 bytes | Modified Date = 8/23/2004 6:47:40 PM | Attr = ]
SAHAgent , -> %System32%\e0fv57mo.ini -> [Ver = | Size = 3485 bytes | Modified Date = 6/3/2005 5:49:24 AM | Attr = ]
SAHAgent , -> %System32%\ol3rvrrg.ini -> [Ver = | Size = 35 bytes | Modified Date = 6/3/2005 2:01:52 AM | Attr = ]
Thawte Consulting , -> %System32%\VXBLOCK.dll -> Sonic Solutions [Ver = 1.00.69a | Size = 38568 bytes | Modified Date = 8/14/2006 10:43:24 AM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/18/2001 6:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/18/2001 6:00:00 AM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.429 | Size = 816672 bytes | Modified Date = 11/1/2006 10:56:16 PM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/3/2004 11:41:38 PM | Attr = ]
< End of report >
THE END
Hi and sorry for the delay :)
OK there was something...
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\ngkkae.dll
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
Download F-Secure Blacklight (http://www.f-secure.com/blacklight/try_blacklight.html) and save it to your desktop.
Doubleclick blbeta.exe, accept the agreement, click Scan, then click Next
You'll see a list what have been found. A log will appear to your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!
Post the contents of fsbl.xxxx.log to here (blacklight log from your desktop)
j-escalader72
2007-01-06, 07:40
My "VirusTotal"
Complete scanning result of "ngkkae.dll", received in VirusTotal at 01.06.2007, 05:09:56 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.05.2007 no virus found
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.05.2007 no virus found
BitDefender 7.2 01.06.2007 no virus found
CAT-QuickHeal 9.00 01.05.2007 no virus found
ClamAV devel-20060426 01.06.2007 no virus found
DrWeb 4.33 01.05.2007 no virus found
eSafe 7.0.14.0 01.05.2007 no virus found
eTrust-InoculateIT 23.73.107 01.06.2007 no virus found
eTrust-Vet 30.3.3306 01.06.2007 no virus found
Ewido 4.0 01.05.2007 no virus found
Fortinet 2.82.0.0 01.06.2007 no virus found
F-Prot 3.16f 01.05.2007 no virus found
F-Prot4 4.2.1.29 01.05.2007 no virus found
Ikarus T3.1.0.27 01.05.2007 no virus found
Kaspersky 4.0.2.24 01.06.2007 no virus found
McAfee 4933 01.05.2007 no virus found
Microsoft 1.1904 01.06.2007 no virus found
NOD32v2 1959 01.05.2007 no virus found
Norman 5.80.02 12.31.2007 no virus found
Panda 9.0.0.4 01.05.2007 no virus found
Prevx1 V2 01.06.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 no virus found
TheHacker 6.0.3.143 01.05.2007 no virus found
UNA 1.83 01.04.2007 no virus found
VBA32 3.11.1 01.06.2007 no virus found
VirusBuster 4.3.19:9 01.05.2007 no virus found
Aditional Information
File size: 3690 bytes
MD5: a982a19d8c3dc8c6dfd305720ed19cd2
SHA1: 6e9916947e2d5d4c6f4d8929dcc9d503ce3ccd41
VirusTotal is a free service offered by Hispasec Sistemas.
___________xxxxxxxxxxxxxxxxxx_____________
My "F-Secure Blacklight"
My Scan with F-Secure Blacklight reflected 0 (zero) found.
Hmm I can't see anything wrong there...
Has this startup freeze happened more than once ?
Does the computer have any other issues at the moment ?
j-escalader72
2007-01-06, 16:20
Probably 50% of the time I have to close a page or shut down by unplugging my computer.
Daily, I have freezing or lengthy delays. As I type this sentence, half will show up about 7-9 second later.
Question please.....
I am unfamiliar with AVG and wonder if there is a conflict with my configuration.
This was listed within a few seconds into my scan, so I decided to stop the scan. I did not want to delete any necessary files til I spoke with you.
AVG Virus Results
Object
c\Windows\System32\kernel32.dll
c\Windows\System32\wsock32.dll
c\Windows\System32\user32.dll
c\Windows\System32\shell32.dll
c\Windows\System32\ntoskml.exe
c\Windows\System32\drivers\etc\hosts
***The above was healed.
This was in my AVG Vault from my previous scan; I think the following was quarantined.
AVG Virus Vault
Trojan horse DownloaderAgent.GNR
Trojan horse Clicker.OA
Trojan horse Downloader.Generic.KWN
Hmm I recommend that you run a full scan with AVG and let it clean what it finds...
Then the freezing and other problems may be some physical too.
You could try to create a new user account to the computer and see if it has issues too. How to create and configure user accounts in Windows XP (http://support.microsoft.com/kb/279783)
:bigthumb:
j-escalader72
2007-01-13, 22:37
Hi,
Sorry for my delay but I have been very ill and away from my computer for sometime.
The computer freezing up seems to be abated.
My problems with lengthy starting up and shutting down is less frequent than before but periodically still happens. When browsing, some pages start to come up then abruptly says error occured and must close down. I am unsure as to why because i have been to those sites before.. (cbsnews.com)
AVG full scan reflected nothing found.
I set up a new user and it operates like the other user accts having periodic slow startup or shut downs.
Once, upon startup, I received a message that it could not continue because I was ‘missing config’ :scratch: and I needed to reload from my original disks for a new system. I shut down, waited a few minutes, then started up again and all was fine. I have no idea what, where, and why that appeared.
Is there anyway I can check on & correct any registry and application errors that may be slowing down my system??
Last year I did receive faulty application errors about
faulty application iexplore.exe version 6.0.2900.2180
faulty application iexplore.exe version 6.0.2800.1106
faulty application firefox -----------------------I don’t know if my AV & A-malware runs behind the other programs to slow things down or what.
Is smitfraud a legit program for my computer?
Thank you for your assistance.
Hi again :)
Sounds like something is corrupted. Maybe a repair installation or prehaps a complete reformat & reinstall will help. I can give you instructions if you want to try.
Of course this could be a physical problem too...In that case a reinstall won't help...
Let me know what you think :bigthumb:
j-escalader72
2007-01-15, 00:43
Mr. Jak,
After you assisted me in cleaning my computer, all things were going well. The lengthy start up became worse after I did all my hardware & software driver updates, Firefox, Internet Explorer, and Windows update to 7, then JAVA, microsoft spy defender, AVG antispyware, Adobe, and Google, etc. updates.....:sad:
Maybe too much updates at one time. Then, my Java updates were wierdly incomplete and I had to delete the JAVA program 3 times and try to reinstall. This made all of my Notepad txt became weird symbols and apparently corrupted. Maybe some conflicts with certain configurations.
Somehow my updates were changed to automatic DL & install and were running constantly...... I changed the settings to let me know prior to installing them cause I want to be selective. I will never have them set to automatic again.....
I’ll keep pondering on a solution and I’ll let you know.
Thanks so kindly for your time and knowledge.
I may be away for a few, but I shall return.
Thanks,
Jay
Hi again :)
You could post a one more HijackThis log. After the updating the programs might have added themselves to the startup. We may disable those in order to improve the performance.
Have you defragged your harddrives ?
Still there j-escalader72 ?
j-escalader72
2007-01-23, 05:26
Mr Jak,
:bigthumb: I can get my computer to start now.
Although a few lil quirks remain, things are good with no freezing and a quicker start up.
I did a restore and then slowly did my updates.
I suspect the google Earth with updates caused a huge CPU overload.
I also fixed JAVA updates, (as per site there were problems and given a new update to fix).
I had some microsoft updates that were auto DL'ed & installed but didnt need cause didnt have the software that it went with, so i deleted.
I decided not to auto install updates..... ill do them weekly so i can notice if there are any conflicts.
Thanks for all you have done.......I appreciate your assistance.
Please continue your efforts to rid viruses & malware.
Jay-Escalader
***Here is my HJT log.....Let me know if any problems to correct.
___________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 8:12:40 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Owner\Desktop\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.arng.army.mil
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com (http://www.militaryonesource.com)
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162326797656
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Hi :)
Nice to hear that the things are running now, HjT looks clean :)
You may fix these unnecessary startups if you want:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
:bigthumb:
j-escalader72
2007-01-24, 23:35
Mr Jak,
:crowned: Thank you, thank you, & thank you.
Unsure if I mentioned, but my 2 disk drives (floppy & CD) mysteriously returned. ;)
-------Your suggestion to fix the 2 unnecessary startups, helped everything run faster.
-------I also did another AVG Anti-Spyware; found & fixed 4 med risk items.
-------Which cleanup programs can I delete now, since things are fixed? Do I just transfer to recycle bin?
Things are really great. Thanks for everything.....
You are so kind & generous to share your knowledge to assist others.:angel:
Thanks,
J-escalader
Hi :)
Nice to hear. You may remove all the small tools like WinPFind by just deleting the folder/file.
AVG AntiSpyware and ATF-cleaner are tools that are worth keeping in my opinion :bigthumb:
j-escalader72
2007-01-25, 22:12
Mr. Jak,
:cool: Thanks a bunch for your assistance and patience til my computer got all cleaned to run quicker and free of bugs. Hopefully, i wont be needing your expertise in the near future.
:bow: Much Gratitude,
J-escalader
That's great news and you're very welcome :D:
Here is also some speed up hints -> Link (http://www.castlecops.com/postitle175256-0-0-.html)
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: