IE Closes & Products keep being cked to ignore in scan and slow

Mr Jak,

This is the remainder of the Silent Runners log from the prior post.

I have completed all you requested and am waiting for my next assignments. Thank you for your guidance. :) I appreciate it.

Jay Escalader

____________ continuation of Silent Runners Log _____________

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Lexar JD31, LxrJD31s, "LxrJD31s.exe" [null data]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt05\Driver = "hpzsnt05.dll" ["HP"]
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 264 seconds, including 18 seconds for message boxes)
 
Ok great, now we'll move the clean files back to the places they belong...

Go to My Computer and browse to the following folder:
C:\Program Files\HP\HPSoftware\BAK
Inside the BAK folder is a file named HPWuSchd2.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\HP\HPSoftware
Click the background with your mouse, choose Paste
Now you should have the HPWuSchd2.exe file in the C:\Program Files\HP\HPSoftware folder.
Now go ahead and delete the BAK folder

The same thing for the other files:
C:\Program Files\MCAFEE.COM\AGENT\BAK
Inside the BAK folder are files named McAgent.exe & mcupdate.exe
Select the files with your mouse, right click them with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\MCAFEE.COM\AGENT
Click the background with your mouse, choose Paste
Now you should have the files in the C:\Program Files\MCAFEE.COM\AGENT folder
Now go ahead and delete the BAK folder

Two more to go:
C:\Program Files\Common Files\Real\Update_OB\BAK
Inside the BAK folder is a file named realsched.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Common Files\Real\Update_OB
Click the background with your mouse, choose Paste
Now you should have the realsched.exe file in the C:\Program Files\Common Files\Real\Update_OB folder.
Now go ahead and delete the BAK folder

One more:
C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\BAK
Inside the BAK folder is a file named GoogleToolbarNotifier.exe
Right click it with your mouse and choose Cut
Then go back to the main folder, C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674
Click the background with your mouse, choose Paste
Now you should have the GoogleToolbarNotifier.exe file in the C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674 folder.
Now go ahead and delete the BAK folder

Finally, delete the following folder:
C:\Program Files\Java

Restart the computer normally.

Then we'll run one more scanner in order to make sure that we got everything:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with one more HijackThis log.
 
Mr Jak,

I did all you requested to move the clean files. Also, I did the Kaspersky Online Scan & HJT scan and I am posting the logs in 3 posts due to size.

Thank you for your guidance.
Seems we are successfully knocking them bugz down.
:D: I very much appreciate it.

Jay Escalader
P.S. Now my wireless mouse & keyboard delays. yuckie!!!
_________________________________

Kaspersky Online Scan

KASPERSKY ONLINE SCANNER REPORT
Thursday, October 26, 2006 4:49:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/10/2006
Kaspersky Anti-Virus database records: 235264
--------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 94022
Number of viruses found: 10
Number of infected objects: 20 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:04:44

Infected Object Name / Virus Name / Last Action
C:\!KillBox\ie.exe Infected: Trojan-Downloader.Win32.Agent.azn skipped
C:\2e31c488aa90f34d15450acf38e5de\common\spcustom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\common\spmsg.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\common\spuninst.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\common\update.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\browser.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\callcont.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\EvTgProv.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\gdi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\H323.TSP Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\H323msp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\HelpCtr.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\ipnathlp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\lsasrv.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\mf3216.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\msasn1.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\msgina.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\mst120.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\netapi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\nmcom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\RTCDLL.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\schannel.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\update\KB835732.cat Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\update\update.inf Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp1\update\update.ver Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\callcont.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\evtgprov.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\gdi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\h323.tsp Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\h323msp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\helpctr.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\ipnathlp.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\lsasrv.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\mf3216.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\msasn1.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\msgina.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\mst120.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\netapi32.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\nmcom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\rtcdll.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\schannel.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\spmsg.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\spuninst.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\KB835732.cat Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\spcustom.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\update.exe Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\update.inf Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\update\update.ver Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\sp2\xpsp2res.dll Object is locked skipped
C:\2e31c488aa90f34d15450acf38e5de\xpsp1hfm.exe Object is locked skipped
C:\antispyware\backups\backup-20040829-134927-259.dll Infected: Trojan-Clicker.Win32.VB.br skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Motive\Acme\plugin\log\pchbtn.log Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Intel\Createshare\inetcam\INSTALL.LOG Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\logs\iserver_access.log Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\logs\iserver_error.log Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\Audio.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\Audiops.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\magic Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\mime.types Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\usersdef.conf Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\conf\wireless.conf Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ftpproc.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\iconfig.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\InetcamServer.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\InetMotDet.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\InetResp.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\inst_util.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ipproc.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivista-ex.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivista.chm Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\iVista.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\IVistaACapture.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\IVistaVCapture.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivrec.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\ivrsmon.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\iws.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\IWSCore.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\mfc42.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\modules\mod_rewrite.so Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\msgproc.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\msvcrt.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\template.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\aonlybase.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\framedapplet.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\main.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\motdet.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\tableframe.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\tableindex.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\templates\videoclip.tpl Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\users\users Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\programs\Win9xConHook.dll Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\sounds\alarm1.wav Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\sounds\alarm2.wav Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\sounds\alarm3.wav Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\Uninstall.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\avmail.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\avmail.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-au.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-clip.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-gif.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-jpeg.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-mdlog.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\cgi\nph-setparam.exe Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\aonlybase.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\abottom.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\aleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\alert.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\aonly.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\aright.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\arrow.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\atop.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\audclip.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\avleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\avright.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\back.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\bottom.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\bottom2.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clipbottom.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clipleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clips.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\clipside.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\cliptop.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\left.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\logo.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menubottomcap.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menuclip.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menuhome.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menumotdet.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\menutopcap.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetclip.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetlogs.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetnext.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetpic.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetprev.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\motdetprofile.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\noclips.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\nomotdet.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\notavail.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\right.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\top.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\voleft.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\images\voright.gif Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jsaonlybase.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jstableframe.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jstableindex.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\jstemplate.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\tableframe.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\tableindex.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\dynamicindex\template.html Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\FTPCam.class Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\ijava.htm Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\ijpeg.htm Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamAudio.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamAudio.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamBase.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\InetcamBase.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcams.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcams.jar Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam_av.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Inetcam_av.jar Object is locked skipped

Remainder of Kaspersky Scan "continued on next post"
 
Mr Jak,

Here's the remainder of the Kaspersky Online Scan from the previous post.

My HJT Scan Log will be in the next post.

Thank you for your guidance.

Kaspersky Scan "continued from prior post"

C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ar_SA.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_de_DE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_en_GB.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_es_ES.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_fi_FI.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_fr_FR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_he_IS.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_it_IT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ja_JP.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ko_KR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_nl_NL.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_no_NO.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_pt_PT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_ru_RU.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_sv_SE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_zh_CN.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundleS_zh_TW.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ar_SA.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_de_DE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_en_GB.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_es_ES.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_fi_FI.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_fr_FR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_he_IS.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_it_IT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ja_JP.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ko_KR.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_nl_NL.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_no_NO.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_pt_PT.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_ru_RU.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_sv_SE.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_zh_CN.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\locales\InetcamBundle_zh_TW.properties Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\Readme.txt Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\vmail.cab Object is locked skipped
C:\Program Files\Intel\Createshare\inetcam\webcast\vmail.jar Object is locked skipped
C:\sti.log Object is locked skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP451\A0050692.exe Infected: Trojan-Downloader.Win32.Agent.azn skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057039.exe Infected: Trojan-Downloader.Win32.Agent.azn skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057055.dll Infected: Trojan-Spy.Win32.Goldun.lw skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057056.dll Infected: Trojan-Spy.Win32.Goldun.lw skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057057.exe Infected: Trojan-Spy.Win32.Goldun.lw skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057058.exe Infected: Trojan-Spy.Win32.Agent.ow skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057059.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057060.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057061.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057062.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057063.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057064.dll Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057065.dll Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057066.dll Infected: Trojan-Downloader.Win32.ConHook.r skipped
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\km_install.exe Infected: Trojan.Win32.SecondThought.h skipped
C:\WINDOWS\system32\sccmgr.exe Infected: Trojan-Downloader.Win32.Qoologic.m skipped
C:\WINDOWS\system32\t69l4fj8.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed
 
Mr Jak,

Here's my HJT Scan Log which is the completion of your request.
I'll be waiting for my next assignment.

Thank you for your guidance.
Jay Escalader


HJT scan

Logfile of HijackThis v1.99.1
Scan saved at 5:15:38 PM, on 10/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ymetray.lnk.disabled
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of HJT Scan
 
Hi again, looks quite good now :)

Delete the following files:
C:\WINDOWS\system32\km_install.exe
C:\WINDOWS\system32\sccmgr.exe
C:\WINDOWS\system32\t69l4fj8.ini

Empty the recycle bin. (Let me know if you had problems)

You said via pm that your McAfee subscription is outdated. It won't protect you from new viruses.
Let's get you a replacement.

At first, please download one firewall and one antivirus to your desktop.

These are good (free) firewalls:
These are good (free) antiviruses:
Then, unplug your computer from the internet.
Uninstall McAfee via Control Panel, Add/Remove Programs

Install the firewall and antivirus you earlier downloaded.
Reboot the computer.
Reconnect to the internet.

Update the latest definitions to your antivirus and run a full system scan with it.

Then the first priority is to visit Windows Update and get your system updated
-> At first, install Win XP Service Pack 2 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll probably have to reboot and get back to the update several times before all of them are installed)

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools that we used during the cleaning process.
You can remove the following backup folder. C:\!Killbox

Now you can download and install the latest version of Java, Java Runtime Environment (JRE) 5.0 Update 9

Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

If everything is running ok, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use AVG Anti-Spyware
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is a faster, safer and better browser than Internet Explorer.
  • Keep your system up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
  • Stand Up and Be Counted !
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe ;)
 
Mr Jak,
Questions....... Help!!!

When I deleted McAfee programs, it asked me about the McAfee quarantined files and I didn't know what to do, so I told it 'no action'. I deleted all 3 McAfee programs from C:\Program Files & have rebooted 3 times, but it still shows 2 McAfee programs remaining. One is empty and the other looks like the install for McAfee spyware. What will happen to the 2 files and the McAfee quarantined files?

I emptied Recycle bin and DL & installed Zone Alarm & AVG.... All went well.

Also, ZoneAlarm gave me notice that these were trying to come in ... I denied all of them till I can talk to you.
They were
- CFD.exe
- mcinfo.exe
- mcafee 'something'
- Server program- Messenger is trying to act as a server ... msmsgs.exe
I have not downloaded Windows SP2 or Java yet.

My keyboard still has a long delay before showing up on the monitor .... It seems to be at the same time the light for the CD drive (I think E drive) stays lit like it's doing something. There is no CD in the drive. The light stays on for a few hours then just goes off. My computer won't shut down while the light is on. I didn't have that problem till I started deleting......

I am on DSL but it takes a long time to open a website.

It takes a long time to
turn on & off as well as log on & log off.

Please guide me..... I'll be up late.

Thank You,
Jay Escalader
 
Hi again :)

Maybe the McAfee uninstall process was not successful, please post a fresh HijackThis log and we'll have a look :)

The cd-drive problem sounds quite odd...
 
Hi,
Thank you for your prompt attention.
HJT Per your request ........
Jay Escalader


_______________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:09:49 AM, on 10/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\2006102816592_mcinfo.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\2006102816592_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Alarm Clock Icon.lnk.disabled
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ymetray.lnk.disabled
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://usmilitary.about.com
O15 - Trusted Zone: http://www.la.ngb.army.mil
O15 - Trusted Zone: http://www.armyonesource.com
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: http://www.juno.com
O15 - Trusted Zone: www.militaryonesource.com
O15 - Trusted Zone: http://www.hotmail.msn.com
O15 - Trusted Zone: groups.msn.com
O15 - Trusted Zone: www.msnusers.com
O15 - Trusted Zone: http://vil.nai.com
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://loginnet.passport.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Ok, we'll continue :)
There seems to be one McAfee leftover...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\2006102816592_mcinfo.exe /insfin

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Restart your computer normally.

Then, please do the following...

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed.
7. Copy & paste that log here.
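To triage log lines of this kind without clicking through the GUI, here is an added example in Python (not HijackThis code, and not part of Mr Jak's instructions) that parses HijackThis-style O4/O18/O23 lines and flags the warning signs a helper looks for: a launch point whose target file is missing, a program starting from a Temp directory, and a service with no publisher recorded. The sample lines are constructed after the ones in this thread; the class and function names are my own.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on lines quoted in this thread (O4, O18 and O23 records).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\2006102816592_mcinfo.exe /insfin
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis record starts with a section code such as O4 or O23.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.+)$")
# A path component named Temp or tmp (e.g. ...\LOCALS~1\Temp\...), case-insensitive.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# How to pull a readable entry name out of the record types handled here.
NAME_RES = {
    "O4": re.compile(r"\[(?P<name>[^\]]+)\]"),
    "O23": re.compile(r"Service: (?P<name>.+?) - "),
    "O18": re.compile(r"(?:Protocol|Filter(?: hijack)?): (?P<name>.+?) - "),
}


@dataclass
class Finding:
    section: str
    name: str
    raw: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a HijackThis record line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    name_re = NAME_RES.get(section)
    name_m = name_re.search(rest) if name_re else None
    name = name_m.group("name") if name_m else rest[:40]
    return Finding(section=section, name=name, raw=line.strip())


def assess(f: Finding) -> Finding:
    """Attach the reasons (if any) this entry deserves a second look."""
    if "(file missing)" in f.raw:
        f.reasons.append("launch point references a file that no longer exists")
    if TEMP_DIR_RE.search(f.raw):
        f.reasons.append("launches from a temporary directory")
    if f.section == "O23" and " - Unknown owner - " in f.raw:
        f.reasons.append("service binary carries no publisher information")
    return f


def triage(log_text: str) -> List[Finding]:
    """Parse every record line in the log and assess it."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is not None:
            findings.append(assess(f))
    return findings


def flagged(log_text: str) -> List[Finding]:
    """Only the entries that have at least one reason attached."""
    return [f for f in triage(log_text) if f.reasons]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.section} [{f.name}]: {'; '.join(f.reasons)}")
```

A flag marks an entry for verification, not removal: the Lexar card-reader service in the sample is legitimate despite reporting no owner, which is exactly why a reviewer compares the log against known software before listing anything to fix, as Mr Jak does above with the single leftover entry in Temp.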
 
Mr Jak,
Here is my HJT Startup List, which is in 2 posts due to length.
Thanks,
Jay Escalader

________________________________________________

StartupList report, 10/29/2006, 11:25:12 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Labtec Wireless Desktop\OSD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk.disabled
Alarm Clock Icon.lnk.disabled
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
Google Updater.lnk.disabled
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = ?
ymetray.lnk.disabled

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

dla = C:\WINDOWS\system32\dla\tfswctrl.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
Share-to-Web Namespace Daemon = c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
Propel Accelerator = C:\PROGRA~1\BELLSO~1\PropelAC.exe
LTMSG = LTMSG.exe 7
KBD = C:\HP\KBD\KBD.EXE
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
BellSouthSyn = C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
BellSouthScheduler = C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Acme.PCHButton = C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[bcb906ec-1e6c-4b15-bdb0-02c645fb4a61] *
StubPath = C:\WINDOWS\System32\lqxxpw.exe

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA844-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CChat25.inf,PerUserAdd.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser

[{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
StubPath = rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
(no name) - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Chancy 's School time.job
Disk Cleanup.job
Symantec NetDetect.job
Yahoo.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Yahoo! Chat]
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Chat.osd

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

[Support.com Configuration Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll
CODEBASE = http://support.fastaccess.com/sdccommon/download/tgctlcm.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[DownloadManager Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\DOWNLO~2.OCX
CODEBASE = http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\PROGRA~1\Yahoo!\MESSEN~1\yacscom.dll
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

[{32505657-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[MSN File Upload Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MsnUpld.dll
CODEBASE = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab

[YahooYMailTo Class]
InProcServer32 = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

[YAddBook Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yaddbook.dll
CODEBASE = http://download.yahoo.com/dl/mail/autocomplete.cab

[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ITDetector.ocx
CODEBASE = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/controls/msnchat45.cab

--------------------------------------------------

_________ HJT Startup List continued on next post _________
 
Continuation of my HJT Startup List.
Thanks,
Jay Escalader

____ HJT Startup List continued from prior post _____

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
TRUST SPYC@M 300S: System32\Drivers\SQcaptur.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Avance AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Dual-Mode DSC(2770): System32\Drivers\SQcaptur.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
Intel(r) PC Camera CS331: System32\Drivers\ICAM3D2.SYS (manual start)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
%imapi_ServiceDesc%: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Agere Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
LxrJD31d: \??\C:\WINDOWS\System32\Drivers\LxrJD31d.sys (autostart)
Lexar JD31: LxrJD31s.exe (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr CPU Helper Driver: system32\drivers\PCDRDRV.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Creative WebCam Instant: System32\DRIVERS\P0620Vid.sys (manual start)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGP.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: System32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SSI: system32\Drivers\SSI.SYS (system)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Webroot Spy Sweeper Engine: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{13C56707-A75E-427F-A3E7-375956BFF577} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TVICHW32: \??\C:\WINDOWS\System32\DRIVERS\TVICHW32.SYS (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (system)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 39,910 bytes
Report generated in 0.671 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Hi again, there is something suspicious...

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Go to virustotal.com
Click on the Browse button
Browse to the following file: C:\WINDOWS\System32\lqxxpw.exe
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.
 
Mr Jak,
You are so appreciated. Thank you for your time and knowledge.

The settings to show the hidden files were already exactly as you want them..... So I didn't have to change any of the settings.
I went to Virustotal but COULD NOT find the file you requested.
[bcb906ec-1e6c-4b15-bdb0-02c645fb4a61] *
StubPath = C:\WINDOWS\System32\lqxxpw.exe
I did numerous searches but to no avail. :sick:
I have no idea......
Sorry.
Make A Difference,
Jay Escalader
 
Hi again :)

Please download Registry Search Tool (in the middle of the page)
  • Unzip it to your desktop
  • Double click the file that was extracted and run a search with the following keyword: bcb906ec-1e6c-4b15-bdb0-02c645fb4a61
  • Save the results and post those to here
 
Question??????
I want my search as bellsouth google.....

but WHY
it has the following?

In my HijackThis..... Main tab....
below URL will be used when fixing hijacked..... MSIE pages:
Default Start page ........... about:blank
Default Search page...... .microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Default search Assistant //ie.search.msn.com/(SUB_RFC1766)/srchasst/srchasst.htm
Default search Customize //ie.search.msn.com/(SUB_RFC1766)/srchasst/srchcust.htm

*******I am so pissed off with these bugs......
BTW....WHY & WHO puts them in the systems, ads, or whatever?????
They should be Court-Martialled!!! Or maybe sentenced to using all that pent-up knowledge & boredom to helping 'MAKE A Difference In This World' through fighting hunger, helping the disabled, educating the less fortunate and striving for peace among us all.
 
Mr Jak,
TY for your time to assist me.
At times my puter has much improvement, but then my keyboard gets so delayed that it takes 20 minutes to type a short paragraph for posting.

I am trying to use only my Firefox browser for everything, but don't know how to get to MSN log-on with allowing all these cookies. :sad: I want to check my email but can't without allowing cookies. How do I handle accepting cookies & etc.? How do I allow cookies or trusted sites in my Firefox, like I had in IE? Thank you for all.

I DL'ed & ran Registry Search tool.
I saved the scan results.... and am posting them here for you.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "bcb906ec-1e6c-4b15-bdb0-02c645fb4a61" 10/30/2006 2:35:30 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[HKEY_USERS\S-1-5-21-240772092-448486026-72185382-1003\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
 
Mr Jak,
I was doing my Adaware scan and suddenly My AVG resident popped up saying A Trojan was in a file.
I quarantined the stuff but could barely copy info for you.....
:sad: BTW ...... What is an easy way to copy the AVG Free quarantined info?

Thanks,
Jay Escalader

P.S. I'm sorry, please excuse my prior post ranting about the villains, but I am so frustrated about all these bugs. Please let me know when I can do my Windows, IE, Java, & etc. updates.
_____________________________

This is trojan info........ Please advise me what to do with it.

"","","Trojan horse Downloader.Generic.KWN","C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP479\A0057066.dll","10/30/2006 6:05:36 PM","A0057066.dll","27.51 KB"
_____________________________

AdAware Info
ADAWARE object Details
Name:Windows
Category:Vulnerability
Object Type:RegData
Size:4 Bytes
Location:...\software\policies\microsoft\internet explorer\control panel "Homepage" ()
Last Activity:10-30-2006
Relevance:Low
TAC index:3
Comment:
Description:General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.
________ Full ADAWARE Scan is my next post ___________
 
Hi again :)

Don't worry about the HijackThis Main tab entries. Those are used when restoring the default search/homepage sites...
The trojan is located inside System Restore; it can be easily cleaned later...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[-HKEY_USERS\S-1-5-21-240772092-448486026-72185382-1003\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[-HKEY_USERS\S-1-5-18\Software\Microsoft\Active Setup\Installed Components\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double-click on the file to run Fix.reg, and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Then, open HijackThis.
  • Open the Misc Tools section
  • Delete an NT service
  • Copy the following line to the filename box and press OK: C:\WINDOWS\System32\lqxxpw.exe
  • Answer Yes
The computer will reboot; if not, restart it yourself.

Please try to re-install your keyboard software. That may solve the delay problem.

Please let me know how it went and post one more HijackThis log :bigthumb:
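The Fix.reg above was written by hand from the RegSrch.vbs results posted earlier in the thread. As an added example (not part of the thread, and not code from RegSrch.vbs or HijackThis), the Python script below parses RegSrch-style output, emits the same kind of `[-key]` deletion file with the trailing blank line the reply insists on, and lists which Active Setup "Installed Components" keys stood out. The sample input is constructed to mirror the search results posted above. The flagging rule is my own heuristic, not something the thread states: Windows' own Active Setup entries are named with a braced {GUID}, so a subkey whose name lacks the braces is worth a second look before merging the fix.

```python
"""Build a REGEDIT4 deletion file from RegSrch.vbs-style search results.

Added example for the thread above; assumes RegSrch output consists of
comment lines starting with ';' and bracketed key paths, one per line.
"""
import re

# Constructed sample modelled on the registry search results posted in the thread.
SAMPLE_SEARCH_OUTPUT = """REGEDIT4
; RegSrch.vbs (c) Bill James

; Registry search results for string "bcb906ec-1e6c-4b15-bdb0-02c645fb4a61" 10/30/2006 2:35:30 PM

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Active Setup\\Installed Components\\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]

[HKEY_USERS\\S-1-5-18\\Software\\Microsoft\\Active Setup\\Installed Components\\bcb906ec-1e6c-4b15-bdb0-02c645fb4a61]
"""

# A bracketed key path on its own line, e.g. [HKEY_LOCAL_MACHINE\SOFTWARE\...]
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# The braced {GUID} form that Windows' own Active Setup components use (heuristic).
BRACED_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_search_results(text):
    """Return the registry key paths listed in RegSrch-style output."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments and the REGEDIT4 header RegSrch writes.
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        match = KEY_LINE.match(line)
        # A leading '-' would already mean "delete"; only plain key paths count.
        if match and not match.group("key").startswith("-"):
            keys.append(match.group("key"))
    return keys


def is_active_setup_key(key):
    """True if the key lives under Active Setup\\Installed Components."""
    return "\\active setup\\installed components\\" in key.lower()


def flag_unusual_active_setup(keys):
    """Heuristic: Active Setup component keys whose name is not a braced {GUID}."""
    flagged = []
    for key in keys:
        if not is_active_setup_key(key):
            continue
        leaf = key.rsplit("\\", 1)[-1]
        if not BRACED_GUID.match(leaf):
            flagged.append(key)
    return flagged


def build_fix_reg(keys):
    """Render a REGEDIT4 file that deletes each key ([-key] syntax).

    The file starts with REGEDIT4 on the first line, uses CRLF line endings,
    and ends with exactly one blank line, as the instructions above require.
    """
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines) + "\r\n"


def write_fix_reg(keys, path):
    """Write the deletion file to disk, preserving the CRLF endings."""
    with open(path, "w", newline="", encoding="ascii") as handle:
        handle.write(build_fix_reg(keys))


if __name__ == "__main__":
    found = parse_search_results(SAMPLE_SEARCH_OUTPUT)
    for key in flag_unusual_active_setup(found):
        print("flagged (non-braced Active Setup key):", key)
    print(build_fix_reg(found))
```

Run it on a saved RegSrch results file by passing the file's text to `parse_search_results`; the `[-key]` lines it emits are the same form the reply asks you to type by hand, and the flagged list shows which of the matched keys fail the braced-GUID convention.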
 