TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Jarcy on October 18, 2005, 05:15:14 PM

Title: SmartSecurity and other problems
Post by: Jarcy on October 18, 2005, 05:15:14 PM

May main problem is I've been aflicted with SmartSecurity and after a search of the web, seem to have similar symtons to other patients. The symtons are:
Red and black wallpaper, which can't be removed.
Doubling up of new icons.
Right-click on desktop inoperative (a real pain!) /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />

I've had this problem for a little while, but now new problems persist:
- MS Word fails to open, producing a windows error report.
Reinstalling Office does not correct this problem. /mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' />
- McAfee Virus scan does not open with same problem as above.
Reinstalled McAfee Internet Security (5.0) and updated firewall. Virus scan worked at first, but then failed to open again once updated.
- Explorer home page has just been hijacked (sorry will need to reboot to get IP address). I managed to fix a similar problem here some time ago, but I'm being attacked again. /mad.gif\' class=\'bbc_emoticon\' alt=\':angry:\' />
- Notepad doesn't seem to open.  /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />
- Excel crashes when opening a previously saved document.

I've run Ad-aware and Spybot, and fixed anything that came up.

Please can anyone help me with these problems? Help would be really gratefully received.
I've run HijackThis and got a huge list of processes that seem to be running. I save the log, but now am unable to open or access it, so I can't even post the results here. Tried attaching the log, but don't know how that works. I really don't know where else to start! /sad.gif\' class=\'bbc_emoticon\' alt=\':(\' />

P.S. I'm new to this  techy stuff, so please bear with me. Thanks.
P.P.S. I also have Kazaa (the "pop-up free" version you pay for) plus associated P2P, but I believe this is a big no-no. Will happily get rid of, if advised.

Managed to copy HijackThis log using wordpad:
Logfile of HijackThis v1.99.1
Scan saved at 11:03:46 PM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Xi\NetTransport 2\NetTransport.exe
C:\Program Files\LeechGet 2005\LeechGet.exe
C:\PROGRA~1\McAfee.com\Agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php (http://\"http://69.50.191.52/1076/sp.php\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/ (http://\"http://69.50.191.52/1076/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/1076/ (http://\"http://69.50.191.52/1076/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/1076/sp.php (http://\"http://69.50.191.52/1076/sp.php\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq= (http://\"http://bestsearch.cc/1076/search.php?qq=\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Qbf] C:\WINDOWS\System32\Oek.exe
O4 - HKLM\..\Run: [Bln] C:\WINDOWS\Tnf.exe
O4 - HKLM\..\Run: [Ijs] C:\WINDOWS\System32\Rto.exe
O4 - HKLM\..\Run: [Hds] C:\WINDOWS\System32\Som.exe
O4 - HKLM\..\Run: [Eun] C:\WINDOWS\System32\Utb.exe
O4 - HKLM\..\Run: [Mrd] C:\WINDOWS\Vor.exe
O4 - HKLM\..\Run: [Jvt] C:\WINDOWS\System32\Lot.exe
O4 - HKLM\..\Run: [Mhd] C:\WINDOWS\System32\Lnb.exe
O4 - HKLM\..\Run: [Inp] C:\WINDOWS\Fmj.exe
O4 - HKLM\..\Run: [Ivk] C:\WINDOWS\System32\Ndb.exe
O4 - HKLM\..\Run: [Ksu] C:\WINDOWS\System32\Vde.exe
O4 - HKLM\..\Run: [Eha] C:\WINDOWS\Lcv.exe
O4 - HKLM\..\Run: [Rhj] C:\WINDOWS\System32\Jlf.exe
O4 - HKLM\..\Run: [Iha] C:\WINDOWS\System32\Ajv.exe
O4 - HKLM\..\Run: [Klq] C:\WINDOWS\System32\Ptf.exe
O4 - HKLM\..\Run: [Lot] C:\WINDOWS\System32\Mjo.exe
O4 - HKLM\..\Run: [Scm] C:\WINDOWS\System32\Dkm.exe
O4 - HKLM\..\Run: [Esk] C:\WINDOWS\System32\Niu.exe
O4 - HKLM\..\Run: [Bcc] C:\WINDOWS\Jcd.exe
O4 - HKLM\..\Run: [Tmj] C:\WINDOWS\Mlq.exe
O4 - HKLM\..\Run: [Mva] C:\WINDOWS\System32\Crb.exe
O4 - HKLM\..\Run: [Iea] C:\WINDOWS\Stk.exe
O4 - HKLM\..\Run: [Tpe] C:\WINDOWS\System32\Umd.exe
O4 - HKLM\..\Run: [Jdp] C:\WINDOWS\Gbb.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Atd.exe
O4 - HKLM\..\Run: [Omc] C:\WINDOWS\Hlu.exe
O4 - HKLM\..\Run: [Ohq] C:\WINDOWS\System32\Afp.exe
O4 - HKLM\..\Run: [Tos] C:\WINDOWS\Bcv.exe
O4 - HKLM\..\Run: [Nfe] C:\WINDOWS\System32\Uuj.exe
O4 - HKLM\..\Run: [Vgv] C:\WINDOWS\Lpq.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Pva] C:\WINDOWS\Mvp.exe
O4 - HKLM\..\Run: [Jpo] C:\WINDOWS\Ljv.exe
O4 - HKLM\..\Run: [Eqo] C:\WINDOWS\System32\Gbp.exe
O4 - HKLM\..\Run: [Iid] C:\WINDOWS\Pue.exe
O4 - HKLM\..\Run: [Tnb] C:\WINDOWS\Evb.exe
O4 - HKLM\..\Run: [Ver] C:\WINDOWS\System32\Ndc.exe
O4 - HKLM\..\Run: [Dct] C:\WINDOWS\System32\Sds.exe
O4 - HKLM\..\Run: [Kqi] C:\WINDOWS\Kss.exe
O4 - HKLM\..\Run: [Opj] C:\WINDOWS\System32\Ibr.exe
O4 - HKLM\..\Run: [Hht] C:\WINDOWS\System32\Mki.exe
O4 - HKLM\..\Run: [Gst] C:\WINDOWS\System32\Rhf.exe
O4 - HKLM\..\Run: [Nbp] C:\WINDOWS\System32\Vre.exe
O4 - HKLM\..\Run: [Ujc] C:\WINDOWS\Chc.exe
O4 - HKLM\..\Run: [Pju] C:\WINDOWS\Fsk.exe
O4 - HKLM\..\Run: [Hig] C:\WINDOWS\System32\Hgm.exe
O4 - HKLM\..\Run: [Vim] C:\WINDOWS\System32\Ufn.exe
O4 - HKLM\..\Run: [Obt] C:\WINDOWS\Aas.exe
O4 - HKLM\..\Run: [Qfo] C:\WINDOWS\Bjd.exe
O4 - HKLM\..\Run: [Nnh] C:\WINDOWS\Fhp.exe
O4 - HKLM\..\Run: [Qmt] C:\WINDOWS\System32\Hgf.exe
O4 - HKLM\..\Run: [Hvl] C:\WINDOWS\System32\Kef.exe
O4 - HKLM\..\Run: [Fsn] C:\WINDOWS\Fic.exe
O4 - HKLM\..\Run: [Kpd] C:\WINDOWS\Evn.exe
O4 - HKLM\..\Run: [Ocr] C:\WINDOWS\System32\Por.exe
O4 - HKLM\..\Run: [Hdv] C:\WINDOWS\Rrf.exe
O4 - HKLM\..\Run: [Erk] C:\WINDOWS\System32\Jsb.exe
O4 - HKLM\..\Run: [Cng] C:\WINDOWS\Ffj.exe
O4 - HKLM\..\Run: [Fcb] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Rpe.exe
O4 - HKLM\..\Run: [Bvr] C:\WINDOWS\Fun.exe
O4 - HKLM\..\Run: [Pma] C:\WINDOWS\System32\Gdt.exe
O4 - HKLM\..\Run: [Etr] C:\WINDOWS\Mep.exe
O4 - HKLM\..\Run: [Rjp] C:\WINDOWS\Igd.exe
O4 - HKLM\..\Run: [Boj] C:\WINDOWS\System32\Pnu.exe
O4 - HKLM\..\Run: [Obl] C:\WINDOWS\System32\Nli.exe
O4 - HKLM\..\Run: [Nem] C:\WINDOWS\System32\Pdh.exe
O4 - HKLM\..\Run: [Nnj] C:\WINDOWS\Nog.exe
O4 - HKLM\..\Run: [Lar] C:\WINDOWS\System32\Vvk.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\Mst.exe
O4 - HKLM\..\Run: [Tmq] C:\WINDOWS\System32\Uam.exe
O4 - HKLM\..\Run: [Kct] C:\WINDOWS\Hkk.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Vea.exe
O4 - HKLM\..\Run: [Hfu] C:\WINDOWS\System32\Cft.exe
O4 - HKLM\..\Run: [Fef] C:\WINDOWS\Nff.exe
O4 - HKLM\..\Run: [Dao] C:\WINDOWS\System32\Sld.exe
O4 - HKLM\..\Run: [Csc] C:\WINDOWS\System32\Jtc.exe
O4 - HKLM\..\Run: [Hpn] C:\WINDOWS\Ehf.exe
O4 - HKLM\..\Run: [Tnc] C:\WINDOWS\System32\Rnl.exe
O4 - HKLM\..\Run: [Tkd] C:\WINDOWS\System32\Tfq.exe
O4 - HKLM\..\Run: [Cuf] C:\WINDOWS\Ijl.exe
O4 - HKLM\..\Run: [Ebk] C:\WINDOWS\System32\Vqr.exe
O4 - HKLM\..\Run: [Vep] C:\WINDOWS\System32\Rih.exe
O4 - HKLM\..\Run: [Odr] C:\WINDOWS\System32\Fti.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ptp.exe
O4 - HKLM\..\Run: [Ker] C:\WINDOWS\System32\Olh.exe
O4 - HKLM\..\Run: [Oaa] C:\WINDOWS\System32\Ukl.exe
O4 - HKLM\..\Run: [Tod] C:\WINDOWS\Buc.exe
O4 - HKLM\..\Run: [Eed] C:\WINDOWS\System32\Lpi.exe
O4 - HKLM\..\Run: [Oae] C:\WINDOWS\System32\Geq.exe
O4 - HKLM\..\Run: [Sfb] C:\WINDOWS\System32\Fem.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\Fve.exe
O4 - HKLM\..\Run: [Hba] C:\WINDOWS\Tpm.exe
O4 - HKLM\..\Run: [Chs] C:\WINDOWS\Pjf.exe
O4 - HKLM\..\Run: [Tup] C:\WINDOWS\Hcu.exe
O4 - HKLM\..\Run: [Blg] C:\WINDOWS\System32\Vae.exe
O4 - HKLM\..\Run: [Ljh] C:\WINDOWS\Bun.exe
O4 - HKLM\..\Run: [Jom] C:\WINDOWS\System32\Tov.exe
O4 - HKLM\..\Run: [Mlm] C:\WINDOWS\System32\Fdt.exe
O4 - HKLM\..\Run: [Ehp] C:\WINDOWS\System32\Fnf.exe
O4 - HKLM\..\Run: [Jsr] C:\WINDOWS\System32\Uem.exe
O4 - HKLM\..\Run: [Sit] C:\WINDOWS\System32\Gjr.exe
O4 - HKLM\..\Run: [Erm] C:\WINDOWS\Min.exe
O4 - HKLM\..\Run: [Flc] C:\WINDOWS\System32\Lre.exe
O4 - HKLM\..\Run: [Rar] C:\WINDOWS\System32\Vba.exe
O4 - HKLM\..\Run: [Mej] C:\WINDOWS\System32\Ftg.exe
O4 - HKLM\..\Run: [Vkl] C:\WINDOWS\Jfo.exe
O4 - HKLM\..\Run: [Hns] C:\WINDOWS\System32\Mta.exe
O4 - HKLM\..\Run: [Ukv] C:\WINDOWS\System32\Gqr.exe
O4 - HKLM\..\Run: [Oaf] C:\WINDOWS\Rfj.exe
O4 - HKLM\..\Run: [Ace] C:\WINDOWS\Jjn.exe
O4 - HKLM\..\Run: [Jag] C:\WINDOWS\Ldj.exe
O4 - HKLM\..\Run: [Llq] C:\WINDOWS\Nat.exe
O4 - HKLM\..\Run: [Qce] C:\WINDOWS\Uoj.exe
O4 - HKLM\..\Run: [Pmg] C:\WINDOWS\Erc.exe
O4 - HKLM\..\Run: [Jog] C:\WINDOWS\Dvd.exe
O4 - HKLM\..\Run: [Pba] C:\WINDOWS\System32\Iol.exe
O4 - HKLM\..\Run: [Vau] C:\WINDOWS\System32\Mpf.exe
O4 - HKLM\..\Run: [Gub] C:\WINDOWS\Rtf.exe
O4 - HKLM\..\Run: [Sjt] C:\WINDOWS\System32\Luc.exe
O4 - HKLM\..\Run: [Mel] C:\WINDOWS\Tch.exe
O4 - HKLM\..\Run: [Nal] C:\WINDOWS\System32\Ipc.exe
O4 - HKLM\..\Run: [Nok] C:\WINDOWS\Ial.exe
O4 - HKLM\..\Run: [Pto] C:\WINDOWS\Dda.exe
O4 - HKLM\..\Run: [Tko] C:\WINDOWS\Bfi.exe
O4 - HKLM\..\Run: [Ugl] C:\WINDOWS\System32\Vbg.exe
O4 - HKLM\..\Run: [Brm] C:\WINDOWS\System32\Oaq.exe
O4 - HKLM\..\Run: [Fio] C:\WINDOWS\Agb.exe
O4 - HKLM\..\Run: [Ohe] C:\WINDOWS\Rvu.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Qbj.exe
O4 - HKLM\..\Run: [Iuu] C:\WINDOWS\Lkp.exe
O4 - HKLM\..\Run: [Cre] C:\WINDOWS\System32\Adk.exe
O4 - HKLM\..\Run: [Oqe] C:\WINDOWS\System32\Qut.exe
O4 - HKLM\..\Run: [Nci] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Fmn] C:\WINDOWS\Hnu.exe
O4 - HKLM\..\Run: [Pni] C:\WINDOWS\Uve.exe
O4 - HKLM\..\Run: [Qak] C:\WINDOWS\System32\Joo.exe
O4 - HKLM\..\Run: [Gpk] C:\WINDOWS\Fpn.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Fpc.exe
O4 - HKLM\..\Run: [Fjv] C:\WINDOWS\System32\Nbn.exe
O4 - HKLM\..\Run: [Fce] C:\WINDOWS\Hph.exe
O4 - HKLM\..\Run: [Gjs] C:\WINDOWS\System32\Jld.exe
O4 - HKLM\..\Run: [Rfb] C:\WINDOWS\System32\Vhh.exe
O4 - HKLM\..\Run: [Ihq] C:\WINDOWS\Uvh.exe
O4 - HKLM\..\Run: [Tvk] C:\WINDOWS\Llv.exe
O4 - HKLM\..\Run: [Afe] C:\WINDOWS\System32\Api.exe
O4 - HKLM\..\Run: [Pkd] C:\WINDOWS\Hor.exe
O4 - HKLM\..\Run: [Gvc] C:\WINDOWS\Lnc.exe
O4 - HKLM\..\Run: [Uub] C:\WINDOWS\Ark.exe
O4 - HKLM\..\Run: [Ugp] C:\WINDOWS\Mbo.exe
O4 - HKLM\..\Run: [Rbb] C:\WINDOWS\Eug.exe
O4 - HKLM\..\Run: [Udk] C:\WINDOWS\Opa.exe
O4 - HKLM\..\Run: [Htk] C:\WINDOWS\System32\Atd.exe
O4 - HKLM\..\Run: [Gsd] C:\WINDOWS\Scd.exe
O4 - HKLM\..\Run: [Bdm] C:\WINDOWS\System32\Lev.exe
O4 - HKLM\..\Run: [Utp] C:\WINDOWS\System32\Ikf.exe
O4 - HKLM\..\Run: [Qqf] C:\WINDOWS\Oun.exe
O4 - HKLM\..\Run: [Nuf] C:\WINDOWS\Rhp.exe
O4 - HKLM\..\Run: [Jji] C:\WINDOWS\Cjc.exe
O4 - HKLM\..\Run: [Aki] C:\WINDOWS\System32\Sbg.exe
O4 - HKLM\..\Run: [Jcl] C:\WINDOWS\System32\Ihv.exe
O4 - HKLM\..\Run: [Mcc] C:\WINDOWS\Vmq.exe
O4 - HKLM\..\Run: [Kui] C:\WINDOWS\Bjh.exe
O4 - HKLM\..\Run: [Unk] C:\WINDOWS\Kqc.exe
O4 - HKLM\..\Run: [Fgv] C:\WINDOWS\System32\Usr.exe
O4 - HKLM\..\Run: [Stv] C:\WINDOWS\System32\Egl.exe
O4 - HKLM\..\Run: [Sth] C:\WINDOWS\System32\Pro.exe
O4 - HKLM\..\Run: [Pei] C:\WINDOWS\Bqp.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\System32\Mfs.exe
O4 - HKLM\..\Run: [Qmb] C:\WINDOWS\System32\Prs.exe
O4 - HKLM\..\Run: [Jlq] C:\WINDOWS\Kpp.exe
O4 - HKLM\..\Run: [Avp] C:\WINDOWS\Nlp.exe
O4 - HKLM\..\Run: [Lpi] C:\WINDOWS\Dqo.exe
O4 - HKLM\..\Run: [Iar] C:\WINDOWS\System32\Chb.exe
O4 - HKLM\..\Run: [Igo] C:\WINDOWS\System32\Ctt.exe
O4 - HKLM\..\Run: [Aak] C:\WINDOWS\Efv.exe
O4 - HKLM\..\Run: [Son] C:\WINDOWS\Ghd.exe
O4 - HKLM\..\Run: [Dep] C:\WINDOWS\Vpi.exe
O4 - HKLM\..\Run: [Lto] C:\WINDOWS\Naj.exe
O4 - HKLM\..\Run: [Svh] C:\WINDOWS\Nht.exe
O4 - HKLM\..\Run: [Hou] C:\WINDOWS\Bcn.exe
O4 - HKLM\..\Run: [Isj] C:\WINDOWS\Upu.exe
O4 - HKLM\..\Run: [Bsn] C:\WINDOWS\Imj.exe
O4 - HKLM\..\Run: [Qcc] C:\WINDOWS\Hvn.exe
O4 - HKLM\..\Run: [Vvp] C:\WINDOWS\Hct.exe
O4 - HKLM\..\Run: [Ttn] C:\WINDOWS\Bpv.exe
O4 - HKLM\..\Run: [Gah] C:\WINDOWS\Qvt.exe
O4 - HKLM\..\Run: [Pjv] C:\WINDOWS\Ebg.exe
O4 - HKLM\..\Run: [Qgl] C:\WINDOWS\Bhb.exe
O4 - HKLM\..\Run: [Evd] C:\WINDOWS\Fik.exe
O4 - HKLM\..\Run: [Vfd] C:\WINDOWS\Gha.exe
O4 - HKLM\..\Run: [Qol] C:\WINDOWS\Jid.exe
O4 - HKLM\..\Run: [Fag] C:\WINDOWS\System32\Sme.exe
O4 - HKLM\..\Run: [Peo] C:\WINDOWS\Bms.exe
O4 - HKLM\..\Run: [Lhd] C:\WINDOWS\System32\Ktc.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Dch.exe
O4 - HKLM\..\Run: [Knl] C:\WINDOWS\System32\Qlg.exe
O4 - HKLM\..\Run: [Emp] C:\WINDOWS\System32\Ord.exe
O4 - HKLM\..\Run: [Aru] C:\WINDOWS\Hpk.exe
O4 - HKLM\..\Run: [Jcn] C:\WINDOWS\System32\Iqg.exe
O4 - HKLM\..\Run: [Rlf] C:\WINDOWS\System32\Knn.exe
O4 - HKLM\..\Run: [Kjv] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\Gqi.exe
O4 - HKLM\..\Run: [Tfk] C:\WINDOWS\System32\Vjl.exe
O4 - HKLM\..\Run: [Eob] C:\WINDOWS\System32\Tms.exe
O4 - HKLM\..\Run: [Eav] C:\WINDOWS\System32\Nnr.exe
O4 - HKLM\..\Run: [Vil] C:\WINDOWS\Npt.exe
O4 - HKLM\..\Run: [Fvi] C:\WINDOWS\Tik.exe
O4 - HKLM\..\Run: [Ifl] C:\WINDOWS\Kln.exe
O4 - HKLM\..\Run: [Old] C:\WINDOWS\Lol.exe
O4 - HKLM\..\Run: [Jao] C:\WINDOWS\System32\Ehi.exe
O4 - HKLM\..\Run: [Mte] C:\WINDOWS\Rtl.exe
O4 - HKLM\..\Run: [Qrm] C:\WINDOWS\System32\Lrk.exe
O4 - HKLM\..\Run: [Dfi] C:\WINDOWS\Usa.exe
O4 - HKLM\..\Run: [Tih] C:\WINDOWS\Nio.exe
O4 - HKLM\..\Run: [Ssc] C:\WINDOWS\Idp.exe
O4 - HKLM\..\Run: [Uqt] C:\WINDOWS\Ton.exe
O4 - HKLM\..\Run: [Bjd] C:\WINDOWS\System32\Qch.exe
O4 - HKLM\..\Run: [Uhb] C:\WINDOWS\System32\Ktt.exe
O4 - HKLM\..\Run: [Eti] C:\WINDOWS\System32\Qae.exe
O4 - HKLM\..\Run: [Gpb] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Olf] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Ecp] C:\WINDOWS\Giu.exe
O4 - HKLM\..\Run: [Ere] C:\WINDOWS\System32\Fua.exe
O4 - HKLM\..\Run: [Jhb] C:\WINDOWS\System32\Bro.exe
O4 - HKLM\..\Run: [Sqv] C:\WINDOWS\System32\Pts.exe
O4 - HKLM\..\Run: [Aso] C:\WINDOWS\Gdd.exe
O4 - HKLM\..\Run: [Obq] C:\WINDOWS\System32\Kvc.exe
O4 - HKLM\..\Run: [Odf] C:\WINDOWS\Mki.exe
O4 - HKLM\..\Run: [Kaj] C:\WINDOWS\Ivn.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Mhd] C:\WINDOWS\System32\Lnb.exe
O4 - HKCU\..\Run: [Inp] C:\WINDOWS\Fmj.exe
O4 - HKCU\..\Run: [Ivk] C:\WINDOWS\System32\Ndb.exe
O4 - HKCU\..\Run: [Ksu] C:\WINDOWS\System32\Vde.exe
O4 - HKCU\..\Run: [Eha] C:\WINDOWS\Lcv.exe
O4 - HKCU\..\Run: [Rhj] C:\WINDOWS\System32\Jlf.exe
O4 - HKCU\..\Run: [Iha] C:\WINDOWS\System32\Ajv.exe
O4 - HKCU\..\Run: [Klq] C:\WINDOWS\System32\Ptf.exe
O4 - HKCU\..\Run: [Lot] C:\WINDOWS\System32\Mjo.exe
O4 - HKCU\..\Run: [Scm] C:\WINDOWS\System32\Dkm.exe
O4 - HKCU\..\Run: [Esk] C:\WINDOWS\System32\Niu.exe
O4 - HKCU\..\Run: [Bcc] C:\WINDOWS\Jcd.exe
O4 - HKCU\..\Run: [Tmj] C:\WINDOWS\Mlq.exe
O4 - HKCU\..\Run: [Mva] C:\WINDOWS\System32\Crb.exe
O4 - HKCU\..\Run: [Iea] C:\WINDOWS\Stk.exe
O4 - HKCU\..\Run: [Tpe] C:\WINDOWS\System32\Umd.exe
O4 - HKCU\..\Run: [Jdp] C:\WINDOWS\Gbb.exe
O4 - HKCU\..\Run: [Fhn] C:\WINDOWS\Atd.exe
O4 - HKCU\..\Run: [Omc] C:\WINDOWS\Hlu.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\Afp.exe
O4 - HKCU\..\Run: [Tos] C:\WINDOWS\Bcv.exe
O4 - HKCU\..\Run: [Nfe] C:\WINDOWS\System32\Uuj.exe
O4 - HKCU\..\Run: [Vgv] C:\WINDOWS\Lpq.exe
O4 - HKCU\..\Run: [Ihk] C:\WINDOWS\System32\Lve.exe
O4 - HKCU\..\Run: [Pva] C:\WINDOWS\Mvp.exe
O4 - HKCU\..\Run: [Jpo] C:\WINDOWS\Ljv.exe
O4 - HKCU\..\Run: [Eqo] C:\WINDOWS\System32\Gbp.exe
O4 - HKCU\..\Run: [Iid] C:\WINDOWS\Pue.exe
O4 - HKCU\..\Run: [Tnb] C:\WINDOWS\Evb.exe
O4 - HKCU\..\Run: [Ujc] C:\WINDOWS\Chc.exe
O4 - HKCU\..\Run: [Hig] C:\WINDOWS\System32\Hgm.exe
O4 - HKCU\..\Run: [Obt] C:\WINDOWS\Aas.exe
O4 - HKCU\..\Run: [Nnh] C:\WINDOWS\Fhp.exe
O4 - HKCU\..\Run: [Hvl] C:\WINDOWS\System32\Kef.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\Fve.exe
O4 - HKCU\..\Run: [Chs] C:\WINDOWS\Pjf.exe
O4 - HKCU\..\Run: [Blg] C:\WINDOWS\System32\Vae.exe
O4 - HKCU\..\Run: [Jom] C:\WINDOWS\System32\Tov.exe
O4 - HKCU\..\Run: [Ehp] C:\WINDOWS\System32\Fnf.exe
O4 - HKCU\..\Run: [Sit] C:\WINDOWS\System32\Gjr.exe
O4 - HKCU\..\Run: [Flc] C:\WINDOWS\System32\Lre.exe
O4 - HKCU\..\Run: [Mej] C:\WINDOWS\System32\Ftg.exe
O4 - HKCU\..\Run: [Hns] C:\WINDOWS\System32\Mta.exe
O4 - HKCU\..\Run: [Oaf] C:\WINDOWS\Rfj.exe
O4 - HKCU\..\Run: [Jag] C:\WINDOWS\Ldj.exe
O4 - HKCU\..\Run: [Jhb] C:\WINDOWS\System32\Bro.exe
O4 - HKCU\..\Run: [Aso] C:\WINDOWS\Gdd.exe
O4 - HKCU\..\Run: [Odf] C:\WINDOWS\Mki.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab (http://\"http://launch.gamespyarcade.com/software/launch/alaunch.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: MSMserv - {06FAF956-6F4E-4861-92AD-6B990F0E9205} - C:\WINDOWS\System32\nvapopen.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

Title: SmartSecurity and other problems
Post by: guestolo on October 18, 2005, 10:22:38 PM

I would uninstall P2Pnetworking from Add/remove programs

Afterwards, do the following

==Download and save too desktop or a folder
The Standalone version of CWShredder.exe (http://\"http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe\")
We'll need this later

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit

==Download smitRem.exe (http://\"http://noahdfear.geekstogo.com/click%20counter/click.php?id=1\") and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

==Download and Install the free version of Ad-Aware SE Personal 1.06 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
After it is updated, close it down, we'll run it later

==Download and then Install
Ewido Security Suite (http://\"http://www.ewido.net/en/download/\")

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")


Now that you have the tools
Please print this out or save these instructions to notepad for reference
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\") without networking
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open the SmitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open Ad-Aware>>Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

==Open CWShredder.exe and click on the FIX button, let it finish it's scan

Reboot back to Normal mode

Afterwards
Come back here and supply a few logs
Supply a fresh hijackthis log and the Report from Ewidos
Also include the log SmitRem.txt

Title: SmartSecurity and other problems
Post by: Guest_Jarcy_* on October 20, 2005, 02:53:06 AM

Hi Guestolo,

Many thanks for your help! It's so much appreciated. /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

I've followed all of the directions so far.
I couldn't open your link to smitRem, so searched the net for an alternative link and downloaded from there. Hope that's ok. Only problem is that I couldn't seem to find a log once finished running. I didn't complete the Disk Cleanup utility that it launches once complete.

I've now got rid of the SmartSecurity Red and Black screen  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />  - but right click & double icons still broken.

I was surprised that my version of Ad-Aware 6 appears to be out of date, as no updates were available and previously I was getting clean scans. Ad-aware SE found 72 bugs!

My notepad doesn't work and when I looked at the log from Ewido, I'm guessing that this has been hijacked as well. Notepad.exe appears to be missing.

I had saved the Ewido log to desktop, but it now appears to be missing. Do you want me to run this again?

Here's my new HijackThis log (amazingly captured from a Notepad window produced):

Thanks again!  /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Logfile of HijackThis v1.99.1
Scan saved at 8:42:19 AM, on 10/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq= (http://\"http://bestsearch.cc/1076/search.php?qq=\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Qbf] C:\WINDOWS\System32\Oek.exe
O4 - HKLM\..\Run: [Bln] C:\WINDOWS\Tnf.exe
O4 - HKLM\..\Run: [Ijs] C:\WINDOWS\System32\Rto.exe
O4 - HKLM\..\Run: [Hds] C:\WINDOWS\System32\Som.exe
O4 - HKLM\..\Run: [Eun] C:\WINDOWS\System32\Utb.exe
O4 - HKLM\..\Run: [Mrd] C:\WINDOWS\Vor.exe
O4 - HKLM\..\Run: [Jvt] C:\WINDOWS\System32\Lot.exe
O4 - HKLM\..\Run: [Mhd] C:\WINDOWS\System32\Lnb.exe
O4 - HKLM\..\Run: [Inp] C:\WINDOWS\Fmj.exe
O4 - HKLM\..\Run: [Ivk] C:\WINDOWS\System32\Ndb.exe
O4 - HKLM\..\Run: [Ksu] C:\WINDOWS\System32\Vde.exe
O4 - HKLM\..\Run: [Eha] C:\WINDOWS\Lcv.exe
O4 - HKLM\..\Run: [Rhj] C:\WINDOWS\System32\Jlf.exe
O4 - HKLM\..\Run: [Iha] C:\WINDOWS\System32\Ajv.exe
O4 - HKLM\..\Run: [Klq] C:\WINDOWS\System32\Ptf.exe
O4 - HKLM\..\Run: [Lot] C:\WINDOWS\System32\Mjo.exe
O4 - HKLM\..\Run: [Scm] C:\WINDOWS\System32\Dkm.exe
O4 - HKLM\..\Run: [Esk] C:\WINDOWS\System32\Niu.exe
O4 - HKLM\..\Run: [Bcc] C:\WINDOWS\Jcd.exe
O4 - HKLM\..\Run: [Tmj] C:\WINDOWS\Mlq.exe
O4 - HKLM\..\Run: [Mva] C:\WINDOWS\System32\Crb.exe
O4 - HKLM\..\Run: [Iea] C:\WINDOWS\Stk.exe
O4 - HKLM\..\Run: [Tpe] C:\WINDOWS\System32\Umd.exe
O4 - HKLM\..\Run: [Jdp] C:\WINDOWS\Gbb.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Atd.exe
O4 - HKLM\..\Run: [Omc] C:\WINDOWS\Hlu.exe
O4 - HKLM\..\Run: [Ohq] C:\WINDOWS\System32\Afp.exe
O4 - HKLM\..\Run: [Tos] C:\WINDOWS\Bcv.exe
O4 - HKLM\..\Run: [Nfe] C:\WINDOWS\System32\Uuj.exe
O4 - HKLM\..\Run: [Vgv] C:\WINDOWS\Lpq.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Pva] C:\WINDOWS\Mvp.exe
O4 - HKLM\..\Run: [Jpo] C:\WINDOWS\Ljv.exe
O4 - HKLM\..\Run: [Eqo] C:\WINDOWS\System32\Gbp.exe
O4 - HKLM\..\Run: [Iid] C:\WINDOWS\Pue.exe
O4 - HKLM\..\Run: [Tnb] C:\WINDOWS\Evb.exe
O4 - HKLM\..\Run: [Ver] C:\WINDOWS\System32\Ndc.exe
O4 - HKLM\..\Run: [Dct] C:\WINDOWS\System32\Sds.exe
O4 - HKLM\..\Run: [Kqi] C:\WINDOWS\Kss.exe
O4 - HKLM\..\Run: [Opj] C:\WINDOWS\System32\Ibr.exe
O4 - HKLM\..\Run: [Hht] C:\WINDOWS\System32\Mki.exe
O4 - HKLM\..\Run: [Gst] C:\WINDOWS\System32\Rhf.exe
O4 - HKLM\..\Run: [Nbp] C:\WINDOWS\System32\Vre.exe
O4 - HKLM\..\Run: [Ujc] C:\WINDOWS\Chc.exe
O4 - HKLM\..\Run: [Pju] C:\WINDOWS\Fsk.exe
O4 - HKLM\..\Run: [Hig] C:\WINDOWS\System32\Hgm.exe
O4 - HKLM\..\Run: [Vim] C:\WINDOWS\System32\Ufn.exe
O4 - HKLM\..\Run: [Obt] C:\WINDOWS\Aas.exe
O4 - HKLM\..\Run: [Qfo] C:\WINDOWS\Bjd.exe
O4 - HKLM\..\Run: [Nnh] C:\WINDOWS\Fhp.exe
O4 - HKLM\..\Run: [Qmt] C:\WINDOWS\System32\Hgf.exe
O4 - HKLM\..\Run: [Hvl] C:\WINDOWS\System32\Kef.exe
O4 - HKLM\..\Run: [Fsn] C:\WINDOWS\Fic.exe
O4 - HKLM\..\Run: [Kpd] C:\WINDOWS\Evn.exe
O4 - HKLM\..\Run: [Ocr] C:\WINDOWS\System32\Por.exe
O4 - HKLM\..\Run: [Hdv] C:\WINDOWS\Rrf.exe
O4 - HKLM\..\Run: [Erk] C:\WINDOWS\System32\Jsb.exe
O4 - HKLM\..\Run: [Cng] C:\WINDOWS\Ffj.exe
O4 - HKLM\..\Run: [Fcb] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Rpe.exe
O4 - HKLM\..\Run: [Bvr] C:\WINDOWS\Fun.exe
O4 - HKLM\..\Run: [Pma] C:\WINDOWS\System32\Gdt.exe
O4 - HKLM\..\Run: [Etr] C:\WINDOWS\Mep.exe
O4 - HKLM\..\Run: [Rjp] C:\WINDOWS\Igd.exe
O4 - HKLM\..\Run: [Boj] C:\WINDOWS\System32\Pnu.exe
O4 - HKLM\..\Run: [Obl] C:\WINDOWS\System32\Nli.exe
O4 - HKLM\..\Run: [Nem] C:\WINDOWS\System32\Pdh.exe
O4 - HKLM\..\Run: [Nnj] C:\WINDOWS\Nog.exe
O4 - HKLM\..\Run: [Lar] C:\WINDOWS\System32\Vvk.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\Mst.exe
O4 - HKLM\..\Run: [Tmq] C:\WINDOWS\System32\Uam.exe
O4 - HKLM\..\Run: [Kct] C:\WINDOWS\Hkk.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Vea.exe
O4 - HKLM\..\Run: [Hfu] C:\WINDOWS\System32\Cft.exe
O4 - HKLM\..\Run: [Fef] C:\WINDOWS\Nff.exe
O4 - HKLM\..\Run: [Dao] C:\WINDOWS\System32\Sld.exe
O4 - HKLM\..\Run: [Csc] C:\WINDOWS\System32\Jtc.exe
O4 - HKLM\..\Run: [Hpn] C:\WINDOWS\Ehf.exe
O4 - HKLM\..\Run: [Tnc] C:\WINDOWS\System32\Rnl.exe
O4 - HKLM\..\Run: [Tkd] C:\WINDOWS\System32\Tfq.exe
O4 - HKLM\..\Run: [Cuf] C:\WINDOWS\Ijl.exe
O4 - HKLM\..\Run: [Ebk] C:\WINDOWS\System32\Vqr.exe
O4 - HKLM\..\Run: [Vep] C:\WINDOWS\System32\Rih.exe
O4 - HKLM\..\Run: [Odr] C:\WINDOWS\System32\Fti.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ptp.exe
O4 - HKLM\..\Run: [Ker] C:\WINDOWS\System32\Olh.exe
O4 - HKLM\..\Run: [Oaa] C:\WINDOWS\System32\Ukl.exe
O4 - HKLM\..\Run: [Tod] C:\WINDOWS\Buc.exe
O4 - HKLM\..\Run: [Eed] C:\WINDOWS\System32\Lpi.exe
O4 - HKLM\..\Run: [Oae] C:\WINDOWS\System32\Geq.exe
O4 - HKLM\..\Run: [Sfb] C:\WINDOWS\System32\Fem.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\Fve.exe
O4 - HKLM\..\Run: [Hba] C:\WINDOWS\Tpm.exe
O4 - HKLM\..\Run: [Chs] C:\WINDOWS\Pjf.exe
O4 - HKLM\..\Run: [Tup] C:\WINDOWS\Hcu.exe
O4 - HKLM\..\Run: [Blg] C:\WINDOWS\System32\Vae.exe
O4 - HKLM\..\Run: [Ljh] C:\WINDOWS\Bun.exe
O4 - HKLM\..\Run: [Jom] C:\WINDOWS\System32\Tov.exe
O4 - HKLM\..\Run: [Mlm] C:\WINDOWS\System32\Fdt.exe
O4 - HKLM\..\Run: [Ehp] C:\WINDOWS\System32\Fnf.exe
O4 - HKLM\..\Run: [Jsr] C:\WINDOWS\System32\Uem.exe
O4 - HKLM\..\Run: [Sit] C:\WINDOWS\System32\Gjr.exe
O4 - HKLM\..\Run: [Erm] C:\WINDOWS\Min.exe
O4 - HKLM\..\Run: [Flc] C:\WINDOWS\System32\Lre.exe
O4 - HKLM\..\Run: [Rar] C:\WINDOWS\System32\Vba.exe
O4 - HKLM\..\Run: [Mej] C:\WINDOWS\System32\Ftg.exe
O4 - HKLM\..\Run: [Vkl] C:\WINDOWS\Jfo.exe
O4 - HKLM\..\Run: [Hns] C:\WINDOWS\System32\Mta.exe
O4 - HKLM\..\Run: [Ukv] C:\WINDOWS\System32\Gqr.exe
O4 - HKLM\..\Run: [Oaf] C:\WINDOWS\Rfj.exe
O4 - HKLM\..\Run: [Ace] C:\WINDOWS\Jjn.exe
O4 - HKLM\..\Run: [Jag] C:\WINDOWS\Ldj.exe
O4 - HKLM\..\Run: [Llq] C:\WINDOWS\Nat.exe
O4 - HKLM\..\Run: [Qce] C:\WINDOWS\Uoj.exe
O4 - HKLM\..\Run: [Pmg] C:\WINDOWS\Erc.exe
O4 - HKLM\..\Run: [Jog] C:\WINDOWS\Dvd.exe
O4 - HKLM\..\Run: [Pba] C:\WINDOWS\System32\Iol.exe
O4 - HKLM\..\Run: [Vau] C:\WINDOWS\System32\Mpf.exe
O4 - HKLM\..\Run: [Gub] C:\WINDOWS\Rtf.exe
O4 - HKLM\..\Run: [Sjt] C:\WINDOWS\System32\Luc.exe
O4 - HKLM\..\Run: [Mel] C:\WINDOWS\Tch.exe
O4 - HKLM\..\Run: [Nal] C:\WINDOWS\System32\Ipc.exe
O4 - HKLM\..\Run: [Nok] C:\WINDOWS\Ial.exe
O4 - HKLM\..\Run: [Pto] C:\WINDOWS\Dda.exe
O4 - HKLM\..\Run: [Tko] C:\WINDOWS\Bfi.exe
O4 - HKLM\..\Run: [Ugl] C:\WINDOWS\System32\Vbg.exe
O4 - HKLM\..\Run: [Brm] C:\WINDOWS\System32\Oaq.exe
O4 - HKLM\..\Run: [Fio] C:\WINDOWS\Agb.exe
O4 - HKLM\..\Run: [Ohe] C:\WINDOWS\Rvu.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Qbj.exe
O4 - HKLM\..\Run: [Iuu] C:\WINDOWS\Lkp.exe
O4 - HKLM\..\Run: [Cre] C:\WINDOWS\System32\Adk.exe
O4 - HKLM\..\Run: [Oqe] C:\WINDOWS\System32\Qut.exe
O4 - HKLM\..\Run: [Nci] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Fmn] C:\WINDOWS\Hnu.exe
O4 - HKLM\..\Run: [Pni] C:\WINDOWS\Uve.exe
O4 - HKLM\..\Run: [Qak] C:\WINDOWS\System32\Joo.exe
O4 - HKLM\..\Run: [Gpk] C:\WINDOWS\Fpn.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Fpc.exe
O4 - HKLM\..\Run: [Fjv] C:\WINDOWS\System32\Nbn.exe
O4 - HKLM\..\Run: [Fce] C:\WINDOWS\Hph.exe
O4 - HKLM\..\Run: [Gjs] C:\WINDOWS\System32\Jld.exe
O4 - HKLM\..\Run: [Rfb] C:\WINDOWS\System32\Vhh.exe
O4 - HKLM\..\Run: [Ihq] C:\WINDOWS\Uvh.exe
O4 - HKLM\..\Run: [Tvk] C:\WINDOWS\Llv.exe
O4 - HKLM\..\Run: [Afe] C:\WINDOWS\System32\Api.exe
O4 - HKLM\..\Run: [Pkd] C:\WINDOWS\Hor.exe
O4 - HKLM\..\Run: [Gvc] C:\WINDOWS\Lnc.exe
O4 - HKLM\..\Run: [Uub] C:\WINDOWS\Ark.exe
O4 - HKLM\..\Run: [Ugp] C:\WINDOWS\Mbo.exe
O4 - HKLM\..\Run: [Rbb] C:\WINDOWS\Eug.exe
O4 - HKLM\..\Run: [Udk] C:\WINDOWS\Opa.exe
O4 - HKLM\..\Run: [Htk] C:\WINDOWS\System32\Atd.exe
O4 - HKLM\..\Run: [Gsd] C:\WINDOWS\Scd.exe
O4 - HKLM\..\Run: [Bdm] C:\WINDOWS\System32\Lev.exe
O4 - HKLM\..\Run: [Utp] C:\WINDOWS\System32\Ikf.exe
O4 - HKLM\..\Run: [Qqf] C:\WINDOWS\Oun.exe
O4 - HKLM\..\Run: [Nuf] C:\WINDOWS\Rhp.exe
O4 - HKLM\..\Run: [Jji] C:\WINDOWS\Cjc.exe
O4 - HKLM\..\Run: [Aki] C:\WINDOWS\System32\Sbg.exe
O4 - HKLM\..\Run: [Jcl] C:\WINDOWS\System32\Ihv.exe
O4 - HKLM\..\Run: [Mcc] C:\WINDOWS\Vmq.exe
O4 - HKLM\..\Run: [Kui] C:\WINDOWS\Bjh.exe
O4 - HKLM\..\Run: [Unk] C:\WINDOWS\Kqc.exe
O4 - HKLM\..\Run: [Fgv] C:\WINDOWS\System32\Usr.exe
O4 - HKLM\..\Run: [Stv] C:\WINDOWS\System32\Egl.exe
O4 - HKLM\..\Run: [Sth] C:\WINDOWS\System32\Pro.exe
O4 - HKLM\..\Run: [Pei] C:\WINDOWS\Bqp.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\System32\Mfs.exe
O4 - HKLM\..\Run: [Qmb] C:\WINDOWS\System32\Prs.exe
O4 - HKLM\..\Run: [Jlq] C:\WINDOWS\Kpp.exe
O4 - HKLM\..\Run: [Avp] C:\WINDOWS\Nlp.exe
O4 - HKLM\..\Run: [Lpi] C:\WINDOWS\Dqo.exe
O4 - HKLM\..\Run: [Iar] C:\WINDOWS\System32\Chb.exe
O4 - HKLM\..\Run: [Igo] C:\WINDOWS\System32\Ctt.exe
O4 - HKLM\..\Run: [Aak] C:\WINDOWS\Efv.exe
O4 - HKLM\..\Run: [Son] C:\WINDOWS\Ghd.exe
O4 - HKLM\..\Run: [Dep] C:\WINDOWS\Vpi.exe
O4 - HKLM\..\Run: [Lto] C:\WINDOWS\Naj.exe
O4 - HKLM\..\Run: [Svh] C:\WINDOWS\Nht.exe
O4 - HKLM\..\Run: [Hou] C:\WINDOWS\Bcn.exe
O4 - HKLM\..\Run: [Isj] C:\WINDOWS\Upu.exe
O4 - HKLM\..\Run: [Bsn] C:\WINDOWS\Imj.exe
O4 - HKLM\..\Run: [Qcc] C:\WINDOWS\Hvn.exe
O4 - HKLM\..\Run: [Vvp] C:\WINDOWS\Hct.exe
O4 - HKLM\..\Run: [Ttn] C:\WINDOWS\Bpv.exe
O4 - HKLM\..\Run: [Gah] C:\WINDOWS\Qvt.exe
O4 - HKLM\..\Run: [Pjv] C:\WINDOWS\Ebg.exe
O4 - HKLM\..\Run: [Qgl] C:\WINDOWS\Bhb.exe
O4 - HKLM\..\Run: [Evd] C:\WINDOWS\Fik.exe
O4 - HKLM\..\Run: [Vfd] C:\WINDOWS\Gha.exe
O4 - HKLM\..\Run: [Qol] C:\WINDOWS\Jid.exe
O4 - HKLM\..\Run: [Fag] C:\WINDOWS\System32\Sme.exe
O4 - HKLM\..\Run: [Peo] C:\WINDOWS\Bms.exe
O4 - HKLM\..\Run: [Lhd] C:\WINDOWS\System32\Ktc.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Dch.exe
O4 - HKLM\..\Run: [Knl] C:\WINDOWS\System32\Qlg.exe
O4 - HKLM\..\Run: [Emp] C:\WINDOWS\System32\Ord.exe
O4 - HKLM\..\Run: [Aru] C:\WINDOWS\Hpk.exe
O4 - HKLM\..\Run: [Jcn] C:\WINDOWS\System32\Iqg.exe
O4 - HKLM\..\Run: [Rlf] C:\WINDOWS\System32\Knn.exe
O4 - HKLM\..\Run: [Kjv] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\Gqi.exe
O4 - HKLM\..\Run: [Tfk] C:\WINDOWS\System32\Vjl.exe
O4 - HKLM\..\Run: [Eob] C:\WINDOWS\System32\Tms.exe
O4 - HKLM\..\Run: [Eav] C:\WINDOWS\System32\Nnr.exe
O4 - HKLM\..\Run: [Vil] C:\WINDOWS\Npt.exe
O4 - HKLM\..\Run: [Fvi] C:\WINDOWS\Tik.exe
O4 - HKLM\..\Run: [Ifl] C:\WINDOWS\Kln.exe
O4 - HKLM\..\Run: [Old] C:\WINDOWS\Lol.exe
O4 - HKLM\..\Run: [Jao] C:\WINDOWS\System32\Ehi.exe
O4 - HKLM\..\Run: [Mte] C:\WINDOWS\Rtl.exe
O4 - HKLM\..\Run: [Qrm] C:\WINDOWS\System32\Lrk.exe
O4 - HKLM\..\Run: [Dfi] C:\WINDOWS\Usa.exe
O4 - HKLM\..\Run: [Tih] C:\WINDOWS\Nio.exe
O4 - HKLM\..\Run: [Ssc] C:\WINDOWS\Idp.exe
O4 - HKLM\..\Run: [Uqt] C:\WINDOWS\Ton.exe
O4 - HKLM\..\Run: [Bjd] C:\WINDOWS\System32\Qch.exe
O4 - HKLM\..\Run: [Uhb] C:\WINDOWS\System32\Ktt.exe
O4 - HKLM\..\Run: [Eti] C:\WINDOWS\System32\Qae.exe
O4 - HKLM\..\Run: [Gpb] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Olf] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Ecp] C:\WINDOWS\Giu.exe
O4 - HKLM\..\Run: [Ere] C:\WINDOWS\System32\Fua.exe
O4 - HKLM\..\Run: [Jhb] C:\WINDOWS\System32\Bro.exe
O4 - HKLM\..\Run: [Sqv] C:\WINDOWS\System32\Pts.exe
O4 - HKLM\..\Run: [Aso] C:\WINDOWS\Gdd.exe
O4 - HKLM\..\Run: [Obq] C:\WINDOWS\System32\Kvc.exe
O4 - HKLM\..\Run: [Odf] C:\WINDOWS\Mki.exe
O4 - HKLM\..\Run: [Kaj] C:\WINDOWS\Ivn.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Mhd] C:\WINDOWS\System32\Lnb.exe
O4 - HKCU\..\Run: [Inp] C:\WINDOWS\Fmj.exe
O4 - HKCU\..\Run: [Ivk] C:\WINDOWS\System32\Ndb.exe
O4 - HKCU\..\Run: [Ksu] C:\WINDOWS\System32\Vde.exe
O4 - HKCU\..\Run: [Eha] C:\WINDOWS\Lcv.exe
O4 - HKCU\..\Run: [Rhj] C:\WINDOWS\System32\Jlf.exe
O4 - HKCU\..\Run: [Iha] C:\WINDOWS\System32\Ajv.exe
O4 - HKCU\..\Run: [Klq] C:\WINDOWS\System32\Ptf.exe
O4 - HKCU\..\Run: [Lot] C:\WINDOWS\System32\Mjo.exe
O4 - HKCU\..\Run: [Scm] C:\WINDOWS\System32\Dkm.exe
O4 - HKCU\..\Run: [Esk] C:\WINDOWS\System32\Niu.exe
O4 - HKCU\..\Run: [Bcc] C:\WINDOWS\Jcd.exe
O4 - HKCU\..\Run: [Tmj] C:\WINDOWS\Mlq.exe
O4 - HKCU\..\Run: [Mva] C:\WINDOWS\System32\Crb.exe
O4 - HKCU\..\Run: [Iea] C:\WINDOWS\Stk.exe
O4 - HKCU\..\Run: [Tpe] C:\WINDOWS\System32\Umd.exe
O4 - HKCU\..\Run: [Jdp] C:\WINDOWS\Gbb.exe
O4 - HKCU\..\Run: [Fhn] C:\WINDOWS\Atd.exe
O4 - HKCU\..\Run: [Omc] C:\WINDOWS\Hlu.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\Afp.exe
O4 - HKCU\..\Run: [Tos] C:\WINDOWS\Bcv.exe
O4 - HKCU\..\Run: [Nfe] C:\WINDOWS\System32\Uuj.exe
O4 - HKCU\..\Run: [Vgv] C:\WINDOWS\Lpq.exe
O4 - HKCU\..\Run: [Ihk] C:\WINDOWS\System32\Lve.exe
O4 - HKCU\..\Run: [Pva] C:\WINDOWS\Mvp.exe
O4 - HKCU\..\Run: [Jpo] C:\WINDOWS\Ljv.exe
O4 - HKCU\..\Run: [Eqo] C:\WINDOWS\System32\Gbp.exe
O4 - HKCU\..\Run: [Iid] C:\WINDOWS\Pue.exe
O4 - HKCU\..\Run: [Tnb] C:\WINDOWS\Evb.exe
O4 - HKCU\..\Run: [Ujc] C:\WINDOWS\Chc.exe
O4 - HKCU\..\Run: [Hig] C:\WINDOWS\System32\Hgm.exe
O4 - HKCU\..\Run: [Obt] C:\WINDOWS\Aas.exe
O4 - HKCU\..\Run: [Nnh] C:\WINDOWS\Fhp.exe
O4 - HKCU\..\Run: [Hvl] C:\WINDOWS\System32\Kef.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\Fve.exe
O4 - HKCU\..\Run: [Chs] C:\WINDOWS\Pjf.exe
O4 - HKCU\..\Run: [Blg] C:\WINDOWS\System32\Vae.exe
O4 - HKCU\..\Run: [Jom] C:\WINDOWS\System32\Tov.exe
O4 - HKCU\..\Run: [Ehp] C:\WINDOWS\System32\Fnf.exe
O4 - HKCU\..\Run: [Sit] C:\WINDOWS\System32\Gjr.exe
O4 - HKCU\..\Run: [Flc] C:\WINDOWS\System32\Lre.exe
O4 - HKCU\..\Run: [Mej] C:\WINDOWS\System32\Ftg.exe
O4 - HKCU\..\Run: [Hns] C:\WINDOWS\System32\Mta.exe
O4 - HKCU\..\Run: [Oaf] C:\WINDOWS\Rfj.exe
O4 - HKCU\..\Run: [Jag] C:\WINDOWS\Ldj.exe
O4 - HKCU\..\Run: [Jhb] C:\WINDOWS\System32\Bro.exe
O4 - HKCU\..\Run: [Aso] C:\WINDOWS\Gdd.exe
O4 - HKCU\..\Run: [Odf] C:\WINDOWS\Mki.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: MSMserv - {06FAF956-6F4E-4861-92AD-6B990F0E9205} - C:\WINDOWS\System32\nvapopen.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

Title: SmartSecurity and other problems
Post by: guestolo on October 20, 2005, 11:37:07 PM

I would of really liked to have seen the original logs I asked for
Another scan of any, doesn't help as much right now  /unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' />

Can you do the following please

==Download and UNZIP to desktop or a folder
HSFIX.zip (http://\"http://www.atribune.org/downloads/HSFix.zip\")
HSFix directory will be created
We'll need this later

==Download and Unzip   The Hoster (http://\"http://www.funkytoad.com/download/hoster.zip\")  to a folder
We'll need this later

==Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
 and double-click on HSFix.bat., a window will open and close, this is normal

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq= (http://\"http://bestsearch.cc/1076/search.php?qq=\")

O4 - HKLM\..\Run: [Qbf] C:\WINDOWS\System32\Oek.exe
O4 - HKLM\..\Run: [Bln] C:\WINDOWS\Tnf.exe
O4 - HKLM\..\Run: [Ijs] C:\WINDOWS\System32\Rto.exe
O4 - HKLM\..\Run: [Hds] C:\WINDOWS\System32\Som.exe
O4 - HKLM\..\Run: [Eun] C:\WINDOWS\System32\Utb.exe
O4 - HKLM\..\Run: [Mrd] C:\WINDOWS\Vor.exe
O4 - HKLM\..\Run: [Jvt] C:\WINDOWS\System32\Lot.exe
O4 - HKLM\..\Run: [Mhd] C:\WINDOWS\System32\Lnb.exe
O4 - HKLM\..\Run: [Inp] C:\WINDOWS\Fmj.exe
O4 - HKLM\..\Run: [Ivk] C:\WINDOWS\System32\Ndb.exe
O4 - HKLM\..\Run: [Ksu] C:\WINDOWS\System32\Vde.exe
O4 - HKLM\..\Run: [Eha] C:\WINDOWS\Lcv.exe
O4 - HKLM\..\Run: [Rhj] C:\WINDOWS\System32\Jlf.exe
O4 - HKLM\..\Run: [Iha] C:\WINDOWS\System32\Ajv.exe
O4 - HKLM\..\Run: [Klq] C:\WINDOWS\System32\Ptf.exe
O4 - HKLM\..\Run: [Lot] C:\WINDOWS\System32\Mjo.exe
O4 - HKLM\..\Run: [Scm] C:\WINDOWS\System32\Dkm.exe
O4 - HKLM\..\Run: [Esk] C:\WINDOWS\System32\Niu.exe
O4 - HKLM\..\Run: [Bcc] C:\WINDOWS\Jcd.exe
O4 - HKLM\..\Run: [Tmj] C:\WINDOWS\Mlq.exe
O4 - HKLM\..\Run: [Mva] C:\WINDOWS\System32\Crb.exe
O4 - HKLM\..\Run: [Iea] C:\WINDOWS\Stk.exe
O4 - HKLM\..\Run: [Tpe] C:\WINDOWS\System32\Umd.exe
O4 - HKLM\..\Run: [Jdp] C:\WINDOWS\Gbb.exe
O4 - HKLM\..\Run: [Fhn] C:\WINDOWS\Atd.exe
O4 - HKLM\..\Run: [Omc] C:\WINDOWS\Hlu.exe
O4 - HKLM\..\Run: [Ohq] C:\WINDOWS\System32\Afp.exe
O4 - HKLM\..\Run: [Tos] C:\WINDOWS\Bcv.exe
O4 - HKLM\..\Run: [Nfe] C:\WINDOWS\System32\Uuj.exe
O4 - HKLM\..\Run: [Vgv] C:\WINDOWS\Lpq.exe
O4 - HKLM\..\Run: [Ihk] C:\WINDOWS\System32\Lve.exe
O4 - HKLM\..\Run: [Pva] C:\WINDOWS\Mvp.exe
O4 - HKLM\..\Run: [Jpo] C:\WINDOWS\Ljv.exe
O4 - HKLM\..\Run: [Eqo] C:\WINDOWS\System32\Gbp.exe
O4 - HKLM\..\Run: [Iid] C:\WINDOWS\Pue.exe
O4 - HKLM\..\Run: [Tnb] C:\WINDOWS\Evb.exe
O4 - HKLM\..\Run: [Ver] C:\WINDOWS\System32\Ndc.exe
O4 - HKLM\..\Run: [Dct] C:\WINDOWS\System32\Sds.exe
O4 - HKLM\..\Run: [Kqi] C:\WINDOWS\Kss.exe
O4 - HKLM\..\Run: [Opj] C:\WINDOWS\System32\Ibr.exe
O4 - HKLM\..\Run: [Hht] C:\WINDOWS\System32\Mki.exe
O4 - HKLM\..\Run: [Gst] C:\WINDOWS\System32\Rhf.exe
O4 - HKLM\..\Run: [Nbp] C:\WINDOWS\System32\Vre.exe
O4 - HKLM\..\Run: [Ujc] C:\WINDOWS\Chc.exe
O4 - HKLM\..\Run: [Pju] C:\WINDOWS\Fsk.exe
O4 - HKLM\..\Run: [Hig] C:\WINDOWS\System32\Hgm.exe
O4 - HKLM\..\Run: [Vim] C:\WINDOWS\System32\Ufn.exe
O4 - HKLM\..\Run: [Obt] C:\WINDOWS\Aas.exe
O4 - HKLM\..\Run: [Qfo] C:\WINDOWS\Bjd.exe
O4 - HKLM\..\Run: [Nnh] C:\WINDOWS\Fhp.exe
O4 - HKLM\..\Run: [Qmt] C:\WINDOWS\System32\Hgf.exe
O4 - HKLM\..\Run: [Hvl] C:\WINDOWS\System32\Kef.exe
O4 - HKLM\..\Run: [Fsn] C:\WINDOWS\Fic.exe
O4 - HKLM\..\Run: [Kpd] C:\WINDOWS\Evn.exe
O4 - HKLM\..\Run: [Ocr] C:\WINDOWS\System32\Por.exe
O4 - HKLM\..\Run: [Hdv] C:\WINDOWS\Rrf.exe
O4 - HKLM\..\Run: [Erk] C:\WINDOWS\System32\Jsb.exe
O4 - HKLM\..\Run: [Cng] C:\WINDOWS\Ffj.exe
O4 - HKLM\..\Run: [Fcb] C:\WINDOWS\Kpq.exe
O4 - HKLM\..\Run: [Frf] C:\WINDOWS\System32\Rpe.exe
O4 - HKLM\..\Run: [Bvr] C:\WINDOWS\Fun.exe
O4 - HKLM\..\Run: [Pma] C:\WINDOWS\System32\Gdt.exe
O4 - HKLM\..\Run: [Etr] C:\WINDOWS\Mep.exe
O4 - HKLM\..\Run: [Rjp] C:\WINDOWS\Igd.exe
O4 - HKLM\..\Run: [Boj] C:\WINDOWS\System32\Pnu.exe
O4 - HKLM\..\Run: [Obl] C:\WINDOWS\System32\Nli.exe
O4 - HKLM\..\Run: [Nem] C:\WINDOWS\System32\Pdh.exe
O4 - HKLM\..\Run: [Nnj] C:\WINDOWS\Nog.exe
O4 - HKLM\..\Run: [Lar] C:\WINDOWS\System32\Vvk.exe
O4 - HKLM\..\Run: [Npm] C:\WINDOWS\Mst.exe
O4 - HKLM\..\Run: [Tmq] C:\WINDOWS\System32\Uam.exe
O4 - HKLM\..\Run: [Kct] C:\WINDOWS\Hkk.exe
O4 - HKLM\..\Run: [Gml] C:\WINDOWS\Vea.exe
O4 - HKLM\..\Run: [Hfu] C:\WINDOWS\System32\Cft.exe
O4 - HKLM\..\Run: [Fef] C:\WINDOWS\Nff.exe
O4 - HKLM\..\Run: [Dao] C:\WINDOWS\System32\Sld.exe
O4 - HKLM\..\Run: [Csc] C:\WINDOWS\System32\Jtc.exe
O4 - HKLM\..\Run: [Hpn] C:\WINDOWS\Ehf.exe
O4 - HKLM\..\Run: [Tnc] C:\WINDOWS\System32\Rnl.exe
O4 - HKLM\..\Run: [Tkd] C:\WINDOWS\System32\Tfq.exe
O4 - HKLM\..\Run: [Cuf] C:\WINDOWS\Ijl.exe
O4 - HKLM\..\Run: [Ebk] C:\WINDOWS\System32\Vqr.exe
O4 - HKLM\..\Run: [Vep] C:\WINDOWS\System32\Rih.exe
O4 - HKLM\..\Run: [Odr] C:\WINDOWS\System32\Fti.exe
O4 - HKLM\..\Run: [Vsr] C:\WINDOWS\Ptp.exe
O4 - HKLM\..\Run: [Ker] C:\WINDOWS\System32\Olh.exe
O4 - HKLM\..\Run: [Oaa] C:\WINDOWS\System32\Ukl.exe
O4 - HKLM\..\Run: [Tod] C:\WINDOWS\Buc.exe
O4 - HKLM\..\Run: [Eed] C:\WINDOWS\System32\Lpi.exe
O4 - HKLM\..\Run: [Oae] C:\WINDOWS\System32\Geq.exe
O4 - HKLM\..\Run: [Sfb] C:\WINDOWS\System32\Fem.exe
O4 - HKLM\..\Run: [Vmp] C:\WINDOWS\Fve.exe
O4 - HKLM\..\Run: [Hba] C:\WINDOWS\Tpm.exe
O4 - HKLM\..\Run: [Chs] C:\WINDOWS\Pjf.exe
O4 - HKLM\..\Run: [Tup] C:\WINDOWS\Hcu.exe
O4 - HKLM\..\Run: [Blg] C:\WINDOWS\System32\Vae.exe
O4 - HKLM\..\Run: [Ljh] C:\WINDOWS\Bun.exe
O4 - HKLM\..\Run: [Jom] C:\WINDOWS\System32\Tov.exe
O4 - HKLM\..\Run: [Mlm] C:\WINDOWS\System32\Fdt.exe
O4 - HKLM\..\Run: [Ehp] C:\WINDOWS\System32\Fnf.exe
O4 - HKLM\..\Run: [Jsr] C:\WINDOWS\System32\Uem.exe
O4 - HKLM\..\Run: [Sit] C:\WINDOWS\System32\Gjr.exe
O4 - HKLM\..\Run: [Erm] C:\WINDOWS\Min.exe
O4 - HKLM\..\Run: [Flc] C:\WINDOWS\System32\Lre.exe
O4 - HKLM\..\Run: [Rar] C:\WINDOWS\System32\Vba.exe
O4 - HKLM\..\Run: [Mej] C:\WINDOWS\System32\Ftg.exe
O4 - HKLM\..\Run: [Vkl] C:\WINDOWS\Jfo.exe
O4 - HKLM\..\Run: [Hns] C:\WINDOWS\System32\Mta.exe
O4 - HKLM\..\Run: [Ukv] C:\WINDOWS\System32\Gqr.exe
O4 - HKLM\..\Run: [Oaf] C:\WINDOWS\Rfj.exe
O4 - HKLM\..\Run: [Ace] C:\WINDOWS\Jjn.exe
O4 - HKLM\..\Run: [Jag] C:\WINDOWS\Ldj.exe
O4 - HKLM\..\Run: [Llq] C:\WINDOWS\Nat.exe
O4 - HKLM\..\Run: [Qce] C:\WINDOWS\Uoj.exe
O4 - HKLM\..\Run: [Pmg] C:\WINDOWS\Erc.exe
O4 - HKLM\..\Run: [Jog] C:\WINDOWS\Dvd.exe
O4 - HKLM\..\Run: [Pba] C:\WINDOWS\System32\Iol.exe
O4 - HKLM\..\Run: [Vau] C:\WINDOWS\System32\Mpf.exe
O4 - HKLM\..\Run: [Gub] C:\WINDOWS\Rtf.exe
O4 - HKLM\..\Run: [Sjt] C:\WINDOWS\System32\Luc.exe
O4 - HKLM\..\Run: [Mel] C:\WINDOWS\Tch.exe
O4 - HKLM\..\Run: [Nal] C:\WINDOWS\System32\Ipc.exe
O4 - HKLM\..\Run: [Nok] C:\WINDOWS\Ial.exe
O4 - HKLM\..\Run: [Pto] C:\WINDOWS\Dda.exe
O4 - HKLM\..\Run: [Tko] C:\WINDOWS\Bfi.exe
O4 - HKLM\..\Run: [Ugl] C:\WINDOWS\System32\Vbg.exe
O4 - HKLM\..\Run: [Brm] C:\WINDOWS\System32\Oaq.exe
O4 - HKLM\..\Run: [Fio] C:\WINDOWS\Agb.exe
O4 - HKLM\..\Run: [Ohe] C:\WINDOWS\Rvu.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Qbj.exe
O4 - HKLM\..\Run: [Iuu] C:\WINDOWS\Lkp.exe
O4 - HKLM\..\Run: [Cre] C:\WINDOWS\System32\Adk.exe
O4 - HKLM\..\Run: [Oqe] C:\WINDOWS\System32\Qut.exe
O4 - HKLM\..\Run: [Nci] C:\WINDOWS\Ejj.exe
O4 - HKLM\..\Run: [Fmn] C:\WINDOWS\Hnu.exe
O4 - HKLM\..\Run: [Pni] C:\WINDOWS\Uve.exe
O4 - HKLM\..\Run: [Qak] C:\WINDOWS\System32\Joo.exe
O4 - HKLM\..\Run: [Gpk] C:\WINDOWS\Fpn.exe
O4 - HKLM\..\Run: [Ntr] C:\WINDOWS\Fpc.exe
O4 - HKLM\..\Run: [Fjv] C:\WINDOWS\System32\Nbn.exe
O4 - HKLM\..\Run: [Fce] C:\WINDOWS\Hph.exe
O4 - HKLM\..\Run: [Gjs] C:\WINDOWS\System32\Jld.exe
O4 - HKLM\..\Run: [Rfb] C:\WINDOWS\System32\Vhh.exe
O4 - HKLM\..\Run: [Ihq] C:\WINDOWS\Uvh.exe
O4 - HKLM\..\Run: [Tvk] C:\WINDOWS\Llv.exe
O4 - HKLM\..\Run: [Afe] C:\WINDOWS\System32\Api.exe
O4 - HKLM\..\Run: [Pkd] C:\WINDOWS\Hor.exe
O4 - HKLM\..\Run: [Gvc] C:\WINDOWS\Lnc.exe
O4 - HKLM\..\Run: [Uub] C:\WINDOWS\Ark.exe
O4 - HKLM\..\Run: [Ugp] C:\WINDOWS\Mbo.exe
O4 - HKLM\..\Run: [Rbb] C:\WINDOWS\Eug.exe
O4 - HKLM\..\Run: [Udk] C:\WINDOWS\Opa.exe
O4 - HKLM\..\Run: [Htk] C:\WINDOWS\System32\Atd.exe
O4 - HKLM\..\Run: [Gsd] C:\WINDOWS\Scd.exe
O4 - HKLM\..\Run: [Bdm] C:\WINDOWS\System32\Lev.exe
O4 - HKLM\..\Run: [Utp] C:\WINDOWS\System32\Ikf.exe
O4 - HKLM\..\Run: [Qqf] C:\WINDOWS\Oun.exe
O4 - HKLM\..\Run: [Nuf] C:\WINDOWS\Rhp.exe
O4 - HKLM\..\Run: [Jji] C:\WINDOWS\Cjc.exe
O4 - HKLM\..\Run: [Aki] C:\WINDOWS\System32\Sbg.exe
O4 - HKLM\..\Run: [Jcl] C:\WINDOWS\System32\Ihv.exe
O4 - HKLM\..\Run: [Mcc] C:\WINDOWS\Vmq.exe
O4 - HKLM\..\Run: [Kui] C:\WINDOWS\Bjh.exe
O4 - HKLM\..\Run: [Unk] C:\WINDOWS\Kqc.exe
O4 - HKLM\..\Run: [Fgv] C:\WINDOWS\System32\Usr.exe
O4 - HKLM\..\Run: [Stv] C:\WINDOWS\System32\Egl.exe
O4 - HKLM\..\Run: [Sth] C:\WINDOWS\System32\Pro.exe
O4 - HKLM\..\Run: [Pei] C:\WINDOWS\Bqp.exe
O4 - HKLM\..\Run: [Men] C:\WINDOWS\System32\Mfs.exe
O4 - HKLM\..\Run: [Qmb] C:\WINDOWS\System32\Prs.exe
O4 - HKLM\..\Run: [Jlq] C:\WINDOWS\Kpp.exe
O4 - HKLM\..\Run: [Avp] C:\WINDOWS\Nlp.exe
O4 - HKLM\..\Run: [Lpi] C:\WINDOWS\Dqo.exe
O4 - HKLM\..\Run: [Iar] C:\WINDOWS\System32\Chb.exe
O4 - HKLM\..\Run: [Igo] C:\WINDOWS\System32\Ctt.exe
O4 - HKLM\..\Run: [Aak] C:\WINDOWS\Efv.exe
O4 - HKLM\..\Run: [Son] C:\WINDOWS\Ghd.exe
O4 - HKLM\..\Run: [Dep] C:\WINDOWS\Vpi.exe
O4 - HKLM\..\Run: [Lto] C:\WINDOWS\Naj.exe
O4 - HKLM\..\Run: [Svh] C:\WINDOWS\Nht.exe
O4 - HKLM\..\Run: [Hou] C:\WINDOWS\Bcn.exe
O4 - HKLM\..\Run: [Isj] C:\WINDOWS\Upu.exe
O4 - HKLM\..\Run: [Bsn] C:\WINDOWS\Imj.exe
O4 - HKLM\..\Run: [Qcc] C:\WINDOWS\Hvn.exe
O4 - HKLM\..\Run: [Vvp] C:\WINDOWS\Hct.exe
O4 - HKLM\..\Run: [Ttn] C:\WINDOWS\Bpv.exe
O4 - HKLM\..\Run: [Gah] C:\WINDOWS\Qvt.exe
O4 - HKLM\..\Run: [Pjv] C:\WINDOWS\Ebg.exe
O4 - HKLM\..\Run: [Qgl] C:\WINDOWS\Bhb.exe
O4 - HKLM\..\Run: [Evd] C:\WINDOWS\Fik.exe
O4 - HKLM\..\Run: [Vfd] C:\WINDOWS\Gha.exe
O4 - HKLM\..\Run: [Qol] C:\WINDOWS\Jid.exe
O4 - HKLM\..\Run: [Fag] C:\WINDOWS\System32\Sme.exe
O4 - HKLM\..\Run: [Peo] C:\WINDOWS\Bms.exe
O4 - HKLM\..\Run: [Lhd] C:\WINDOWS\System32\Ktc.exe
O4 - HKLM\..\Run: [Mjr] C:\WINDOWS\Dch.exe
O4 - HKLM\..\Run: [Knl] C:\WINDOWS\System32\Qlg.exe
O4 - HKLM\..\Run: [Emp] C:\WINDOWS\System32\Ord.exe
O4 - HKLM\..\Run: [Aru] C:\WINDOWS\Hpk.exe
O4 - HKLM\..\Run: [Jcn] C:\WINDOWS\System32\Iqg.exe
O4 - HKLM\..\Run: [Rlf] C:\WINDOWS\System32\Knn.exe
O4 - HKLM\..\Run: [Kjv] C:\WINDOWS\Mqq.exe
O4 - HKLM\..\Run: [Vda] C:\WINDOWS\Gqi.exe
O4 - HKLM\..\Run: [Tfk] C:\WINDOWS\System32\Vjl.exe
O4 - HKLM\..\Run: [Eob] C:\WINDOWS\System32\Tms.exe
O4 - HKLM\..\Run: [Eav] C:\WINDOWS\System32\Nnr.exe
O4 - HKLM\..\Run: [Vil] C:\WINDOWS\Npt.exe
O4 - HKLM\..\Run: [Fvi] C:\WINDOWS\Tik.exe
O4 - HKLM\..\Run: [Ifl] C:\WINDOWS\Kln.exe
O4 - HKLM\..\Run: [Old] C:\WINDOWS\Lol.exe
O4 - HKLM\..\Run: [Jao] C:\WINDOWS\System32\Ehi.exe
O4 - HKLM\..\Run: [Mte] C:\WINDOWS\Rtl.exe
O4 - HKLM\..\Run: [Qrm] C:\WINDOWS\System32\Lrk.exe
O4 - HKLM\..\Run: [Dfi] C:\WINDOWS\Usa.exe
O4 - HKLM\..\Run: [Tih] C:\WINDOWS\Nio.exe
O4 - HKLM\..\Run: [Ssc] C:\WINDOWS\Idp.exe
O4 - HKLM\..\Run: [Uqt] C:\WINDOWS\Ton.exe
O4 - HKLM\..\Run: [Bjd] C:\WINDOWS\System32\Qch.exe
O4 - HKLM\..\Run: [Uhb] C:\WINDOWS\System32\Ktt.exe
O4 - HKLM\..\Run: [Eti] C:\WINDOWS\System32\Qae.exe
O4 - HKLM\..\Run: [Gpb] C:\WINDOWS\System32\Vsq.exe
O4 - HKLM\..\Run: [Olf] C:\WINDOWS\Bfc.exe
O4 - HKLM\..\Run: [Ecp] C:\WINDOWS\Giu.exe
O4 - HKLM\..\Run: [Ere] C:\WINDOWS\System32\Fua.exe
O4 - HKLM\..\Run: [Jhb] C:\WINDOWS\System32\Bro.exe
O4 - HKLM\..\Run: [Sqv] C:\WINDOWS\System32\Pts.exe
O4 - HKLM\..\Run: [Aso] C:\WINDOWS\Gdd.exe
O4 - HKLM\..\Run: [Obq] C:\WINDOWS\System32\Kvc.exe
O4 - HKLM\..\Run: [Odf] C:\WINDOWS\Mki.exe
O4 - HKLM\..\Run: [Kaj] C:\WINDOWS\Ivn.exe

O4 - HKCU\..\Run: [Mhd] C:\WINDOWS\System32\Lnb.exe
O4 - HKCU\..\Run: [Inp] C:\WINDOWS\Fmj.exe
O4 - HKCU\..\Run: [Ivk] C:\WINDOWS\System32\Ndb.exe
O4 - HKCU\..\Run: [Ksu] C:\WINDOWS\System32\Vde.exe
O4 - HKCU\..\Run: [Eha] C:\WINDOWS\Lcv.exe
O4 - HKCU\..\Run: [Rhj] C:\WINDOWS\System32\Jlf.exe
O4 - HKCU\..\Run: [Iha] C:\WINDOWS\System32\Ajv.exe
O4 - HKCU\..\Run: [Klq] C:\WINDOWS\System32\Ptf.exe
O4 - HKCU\..\Run: [Lot] C:\WINDOWS\System32\Mjo.exe
O4 - HKCU\..\Run: [Scm] C:\WINDOWS\System32\Dkm.exe
O4 - HKCU\..\Run: [Esk] C:\WINDOWS\System32\Niu.exe
O4 - HKCU\..\Run: [Bcc] C:\WINDOWS\Jcd.exe
O4 - HKCU\..\Run: [Tmj] C:\WINDOWS\Mlq.exe
O4 - HKCU\..\Run: [Mva] C:\WINDOWS\System32\Crb.exe
O4 - HKCU\..\Run: [Iea] C:\WINDOWS\Stk.exe
O4 - HKCU\..\Run: [Tpe] C:\WINDOWS\System32\Umd.exe
O4 - HKCU\..\Run: [Jdp] C:\WINDOWS\Gbb.exe
O4 - HKCU\..\Run: [Fhn] C:\WINDOWS\Atd.exe
O4 - HKCU\..\Run: [Omc] C:\WINDOWS\Hlu.exe
O4 - HKCU\..\Run: [Ohq] C:\WINDOWS\System32\Afp.exe
O4 - HKCU\..\Run: [Tos] C:\WINDOWS\Bcv.exe
O4 - HKCU\..\Run: [Nfe] C:\WINDOWS\System32\Uuj.exe
O4 - HKCU\..\Run: [Vgv] C:\WINDOWS\Lpq.exe
O4 - HKCU\..\Run: [Ihk] C:\WINDOWS\System32\Lve.exe
O4 - HKCU\..\Run: [Pva] C:\WINDOWS\Mvp.exe
O4 - HKCU\..\Run: [Jpo] C:\WINDOWS\Ljv.exe
O4 - HKCU\..\Run: [Eqo] C:\WINDOWS\System32\Gbp.exe
O4 - HKCU\..\Run: [Iid] C:\WINDOWS\Pue.exe
O4 - HKCU\..\Run: [Tnb] C:\WINDOWS\Evb.exe
O4 - HKCU\..\Run: [Ujc] C:\WINDOWS\Chc.exe
O4 - HKCU\..\Run: [Hig] C:\WINDOWS\System32\Hgm.exe
O4 - HKCU\..\Run: [Obt] C:\WINDOWS\Aas.exe
O4 - HKCU\..\Run: [Nnh] C:\WINDOWS\Fhp.exe
O4 - HKCU\..\Run: [Hvl] C:\WINDOWS\System32\Kef.exe
O4 - HKCU\..\Run: [Vmp] C:\WINDOWS\Fve.exe
O4 - HKCU\..\Run: [Chs] C:\WINDOWS\Pjf.exe
O4 - HKCU\..\Run: [Blg] C:\WINDOWS\System32\Vae.exe
O4 - HKCU\..\Run: [Jom] C:\WINDOWS\System32\Tov.exe
O4 - HKCU\..\Run: [Ehp] C:\WINDOWS\System32\Fnf.exe
O4 - HKCU\..\Run: [Sit] C:\WINDOWS\System32\Gjr.exe
O4 - HKCU\..\Run: [Flc] C:\WINDOWS\System32\Lre.exe
O4 - HKCU\..\Run: [Mej] C:\WINDOWS\System32\Ftg.exe
O4 - HKCU\..\Run: [Hns] C:\WINDOWS\System32\Mta.exe
O4 - HKCU\..\Run: [Oaf] C:\WINDOWS\Rfj.exe
O4 - HKCU\..\Run: [Jag] C:\WINDOWS\Ldj.exe
O4 - HKCU\..\Run: [Jhb] C:\WINDOWS\System32\Bro.exe
O4 - HKCU\..\Run: [Aso] C:\WINDOWS\Gdd.exe
O4 - HKCU\..\Run: [Odf] C:\WINDOWS\Mki.exe

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: MSMserv - {06FAF956-6F4E-4861-92AD-6B990F0E9205} - C:\WINDOWS\System32\nvapopen.dll (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Back in Windows
==Open Hoster and
Press "Restore Original Hosts" and press "OK".
Then Exit

Run hijackthis again and post a fresh log

Also, do the following
I've uploaded a file below called Search.zip
Unzip it to desktop
Double click on Search.bat
A text file will open, copy and paste back the contents

Title: SmartSecurity and other problems
Post by: Jarcy on October 23, 2005, 04:14:04 PM

Hi Gustolo,

Thanks again for your continued support!

Here's my HijactThis log and Search.bat:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:25 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LeechGet 2005\LeechGet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

SEARCH.BAT:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe -CheckReg"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTHelper"="CTHELPER.EXE"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE"
"Creative WebCam Tray"="C:\\Program Files\\Creative\\Shared Files\\CAMTRAY.EXE"
"Camera Detector"="C:\\PROGRA~1\\ACDSYS~1\\DEVDET~1\\DEVDET~1.EXE -autorun"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MCAgentExe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\mcupdate.exe"
"McAfee Guardian"="\"C:\\Program Files\\McAfee\\McAfee Shared Components\\Guardian\\CMGrdian.exe\" /SU"
"VirusScanMSC"="\"C:\\Program Files\\McAfee\\McAfee VirusScan\\VSStat.exe\" /EMBEDDING"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"McAfee.InstantUpdate.Monitor"="\"C:\\Program Files\\McAfee\\McAfee Shared Components\\Instant Updater\\RuLaunch.exe\" /STARTMONITOR"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C56CB6B0-0D96-11D6-8C65-B2868B609932}]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoViewContextMenu"=dword:00000002
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"LoadedBefore"="1"
"ThemeActive"="1"
"LastUserLangID"="1033"
"DllName"=hex(2):25,00,00,00,53,00,00,00,79,00,00,00,73,00,00,00,74,00,00,00,\
  65,00,00,00,6d,00,00,00,52,00,00,00,6f,00,00,00,6f,00,00,00,74,00,00,00,25,\
  00,00,00,5c,00,00,00,72,00,00,00,65,00,00,00,73,00,00,00,6f,00,00,00,75,00,\
  00,00,72,00,00,00,63,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,54,00,00,\
  00,68,00,00,00,65,00,00,00,6d,00,00,00,65,00,00,00,73,00,00,00,5c,00,00,00,\
  6c,00,00,00,75,00,00,00,6e,00,00,00,61,00,00,00,5c,00,00,00,6c,00,00,00,75,\
  00,00,00,6e,00,00,00,61,00,00,00,2e,00,00,00,6d,00,00,00,73,00,00,00,73,00,\
  00,00,74,00,00,00,79,00,00,00,6c,00,00,00,65,00,00,00,73,00,00,00,00,00,00,\
  00
"ColorName"="NormalColor"
"SizeName"="NormalSize"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
  00,00,01,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000


There was plenty to check through HijackThis. Hopefully you can see the wood for the trees now!
Many thanks again.

Jarcy.

Title: SmartSecurity and other problems
Post by: guestolo on October 23, 2005, 07:13:35 PM

Remove your version of Smitrem.exe and the extracted folder

I'm going to upload you a couple files down below
Can you UNZIP both too desktop please
Smitrem.zip and fix.zip

So you now have a Smitfraud folder and fix.reg too desktop

Do another scan with hijackthis and fix checked these entries with all other windows closed
O9 - Extra button: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9646D4D8-EAA9-43AC-BD57-FC13D25381EE} - (no file) (HKCU)

Reboot back to SAFE MODE
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open the SmitRem folder you just unzipped, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Double click on fix.reg and allow to merge to the registry

Reboot back to Normal mode

Back in Windows

Can you show me the following logs
A new hijackthis log and the log from Smitrem
C:\smitfiles.txt <-this log

Let me know if the right click issue is resolved or any other problems

Title: SmartSecurity and other problems
Post by: Jarcy on October 24, 2005, 05:02:12 PM

Guestolo,

Thanks again. Had a problem opening the 2 files:- Smitrem.zip and Fix.zip. Winzip failed to open these and stated "Does not appear to be a valid archive". Do I need to buy the full version of Winzip in order to open these files? I thought anyone should be able to open a downloaded zipped file.

Thanks, Jarcy.

Title: SmartSecurity and other problems
Post by: guestolo on October 24, 2005, 09:46:00 PM

Can you override Winzip and use the built in utility within XP
Right click on the file and left click OPEN WITH
Select Compressed (Zipped) folders
Select File in the menu bar and then Extract All
Click Next
Allow to extract to desktop
Uncheck show extracted files
We'll need this later in safe mode

Do the same thing for both files

Title: SmartSecurity and other problems
Post by: Jarcy on October 26, 2005, 03:11:23 PM

Gustolo,

OK, here goes with my progress:

Could open fix.zip using the windows XP tool, but not smitRem.zip, so unzipped at work, and copied to my machine by memory stick.

SmitRem ran, but the disk cleanup seemed to crash - just exited and didn't even complete the initial disc scan.
So restarted disk cleanup from System Tools. I left it running for 24 hours, but still seemed nowhere near finished, so cancelled the operation. (it seemed to have stopped doing anything, and hadn't moved for a good 12 hours). Initial scan reported 40odd gig of files to clean!! /blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> If I restart now, still 27gig found.
Should I persevere to the end with disk cleanup? Is it ok to run it overnight repeatedly until it's worked it's way throught the files? i.e. keep starting and stopping it.

Good news is that Right Click on the desk top now works! Thanks!!

Problems that still exist are:

1. Doubled desktop icons (legacy of SmartSecurity)
2. Word crashes each time I try to start it. Unistalling Office, and reinstalling didn't solve this problem.
3. Excel crashes every time I try to open a file, although you can successfully start and work on a new file.
4. Notepad.exe seems to be missing. Notepad won't start.
5. McAfee Virus Scan crashes every time you try to enable it. Firewall appears to work fine though.

Here's Smitfile.txt


   smitRem log file
     version 2.7

     by noahdfear

The current date is: Tue 10/25/2005
The current time is: 23:08:10.57

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files

 ~~~ Program Files ~~~
 ~~~ Shortcuts ~~~
 ~~~ Favorites ~~~
 ~~~ system32 folder ~~~
 ~~~ Icons in System32 ~~~
 ~~~ Windows directory ~~~
 ~~~ Drive root ~~~
 ~~~ Miscellaneous Files/folders ~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Remaining Post-run Files

 ~~~ Program Files ~~~
 ~~~ Shortcuts ~~~
 ~~~ Favorites ~~~
 ~~~ system32 folder ~~~
 ~~~ Icons in System32 ~~~
 ~~~ Windows directory ~~~
 ~~~ Drive root ~~~
 ~~~ Miscellaneous Files/folders ~~~
 ~~~ Wininet.dll ~~~

 CLEAN! /smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

And HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:04:53 PM, on 10/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

Thanks again for your help.
Jarcy.

Title: SmartSecurity and other problems
Post by: guestolo on October 26, 2005, 04:00:46 PM

Let's first see if we can fix a couple problems

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe (http://\"http://www.thespykiller.co.uk/files/cleandesktop.exe\") and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script.

If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it "Cannot find script file "blah blah blah" then don't worry just double click the cleandesktop.vbs script again as you sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up
Another vbs is included to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs.

Open C:\ (Go to Start – Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

After the above is done
Sign back into your username
From below download notepad_xp.zip
UNZIP it too both of the following folders
C:\WINDOWS and C:\WINDOWS\System32
Let me know if notepad works properly afterwards

Can you also,
Download this virus checker from eScan
Mwav.exe (http://\"ftp://ftp.microworldsystems.com/download/tools/mwav.exe\")
There's nothing to install, save it and then double click to run
It will self extract

In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane---  Use "CTRL and the  C" keys  on your Keyboard to copy all found in the lower pane  and paste it back here in your reply

****If prompted that a Virus was found and you need to purchase the product  to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Title: SmartSecurity and other problems
Post by: Jarcy on October 27, 2005, 02:57:30 PM

Guestolo,

Excellent, my desktop is restored and all of the old icons have return! No more doubling up of icons. Big thank you!

Also notepad now works.

These problems still exists: Any ideas?

2. Word crashes each time I try to start it. Unistalling Office, and reinstalling didn't solve this problem.
3. Excel crashes every time I try to open a file, although you can successfully start and work on a new file.
5. McAfee Virus Scan crashes every time you try to enable it. Firewall appears to work fine though.

Here's the result of the Mwav virus scan. - 15 viruses and 157 errors.

Object "alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "slchost Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "tsl Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "clipgenie Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "topsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "topsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\CTDetect.cpl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\uvAC3Enc.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\HDK3AN32.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\Hdk3anim.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\HDK3CTNT.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\MSVCIRT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\MFC42.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\MSVCRT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\Install.wse.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\config.ini". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\templates.zip". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\GToolbar\BarControl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ubisoft\Crytek\Far Cry\Support\Readme (CZ).rtf". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QTPlugin.OCX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "%JavaDir%\QTJava.zip". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\arcsoft.exe" refers to invalid object "C:\Program Files\ArcSoft\Software Suite\arcsoft.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CDWizard.exe" refers to invalid object "c:\program files\pinnacle\studio 8\programs\CDWizard.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CLaunch.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CMGrdian.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\GS4.exe" refers to invalid object "C:\Program Files\ubi.com\GS4.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Ipe40.exe" refers to invalid object "C:\WINDOWS\Ipe40.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\nvarem.exe" refers to invalid object "C:\Program Files\NVIDIA Corporation\NVRemote\nvarem.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\NvSkins.exe" refers to invalid object "C:\Program Files\NVIDIA Corporation\NVDVD\NvSkins.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE" refers to invalid object "C:\WINDOWS\ORUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Racer.exe" refers to invalid object "C:\Program Files\Infogrames\Grand Prix 4\Racer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Racer95.exe" refers to invalid object "C:\Program Files\Microprose\Grand Prix 3\Racer95.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Schedwiz.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Toca2.exe" refers to invalid object "C:\Codemasters\Toca2\Toca2.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\USB Driver for Panasonic DVC (with Web Camera)" refers to invalid object "C:\WINDOWS\INF\USB Driver for Panasonic DVC (with Web Camera)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Temporary File Cache\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".016". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".05". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".abm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".axe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".BUP". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".class". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".conf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dtl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".IFO". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".lst". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".MRK". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".nv!". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pk3". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".PRO". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pvm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rt". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".scn". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sdp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".UK". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".vca". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VCD". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VM1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".x32". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Ad-aware 6 Personal". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AltnetDM". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Best Search Engine!!!". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Hollywood FX 4.6". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MyWebSearch bar Uninstall". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA nForce Drivers". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Search Relevancy". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Tiscali Internet Access". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Tiscali_uk". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "untopr1150". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Windows ControlAd". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Windows TaskAd". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{53EF6570-21A4-47ED-A40A-E6470A5677A3}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600211}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600602}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-000000000001}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{02D892F7-E5D4-41E3-9988-B9155BF800FE}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{07B18EA2-A523-4961-B6BB-170DE4475CCA}" refers to invalid object "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B487523-BEC2-11CF-BF9E-0020AF998FF5}" refers to invalid object "C:\PROGRA~1\SUPERS~1\Viscape\vrtocx.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B487524-BEC2-11CF-BF9E-0020AF998FF5}" refers to invalid object "C:\PROGRA~1\SUPERS~1\Viscape\vrtocx.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{27A9F557-B690-4798-BF58-EF69433366E6}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{39B7FAEB-68FE-4A52-A25F-5F896B088C7E}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4B4B40F0-C9DF-11D4-AA54-00104B49C4F0}" refers to invalid object "D:\R2ctlNS.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{578D8287-FB03-466E-A404-DD772E6CBEAE}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6F474F98-82D9-4694-9073-54FBCE4C9035}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6FFC1326-E077-44E7-8935-7F09F3F19FE4}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9502B2C1-553A-46AF-8F26-FE29CED44720}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9FECC4D5-A7AC-4C85-B15A-4B933AC0CD5D}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A48985C9-9602-412D-88CD-7E3D2E111C40}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B2EA5AEB-5BA3-47C9-95F3-42D63F2326AC}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE6663AD-B0FD-4BFA-AD94-CFD678B927C3}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CD0F275B-050F-4568-8578-A852AC432622}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E2295278-994F-42A7-BC23-5722CECA2063}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{00A6FAF0-072E-44CF-8957-5838F569A31D}" refers to invalid object "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{06337C1A-C69C-4371-A2F7-A41DBAEAED49}" refers to invalid object "C:\DOCUME~1\SUECAN~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{07293E71-EAE0-4FEA-9F92-5BD92325E790}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{18331E46-35A5-4CEE-846C-BA7DB913865B}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\SHDocVw.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{1A39043E-45C8-4075-867E-6D0E090A5DFA}" refers to invalid object "C:\DOCUME~1\SUECAN~1\LOCALS~1\Temp\Word8.0\InlineMultimedia.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{1B487520-BEC2-11CF-BF9E-0020AF998FF5}" refers to invalid object "C:\Program Files\Superscape\Viscape\vrtocx.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2D81B49D-4646-4CB1-AE1B-3F3CF6429134}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3905C537-264D-4350-A328-CC2DD483A9A4}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\ShockwaveFlashObjects.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{4B4B40F2-C9DF-11D4-AA54-00104B49C4F0}" refers to invalid object "D:\R2ctlNS.OCX". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{65A6BB6D-78D0-4E0A-824D-2DE1E0D154AF}" refers to invalid object "C:\PROGRA~1\SEARCH~1\SearchRelevancy1.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{71C7B265-C6F6-459A-929F-1E3085A3CB4B}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{758767F5-A4A5-4935-BCB5-517387C78DB8}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\MARQUEELib.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{86018373-D939-4CDA-A130-A7C4C1600C0F}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\PPT8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{920ED957-862F-4CCE-B168-0BA8451F3E1C}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A5E16CA3-1C8F-4DB0-BE3F-67E8E9FD593D}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{CB850722-F2D1-4236-BB9D-85BDC2D7B854}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DBD9915A-C650-4CFE-AF5E-670A05AEF680}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\SHDocVw.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{FA91240E-B719-42B7-BB70-5908A0A5E776}" refers to invalid object "C:\DOCUME~1\SUECAN~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.det" refers to invalid object "DETFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.frg" refers to invalid object "Access.Fragment". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.ldb" refers to invalid object "Access.LockFile.9". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pcb" refers to invalid object "PCBFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.sll" refers to invalid object "SSLFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\ATLPlugin.ATL3DPage_d2.1" refers to invalid object "{cc10ddda-2452-4598-a6c4-f9f2f0b6a758
}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\LeechGet Download Queue\shell\open\command" refers to invalid object ""C:\Program Files\LeechGet 2005\LeechGet.exe" -import "%1"". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\TesCsFile\shell\open\command" refers to invalid object "C:\Program Files\Bethesda Softworks\Morrowind\\TES3 Construction Set.exe". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\150468.exe infected by "Trojan.Win32.Zapchast" Virus! Action Taken: No Action Taken.

Thanks again for your help.

Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on October 27, 2005, 05:00:19 PM

Did you cut off the bottom of the mwav scan report
15 viruses and 157 errors

I only see 1 virus

Can you delete this file please
C:\WINDOWS\System32\150468.exe <-file

Title: SmartSecurity and other problems
Post by: Jarcy on October 27, 2005, 06:52:21 PM

I've deleted 150468.exe.
Also noticed 745625.exe in the same folder. Does this look suspicious?

Pretty sure I haven't truncated the Mwav report, but have rerun and posted the results here: This time 16 viruses and 157 errors:

Object "alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "slchost Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "tsl Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "clipgenie Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "topsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "topsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\CTDetect.cpl". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Ulead Systems\MPEG\uvAC3Enc.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\HDK3AN32.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\Hdk3anim.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\HDK3CTNT.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\MSVCIRT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\MFC42.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\TEMP\_ISTMP0.DIR\FileGrp\MSVCRT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\Install.wse.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\config.ini". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\templates.zip". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\GToolbar\BarControl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ubisoft\Crytek\Far Cry\Support\Readme (CZ).rtf". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\QTPlugin.OCX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "%JavaDir%\QTJava.zip". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\arcsoft.exe" refers to invalid object "C:\Program Files\ArcSoft\Software Suite\arcsoft.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CDWizard.exe" refers to invalid object "c:\program files\pinnacle\studio 8\programs\CDWizard.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CLaunch.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\CMGrdian.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\GS4.exe" refers to invalid object "C:\Program Files\ubi.com\GS4.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Ipe40.exe" refers to invalid object "C:\WINDOWS\Ipe40.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\nvarem.exe" refers to invalid object "C:\Program Files\NVIDIA Corporation\NVRemote\nvarem.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\NvSkins.exe" refers to invalid object "C:\Program Files\NVIDIA Corporation\NVDVD\NvSkins.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE" refers to invalid object "C:\WINDOWS\ORUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Racer.exe" refers to invalid object "C:\Program Files\Infogrames\Grand Prix 4\Racer.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Racer95.exe" refers to invalid object "C:\Program Files\Microprose\Grand Prix 3\Racer95.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Schedwiz.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Toca2.exe" refers to invalid object "C:\Codemasters\Toca2\Toca2.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\USB Driver for Panasonic DVC (with Web Camera)" refers to invalid object "C:\WINDOWS\INF\USB Driver for Panasonic DVC (with Web Camera)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\Program Files\EPSON\Smart Panel\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Temporary File Cache\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\temp\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Hewlett-Packard\Digital Imaging\hpis\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".016". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".05". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".abm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".axe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".BUP". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".class". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".conf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dtl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".IFO". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".lst". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".MRK". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".nv!". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pk3". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".PRO". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pvm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rt". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".scn". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sdp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".UK". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".vca". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VCD". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VM1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".x32". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Ad-aware 6 Personal". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AltnetDM". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Best Search Engine!!!". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Hollywood FX 4.6". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MyWebSearch bar Uninstall". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA nForce Drivers". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Search Relevancy". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Tiscali Internet Access". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Tiscali_uk". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "untopr1150". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Windows ControlAd". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Windows TaskAd". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{53EF6570-21A4-47ED-A40A-E6470A5677A3}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600211}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600602}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-000000000001}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{02D892F7-E5D4-41E3-9988-B9155BF800FE}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{07B18EA2-A523-4961-B6BB-170DE4475CCA}" refers to invalid object "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B487523-BEC2-11CF-BF9E-0020AF998FF5}" refers to invalid object "C:\PROGRA~1\SUPERS~1\Viscape\vrtocx.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B487524-BEC2-11CF-BF9E-0020AF998FF5}" refers to invalid object "C:\PROGRA~1\SUPERS~1\Viscape\vrtocx.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{27A9F557-B690-4798-BF58-EF69433366E6}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{39B7FAEB-68FE-4A52-A25F-5F896B088C7E}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4B4B40F0-C9DF-11D4-AA54-00104B49C4F0}" refers to invalid object "D:\R2ctlNS.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{578D8287-FB03-466E-A404-DD772E6CBEAE}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6F474F98-82D9-4694-9073-54FBCE4C9035}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6FFC1326-E077-44E7-8935-7F09F3F19FE4}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9502B2C1-553A-46AF-8F26-FE29CED44720}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9FECC4D5-A7AC-4C85-B15A-4B933AC0CD5D}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A48985C9-9602-412D-88CD-7E3D2E111C40}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B2EA5AEB-5BA3-47C9-95F3-42D63F2326AC}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE6663AD-B0FD-4BFA-AD94-CFD678B927C3}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CD0F275B-050F-4568-8578-A852AC432622}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E2295278-994F-42A7-BC23-5722CECA2063}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{00A6FAF0-072E-44CF-8957-5838F569A31D}" refers to invalid object "C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{06337C1A-C69C-4371-A2F7-A41DBAEAED49}" refers to invalid object "C:\DOCUME~1\SUECAN~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{07293E71-EAE0-4FEA-9F92-5BD92325E790}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{18331E46-35A5-4CEE-846C-BA7DB913865B}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\SHDocVw.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{1A39043E-45C8-4075-867E-6D0E090A5DFA}" refers to invalid object "C:\DOCUME~1\SUECAN~1\LOCALS~1\Temp\Word8.0\InlineMultimedia.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{1B487520-BEC2-11CF-BF9E-0020AF998FF5}" refers to invalid object "C:\Program Files\Superscape\Viscape\vrtocx.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2D81B49D-4646-4CB1-AE1B-3F3CF6429134}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3905C537-264D-4350-A328-CC2DD483A9A4}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\ShockwaveFlashObjects.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{4B4B40F2-C9DF-11D4-AA54-00104B49C4F0}" refers to invalid object "D:\R2ctlNS.OCX". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{65A6BB6D-78D0-4E0A-824D-2DE1E0D154AF}" refers to invalid object "C:\PROGRA~1\SEARCH~1\SearchRelevancy1.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{71C7B265-C6F6-459A-929F-1E3085A3CB4B}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{758767F5-A4A5-4935-BCB5-517387C78DB8}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Word8.0\MARQUEELib.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{86018373-D939-4CDA-A130-A7C4C1600C0F}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\PPT8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{920ED957-862F-4CCE-B168-0BA8451F3E1C}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A5E16CA3-1C8F-4DB0-BE3F-67E8E9FD593D}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\gsda.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{CB850722-F2D1-4236-BB9D-85BDC2D7B854}" refers to invalid object "C:\Program Files\Internet\setupctl.ocx". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DBD9915A-C650-4CFE-AF5E-670A05AEF680}" refers to invalid object "C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\Excel8.0\SHDocVw.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{FA91240E-B719-42B7-BB70-5908A0A5E776}" refers to invalid object "C:\DOCUME~1\SUECAN~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.det" refers to invalid object "DETFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.frg" refers to invalid object "Access.Fragment". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.ldb" refers to invalid object "Access.LockFile.9". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pcb" refers to invalid object "PCBFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.sll" refers to invalid object "SSLFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\ATLPlugin.ATL3DPage_d2.1" refers to invalid object "{cc10ddda-2452-4598-a6c4-f9f2f0b6a758
}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\LeechGet Download Queue\shell\open\command" refers to invalid object ""C:\Program Files\LeechGet 2005\LeechGet.exe" -import "%1"". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\TesCsFile\shell\open\command" refers to invalid object "C:\Program Files\Bethesda Softworks\Morrowind\\TES3 Construction Set.exe". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.


P.S. Should I uninstall Kazaa? Have already removed P2PNetworking.
Thanks again, Jarcy.

Title: SmartSecurity and other problems
Post by: guestolo on October 28, 2005, 09:56:27 AM

I would opt to remove Kazaa, it came bundled with a Lot of crapware
I'll leave that up to you

Can you run that file  through
Jotti's Online Malware scan (http://\"http://virusscan.jotti.org/\")
Give this site time to load if busy

Use the browse button and navigate to the file on your hard drive
Right click on it  and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

We may have to reinstall McAfee and Office
But I would like to make sure you run a registry cleaner before you proceed
We won't do nothing with them yet
Is your subscription to McAfee's still OK?

Title: SmartSecurity and other problems
Post by: Jarcy on October 31, 2005, 05:41:49 PM

Here's the result from Jotti's malware scan of the suspicious file. Looks like a bug. Shall I delete the file?

Service  
Service load:  0%        100%  
 
File:  745625.exe  
Status:  INFECTED/MALWARE  
MD5  92ec1464b5bc22a409d7ccd16439cce6  
Packers detected:  UPX
Scanner results  
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Dropped:Trojan.Small.DL  
ClamAV  Found Trojan.Clicker.Small-45  
Dr.Web  Found DLOADER.Trojan (probable variant)  
F-Prot Antivirus  Found unknown virus (probable variant)  
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing
   
Regarding McAfee & Office, of course willing to reinstall. However tried this earlier (before asking for help here) and it made no difference.
With McAfee Internet Security, my annual subscription is due up sometime in October, so must be due for renewal now. However, when I last reinstalled (2 - 3 weeks ago) I WAS able to update Firewall. Only the Virus Scan fails to function. Whereas I usually get reminder popups from McAfee to purchase my annual renewal, these are also crashing every time I log on. This leads me to suspect that I've got a clever bug that prevents me from updating or using my virus scanner. Therefore I don't know if I'm even able to renew my McAfee license.
Why Office has started to behave in this manner, I have no idea.

Any more ideas would be gratefully received.

Many thanks again,
Jarcy.

Title: SmartSecurity and other problems
Post by: Jarcy on November 02, 2005, 11:20:09 AM

Guestolo,

I've also uninstalled Kazaa.
Any ideas what to try next?

Many thanks!

Jarcy

Title: SmartSecurity and other problems
Post by: Jarcy on November 06, 2005, 10:42:40 AM

Guestolo / Anyone,

Has anyone got any ideas as to why my McAfee Virusscan and MS Office products (Word / Excel) crash every time I try to open them?

Thanks,

Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on November 06, 2005, 11:58:24 AM

Did you delete this file?
745625.exe

If not, go ahead and do so

Sorry for the wait

Can you do the following
Just want to check on something
Open Hijackthis>>Open Misc tools section>>>Open Hosts file manager
Click the Open In Notepad button
A text file should open, can you copy and paste the contents back here please

Could you also
Go to this site
Jotti's Online Malware scan (http://\"http://virusscan.jotti.org/\")
Give this site time to load if busy

Use the browse button and navigate to the file on your hard drive
C:\WINDOWS\System32\Wininet.dll <-this file

Right click on it  and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please

Can you run one more scan please
From my signature below run an online scan at Panda's
Choose to scan "Local Disks"
When the scan is done, save a report and post the contents back here

Title: SmartSecurity and other problems
Post by: Jarcy on November 06, 2005, 02:34:26 PM

Guestolo,
Many thanks for coming back to this.

I couldn't find Host file manager with Hijackthis. The only report I could find with Misc Tools was Gerenate Startuplist Log. Did you mean this? I'm posting the result here. (I did notice that c:windows\explorer.exe is running. Is this a virus in this location?):

StartupList report, 11/6/2005, 7:10:05 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\John Canfield\My Documents\Download Software\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\John Canfield\My Documents\Download Software\HijackThis.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

UpdReg = C:\WINDOWS\UpdReg.EXE
SBDrvDet = C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
PinnacleDriverCheck = C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
CTSysVol = C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
CTHelper = CTHELPER.EXE
CTDVDDET = C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
Creative WebCam Tray = C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
Camera Detector = C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
AsioReg = REGSVR32.EXE /S CTASIO.DLL
HPHUPD05 = C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
MCAgentExe = C:\Program Files\McAfee.com\Agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
VirusScanMSC = "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
IFSplash = ImmSplsh.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RemoteCenter = C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McAfee.com Update Check (STUDYSERVER-Adam Canfield).job
McAfee.com Update Check (STUDYSERVER-John Canfield).job
McAfee.com Update Check (STUDYSERVER-Samuel Canfield).job
McAfee.com Update Check (STUDYSERVER-Sue Canfield).job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab (http://\"http://office.microsoft.com/templates/ieawsdc.cab\")

[UploaderCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\atl_uploader.dll
CODEBASE = http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")

[PlxInstall Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PlaxoInstall.dll
CODEBASE = http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab (http://\"http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab\")

[CheckNDownload Class]
CODEBASE = http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
OSD = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\TEInstallPlugIn.osd

[TerraExplorer Class]
CODEBASE = http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
OSD = C:\WINDOWS\Downloaded Program Files\TE.osd

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")

[Secure Delivery]
CODEBASE = http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #22: xfire_lsp_9028.dll (file MISSING)
Protocol #23: xfire_lsp_9028.dll (file MISSING)
Protocol #24: xfire_lsp_9028.dll (file MISSING)
Protocol #25: xfire_lsp_9028.dll (file MISSING)
Protocol #26: xfire_lsp_9028.dll (file MISSING)
Protocol #48: xfire_lsp_9028.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,424 bytes
Report generated in 0.047 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

The file in Jotti seemed OK. Here's the result:

Jotti's malware scan 2.99-TRANSITION_TO_3.00
 
File to upload & scan:          
Service  
Service load:  0%        100%  
 
File:  WININET.DLL  
Status:  OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)  
MD5  4f64d1df989e3aa2fad91a2f1167b9c7  
Packers detected:  -
Scanner results  
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing

I can't run Panda! when I try to install Panda ActiveScan, my browser crashes (as with Office McAfee etc) and I get the same old "Internet Explorer has encountered a problem and needs to close".
This is so frustrating!

Any other suggestions gratefully received.

Thanks again.
Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on November 06, 2005, 02:56:42 PM

Can you try the following

We'll see if we can repair IE

Go to Start, and then click Run.
In the copy and paste the following

sfc /scannow

Don't hit OK yet

Instead close down all other windows, including this one

Then go hit OK

Title: SmartSecurity and other problems
Post by: Jarcy on November 06, 2005, 03:49:53 PM

Guestolo,

OK I've run the tool. It didn't find anything. (Just stopped when it had finished). Anything else to try?

Thanks
Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on November 06, 2005, 06:18:08 PM

I think we may have to resort to a repair of your system

Afterwards you will have to install the latest Service pack from Windows updates

Beforehand
If McAfee's is expired, and you don't plan on renewing it
I can give you a link to a free virus scanner and firewall
You may want to uninstall Mcafee and office again

Restart afterwards
Use the link to run a Repair on your system
Make sure your running a Repair, follow the instructions closely
http://www.michaelstevenstech.com/XPrepairinstall.htm (http://\"http://www.michaelstevenstech.com/XPrepairinstall.htm\")

When your done come back here and post a fresh hijackthis log

Title: SmartSecurity and other problems
Post by: Jarcy on November 06, 2005, 07:22:25 PM

Guestolo,

OK I've run the tool. It didn't find anything. (Just stopped when it had finished). Anything else to try?

Thanks
Jarcy

Title: SmartSecurity and other problems
Post by: Jarcy on November 06, 2005, 07:55:52 PM

Sorry, I managed to double post my last message!

I'm willing to pay for a further year's McAffee subscription, unless you recommend your other source in preference. However, I don't want to take down my firewall until I've got something to replace it with lined up.

My PC didn't come with the full CD version of XP, only a "Recovery CD-Rom". However I've browsed the contents and it looks to all intents and purposes like a proper XP installation disc. - It has the options Install, or Upgrade. I haven't followed through the procedure yet as I need to spend some time backing up files, but I didn't see the setup option to repair. Does it sound like this is the CD that I need for this procedure, or should I contact my PC manufacturers' support desk for confirmation?

Thanks, Jarcy.

Title: SmartSecurity and other problems
Post by: guestolo on November 07, 2005, 07:33:43 PM

jarcy, sorry for the late reply

The makers of your computer have complete instructions on how to  run a repair
I assume you bought the computer at meshcomputers
http://www.meshcomputers.com/Default.aspx?...T_FAQS_SOFTWARE (http://\"http://www.meshcomputers.com/Default.aspx?PAGE=RUNTIME_OLD_SUPPORT_FAQS_SOFTWARE\")

Before you try any of the above
are all applications behaving this way?

Can you try something for me please
Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe (http://\"http://swandog46.geekstogo.com/aproposfix.exe\")

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop.  Open the aproposfix folder on your desktop and run RunThis.bat.  Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

I would like to see that Hosts file also
Open Hijackthis>>>Then click on the Open Misc tools section
Under the System Tools click the button labelled
Open Hosts file manager

Click the Open in Notepad button, a text file should open
Copy and paste the whole contents back here please

Title: SmartSecurity and other problems
Post by: Jarcy on November 08, 2005, 06:39:35 PM

Hi Guestolo,

I've contacted Mesh and got the full repair / XP reinstall instructions, so I'm prepared if this proves the best route to take. Have also ordered a second hard drive to archive all passive files prior to any reinstall (my existing drive was nearing full anyway). My recovery CD IS the full version of XP Pro, so no problems there. Should also have all drivers.

Have run  aproposfix.exe in Safe mode.
Here's the Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:58:48 PM, on 11/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\John Canfield\My Documents\Download Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab (http://\"http://office.microsoft.com/templates/ieawsdc.cab\")
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab (http://\"http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")

And here is the log.txt file from aproposfix:

Log of AproposFix v1
 
************
 
Running from directory:  
C:\Documents and Settings\John Canfield\Desktop\aproposfix
 
************
 
Registry entries found:
 
 
************
 
No service found!
 
Removing hidden folder:
No folder found!
 
Deleting files:
 
 
Backing up files:
Done!
 
Removing registry entries:
 
REGEDIT4
 
 
Done!
 
Finished!

And here is Open Hosts file manager from Hijackthis:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Nothing seems to indicate much to me.
However did notice a process running of:
Windows\Explorer.EXE
Isn't this likely to be a virus when running from this folder?

Regarding general system performance, the obvious problems are as follows:

1. McAfee Virus Scan can't be run and crashes every time you try to enable the tool. What's more, any automated instant update reminders also crash before they load. This leads me to believe I've got a nasty virus which targets McAfee to avoid me capturing it.

2. MS Word won't open and crashes. MS Excel will open and you can use a spreadsheet. However you can't open an existing saved file and Excel duly crashes. I have noticed that a comment in the bottom left hand corner say's "requesting virus scan" just prior to Excel crashing. Linked to McAfee perhaps? Powerpoint won't open any saved files.

3. The white borders around open windows has turned a grey/buff colour. This has occured only in the last 2 weeks since starting this troubleshooting! Looks quite nice, but not my doing!

4. If I switch user in XP to my wife's profile, the system slows considerably, and often stalls. (perhaps I know who to blame for dodgy files/emails or poor firewall decisions /wink.gif\' class=\'bbc_emoticon\' alt=\';)\' /> ).

5. I received this email recently. Has someone hijacked my machine?:-
---------
Your question has been received. You should expect a response from us
within 24 hours.

You MUST enter your reply in the space below. Text entered into any
other part of this message will be discarded and your question may not
then be fully answered.

[===> Please enter your reply below this line <===]

[===> Please enter your reply above this line <===]

To update your question from our support site, click on the following
link or paste it into your Web browser.
http://holidayautos.custhelp.com/cgi-bin/h...ated=1131040545 (http://\"http://holidayautos.custhelp.com/cgi-bin/holidayautos.cfg/php/enduser/[email protected]&p_next_page=myq_upd.php&p_iid=133901&p_created=1131040545\")


question reference no051103-000544
---------------------------------------------------------------
           Summary: Mail System Error - Returned Mail
      date created: 03/11/2005 05:55 PM
      Last Updated: 03/11/2005 05:55 PM
            Status: Unresolved
Booking Reference :
Spain or Portugal?:

Discussion Thread
---------------------------------------------------------------
Customer - 03/11/2005 05:55 PM
Dear user [email protected],

We have found that your account was used to send a large amount of spam during this week.
Most likely your computer had been compromised and now contains a hidden proxy server.

Please follow instructions in order to keep your computer safe.

Best regards,
The mailnj.custhelp.com support team.

==================== application File Attachment ====================
[email protected], 28938 bytes, added to incident


[---001:001315:56836---]
-------------
I also received another email from Holiday Autos advising that an account had been set up in my name, listing my email address. I've never had any contact with this company!

All other software I've tried seems to run fine. Tried Pinnacle Studio 9 (which is very memory and power hungry) but this worked as usual.



Thanks for all your help. Any hope, or is it getting towards starting again from scratch?

Cheers, Jarcy.

Title: SmartSecurity and other problems
Post by: guestolo on November 08, 2005, 10:24:25 PM

You posted a hijackthis log from an old version of Hijackthis
Can you post a new log from version 1.99.1
Can you also, download & run this free tool called RootkitRevealer
Scroll to the bottom of that page for the download link

http://www.sysinternals.com/Utilities/RootkitRevealer.html (http://\"http://www.sysinternals.com/Utilities/RootkitRevealer.html\")

Unzip Rootkitreavler.zip  to desktop and double click on RootKitReavler.exe
Once open click on SCAN
Sit back and wait for the scan to finish
Once finished, Save a log of what was found
By clicking File>>Save
By default the log may want to save to the System32 folder
Try and save it too desktop if possible
Log off other users on the computer

You should also turn off any program that might activate during the scan, such as a screensaver, an antivirus tool, or any other running program. Switching focus to another program, or allowing other programs to activate during the scan, won't cause your system to crash, but doing so may cause the RootkitRevealer program to display inaccurate or misleading results.

Can you also run a hijackthis log from your wifes' profile please and post it here

Title: SmartSecurity and other problems
Post by: Jarcy on November 10, 2005, 04:53:50 PM

Guestolo,

Sorry about running the wrong version of Hijackthis.
Here's my correct log:

Logfile of HijackThis v1.99.1
Scan saved at 8:57:46 PM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\OSDEAX.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

And here's the log a run under my wife's profile:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:41 PM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\OSDEAX.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php (http://\"http://69.50.191.52/1076/sp.php\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/ (http://\"http://69.50.191.52/1076/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq= (http://\"http://bestsearch.cc/1076/search.php?qq=\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Imv] C:\WINDOWS\Lmn.exe
O4 - HKCU\..\Run: [Hoe] C:\WINDOWS\Ume.exe
O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Ifc.exe
O4 - HKCU\..\Run: [Clp] C:\WINDOWS\Luu.exe
O4 - HKCU\..\Run: [Hub] C:\WINDOWS\Hio.exe
O4 - HKCU\..\Run: [Sre] C:\WINDOWS\Iki.exe
O4 - HKCU\..\Run: [Sci] C:\WINDOWS\Lbq.exe
O4 - HKCU\..\Run: [Gja] C:\WINDOWS\Udh.exe
O4 - HKCU\..\Run: [Lds] C:\WINDOWS\Oje.exe
O4 - HKCU\..\Run: [Kcm] C:\WINDOWS\System32\Tkf.exe
O4 - HKCU\..\Run: [Mes] C:\WINDOWS\Niu.exe
O4 - HKCU\..\Run: [Sbk] C:\WINDOWS\System32\Flv.exe
O4 - HKCU\..\Run: [Jtn] C:\WINDOWS\Nro.exe
O4 - HKCU\..\Run: [Tao] C:\WINDOWS\System32\Akf.exe
O4 - HKCU\..\Run: [Klt] C:\WINDOWS\Nbe.exe
O4 - HKCU\..\Run: [Ohn] C:\WINDOWS\System32\Neg.exe
O4 - HKCU\..\Run: [Bou] C:\WINDOWS\System32\Kme.exe
O4 - HKCU\..\Run: [Jek] C:\WINDOWS\System32\Icv.exe
O4 - HKCU\..\Run: [Pia] C:\WINDOWS\System32\Vgh.exe
O4 - HKCU\..\Run: [Hea] C:\WINDOWS\System32\Ubt.exe
O4 - HKCU\..\Run: [Jgc] C:\WINDOWS\System32\Vct.exe
O4 - HKCU\..\Run: [Evh] C:\WINDOWS\Jre.exe
O4 - HKCU\..\Run: [Sju] C:\WINDOWS\System32\Uva.exe
O4 - HKCU\..\Run: [Uai] C:\WINDOWS\Lfa.exe
O4 - HKCU\..\Run: [Mkh] C:\WINDOWS\System32\Pji.exe
O4 - HKCU\..\Run: [Qrh] C:\WINDOWS\Hfs.exe
O4 - HKCU\..\Run: [Ijo] C:\WINDOWS\Qaj.exe
O4 - HKCU\..\Run: [Osi] C:\WINDOWS\System32\Eqo.exe
O4 - HKCU\..\Run: [Bno] C:\WINDOWS\System32\Maa.exe
O4 - HKCU\..\Run: [Vfg] C:\WINDOWS\System32\Vbo.exe
O4 - HKCU\..\Run: [Jks] C:\WINDOWS\System32\Gje.exe
O4 - HKCU\..\Run: [Npr] C:\WINDOWS\Rvo.exe
O4 - HKCU\..\Run: [Mpu] C:\WINDOWS\System32\Niv.exe
O4 - HKCU\..\Run: [Rcq] C:\WINDOWS\System32\Irh.exe
O4 - HKCU\..\Run: [Mjm] C:\WINDOWS\Uon.exe
O4 - HKCU\..\Run: [Peh] C:\WINDOWS\Mhn.exe
O4 - HKCU\..\Run: [Hlk] C:\WINDOWS\Qne.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\Mti.exe
O4 - HKCU\..\Run: [Dqm] C:\WINDOWS\System32\Tcq.exe
O4 - HKCU\..\Run: [Fqd] C:\WINDOWS\Sat.exe
O4 - HKCU\..\Run: [Huv] C:\WINDOWS\Roc.exe
O4 - HKCU\..\Run: [Mqa] C:\WINDOWS\Jom.exe
O4 - HKCU\..\Run: [Evs] C:\WINDOWS\Nda.exe
O4 - HKCU\..\Run: [Gqu] C:\WINDOWS\Ngp.exe
O4 - HKCU\..\Run: [Cid] C:\WINDOWS\System32\Ess.exe
O4 - HKCU\..\Run: [Gis] C:\WINDOWS\Acp.exe
O4 - HKCU\..\Run: [Rps] C:\WINDOWS\System32\Dtm.exe
O4 - HKCU\..\Run: [Jea] C:\WINDOWS\System32\Hdp.exe
O4 - HKCU\..\Run: [Pnd] C:\WINDOWS\System32\Nff.exe
O4 - HKCU\..\Run: [Bku] C:\WINDOWS\System32\Sca.exe
O4 - HKCU\..\Run: [Pad] C:\WINDOWS\System32\Psj.exe
O4 - HKCU\..\Run: [Cbh] C:\WINDOWS\Qnf.exe
O4 - HKCU\..\Run: [Bnu] C:\WINDOWS\Evh.exe
O4 - HKCU\..\Run: [Eer] C:\WINDOWS\Rgm.exe
O4 - HKCU\..\Run: [Bkj] C:\WINDOWS\System32\Arb.exe
O4 - HKCU\..\Run: [Eka] C:\WINDOWS\System32\Omr.exe
O4 - HKCU\..\Run: [Vme] C:\WINDOWS\Hun.exe
O4 - HKCU\..\Run: [Tva] C:\WINDOWS\System32\Uuu.exe
O4 - HKCU\..\Run: [Acb] C:\WINDOWS\System32\Bnf.exe
O4 - HKCU\..\Run: [Ldl] C:\WINDOWS\Kma.exe
O4 - HKCU\..\Run: [Mbs] C:\WINDOWS\System32\Ejo.exe
O4 - HKCU\..\Run: [Scn] C:\WINDOWS\Ibv.exe
O4 - HKCU\..\Run: [Ovn] C:\WINDOWS\Fjg.exe
O4 - HKCU\..\Run: [Omr] C:\WINDOWS\Ooi.exe
O4 - HKCU\..\Run: [Fji] C:\WINDOWS\Dbg.exe
O4 - HKCU\..\Run: [Jjr] C:\WINDOWS\Cvc.exe
O4 - HKCU\..\Run: [Esh] C:\WINDOWS\Ldg.exe
O4 - HKCU\..\Run: [Dcs] C:\WINDOWS\Nqd.exe
O4 - HKCU\..\Run: [Irt] C:\WINDOWS\Sqi.exe
O4 - HKCU\..\Run: [Lsl] C:\WINDOWS\System32\Juj.exe
O4 - HKCU\..\Run: [Lbr] C:\WINDOWS\System32\Ncj.exe
O4 - HKCU\..\Run: [Omv] C:\WINDOWS\System32\Efp.exe
O4 - HKCU\..\Run: [Ssa] C:\WINDOWS\Ugd.exe
O4 - HKCU\..\Run: [Lnp] C:\WINDOWS\Ofo.exe
O4 - HKCU\..\Run: [Tda] C:\WINDOWS\Ugg.exe
O4 - HKCU\..\Run: [Hgd] C:\WINDOWS\System32\Rfn.exe
O4 - HKCU\..\Run: [Amh] C:\WINDOWS\Pvb.exe
O4 - HKCU\..\Run: [Ofj] C:\WINDOWS\Muk.exe
O4 - HKCU\..\Run: [Jvf] C:\WINDOWS\System32\Feo.exe
O4 - HKCU\..\Run: [Fsl] C:\WINDOWS\Crl.exe
O4 - HKCU\..\Run: [Tur] C:\WINDOWS\Jfi.exe
O4 - HKCU\..\Run: [Mdd] C:\WINDOWS\Hjh.exe
O4 - HKCU\..\Run: [Lqe] C:\WINDOWS\Psp.exe
O4 - HKCU\..\Run: [Nqi] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Msf] C:\WINDOWS\Jbp.exe
O4 - HKCU\..\Run: [Dlu] C:\WINDOWS\System32\Vud.exe
O4 - HKCU\..\Run: [Okf] C:\WINDOWS\Veb.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\System32\Hib.exe
O4 - HKCU\..\Run: [Rli] C:\WINDOWS\System32\Cdr.exe
O4 - HKCU\..\Run: [Qdl] C:\WINDOWS\Lph.exe
O4 - HKCU\..\Run: [Qip] C:\WINDOWS\System32\Hve.exe
O4 - HKCU\..\Run: [Quj] C:\WINDOWS\Urk.exe
O4 - HKCU\..\Run: [Dqo] C:\WINDOWS\Qlm.exe
O4 - HKCU\..\Run: [Vov] C:\WINDOWS\Pou.exe
O4 - HKCU\..\Run: [Fec] C:\WINDOWS\System32\Bdn.exe
O4 - HKCU\..\Run: [Tqi] C:\WINDOWS\Jho.exe
O4 - HKCU\..\Run: [Gak] C:\WINDOWS\System32\Dgb.exe
O4 - HKCU\..\Run: [Fgm] C:\WINDOWS\Ldi.exe
O4 - HKCU\..\Run: [Rev] C:\WINDOWS\Kdk.exe
O4 - HKCU\..\Run: [Pmv] C:\WINDOWS\Rps.exe
O4 - HKCU\..\Run: [Hiq] C:\WINDOWS\System32\Uuc.exe
O4 - HKCU\..\Run: [Mjp] C:\WINDOWS\Dkm.exe
O4 - HKCU\..\Run: [Tmu] C:\WINDOWS\System32\Ele.exe
O4 - HKCU\..\Run: [Nto] C:\WINDOWS\Rlc.exe
O4 - HKCU\..\Run: [Qah] C:\WINDOWS\Rbk.exe
O4 - HKCU\..\Run: [Eae] C:\WINDOWS\Bqn.exe
O4 - HKCU\..\Run: [Crq] C:\WINDOWS\System32\Rtg.exe
O4 - HKCU\..\Run: [Ebd] C:\WINDOWS\System32\Tuo.exe
O4 - HKCU\..\Run: [Cnk] C:\WINDOWS\Bvi.exe
O4 - HKCU\..\Run: [Hku] C:\WINDOWS\System32\Pch.exe
O4 - HKCU\..\Run: [Rmm] C:\WINDOWS\Ugq.exe
O4 - HKCU\..\Run: [Jqm] C:\WINDOWS\System32\Grl.exe
O4 - HKCU\..\Run: [Lru] C:\WINDOWS\System32\Tqf.exe
O4 - HKCU\..\Run: [Pob] C:\WINDOWS\Dgo.exe
O4 - HKCU\..\Run: [Rkk] C:\WINDOWS\Veq.exe
O4 - HKCU\..\Run: [Evd] C:\WINDOWS\Fik.exe
O4 - HKCU\..\Run: [Irq] C:\WINDOWS\System32\Rhh.exe
O4 - HKCU\..\Run: [Gtg] C:\WINDOWS\System32\Dlu.exe
O4 - HKCU\..\Run: [Gbt] C:\WINDOWS\Vss.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\System32\Mfs.exe
O4 - HKCU\..\Run: [Cov] C:\WINDOWS\System32\Hir.exe
O4 - HKCU\..\Run: [Ntj] C:\WINDOWS\System32\Hai.exe
O4 - HKCU\..\Run: [Lud] C:\WINDOWS\System32\Rgr.exe
O4 - HKCU\..\Run: [Eko] C:\WINDOWS\System32\Grp.exe
O4 - HKCU\..\Run: [Stl] C:\WINDOWS\Ilr.exe
O4 - HKCU\..\Run: [Jnb] C:\WINDOWS\Obq.exe
O4 - HKCU\..\Run: [Ism] C:\WINDOWS\Mtk.exe
O4 - HKCU\..\Run: [Mdl] C:\WINDOWS\System32\Fvq.exe
O4 - HKCU\..\Run: [Nba] C:\WINDOWS\System32\Gst.exe
O4 - HKCU\..\Run: [Joo] C:\WINDOWS\Gja.exe
O4 - HKCU\..\Run: [Ajt] C:\WINDOWS\Jao.exe
O4 - HKCU\..\Run: [Oce] C:\WINDOWS\System32\Fjm.exe
O4 - HKCU\..\Run: [Skp] C:\WINDOWS\System32\Eol.exe
O4 - HKCU\..\Run: [Krb] C:\WINDOWS\System32\Tmj.exe
O4 - HKCU\..\Run: [Ifv] C:\WINDOWS\Hqn.exe
O4 - HKCU\..\Run: [Miu] C:\WINDOWS\Gsu.exe
O4 - HKCU\..\Run: [Iqj] C:\WINDOWS\System32\Rcf.exe
O4 - HKCU\..\Run: [Pjp] C:\WINDOWS\Glt.exe
O4 - HKCU\..\Run: [Bht] C:\WINDOWS\System32\Brq.exe
O4 - HKCU\..\Run: [Pok] C:\WINDOWS\Sja.exe
O4 - HKCU\..\Run: [Ljk] C:\WINDOWS\System32\Ava.exe
O4 - HKCU\..\Run: [Clv] C:\WINDOWS\Qeu.exe
O4 - HKCU\..\Run: [Ibn] C:\WINDOWS\Vje.exe
O4 - HKCU\..\Run: [Hlr] C:\WINDOWS\System32\Cna.exe
O4 - HKCU\..\Run: [Trj] C:\WINDOWS\Fst.exe
O4 - HKCU\..\Run: [Jps] C:\WINDOWS\Vnc.exe
O4 - HKCU\..\Run: [Gvv] C:\WINDOWS\Mah.exe
O4 - HKCU\..\Run: [Glt] C:\WINDOWS\System32\Hkm.exe
O4 - HKCU\..\Run: [Ivd] C:\WINDOWS\System32\Jit.exe
O4 - HKCU\..\Run: [Vgm] C:\WINDOWS\System32\Iok.exe
O4 - HKCU\..\Run: [Kqt] C:\WINDOWS\System32\Rkd.exe
O4 - HKCU\..\Run: [Dgp] C:\WINDOWS\Ffk.exe
O4 - HKCU\..\Run: [Svj] C:\WINDOWS\System32\Vfe.exe
O4 - HKCU\..\Run: [Gvb] C:\WINDOWS\Sko.exe
O4 - HKCU\..\Run: [Dan] C:\WINDOWS\Djk.exe
O4 - HKCU\..\Run: [Nng] C:\WINDOWS\System32\Hjt.exe
O4 - HKCU\..\Run: [Vrf] C:\WINDOWS\System32\Pne.exe
O4 - HKCU\..\Run: [Qbf] C:\WINDOWS\System32\Oek.exe
O4 - HKCU\..\Run: [Ijs] C:\WINDOWS\System32\Rto.exe
O4 - HKCU\..\Run: [Hds] C:\WINDOWS\System32\Som.exe
O4 - HKCU\..\Run: [Eun] C:\WINDOWS\System32\Utb.exe
O4 - HKCU\..\Run: [Mrd] C:\WINDOWS\Vor.exe
O4 - HKCU\..\Run: [Jvt] C:\WINDOWS\System32\Lot.exe
O4 - HKCU\..\Run: [Ver] C:\WINDOWS\System32\Ndc.exe
O4 - HKCU\..\Run: [Dct] C:\WINDOWS\System32\Sds.exe
O4 - HKCU\..\Run: [Kqi] C:\WINDOWS\Kss.exe
O4 - HKCU\..\Run: [Opj] C:\WINDOWS\System32\Ibr.exe
O4 - HKCU\..\Run: [Hht] C:\WINDOWS\System32\Mki.exe
O4 - HKCU\..\Run: [Gst] C:\WINDOWS\System32\Rhf.exe
O4 - HKCU\..\Run: [Nbp] C:\WINDOWS\System32\Vre.exe
O4 - HKCU\..\Run: [Pju] C:\WINDOWS\Fsk.exe
O4 - HKCU\..\Run: [Vim] C:\WINDOWS\System32\Ufn.exe
O4 - HKCU\..\Run: [Qfo] C:\WINDOWS\Bjd.exe
O4 - HKCU\..\Run: [Qmt] C:\WINDOWS\System32\Hgf.exe
O4 - HKCU\..\Run: [Fsn] C:\WINDOWS\Fic.exe
O4 - HKCU\..\Run: [Kpd] C:\WINDOWS\Evn.exe
O4 - HKCU\..\Run: [Ocr] C:\WINDOWS\System32\Por.exe
O4 - HKCU\..\Run: [Hdv] C:\WINDOWS\Rrf.exe
O4 - HKCU\..\Run: [Erk] C:\WINDOWS\System32\Jsb.exe
O4 - HKCU\..\Run: [Cng] C:\WINDOWS\Ffj.exe
O4 - HKCU\..\Run: [Fcb] C:\WINDOWS\Kpq.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Rpe.exe
O4 - HKCU\..\Run: [Bvr] C:\WINDOWS\Fun.exe
O4 - HKCU\..\Run: [Pma] C:\WINDOWS\System32\Gdt.exe
O4 - HKCU\..\Run: [Etr] C:\WINDOWS\Mep.exe
O4 - HKCU\..\Run: [Rjp] C:\WINDOWS\Igd.exe
O4 - HKCU\..\Run: [Boj] C:\WINDOWS\System32\Pnu.exe
O4 - HKCU\..\Run: [Obl] C:\WINDOWS\System32\Nli.exe
O4 - HKCU\..\Run: [Nem] C:\WINDOWS\System32\Pdh.exe
O4 - HKCU\..\Run: [Nnj] C:\WINDOWS\Nog.exe
O4 - HKCU\..\Run: [Lar] C:\WINDOWS\System32\Vvk.exe
O4 - HKCU\..\Run: [Npm] C:\WINDOWS\Mst.exe
O4 - HKCU\..\Run: [Tmq] C:\WINDOWS\System32\Uam.exe
O4 - HKCU\..\Run: [Kct] C:\WINDOWS\Hkk.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\Vea.exe
O4 - HKCU\..\Run: [Hfu] C:\WINDOWS\System32\Cft.exe
O4 - HKCU\..\Run: [Fef] C:\WINDOWS\Nff.exe
O4 - HKCU\..\Run: [Dao] C:\WINDOWS\System32\Sld.exe
O4 - HKCU\..\Run: [Csc] C:\WINDOWS\System32\Jtc.exe
O4 - HKCU\..\Run: [Hpn] C:\WINDOWS\Ehf.exe
O4 - HKCU\..\Run: [Tnc] C:\WINDOWS\System32\Rnl.exe
O4 - HKCU\..\Run: [Tkd] C:\WINDOWS\System32\Tfq.exe
O4 - HKCU\..\Run: [Cuf] C:\WINDOWS\Ijl.exe
O4 - HKCU\..\Run: [Ebk] C:\WINDOWS\System32\Vqr.exe
O4 - HKCU\..\Run: [Vep] C:\WINDOWS\System32\Rih.exe
O4 - HKCU\..\Run: [Odr] C:\WINDOWS\System32\Fti.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ptp.exe
O4 - HKCU\..\Run: [Ker] C:\WINDOWS\System32\Olh.exe
O4 - HKCU\..\Run: [Oaa] C:\WINDOWS\System32\Ukl.exe
O4 - HKCU\..\Run: [Tod] C:\WINDOWS\Buc.exe
O4 - HKCU\..\Run: [Eed] C:\WINDOWS\System32\Lpi.exe
O4 - HKCU\..\Run: [Oae] C:\WINDOWS\System32\Geq.exe
O4 - HKCU\..\Run: [Sfb] C:\WINDOWS\System32\Fem.exe
O4 - HKCU\..\Run: [Hba] C:\WINDOWS\Tpm.exe
O4 - HKCU\..\Run: [Tup] C:\WINDOWS\Hcu.exe
O4 - HKCU\..\Run: [Ljh] C:\WINDOWS\Bun.exe
O4 - HKCU\..\Run: [Mlm] C:\WINDOWS\System32\Fdt.exe
O4 - HKCU\..\Run: [Jsr] C:\WINDOWS\System32\Uem.exe
O4 - HKCU\..\Run: [Erm] C:\WINDOWS\Min.exe
O4 - HKCU\..\Run: [Rar] C:\WINDOWS\System32\Vba.exe
O4 - HKCU\..\Run: [Vkl] C:\WINDOWS\Jfo.exe
O4 - HKCU\..\Run: [Ukv] C:\WINDOWS\System32\Gqr.exe
O4 - HKCU\..\Run: [Ace] C:\WINDOWS\Jjn.exe
O4 - HKCU\..\Run: [Llq] C:\WINDOWS\Nat.exe
O4 - HKCU\..\Run: [Qce] C:\WINDOWS\Uoj.exe
O4 - HKCU\..\Run: [Pmg] C:\WINDOWS\Erc.exe
O4 - HKCU\..\Run: [Jog] C:\WINDOWS\Dvd.exe
O4 - HKCU\..\Run: [Pba] C:\WINDOWS\System32\Iol.exe
O4 - HKCU\..\Run: [Vau] C:\WINDOWS\System32\Mpf.exe
O4 - HKCU\..\Run: [Gub] C:\WINDOWS\Rtf.exe
O4 - HKCU\..\Run: [Sjt] C:\WINDOWS\System32\Luc.exe
O4 - HKCU\..\Run: [Mel] C:\WINDOWS\Tch.exe
O4 - HKCU\..\Run: [Nal] C:\WINDOWS\System32\Ipc.exe
O4 - HKCU\..\Run: [Nok] C:\WINDOWS\Ial.exe
O4 - HKCU\..\Run: [Pto] C:\WINDOWS\Dda.exe
O4 - HKCU\..\Run: [Tko] C:\WINDOWS\Bfi.exe
O4 - HKCU\..\Run: [Ugl] C:\WINDOWS\System32\Vbg.exe
O4 - HKCU\..\Run: [Brm] C:\WINDOWS\System32\Oaq.exe
O4 - HKCU\..\Run: [Fio] C:\WINDOWS\Agb.exe
O4 - HKCU\..\Run: [Ohe] C:\WINDOWS\Rvu.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Qbj.exe
O4 - HKCU\..\Run: [Iuu] C:\WINDOWS\Lkp.exe
O4 - HKCU\..\Run: [Cre] C:\WINDOWS\System32\Adk.exe
O4 - HKCU\..\Run: [Oqe] C:\WINDOWS\System32\Qut.exe
O4 - HKCU\..\Run: [Nci] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Fmn] C:\WINDOWS\Hnu.exe
O4 - HKCU\..\Run: [Pni] C:\WINDOWS\Uve.exe
O4 - HKCU\..\Run: [Qak] C:\WINDOWS\System32\Joo.exe
O4 - HKCU\..\Run: [Gpk] C:\WINDOWS\Fpn.exe
O4 - HKCU\..\Run: [Ntr] C:\WINDOWS\Fpc.exe
O4 - HKCU\..\Run: [Fjv] C:\WINDOWS\System32\Nbn.exe
O4 - HKCU\..\Run: [Fce] C:\WINDOWS\Hph.exe
O4 - HKCU\..\Run: [Gjs] C:\WINDOWS\System32\Jld.exe
O4 - HKCU\..\Run: [Rfb] C:\WINDOWS\System32\Vhh.exe
O4 - HKCU\..\Run: [Ihq] C:\WINDOWS\Uvh.exe
O4 - HKCU\..\Run: [Tvk] C:\WINDOWS\Llv.exe
O4 - HKCU\..\Run: [Afe] C:\WINDOWS\System32\Api.exe
O4 - HKCU\..\Run: [Pkd] C:\WINDOWS\Hor.exe
O4 - HKCU\..\Run: [Gvc] C:\WINDOWS\Lnc.exe
O4 - HKCU\..\Run: [Uub] C:\WINDOWS\Ark.exe
O4 - HKCU\..\Run: [Ugp] C:\WINDOWS\Mbo.exe
O4 - HKCU\..\Run: [Rbb] C:\WINDOWS\Eug.exe
O4 - HKCU\..\Run: [Udk] C:\WINDOWS\Opa.exe
O4 - HKCU\..\Run: [Htk] C:\WINDOWS\System32\Atd.exe
O4 - HKCU\..\Run: [Gsd] C:\WINDOWS\Scd.exe
O4 - HKCU\..\Run: [Bdm] C:\WINDOWS\System32\Lev.exe
O4 - HKCU\..\Run: [Utp] C:\WINDOWS\System32\Ikf.exe
O4 - HKCU\..\Run: [Qqf] C:\WINDOWS\Oun.exe
O4 - HKCU\..\Run: [Nuf] C:\WINDOWS\Rhp.exe
O4 - HKCU\..\Run: [Jji] C:\WINDOWS\Cjc.exe
O4 - HKCU\..\Run: [Aki] C:\WINDOWS\System32\Sbg.exe
O4 - HKCU\..\Run: [Jcl] C:\WINDOWS\System32\Ihv.exe
O4 - HKCU\..\Run: [Mcc] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Kui] C:\WINDOWS\Bjh.exe
O4 - HKCU\..\Run: [Unk] C:\WINDOWS\Kqc.exe
O4 - HKCU\..\Run: [Fgv] C:\WINDOWS\System32\Usr.exe
O4 - HKCU\..\Run: [Stv] C:\WINDOWS\System32\Egl.exe
O4 - HKCU\..\Run: [Sth] C:\WINDOWS\System32\Pro.exe
O4 - HKCU\..\Run: [Pei] C:\WINDOWS\Bqp.exe
O4 - HKCU\..\Run: [Qmb] C:\WINDOWS\System32\Prs.exe
O4 - HKCU\..\Run: [Jlq] C:\WINDOWS\Kpp.exe
O4 - HKCU\..\Run: [Avp] C:\WINDOWS\Nlp.exe
O4 - HKCU\..\Run: [Lpi] C:\WINDOWS\Dqo.exe
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\Chb.exe
O4 - HKCU\..\Run: [Igo] C:\WINDOWS\System32\Ctt.exe
O4 - HKCU\..\Run: [Aak] C:\WINDOWS\Efv.exe
O4 - HKCU\..\Run: [Son] C:\WINDOWS\Ghd.exe
O4 - HKCU\..\Run: [Dep] C:\WINDOWS\Vpi.exe
O4 - HKCU\..\Run: [Lto] C:\WINDOWS\Naj.exe
O4 - HKCU\..\Run: [Svh] C:\WINDOWS\Nht.exe
O4 - HKCU\..\Run: [Hou] C:\WINDOWS\Bcn.exe
O4 - HKCU\..\Run: [Isj] C:\WINDOWS\Upu.exe
O4 - HKCU\..\Run: [Bsn] C:\WINDOWS\Imj.exe
O4 - HKCU\..\Run: [Qcc] C:\WINDOWS\Hvn.exe
O4 - HKCU\..\Run: [Vvp] C:\WINDOWS\Hct.exe
O4 - HKCU\..\Run: [Ttn] C:\WINDOWS\Bpv.exe
O4 - HKCU\..\Run: [Gah] C:\WINDOWS\Qvt.exe
O4 - HKCU\..\Run: [Pjv] C:\WINDOWS\Ebg.exe
O4 - HKCU\..\Run: [Qgl] C:\WINDOWS\Bhb.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\Gha.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\Jid.exe
O4 - HKCU\..\Run: [Fag] C:\WINDOWS\System32\Sme.exe
O4 - HKCU\..\Run: [Peo] C:\WINDOWS\Bms.exe
O4 - HKCU\..\Run: [Lhd] C:\WINDOWS\System32\Ktc.exe
O4 - HKCU\..\Run: [Mjr] C:\WINDOWS\Dch.exe
O4 - HKCU\..\Run: [Knl] C:\WINDOWS\System32\Qlg.exe
O4 - HKCU\..\Run: [Emp] C:\WINDOWS\System32\Ord.exe
O4 - HKCU\..\Run: [Aru] C:\WINDOWS\Hpk.exe
O4 - HKCU\..\Run: [Jcn] C:\WINDOWS\System32\Iqg.exe
O4 - HKCU\..\Run: [Rlf] C:\WINDOWS\System32\Knn.exe
O4 - HKCU\..\Run: [Kjv] C:\WINDOWS\Mqq.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\Gqi.exe
O4 - HKCU\..\Run: [Tfk] C:\WINDOWS\System32\Vjl.exe
O4 - HKCU\..\Run: [Eob] C:\WINDOWS\System32\Tms.exe
O4 - HKCU\..\Run: [Eav] C:\WINDOWS\System32\Nnr.exe
O4 - HKCU\..\Run: [Vil] C:\WINDOWS\Npt.exe
O4 - HKCU\..\Run: [Fvi] C:\WINDOWS\Tik.exe
O4 - HKCU\..\Run: [Ifl] C:\WINDOWS\Kln.exe
O4 - HKCU\..\Run: [Old] C:\WINDOWS\Lol.exe
O4 - HKCU\..\Run: [Jao] C:\WINDOWS\System32\Ehi.exe
O4 - HKCU\..\Run: [Mte] C:\WINDOWS\Rtl.exe
O4 - HKCU\..\Run: [Qrm] C:\WINDOWS\System32\Lrk.exe
O4 - HKCU\..\Run: [Dfi] C:\WINDOWS\Usa.exe
O4 - HKCU\..\Run: [Tih] C:\WINDOWS\Nio.exe
O4 - HKCU\..\Run: [Ssc] C:\WINDOWS\Idp.exe
O4 - HKCU\..\Run: [Uqt] C:\WINDOWS\Ton.exe
O4 - HKCU\..\Run: [Bjd] C:\WINDOWS\System32\Qch.exe
O4 - HKCU\..\Run: [Uhb] C:\WINDOWS\System32\Ktt.exe
O4 - HKCU\..\Run: [Eti] C:\WINDOWS\System32\Qae.exe
O4 - HKCU\..\Run: [Gpb] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Olf] C:\WINDOWS\Bfc.exe
O4 - HKCU\..\Run: [Ecp] C:\WINDOWS\Giu.exe
O4 - HKCU\..\Run: [Ere] C:\WINDOWS\System32\Fua.exe
O4 - HKCU\..\Run: [Sqv] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Obq] C:\WINDOWS\System32\Kvc.exe
O4 - HKCU\..\Run: [Kaj] C:\WINDOWS\Ivn.exe
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb033 (http://\"http://bar.mywebsearch.com/menusearch.html?p=ZSzeb033\")
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

Seems there's lots here that needs checking!!

Here's the result from Rootkitrevealer:

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder   9/5/2005 6:24 PM   87 bytes   Data mismatch between Windows API and raw hive data.

Thanks again,
Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on November 12, 2005, 11:23:21 AM

I tried to reply earlier, but my replies weren't getting through

On th wife's account
Can you do the following

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php (http://\"http://69.50.191.52/1076/sp.php\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/ (http://\"http://69.50.191.52/1076/\")

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq= (http://\"http://bestsearch.cc/1076/search.php?qq=\")

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Imv] C:\WINDOWS\Lmn.exe
O4 - HKCU\..\Run: [Hoe] C:\WINDOWS\Ume.exe
O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Ifc.exe
O4 - HKCU\..\Run: [Clp] C:\WINDOWS\Luu.exe
O4 - HKCU\..\Run: [Hub] C:\WINDOWS\Hio.exe
O4 - HKCU\..\Run: [Sre] C:\WINDOWS\Iki.exe
O4 - HKCU\..\Run: [Sci] C:\WINDOWS\Lbq.exe
O4 - HKCU\..\Run: [Gja] C:\WINDOWS\Udh.exe
O4 - HKCU\..\Run: [Lds] C:\WINDOWS\Oje.exe
O4 - HKCU\..\Run: [Kcm] C:\WINDOWS\System32\Tkf.exe
O4 - HKCU\..\Run: [Mes] C:\WINDOWS\Niu.exe
O4 - HKCU\..\Run: [Sbk] C:\WINDOWS\System32\Flv.exe
O4 - HKCU\..\Run: [Jtn] C:\WINDOWS\Nro.exe
O4 - HKCU\..\Run: [Tao] C:\WINDOWS\System32\Akf.exe
O4 - HKCU\..\Run: [Klt] C:\WINDOWS\Nbe.exe
O4 - HKCU\..\Run: [Ohn] C:\WINDOWS\System32\Neg.exe
O4 - HKCU\..\Run: [Bou] C:\WINDOWS\System32\Kme.exe
O4 - HKCU\..\Run: [Jek] C:\WINDOWS\System32\Icv.exe
O4 - HKCU\..\Run: [Pia] C:\WINDOWS\System32\Vgh.exe
O4 - HKCU\..\Run: [Hea] C:\WINDOWS\System32\Ubt.exe
O4 - HKCU\..\Run: [Jgc] C:\WINDOWS\System32\Vct.exe
O4 - HKCU\..\Run: [Evh] C:\WINDOWS\Jre.exe
O4 - HKCU\..\Run: [Sju] C:\WINDOWS\System32\Uva.exe
O4 - HKCU\..\Run: [Uai] C:\WINDOWS\Lfa.exe
O4 - HKCU\..\Run: [Mkh] C:\WINDOWS\System32\Pji.exe
O4 - HKCU\..\Run: [Qrh] C:\WINDOWS\Hfs.exe
O4 - HKCU\..\Run: [Ijo] C:\WINDOWS\Qaj.exe
O4 - HKCU\..\Run: [Osi] C:\WINDOWS\System32\Eqo.exe
O4 - HKCU\..\Run: [Bno] C:\WINDOWS\System32\Maa.exe
O4 - HKCU\..\Run: [Vfg] C:\WINDOWS\System32\Vbo.exe
O4 - HKCU\..\Run: [Jks] C:\WINDOWS\System32\Gje.exe
O4 - HKCU\..\Run: [Npr] C:\WINDOWS\Rvo.exe
O4 - HKCU\..\Run: [Mpu] C:\WINDOWS\System32\Niv.exe
O4 - HKCU\..\Run: [Rcq] C:\WINDOWS\System32\Irh.exe
O4 - HKCU\..\Run: [Mjm] C:\WINDOWS\Uon.exe
O4 - HKCU\..\Run: [Peh] C:\WINDOWS\Mhn.exe
O4 - HKCU\..\Run: [Hlk] C:\WINDOWS\Qne.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\Mti.exe
O4 - HKCU\..\Run: [Dqm] C:\WINDOWS\System32\Tcq.exe
O4 - HKCU\..\Run: [Fqd] C:\WINDOWS\Sat.exe
O4 - HKCU\..\Run: [Huv] C:\WINDOWS\Roc.exe
O4 - HKCU\..\Run: [Mqa] C:\WINDOWS\Jom.exe
O4 - HKCU\..\Run: [Evs] C:\WINDOWS\Nda.exe
O4 - HKCU\..\Run: [Gqu] C:\WINDOWS\Ngp.exe
O4 - HKCU\..\Run: [Cid] C:\WINDOWS\System32\Ess.exe
O4 - HKCU\..\Run: [Gis] C:\WINDOWS\Acp.exe
O4 - HKCU\..\Run: [Rps] C:\WINDOWS\System32\Dtm.exe
O4 - HKCU\..\Run: [Jea] C:\WINDOWS\System32\Hdp.exe
O4 - HKCU\..\Run: [Pnd] C:\WINDOWS\System32\Nff.exe
O4 - HKCU\..\Run: [Bku] C:\WINDOWS\System32\Sca.exe
O4 - HKCU\..\Run: [Pad] C:\WINDOWS\System32\Psj.exe
O4 - HKCU\..\Run: [Cbh] C:\WINDOWS\Qnf.exe
O4 - HKCU\..\Run: [Bnu] C:\WINDOWS\Evh.exe
O4 - HKCU\..\Run: [Eer] C:\WINDOWS\Rgm.exe
O4 - HKCU\..\Run: [Bkj] C:\WINDOWS\System32\Arb.exe
O4 - HKCU\..\Run: [Eka] C:\WINDOWS\System32\Omr.exe
O4 - HKCU\..\Run: [Vme] C:\WINDOWS\Hun.exe
O4 - HKCU\..\Run: [Tva] C:\WINDOWS\System32\Uuu.exe
O4 - HKCU\..\Run: [Acb] C:\WINDOWS\System32\Bnf.exe
O4 - HKCU\..\Run: [Ldl] C:\WINDOWS\Kma.exe
O4 - HKCU\..\Run: [Mbs] C:\WINDOWS\System32\Ejo.exe
O4 - HKCU\..\Run: [Scn] C:\WINDOWS\Ibv.exe
O4 - HKCU\..\Run: [Ovn] C:\WINDOWS\Fjg.exe
O4 - HKCU\..\Run: [Omr] C:\WINDOWS\Ooi.exe
O4 - HKCU\..\Run: [Fji] C:\WINDOWS\Dbg.exe
O4 - HKCU\..\Run: [Jjr] C:\WINDOWS\Cvc.exe
O4 - HKCU\..\Run: [Esh] C:\WINDOWS\Ldg.exe
O4 - HKCU\..\Run: [Dcs] C:\WINDOWS\Nqd.exe
O4 - HKCU\..\Run: [Irt] C:\WINDOWS\Sqi.exe
O4 - HKCU\..\Run: [Lsl] C:\WINDOWS\System32\Juj.exe
O4 - HKCU\..\Run: [Lbr] C:\WINDOWS\System32\Ncj.exe
O4 - HKCU\..\Run: [Omv] C:\WINDOWS\System32\Efp.exe
O4 - HKCU\..\Run: [Ssa] C:\WINDOWS\Ugd.exe
O4 - HKCU\..\Run: [Lnp] C:\WINDOWS\Ofo.exe
O4 - HKCU\..\Run: [Tda] C:\WINDOWS\Ugg.exe
O4 - HKCU\..\Run: [Hgd] C:\WINDOWS\System32\Rfn.exe
O4 - HKCU\..\Run: [Amh] C:\WINDOWS\Pvb.exe
O4 - HKCU\..\Run: [Ofj] C:\WINDOWS\Muk.exe
O4 - HKCU\..\Run: [Jvf] C:\WINDOWS\System32\Feo.exe
O4 - HKCU\..\Run: [Fsl] C:\WINDOWS\Crl.exe
O4 - HKCU\..\Run: [Tur] C:\WINDOWS\Jfi.exe
O4 - HKCU\..\Run: [Mdd] C:\WINDOWS\Hjh.exe
O4 - HKCU\..\Run: [Lqe] C:\WINDOWS\Psp.exe
O4 - HKCU\..\Run: [Nqi] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Msf] C:\WINDOWS\Jbp.exe
O4 - HKCU\..\Run: [Dlu] C:\WINDOWS\System32\Vud.exe
O4 - HKCU\..\Run: [Okf] C:\WINDOWS\Veb.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\System32\Hib.exe
O4 - HKCU\..\Run: [Rli] C:\WINDOWS\System32\Cdr.exe
O4 - HKCU\..\Run: [Qdl] C:\WINDOWS\Lph.exe
O4 - HKCU\..\Run: [Qip] C:\WINDOWS\System32\Hve.exe
O4 - HKCU\..\Run: [Quj] C:\WINDOWS\Urk.exe
O4 - HKCU\..\Run: [Dqo] C:\WINDOWS\Qlm.exe
O4 - HKCU\..\Run: [Vov] C:\WINDOWS\Pou.exe
O4 - HKCU\..\Run: [Fec] C:\WINDOWS\System32\Bdn.exe
O4 - HKCU\..\Run: [Tqi] C:\WINDOWS\Jho.exe
O4 - HKCU\..\Run: [Gak] C:\WINDOWS\System32\Dgb.exe
O4 - HKCU\..\Run: [Fgm] C:\WINDOWS\Ldi.exe
O4 - HKCU\..\Run: [Rev] C:\WINDOWS\Kdk.exe
O4 - HKCU\..\Run: [Pmv] C:\WINDOWS\Rps.exe
O4 - HKCU\..\Run: [Hiq] C:\WINDOWS\System32\Uuc.exe
O4 - HKCU\..\Run: [Mjp] C:\WINDOWS\Dkm.exe
O4 - HKCU\..\Run: [Tmu] C:\WINDOWS\System32\Ele.exe
O4 - HKCU\..\Run: [Nto] C:\WINDOWS\Rlc.exe
O4 - HKCU\..\Run: [Qah] C:\WINDOWS\Rbk.exe
O4 - HKCU\..\Run: [Eae] C:\WINDOWS\Bqn.exe
O4 - HKCU\..\Run: [Crq] C:\WINDOWS\System32\Rtg.exe
O4 - HKCU\..\Run: [Ebd] C:\WINDOWS\System32\Tuo.exe
O4 - HKCU\..\Run: [Cnk] C:\WINDOWS\Bvi.exe
O4 - HKCU\..\Run: [Hku] C:\WINDOWS\System32\Pch.exe
O4 - HKCU\..\Run: [Rmm] C:\WINDOWS\Ugq.exe
O4 - HKCU\..\Run: [Jqm] C:\WINDOWS\System32\Grl.exe
O4 - HKCU\..\Run: [Lru] C:\WINDOWS\System32\Tqf.exe
O4 - HKCU\..\Run: [Pob] C:\WINDOWS\Dgo.exe
O4 - HKCU\..\Run: [Rkk] C:\WINDOWS\Veq.exe
O4 - HKCU\..\Run: [Evd] C:\WINDOWS\Fik.exe
O4 - HKCU\..\Run: [Irq] C:\WINDOWS\System32\Rhh.exe
O4 - HKCU\..\Run: [Gtg] C:\WINDOWS\System32\Dlu.exe
O4 - HKCU\..\Run: [Gbt] C:\WINDOWS\Vss.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\System32\Mfs.exe
O4 - HKCU\..\Run: [Cov] C:\WINDOWS\System32\Hir.exe
O4 - HKCU\..\Run: [Ntj] C:\WINDOWS\System32\Hai.exe
O4 - HKCU\..\Run: [Lud] C:\WINDOWS\System32\Rgr.exe
O4 - HKCU\..\Run: [Eko] C:\WINDOWS\System32\Grp.exe
O4 - HKCU\..\Run: [Stl] C:\WINDOWS\Ilr.exe
O4 - HKCU\..\Run: [Jnb] C:\WINDOWS\Obq.exe
O4 - HKCU\..\Run: [Ism] C:\WINDOWS\Mtk.exe
O4 - HKCU\..\Run: [Mdl] C:\WINDOWS\System32\Fvq.exe
O4 - HKCU\..\Run: [Nba] C:\WINDOWS\System32\Gst.exe
O4 - HKCU\..\Run: [Joo] C:\WINDOWS\Gja.exe
O4 - HKCU\..\Run: [Ajt] C:\WINDOWS\Jao.exe
O4 - HKCU\..\Run: [Oce] C:\WINDOWS\System32\Fjm.exe
O4 - HKCU\..\Run: [Skp] C:\WINDOWS\System32\Eol.exe
O4 - HKCU\..\Run: [Krb] C:\WINDOWS\System32\Tmj.exe
O4 - HKCU\..\Run: [Ifv] C:\WINDOWS\Hqn.exe
O4 - HKCU\..\Run: [Miu] C:\WINDOWS\Gsu.exe
O4 - HKCU\..\Run: [Iqj] C:\WINDOWS\System32\Rcf.exe
O4 - HKCU\..\Run: [Pjp] C:\WINDOWS\Glt.exe
O4 - HKCU\..\Run: [Bht] C:\WINDOWS\System32\Brq.exe
O4 - HKCU\..\Run: [Pok] C:\WINDOWS\Sja.exe
O4 - HKCU\..\Run: [Ljk] C:\WINDOWS\System32\Ava.exe
O4 - HKCU\..\Run: [Clv] C:\WINDOWS\Qeu.exe
O4 - HKCU\..\Run: [Ibn] C:\WINDOWS\Vje.exe
O4 - HKCU\..\Run: [Hlr] C:\WINDOWS\System32\Cna.exe
O4 - HKCU\..\Run: [Trj] C:\WINDOWS\Fst.exe
O4 - HKCU\..\Run: [Jps] C:\WINDOWS\Vnc.exe
O4 - HKCU\..\Run: [Gvv] C:\WINDOWS\Mah.exe
O4 - HKCU\..\Run: [Glt] C:\WINDOWS\System32\Hkm.exe
O4 - HKCU\..\Run: [Ivd] C:\WINDOWS\System32\Jit.exe
O4 - HKCU\..\Run: [Vgm] C:\WINDOWS\System32\Iok.exe
O4 - HKCU\..\Run: [Kqt] C:\WINDOWS\System32\Rkd.exe
O4 - HKCU\..\Run: [Dgp] C:\WINDOWS\Ffk.exe
O4 - HKCU\..\Run: [Svj] C:\WINDOWS\System32\Vfe.exe
O4 - HKCU\..\Run: [Gvb] C:\WINDOWS\Sko.exe
O4 - HKCU\..\Run: [Dan] C:\WINDOWS\Djk.exe
O4 - HKCU\..\Run: [Nng] C:\WINDOWS\System32\Hjt.exe
O4 - HKCU\..\Run: [Vrf] C:\WINDOWS\System32\Pne.exe
O4 - HKCU\..\Run: [Qbf] C:\WINDOWS\System32\Oek.exe
O4 - HKCU\..\Run: [Ijs] C:\WINDOWS\System32\Rto.exe
O4 - HKCU\..\Run: [Hds] C:\WINDOWS\System32\Som.exe
O4 - HKCU\..\Run: [Eun] C:\WINDOWS\System32\Utb.exe
O4 - HKCU\..\Run: [Mrd] C:\WINDOWS\Vor.exe
O4 - HKCU\..\Run: [Jvt] C:\WINDOWS\System32\Lot.exe
O4 - HKCU\..\Run: [Ver] C:\WINDOWS\System32\Ndc.exe
O4 - HKCU\..\Run: [Dct] C:\WINDOWS\System32\Sds.exe
O4 - HKCU\..\Run: [Kqi] C:\WINDOWS\Kss.exe
O4 - HKCU\..\Run: [Opj] C:\WINDOWS\System32\Ibr.exe
O4 - HKCU\..\Run: [Hht] C:\WINDOWS\System32\Mki.exe
O4 - HKCU\..\Run: [Gst] C:\WINDOWS\System32\Rhf.exe
O4 - HKCU\..\Run: [Nbp] C:\WINDOWS\System32\Vre.exe
O4 - HKCU\..\Run: [Pju] C:\WINDOWS\Fsk.exe
O4 - HKCU\..\Run: [Vim] C:\WINDOWS\System32\Ufn.exe
O4 - HKCU\..\Run: [Qfo] C:\WINDOWS\Bjd.exe
O4 - HKCU\..\Run: [Qmt] C:\WINDOWS\System32\Hgf.exe
O4 - HKCU\..\Run: [Fsn] C:\WINDOWS\Fic.exe
O4 - HKCU\..\Run: [Kpd] C:\WINDOWS\Evn.exe
O4 - HKCU\..\Run: [Ocr] C:\WINDOWS\System32\Por.exe
O4 - HKCU\..\Run: [Hdv] C:\WINDOWS\Rrf.exe
O4 - HKCU\..\Run: [Erk] C:\WINDOWS\System32\Jsb.exe
O4 - HKCU\..\Run: [Cng] C:\WINDOWS\Ffj.exe
O4 - HKCU\..\Run: [Fcb] C:\WINDOWS\Kpq.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Rpe.exe
O4 - HKCU\..\Run: [Bvr] C:\WINDOWS\Fun.exe
O4 - HKCU\..\Run: [Pma] C:\WINDOWS\System32\Gdt.exe
O4 - HKCU\..\Run: [Etr] C:\WINDOWS\Mep.exe
O4 - HKCU\..\Run: [Rjp] C:\WINDOWS\Igd.exe
O4 - HKCU\..\Run: [Boj] C:\WINDOWS\System32\Pnu.exe
O4 - HKCU\..\Run: [Obl] C:\WINDOWS\System32\Nli.exe
O4 - HKCU\..\Run: [Nem] C:\WINDOWS\System32\Pdh.exe
O4 - HKCU\..\Run: [Nnj] C:\WINDOWS\Nog.exe
O4 - HKCU\..\Run: [Lar] C:\WINDOWS\System32\Vvk.exe
O4 - HKCU\..\Run: [Npm] C:\WINDOWS\Mst.exe
O4 - HKCU\..\Run: [Tmq] C:\WINDOWS\System32\Uam.exe
O4 - HKCU\..\Run: [Kct] C:\WINDOWS\Hkk.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\Vea.exe
O4 - HKCU\..\Run: [Hfu] C:\WINDOWS\System32\Cft.exe
O4 - HKCU\..\Run: [Fef] C:\WINDOWS\Nff.exe
O4 - HKCU\..\Run: [Dao] C:\WINDOWS\System32\Sld.exe
O4 - HKCU\..\Run: [Csc] C:\WINDOWS\System32\Jtc.exe
O4 - HKCU\..\Run: [Hpn] C:\WINDOWS\Ehf.exe
O4 - HKCU\..\Run: [Tnc] C:\WINDOWS\System32\Rnl.exe
O4 - HKCU\..\Run: [Tkd] C:\WINDOWS\System32\Tfq.exe
O4 - HKCU\..\Run: [Cuf] C:\WINDOWS\Ijl.exe
O4 - HKCU\..\Run: [Ebk] C:\WINDOWS\System32\Vqr.exe
O4 - HKCU\..\Run: [Vep] C:\WINDOWS\System32\Rih.exe
O4 - HKCU\..\Run: [Odr] C:\WINDOWS\System32\Fti.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ptp.exe
O4 - HKCU\..\Run: [Ker] C:\WINDOWS\System32\Olh.exe
O4 - HKCU\..\Run: [Oaa] C:\WINDOWS\System32\Ukl.exe
O4 - HKCU\..\Run: [Tod] C:\WINDOWS\Buc.exe
O4 - HKCU\..\Run: [Eed] C:\WINDOWS\System32\Lpi.exe
O4 - HKCU\..\Run: [Oae] C:\WINDOWS\System32\Geq.exe
O4 - HKCU\..\Run: [Sfb] C:\WINDOWS\System32\Fem.exe
O4 - HKCU\..\Run: [Hba] C:\WINDOWS\Tpm.exe
O4 - HKCU\..\Run: [Tup] C:\WINDOWS\Hcu.exe
O4 - HKCU\..\Run: [Ljh] C:\WINDOWS\Bun.exe
O4 - HKCU\..\Run: [Mlm] C:\WINDOWS\System32\Fdt.exe
O4 - HKCU\..\Run: [Jsr] C:\WINDOWS\System32\Uem.exe
O4 - HKCU\..\Run: [Erm] C:\WINDOWS\Min.exe
O4 - HKCU\..\Run: [Rar] C:\WINDOWS\System32\Vba.exe
O4 - HKCU\..\Run: [Vkl] C:\WINDOWS\Jfo.exe
O4 - HKCU\..\Run: [Ukv] C:\WINDOWS\System32\Gqr.exe
O4 - HKCU\..\Run: [Ace] C:\WINDOWS\Jjn.exe
O4 - HKCU\..\Run: [Llq] C:\WINDOWS\Nat.exe
O4 - HKCU\..\Run: [Qce] C:\WINDOWS\Uoj.exe
O4 - HKCU\..\Run: [Pmg] C:\WINDOWS\Erc.exe
O4 - HKCU\..\Run: [Jog] C:\WINDOWS\Dvd.exe
O4 - HKCU\..\Run: [Pba] C:\WINDOWS\System32\Iol.exe
O4 - HKCU\..\Run: [Vau] C:\WINDOWS\System32\Mpf.exe
O4 - HKCU\..\Run: [Gub] C:\WINDOWS\Rtf.exe
O4 - HKCU\..\Run: [Sjt] C:\WINDOWS\System32\Luc.exe
O4 - HKCU\..\Run: [Mel] C:\WINDOWS\Tch.exe
O4 - HKCU\..\Run: [Nal] C:\WINDOWS\System32\Ipc.exe
O4 - HKCU\..\Run: [Nok] C:\WINDOWS\Ial.exe
O4 - HKCU\..\Run: [Pto] C:\WINDOWS\Dda.exe
O4 - HKCU\..\Run: [Tko] C:\WINDOWS\Bfi.exe
O4 - HKCU\..\Run: [Ugl] C:\WINDOWS\System32\Vbg.exe
O4 - HKCU\..\Run: [Brm] C:\WINDOWS\System32\Oaq.exe
O4 - HKCU\..\Run: [Fio] C:\WINDOWS\Agb.exe
O4 - HKCU\..\Run: [Ohe] C:\WINDOWS\Rvu.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Qbj.exe
O4 - HKCU\..\Run: [Iuu] C:\WINDOWS\Lkp.exe
O4 - HKCU\..\Run: [Cre] C:\WINDOWS\System32\Adk.exe
O4 - HKCU\..\Run: [Oqe] C:\WINDOWS\System32\Qut.exe
O4 - HKCU\..\Run: [Nci] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Fmn] C:\WINDOWS\Hnu.exe
O4 - HKCU\..\Run: [Pni] C:\WINDOWS\Uve.exe
O4 - HKCU\..\Run: [Qak] C:\WINDOWS\System32\Joo.exe
O4 - HKCU\..\Run: [Gpk] C:\WINDOWS\Fpn.exe
O4 - HKCU\..\Run: [Ntr] C:\WINDOWS\Fpc.exe
O4 - HKCU\..\Run: [Fjv] C:\WINDOWS\System32\Nbn.exe
O4 - HKCU\..\Run: [Fce] C:\WINDOWS\Hph.exe
O4 - HKCU\..\Run: [Gjs] C:\WINDOWS\System32\Jld.exe
O4 - HKCU\..\Run: [Rfb] C:\WINDOWS\System32\Vhh.exe
O4 - HKCU\..\Run: [Ihq] C:\WINDOWS\Uvh.exe
O4 - HKCU\..\Run: [Tvk] C:\WINDOWS\Llv.exe
O4 - HKCU\..\Run: [Afe] C:\WINDOWS\System32\Api.exe
O4 - HKCU\..\Run: [Pkd] C:\WINDOWS\Hor.exe
O4 - HKCU\..\Run: [Gvc] C:\WINDOWS\Lnc.exe
O4 - HKCU\..\Run: [Uub] C:\WINDOWS\Ark.exe
O4 - HKCU\..\Run: [Ugp] C:\WINDOWS\Mbo.exe
O4 - HKCU\..\Run: [Rbb] C:\WINDOWS\Eug.exe
O4 - HKCU\..\Run: [Udk] C:\WINDOWS\Opa.exe
O4 - HKCU\..\Run: [Htk] C:\WINDOWS\System32\Atd.exe
O4 - HKCU\..\Run: [Gsd] C:\WINDOWS\Scd.exe
O4 - HKCU\..\Run: [Bdm] C:\WINDOWS\System32\Lev.exe
O4 - HKCU\..\Run: [Utp] C:\WINDOWS\System32\Ikf.exe
O4 - HKCU\..\Run: [Qqf] C:\WINDOWS\Oun.exe
O4 - HKCU\..\Run: [Nuf] C:\WINDOWS\Rhp.exe
O4 - HKCU\..\Run: [Jji] C:\WINDOWS\Cjc.exe
O4 - HKCU\..\Run: [Aki] C:\WINDOWS\System32\Sbg.exe
O4 - HKCU\..\Run: [Jcl] C:\WINDOWS\System32\Ihv.exe
O4 - HKCU\..\Run: [Mcc] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Kui] C:\WINDOWS\Bjh.exe
O4 - HKCU\..\Run: [Unk] C:\WINDOWS\Kqc.exe
O4 - HKCU\..\Run: [Fgv] C:\WINDOWS\System32\Usr.exe
O4 - HKCU\..\Run: [Stv] C:\WINDOWS\System32\Egl.exe
O4 - HKCU\..\Run: [Sth] C:\WINDOWS\System32\Pro.exe
O4 - HKCU\..\Run: [Pei] C:\WINDOWS\Bqp.exe
O4 - HKCU\..\Run: [Qmb] C:\WINDOWS\System32\Prs.exe
O4 - HKCU\..\Run: [Jlq] C:\WINDOWS\Kpp.exe
O4 - HKCU\..\Run: [Avp] C:\WINDOWS\Nlp.exe
O4 - HKCU\..\Run: [Lpi] C:\WINDOWS\Dqo.exe
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\Chb.exe
O4 - HKCU\..\Run: [Igo] C:\WINDOWS\System32\Ctt.exe
O4 - HKCU\..\Run: [Aak] C:\WINDOWS\Efv.exe
O4 - HKCU\..\Run: [Son] C:\WINDOWS\Ghd.exe
O4 - HKCU\..\Run: [Dep] C:\WINDOWS\Vpi.exe
O4 - HKCU\..\Run: [Lto] C:\WINDOWS\Naj.exe
O4 - HKCU\..\Run: [Svh] C:\WINDOWS\Nht.exe
O4 - HKCU\..\Run: [Hou] C:\WINDOWS\Bcn.exe
O4 - HKCU\..\Run: [Isj] C:\WINDOWS\Upu.exe
O4 - HKCU\..\Run: [Bsn] C:\WINDOWS\Imj.exe
O4 - HKCU\..\Run: [Qcc] C:\WINDOWS\Hvn.exe
O4 - HKCU\..\Run: [Vvp] C:\WINDOWS\Hct.exe
O4 - HKCU\..\Run: [Ttn] C:\WINDOWS\Bpv.exe
O4 - HKCU\..\Run: [Gah] C:\WINDOWS\Qvt.exe
O4 - HKCU\..\Run: [Pjv] C:\WINDOWS\Ebg.exe
O4 - HKCU\..\Run: [Qgl] C:\WINDOWS\Bhb.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\Gha.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\Jid.exe
O4 - HKCU\..\Run: [Fag] C:\WINDOWS\System32\Sme.exe
O4 - HKCU\..\Run: [Peo] C:\WINDOWS\Bms.exe
O4 - HKCU\..\Run: [Lhd] C:\WINDOWS\System32\Ktc.exe
O4 - HKCU\..\Run: [Mjr] C:\WINDOWS\Dch.exe
O4 - HKCU\..\Run: [Knl] C:\WINDOWS\System32\Qlg.exe
O4 - HKCU\..\Run: [Emp] C:\WINDOWS\System32\Ord.exe
O4 - HKCU\..\Run: [Aru] C:\WINDOWS\Hpk.exe
O4 - HKCU\..\Run: [Jcn] C:\WINDOWS\System32\Iqg.exe
O4 - HKCU\..\Run: [Rlf] C:\WINDOWS\System32\Knn.exe
O4 - HKCU\..\Run: [Kjv] C:\WINDOWS\Mqq.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\Gqi.exe
O4 - HKCU\..\Run: [Tfk] C:\WINDOWS\System32\Vjl.exe
O4 - HKCU\..\Run: [Eob] C:\WINDOWS\System32\Tms.exe
O4 - HKCU\..\Run: [Eav] C:\WINDOWS\System32\Nnr.exe
O4 - HKCU\..\Run: [Vil] C:\WINDOWS\Npt.exe
O4 - HKCU\..\Run: [Fvi] C:\WINDOWS\Tik.exe
O4 - HKCU\..\Run: [Ifl] C:\WINDOWS\Kln.exe
O4 - HKCU\..\Run: [Old] C:\WINDOWS\Lol.exe
O4 - HKCU\..\Run: [Jao] C:\WINDOWS\System32\Ehi.exe
O4 - HKCU\..\Run: [Mte] C:\WINDOWS\Rtl.exe
O4 - HKCU\..\Run: [Qrm] C:\WINDOWS\System32\Lrk.exe
O4 - HKCU\..\Run: [Dfi] C:\WINDOWS\Usa.exe
O4 - HKCU\..\Run: [Tih] C:\WINDOWS\Nio.exe
O4 - HKCU\..\Run: [Ssc] C:\WINDOWS\Idp.exe
O4 - HKCU\..\Run: [Uqt] C:\WINDOWS\Ton.exe
O4 - HKCU\..\Run: [Bjd] C:\WINDOWS\System32\Qch.exe
O4 - HKCU\..\Run: [Uhb] C:\WINDOWS\System32\Ktt.exe
O4 - HKCU\..\Run: [Eti] C:\WINDOWS\System32\Qae.exe
O4 - HKCU\..\Run: [Gpb] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Olf] C:\WINDOWS\Bfc.exe
O4 - HKCU\..\Run: [Ecp] C:\WINDOWS\Giu.exe
O4 - HKCU\..\Run: [Ere] C:\WINDOWS\System32\Fua.exe
O4 - HKCU\..\Run: [Sqv] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Obq] C:\WINDOWS\System32\Kvc.exe
O4 - HKCU\..\Run: [Kaj] C:\WINDOWS\Ivn.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm



After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in Windows
The items found by Rootkit Revealer look harmless
but can you do the following

Download and Save F-secure's Blacklight (http://\"http://www.f-secure.com/blacklight/try.shtml\")  to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Title: SmartSecurity and other problems
Post by: Jarcy on November 13, 2005, 06:49:24 PM

Guestolo,

I've checked the items through Hijackthis under my wife's profile.
Blacklight didn't find any hidden items, but here's the log:

11/13/05 23:41:20 [Info]: BlackLight Engine 1.0.25 initialized
11/13/05 23:41:20 [Info]: OS: 5.1 build 2600 (Service Pack 1)
11/13/05 23:41:20 [Note]: 4019 4
11/13/05 23:41:20 [Note]: 4005 0
11/13/05 23:41:38 [Note]: 4006 0
11/13/05 23:41:38 [Note]: 4011 1832
11/13/05 23:41:39 [Note]: FSRAW library version 1.7.1013

Unfortunately none of the current problems have improved yet.

Many thanks, Jarcy.

Title: SmartSecurity and other problems
Post by: guestolo on November 13, 2005, 08:29:20 PM

When I asked you to do this
Did you follow all the steps completely?

Quote

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe (http://\"http://www.thespykiller.co.uk/files/cleandesktop.exe\") and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script.

If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it "Cannot find script file "blah blah blah" then don't worry just double click the cleandesktop.vbs script again as you sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up
Another vbs is included to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs.

Open C:\ (Go to Start – Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your prefered picture press apply & then ok to exit and then press F5

You will need to do this step for every user account

Can you also randomly look for any of these files we removed with hijackthis
Do any exist
Eg...
C:\WINDOWS\Jre.exe <-this file
C:\WINDOWS\System32\Uva.exe <-file

Do you have any other user accounts on this computer?

That log you saved earlier with Ewido, is it visible now, can you post it if it is

Title: SmartSecurity and other problems
Post by: Jarcy on November 14, 2005, 06:35:39 PM

Guestolo,

I did originally run the cleandesktop against each of my 4 user accounts, but I've rerun it again against each. I also ran Hijackthis against the 2 remaining user accounts, and took the liberty of checking and removing the following:

User Adam,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php (http://\"http://69.50.191.52/1076/sp.php\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/ (http://\"http://69.50.191.52/1076/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php (http://\"http://bestsearch.cc/1076/search.php\")

User Sam,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php (http://\"http://69.50.191.52/1076/sp.php\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/ (http://\"http://69.50.191.52/1076/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?O4 (http://\"http://bestsearch.cc/1076/search.php?O4\") - HKCU\..\Run: [Otl] C:\WINDOWS\System32\Vgm.exe
O4 - HKCU\..\Run: [Unf] C:\WINDOWS\System32\Rep.exe
O4 - HKCU\..\Run: [Uns] C:\WINDOWS\Hkt.exe
O4 - HKCU\..\Run: [Ana] C:\WINDOWS\System32\Fvq.exe
O4 - HKCU\..\Run: [Frp] C:\WINDOWS\System32\Nub.exe
O4 - HKCU\..\Run: [Fnn] C:\WINDOWS\System32\Eho.exe

I found the original Ewido log. Here it is:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         7:29:32 AM, 10/20/2005
 + Report-Checksum:      CDE33FDB

 + Scan result:

   HKLM\SOFTWARE\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\adm.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\{99A8E2B2-3405-4C0D-9110-131C14CAAF62} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Classes\GSDA.GSDACtl\CLSID\\ -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Classes\GSDA.GSDACtl.1\CLSID\\ -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{29E825AA-13BC-457C-806A-D72E4A25B3C5} -> Spyware.BrilliantDigital : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{29E825AA-13BC-457C-806A-D72E4A25B3C5}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438} -> Spyware.BrilliantDigital : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\LocalNRDDll.LocalNRDDllObj.1 -> Spyware.BetterInternet : Cleaned with backup
   HKLM\SOFTWARE\Classes\LocalNRDDll.LocalNRDDllObj.1\CLSID\\ -> Spyware.TwainTech : Cleaned with backup
   HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\\CLSID -> Spyware.Hijacker.Generic : Cleaned with backup
   HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\\CLSID -> Spyware.Hijacker.Generic : Cleaned with backup
   HKLM\SOFTWARE\Classes\SearchRelevant\CLSID\\ -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Updater.BHO\CLSID\\ -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B72F75B8-93F3-429D-B13E-660B206D897A} -> Spyware.Hijacker.Generic : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\.Owner -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\.Owner -> Spyware.Gator : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltnetDM -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!! -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Relevancy -> Spyware.SearchRelevancy : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows ControlAd -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
   HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
   C:\Documents and Settings\John Canfield\My Documents\Download Software\backup-20040928-211232-167.dll -> Spyware.Wesbar : Cleaned with backup
   C:\Documents and Settings\John Canfield\My Documents\Download Software\backup-20040928-211232-841.dll -> Spyware.MyWebSearch : Cleaned with backup
   C:\Documents and Settings\John Canfield\My Documents\Download Software\backup-20040929-012615-805.dll -> Spyware.BiSpy : Cleaned with backup
   C:\Program Files\Kazaa\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
   C:\Program Files\SearchRelevant\SearchRelevant.dll -> Spyware.Relevance : Cleaned with backup
   C:\Program Files\Windows AdControl\WinAdShift.dll -> Spyware.WinAD : Cleaned with backup
   C:\Program Files\Windows TaskAd\WinProject.dll -> Spyware.WinAD : Cleaned with backup
   C:\Program Files\Windows TaskAd\WinTaskAd.exe -> Spyware.WinAD : Cleaned with backup
   C:\RECYCLER\S-1-5-21-4018580023-3645477719-86686005-1009\Dc7.exe -> Spyware.ConsCorr : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\gsda.dll -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
   C:\WINDOWS\LastGood\ZServ.dll -> Spyware.BiSpy : Cleaned with backup
   C:\WINDOWS\preInsln.exe -> Spyware.BiSpy : Cleaned with backup
   C:\WINDOWS\pss\winupdate25236385[1].exeStartup -> TrojanDownloader.Small.ait : Cleaned with backup
   C:\WINDOWS\pss\winupdate87250345[1].exeStartup -> TrojanDownloader.Small.ait : Cleaned with backup
   C:\WINDOWS\system32\20723828.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\20723968.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\315046.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\54885734.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\6148843.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\6149078.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\661218.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\78387359.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\8072218.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\82312.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\9101531.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\948609.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\949906.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\98671.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\f3pssavr.scr -> Spyware.MyWebSearch : Cleaned with backup
   C:\WINDOWS\system32\mszx23.exe -> Backdoor.Haxdoor.bh : Cleaned with backup
   C:\WINDOWS\system32\notepad.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\winlow.sys -> Backdoor.Haxdoor.bb : Cleaned with backup
   C:\WINDOWS\ZServ.dll_tobedeleted -> Spyware.DlMax : Cleaned with backup


::Report End

And I rerun the report today, and it still fixed 17 items. Here's the report:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         11:16:20 PM, 11/14/2005
 + Report-Checksum:      557CB4EE

 + Scan result:

   HKU\S-1-5-21-4018580023-3645477719-86686005-1007\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\180solutions\msbb -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\LocalNRD -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\ZServ -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\180solutions\msbb -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\LocalNRD -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\180solutions\msbb -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\LocalNRD -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\ZServ -> Spyware.BetterInternet : Cleaned with backup


::Report End

Do you want me to post a new hijackthis for my other 2 user accounts?

Many thanks again.

Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on November 14, 2005, 11:34:43 PM

Yes please
Post the logs from the other users

I want to try this one more time
From my signature below, try and run an online virus scan at Kaspersky's
You will be promted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database:
            Extended (if available otherwise Standard)
          o Scan Options:
            Scan Archives
            Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
            Select My Computer
    * This program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
          o Now click on the Save as Text button:
    * Save the file to your desktop.
    * Copy and paste that information in your next post.

Title: SmartSecurity and other problems
Post by: Jarcy on November 15, 2005, 05:32:32 PM

Guestolo,

Well, I tried to run Kaspersky's, but it crashes. To be more precise, once I click on OK, to install the ActiveX component, the usual prompt - "Internet Explorer has encounted a problem and needs to close. We are sorry for the inconvenience" appears and once I click on "don't send", Explorer closes down.

My guess is that a clever virus knows which virus scanners are likely to pick it up, and hence crashes them before they get a chance to open.

Here's the Hijackthis logs for the other 2 users:

Adam:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:12 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.meshcomputers.com/ (http://\"http://www.meshcomputers.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Bln] C:\WINDOWS\Tnf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: KE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\KE.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

And Sam:

Logfile of HijackThis v1.99.1
Scan saved at 9:59:06 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ (http://\"http://www.google.co.uk/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com (http://\"http://www.meshcomputers.com\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.meshcomputers.com/ (http://\"http://www.meshcomputers.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab (http://\"http://members14.clubphoto.com/_img/uploader/atl_uploader.cab\")
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab (http://\"http://down.plaxo.com/down/release/PlaxoInstall.cab\")
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TEInstallPlugIn.cab\")
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab (http://\"http://www.skylinesoft.com/interactive/terraexplorer/install/TE.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (http://\"http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab (http://\"http://fdl.msn.com/zone/datafiles/heartbeat.cab\")
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab (http://\"http://www.gamespot.com/KDX22/download/kdx.cab\")
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: KE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\KE.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)


Do you think this one has beaten me? Is it time to reinstall XP, or should I try anything else?

Many thanks for all your help. Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on November 17, 2005, 12:08:13 AM

I think this has beaten me too, I'm not sure what's happening

I still see the following that needs cleaned
Run hijackthis and fix checked this entry

O4 - HKCU\..\Run: [Bln] C:\WINDOWS\Tnf.exe

Also fix this one, it's looks legit but it's running from the temp folder
O23 - Service: KE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\KE.exe

Reboot the computer

Back in Windows
I suggest that if McAfee's is expired you uninstall it completely and then reboot the computer
This should eliminate the possibility it is corrupt
I would remove all of it
I have free solutions if you need it

Back in Windows
Yup, your right, if everything is still bad, go ahead and Repair the system
Then come back here and let me know how everythings going
You will have to reinstall Service packs for Windows

Make sure you backup important files and folders beforehand
Just to be safe

Title: SmartSecurity and other problems
Post by: Jarcy on November 20, 2005, 07:22:12 PM

Guestolo,

Will try the XP repair route. Need to spend time backing up now (if I could only get my new HDD to work. I'm sure it's faulty so am going to exchange it. - but that's another story!).

You mentioned that you have a recommendation for a free virus scanner. Is it as good as say McAfee or Norton? If so, yes please, could you post details. Also I think you've mentioned in the past a recommended firewall? I want to set up parental controls, as the kids are using the 'net more now. I was going to use the McAfee tools, but does your recommendation have an alternative solution?

Many thanks again.

Jarcy.

Title: SmartSecurity and other problems
Post by: Jarcy on November 24, 2005, 07:21:13 PM

Guestolo,

Do you have any recommendations for alternative Virus scan and firewall?

Many thanks,

Jarcy

Title: SmartSecurity and other problems
Post by: guestolo on November 24, 2005, 10:01:29 PM

Here's what I suggest if you want the free tools for the family computer

Anti-Virus software>>AVAST

Firewall>>I would Update to Windows service pack 2
It includes a better firewall, some say not the best, but it does the job
However, If your like many and want a better firewall than XP provides
I suggest either
Sygates or ZoneAlarm

Both have free versions
Don't run more that one Software Firewall on your computer, this includes the firewall built into XP
that goes for an AV too
This can cause conflicts and decrease system performance

For Spyware and other malware>> I have 3 tools I always have installed
All free
Ad-Aware SE Personal 1.06
Spybot 1.4
Microsoft Anti-Spyware Beta

2 of the above have realtime protection
Spybot has the TeaTimer and MAS also has realtime protection
I recommend not enabling the tea timer  and only use the realtime protections built into MAS
But in Spybot I would use the Immunize feature
Click Immunize>>OK>>Immunize at the top green cross
Do that after every update
This way the only program really running in the background is MAS out of those 3

 I would also install SpywareBlaster
Doesn't run in the background
Just install it>>Check for updates>>click the "Enable all protection" link
Do this after every update>>>You should check for updates every couple of weeks

I hope this helps
All the links to those programs can be found HERE (http://\"http://www.thetechguide.com/forum/index.php?showtopic=15894\")

Title: SmartSecurity and other problems
Post by: Jarcy on December 01, 2005, 09:34:17 AM

Guestolo,

Many thanks for the suggestions. It's an invaluable list when coupled with advice as to which to run realtime.
One day someone will develop a solution to cover everything. (Thought that's what I was buying when I purchased McAfee Internet Security, but not so). I'm now backing up to a new hard drive, prior to running the XP repair / reinstall. Will post how I get on.

Many thanks!
Jarcy.