TheTechGuide Forum
General Category => Tech Clinic => Topic started by: anotherep on December 11, 2005, 07:59:44 PM
-
Hi.
I've been having this problem for a while now. Not immediately, but after a while using my computer, programs start freezing for no apparent reason, such as when I try to open a file from the Firefox download manager or open something in any other program. When I try to look at the task manager, the icon for it shows up in the system tray, but the actual task manager never comes up. Please help.
Logfile of HijackThis v1.99.1
Scan saved at 7:53:09 PM, on 12/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134348118853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134348101068
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: scheduler (schedul3.exe) - Unknown owner - C:\WINDOWS\schedul3.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Thanks
-
==Download and save WinPFind.zip from http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after
Reboot back to Normal mode
Back in Windows
Can you please supply me with a new HijackThis log
also
Post the results of the WinPFind.txt located in the WinPFind folder
-
Thanks for the help!
------------
WinPFind.txt
------------
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 7/16/2003 11:20:54 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 9/28/2005 4:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 9/28/2005 4:29:14 PM 693248 C:\WINDOWS\SYSTEM32\DivX.dll
Umonitor 7/16/2003 11:36:24 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 7/16/2003 11:44:22 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/12/2005 12:48:46 AM S 2048 C:\WINDOWS\bootstat.dat
12/11/2005 7:06:50 PM H 54156 C:\WINDOWS\QTFont.qfn
12/11/2005 4:19:14 PM RHS 199680 C:\WINDOWS\schedul3.exe
12/9/2005 9:58:42 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
12/9/2005 9:58:52 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
12/9/2005 9:59:54 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
12/11/2005 7:42:14 PM H 0 C:\WINDOWS\INF\oem8.inf
12/9/2005 9:58:52 PM H 65 C:\WINDOWS\occache\desktop.ini
12/9/2005 9:58:52 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
12/9/2005 9:59:26 PM RHS 727 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab
12/9/2005 9:59:26 PM RHS 19854 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab
12/9/2005 9:59:26 PM RHS 243124 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab
12/9/2005 10:05:08 PM H 229376 C:\WINDOWS\REPAIR\ntuser.dat
12/9/2005 9:58:42 PM RH 749 C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
12/9/2005 9:58:52 PM RH 488 C:\WINDOWS\SYSTEM32\logonui.exe.manifest
12/9/2005 9:58:42 PM RH 749 C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
12/9/2005 9:58:42 PM RH 749 C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
12/9/2005 9:58:42 PM RH 749 C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
12/9/2005 9:58:52 PM RH 488 C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
12/9/2005 9:58:42 PM RH 749 C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
12/12/2005 12:48:52 AM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\default.LOG
12/12/2005 12:52:38 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
12/12/2005 12:48:48 AM H 12288 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
12/12/2005 1:04:18 AM H 118784 C:\WINDOWS\SYSTEM32\CONFIG\software.LOG
12/12/2005 12:48:50 AM H 786432 C:\WINDOWS\SYSTEM32\CONFIG\system.LOG
12/9/2005 4:47:50 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\TempKey.LOG
12/9/2005 4:47:54 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\userdiff.LOG
12/11/2005 2:44:00 PM H 0 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat.LOG
12/9/2005 4:49:30 PM HS 62 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\desktop.ini
12/9/2005 4:49:30 PM HS 62 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\desktop.ini
12/9/2005 9:59:28 PM HS 113 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\desktop.ini
12/9/2005 9:59:28 PM HS 113 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\desktop.ini
12/9/2005 9:59:28 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
12/9/2005 9:59:28 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
12/9/2005 9:59:28 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KLMVG963\desktop.ini
12/9/2005 9:59:28 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9EBGDUR\desktop.ini
12/9/2005 9:59:28 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WHUBO5IN\desktop.ini
12/9/2005 9:59:28 PM HS 67 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YR47E94B\desktop.ini
12/9/2005 9:58:56 PM HS 181 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\SendTo\desktop.ini
12/9/2005 4:49:30 PM HS 62 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\desktop.ini
12/9/2005 10:00:42 PM HS 206 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\desktop.ini
12/9/2005 10:00:42 PM HS 482 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Accessories\desktop.ini
12/9/2005 10:00:42 PM HS 348 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
12/9/2005 10:00:42 PM HS 84 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
12/9/2005 10:00:42 PM HS 84 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Startup\desktop.ini
12/9/2005 10:12:52 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\a15380e3-025b-48e0-9119-fdaad678256f
12/9/2005 10:12:52 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
12/11/2005 7:42:22 PM RHS 13698 C:\WINDOWS\SYSTEM32\Restore\filelist.xml
12/12/2005 12:22:38 AM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 7/16/2003 11:17:46 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 7/16/2003 11:18:22 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 7/16/2003 11:20:52 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 7/16/2003 11:23:30 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 7/16/2003 11:24:46 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/16/2003 11:24:58 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 7/16/2003 11:25:34 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 7/16/2003 11:26:58 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 7/16/2003 11:28:32 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/16/2003 11:31:48 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/16/2003 11:33:56 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 1/8/2004 3:26:00 PM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 7/16/2003 11:34:02 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 7/16/2003 11:34:14 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 7/16/2003 11:35:32 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel® Corporation 12/19/2003 12:39:16 PM 77824 C:\WINDOWS\SYSTEM32\PRAppltW.cpl
SigmaTel Inc. 10/29/2003 9:40:22 AM 102481 C:\WINDOWS\SYSTEM32\stac97.cpl
Microsoft Corporation 7/16/2003 11:41:20 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 7/16/2003 11:41:52 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 7/16/2003 11:42:00 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 7/16/2003 11:17:46 AM 66048 C:\WINDOWS\SYSTEM32\DLLCACHE\access.cpl
Microsoft Corporation 7/16/2003 11:18:22 AM 578560 C:\WINDOWS\SYSTEM32\DLLCACHE\appwiz.cpl
Microsoft Corporation 7/16/2003 11:20:52 AM 129024 C:\WINDOWS\SYSTEM32\DLLCACHE\desk.cpl
Microsoft Corporation 7/16/2003 11:23:30 AM 150016 C:\WINDOWS\SYSTEM32\DLLCACHE\hdwwiz.cpl
Microsoft Corporation 7/16/2003 11:24:46 AM 292352 C:\WINDOWS\SYSTEM32\DLLCACHE\inetcpl.cpl
Microsoft Corporation 7/16/2003 11:24:58 AM 121856 C:\WINDOWS\SYSTEM32\DLLCACHE\intl.cpl
Microsoft Corporation 7/16/2003 11:25:34 AM 65536 C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl
Microsoft Corporation 7/16/2003 11:26:58 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation 7/16/2003 11:28:32 AM 559616 C:\WINDOWS\SYSTEM32\DLLCACHE\mmsys.cpl
Microsoft Corporation 7/16/2003 11:31:48 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation 7/16/2003 11:33:56 AM 256000 C:\WINDOWS\SYSTEM32\DLLCACHE\nusrmgr.cpl
Microsoft Corporation 7/16/2003 11:34:02 AM 36864 C:\WINDOWS\SYSTEM32\DLLCACHE\nwc.cpl
Microsoft Corporation 7/16/2003 11:34:14 AM 36864 C:\WINDOWS\SYSTEM32\DLLCACHE\odbccp32.cpl
Microsoft Corporation 7/16/2003 11:35:32 AM 109056 C:\WINDOWS\SYSTEM32\DLLCACHE\powercfg.cpl
Microsoft Corporation 3/19/2004 5:42:22 PM 147456 C:\WINDOWS\SYSTEM32\DLLCACHE\sapi.cpl
Microsoft Corporation 7/16/2003 11:41:20 AM 268288 C:\WINDOWS\SYSTEM32\DLLCACHE\sysdm.cpl
Microsoft Corporation 7/16/2003 11:41:52 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl
Microsoft Corporation 7/16/2003 11:42:00 AM 90112 C:\WINDOWS\SYSTEM32\DLLCACHE\timedate.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
12/11/2005 1:33:10 PM 1757 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
12/9/2005 10:00:42 PM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/9/2005 4:49:30 PM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini
12/11/2005 6:47:44 PM 1759 C:\Documents and Settings\All Users.WINDOWS\Application Data\QTSBandwidthCache
Checking files in %USERPROFILE%\Startup folder...
12/9/2005 10:00:42 PM HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
12/9/2005 4:49:30 PM HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
ButtonText = @shdoclc.dll,-866 :
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
BCMSMMSG BCMSMMSG.exe
PRONoMgr.exe c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring
= c:\WINDOWS\System32\LgNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12/12/2005 1:11:21 AM
-----------
and HijackThis
-----------
Logfile of HijackThis v1.99.1
Scan saved at 1:15:47 AM, on 12/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134348118853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134348101068
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: scheduler (schedul3.exe) - Unknown owner - C:\WINDOWS\schedul3.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
-
Let's try some cleanup please
Do the following
Download and save rdrivrem.zip from http://www.atribune.org/downloads/rdrivrem.zip
UNZIP the contents to your desktop
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0: http://downloads.stevengould.org/cleanup/CleanUp40.exe
Don't run it yet
==Download and then Install
Ewido Security Suite: http://download.ewido.net/ewido-setup.exe
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!
Can I have you disable SpySweeper's protections so it won't interfere with any fixes we are about to try
We can reenable this after you are clean
To disable SpySweeper: Find any of the following if accessible
Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
Once in safe mode
Go to START>>>RUN>>>type in
services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- scheduler
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Go to start>>run>>type in the following command, or copy and paste this into the open field
sc delete schedul3.exe
Then hit OK
==Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder
I'll need to see it later
Find and delete this file if found
C:\WINDOWS\schedul3.exe <-this file
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan, click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other windows
Reboot back to normal mode
I need to see a few logs
1. Post a fresh hijackthis log
2. Post the whole report from Ewido
3. Post rdriv.txt in the rdrivRem folder
-
Hey thanks again. Here are the logs
------
Hijack This
------
Logfile of HijackThis v1.99.1
Scan saved at 1:13:19 PM, on 12/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134348118853
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134348101068
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--------
Ewido
--------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:08:45 PM, 12/12/2005
+ Report-Checksum: FAA190E9
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator 2\Application Data\Mozilla\Firefox\Profiles\7fs8q3p6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator 2\Application Data\Mozilla\Firefox\Profiles\7fs8q3p6.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\pznb2pyo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\pznb2pyo.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\pznb2pyo.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\pznb2pyo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\pznb2pyo.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\pznb2pyo.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP12\A0002032.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP12\A0002041.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP13\A0003041.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP13\A0004041.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP13\A0005041.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP13\A0006053.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP13\A0006060.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP13\A0006069.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP4\A0000403.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP4\A0000410.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP4\A0000420.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP4\A0000431.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP31\A0009407.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP31\A0009476.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP32\A0010478.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP32\A0010515.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP32\A0010567.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP32\A0010753.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP32\A0010770.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP33\A0011769.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP33\A0011809.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP33\A0011827.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP33\A0012829.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP36\A0014828.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP36\A0014834.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP36\A0015834.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP44\A0018859.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP47\A0019761.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP47\A0020479.sys -> Trojan.Rootkit.k : Cleaned with backup
::Report End
-------
and rdriv.txt
-------
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
rdriv.sys present!
~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~
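The Ewido report above reads differently by location than by detection name: every Trojan.Rootkit.k hit sits under C:\System Volume Information\_restore{...}\RPnn\, which is where Windows XP System Restore keeps backup copies of files that were changed or deleted, so those are archived copies of the driver rather than the copy that loads at boot (the live indicator in this thread is the rdrivRem output, "rdriv.sys present!"). They only matter again if one of those restore points is applied. The following is an added Python example, not part of the original post and not Ewido's own code, that parses report lines of this format and splits them into cookies, registry entries, restore-point copies and files in live paths. The sample input is a constructed excerpt: four lines are copied from the report above, and the last line (C:\WINDOWS\schedul3.exe with the placeholder detection name Constructed.LiveFileSample) is invented purely to exercise the live-file branch.

```python
import re
from collections import Counter

# Constructed excerpt of the Ewido report posted above. The first four lines are
# copied from that report; the last line is NOT from the report and is invented
# (placeholder detection name) only so the live-file branch has something to classify.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\pznb2pyo.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{0CC2BDE3-5767-403E-971A-6867C0AC8F92}\RP12\A0002032.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{5BE6A2D1-729F-441F-876D-60CF01EB970E}\RP47\A0019761.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\schedul3.exe -> Constructed.LiveFileSample : Cleaned with backup
"""

# "<object> -> <detection name> : <action taken>"
REPORT_LINE = re.compile(r"^(?P<obj>.+?) -> (?P<name>\S+) : (?P<action>.+)$")
# XP System Restore keeps backup copies of changed/deleted files under this path
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def classify(obj):
    """Bucket a detected object by where it lives, not by what it was called."""
    lowered = obj.lower()
    if lowered.startswith(":mozilla.") or "\\cookies\\" in lowered:
        return "cookie"          # tracking cookie, nuisance only
    if lowered.startswith(("hklm\\", "hkcu\\", "hku\\", "hkey_")):
        return "registry"        # a key or value, may still be referenced at boot
    if RESTORE_POINT.search(obj):
        return "restore_point"   # archived copy; inert unless that restore point is applied
    return "live_file"           # a file in a normal path: this is what needs attention


def parse_report(text):
    """Parse Ewido 'Scan result' lines into dicts with obj, name, action and kind."""
    entries = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["kind"] = classify(entry["obj"])
            entries.append(entry)
    return entries


def summarize(entries):
    """Count detections per location class."""
    return Counter(e["kind"] for e in entries)


def needs_followup(entries):
    """Detections outside cookies and restore points: the ones to verify by hand."""
    return [e for e in entries if e["kind"] in ("live_file", "registry")]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(summarize(found)))
    for e in needs_followup(found):
        print(f"{e['kind']:>13}  {e['name']:<28} {e['obj']}")
```

Run it against a full saved report and the summary tells you at a glance whether anything was cleaned outside the restore-point cache; the needs_followup list is the short list to check against the HijackThis log and the file system.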
-
How's everything on your end?
Are you having problems with Nortons?
Any problems with your Firewall?
Can you access Windows Update? Curious, because the ability to install Service Pack 2 may be prevented.
Don't install SP2 yet, but I just want to make sure you are able to access it.
Can you do the following please
Open SpySweeper and check for definition updates
Afterwards
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
Reboot your computer
Back in Windows
Can I see the log from SpySweeper please
Also, Download: Registry Search Tool from this link
http://billsway.com/vbspage/
Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run
In the open field, copy and paste the text below, then hit OK
schedul3.exe
Wait for the results and post them back here
-
Everything seems to be working fine now. Thanks!!
-
You still have some final cleanup to do!!
What happened to the logs I asked for?
-
Oops sorry
----
SpySweeper
----
********
1:20 AM: | Start of Session, Friday, December 16, 2005 |
1:20 AM: Spy Sweeper started
1:20 AM: Sweep initiated using definitions version 584
1:20 AM: Starting Memory Sweep
1:24 AM: Memory Sweep Complete, Elapsed Time: 00:04:11
1:24 AM: Starting Registry Sweep
1:25 AM: Registry Sweep Complete, Elapsed Time:00:00:08
1:25 AM: Starting Cookie Sweep
1:25 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:25 AM: Starting File Sweep
1:56 AM: File Sweep Complete, Elapsed Time: 00:31:46
1:56 AM: Full Sweep has completed. Elapsed time 00:36:11
1:56 AM: Traces Found: 0
********
9:42 AM: | Start of Session, Tuesday, December 13, 2005 |
9:42 AM: Spy Sweeper started
9:42 AM: Sweep initiated using definitions version 582
9:42 AM: Starting Memory Sweep
9:44 AM: Memory Sweep Complete, Elapsed Time: 00:01:32
9:44 AM: Starting Registry Sweep
9:44 AM: Registry Sweep Complete, Elapsed Time:00:00:06
9:44 AM: Starting Cookie Sweep
9:44 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:44 AM: Starting File Sweep
9:47 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
9:57 AM: Warning: Unhandled Archive Type
9:58 AM: File Sweep Complete, Elapsed Time: 00:13:35
9:58 AM: Full Sweep has completed. Elapsed time 00:15:16
9:58 AM: Traces Found: 0
2:49 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
2:49 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
2:50 PM: Processing Startup Alerts
2:50 PM: Allowed Startup entry: vptray
2:50 PM: Allowed Startup entry: ccApp
2:50 PM: Processing Internet Explorer Favorites Alerts
2:50 PM: Removed IE Favorite: Windows Marketplace
2:51 PM: Processing Startup Alerts
2:51 PM: Removed Startup entry: wextract_cleanup0
2:56 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
3:03 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
4:16 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
4:16 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
9:45 PM: BHO Shield: found: -- BHO installation allowed at user request
9:45 PM: Processing Startup Alerts
9:45 PM: Allowed Startup entry: AIM
9:45 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
3:57 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
11:42 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
2:47 PM: BHO Shield: found: ssv.dll-- BHO installation allowed at user request
2:47 PM: Processing Startup Alerts
2:47 PM: Allowed Startup entry: SunJavaUpdateSched
8:07 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
11:41 AM: Your spyware definitions have been updated.
12:37 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
4:18 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:37 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:43 AM: Processing Startup Alerts
12:43 AM: Allowed Startup entry: DVDLauncher
12:43 AM: Processing Startup Alerts
12:43 AM: Allowed Startup entry: MSMSGS
12:46 AM: Processing Startup Alerts
12:46 AM: Allowed Startup entry: PCMService
********
7:07 PM: | Start of Session, Sunday, December 11, 2005 |
7:07 PM: Spy Sweeper started
7:07 PM: Sweep initiated using definitions version 582
7:07 PM: Starting Memory Sweep
7:10 PM: Memory Sweep Complete, Elapsed Time: 00:02:44
7:10 PM: Starting Registry Sweep
7:10 PM: Starting Cookie Sweep
7:10 PM: Registry Sweep Complete, Elapsed Time:00:00:00
7:10 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
7:10 PM: Starting File Sweep
7:20 PM: File Sweep Complete, Elapsed Time: 00:10:31
7:20 PM: Full Sweep has completed. Elapsed time 00:13:22
7:20 PM: Traces Found: 0
7:41 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
8:45 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
1:28 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
9:41 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
9:41 AM: IE Tracking Cookies Shield: Removed advertising cookie
9:41 AM: IE Tracking Cookies Shield: Removed atlas dmt cookie
9:41 AM: IE Tracking Cookies Shield: Removed atwola cookie
9:41 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
9:42 AM: | End of Session, Tuesday, December 13, 2005 |
********
6:02 PM: | Start of Session, Sunday, December 11, 2005 |
6:02 PM: Spy Sweeper started
6:03 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
6:03 PM: IE Tracking Cookies Shield: Removed advertising cookie
6:03 PM: IE Tracking Cookies Shield: Removed atlas dmt cookie
6:03 PM: IE Tracking Cookies Shield: Removed atwola cookie
----
RegEdit
----
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "schedul3.exe" 12/16/2005 1:50:06 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
"Service"="schedul3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Enum]
"0"="Root\\LEGACY_SCHEDUL3.EXE\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
"Service"="schedul3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\schedul3.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\schedul3.exe\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
"Service"="schedul3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedul3.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedul3.exe\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedul3.exe\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedul3.exe\Enum]
"0"="Root\\LEGACY_SCHEDUL3.EXE\\0000"
[HKEY_USERS\S-1-5-21-606747145-1677128483-1343024091-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="schedul3.exe"
-
Sorry for the delay
Going with some info found here
http://www.sophos.com/virusinfo/analyses/w32rbotavx.html
Can we do the following
Let's create a new restore point first
Go to START>>Programs>>Accessories>>System Tools>>System Restore
Click on Create New restore point
Name it then click Create
Afterwards
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\schedul3.exe\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\schedul3.exe]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedul3.exe\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedul3.exe\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedul3.exe]
Double click on fix.reg and allow to add or Merge to the registry
Run Windows CleanUp! one more time
Don't just log off, but instead Restart the computer
Back in windows
Can you run schedul3.exe through RegSrch.vbs again and post the results
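The fix.reg above was built by hand from the RegSrch.vbs results: each key found becomes a [-KEY] line, subkeys are listed before their parents, and the HKEY_USERS\...\Search Assistant\ACMru\5603 hit is left out because it is only the Search Assistant's history of the user's own search for "schedul3.exe". The following is an added Python example, not part of the original post and not RegSrch.vbs's own code, that does the same conversion mechanically from a REGEDIT4-format search result; SEARCH_RESULTS is a constructed excerpt of the results posted above. One caveat a merge like this cannot get around: regedit deletes with the permissions of the account that runs it, so a key whose ACL denies delete simply stays in place and shows up again in the next search.

```python
import re

# Constructed excerpt of the RegSrch.vbs output posted above (same REGEDIT4 format,
# fewer keys). Duplicate key lines and value lines are present on purpose: the
# real output repeats a key header before each value it prints.
SEARCH_RESULTS = r"""REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "schedul3.exe" 12/16/2005 1:50:06 AM
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
"Service"="schedul3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedul3.exe\Enum]
"0"="Root\\LEGACY_SCHEDUL3.EXE\\0000"
[HKEY_USERS\S-1-5-21-606747145-1677128483-1343024091-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="schedul3.exe"
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\[\]]+)\]\s*$")


def parse_keys(text):
    """Return the unique key paths named in a REGEDIT4 export, in first-seen order.

    Only '[KEY]' header lines count; comments (';'), value lines and the
    REGEDIT4 banner are skipped, and repeated headers collapse to one entry.
    """
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m and m.group("key") not in keys:
            keys.append(m.group("key"))
    return keys


def is_search_history(key):
    """True for the Search Assistant MRU key, which only records the user's own search."""
    return r"\Search Assistant\ACMru" in key


def deletion_order(keys):
    """Deepest keys first, so every subkey is listed before its parent (ties alphabetical)."""
    return sorted(keys, key=lambda k: (-k.count("\\"), k.lower()))


def build_fix_reg(text, exclude=is_search_history):
    """Turn search results into a REGEDIT4 file whose '[-KEY]' lines delete the keys found."""
    keys = [k for k in parse_keys(text) if not exclude(k)]
    lines = ["REGEDIT4", ""] + [f"[-{k}]" for k in deletion_order(keys)]
    # regedit expects CRLF line endings in .reg files
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_fix_reg(SEARCH_RESULTS), end="")
```

Save the returned string as fix.reg and merge it as in the post above; pass a different exclude predicate when a hit is something you want to keep (a legitimate product whose name merely contains the search string, for instance).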
-
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "schedul3.exe" 12/20/2005 11:28:25 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
"Service"="schedul3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
"Service"="schedul3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE\0000]
"Service"="schedul3.exe"
[HKEY_USERS\S-1-5-21-606747145-1677128483-1343024091-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="schedul3.exe"
-
Those keys won't go away
Can you do the following
Go to START>>Programs>>Accessories>>System Tools>>System Restore
Click Create a New Restore point
Name it and then click Create
When that is done
Download and install Registrar Lite
http://www.resplendence.com/reglite (http://www.majorgeeks.com/downloadget.php?id=469&file=10&evp=99920ce30ba0a7f4dddc1c3d163fe982)
Open Registrar Lite shortcut
Copy and paste the following line in bold into the top address bar of Registrar Lite and then hit GO
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SCHEDUL3.EXE
Reglite should now have highlighted the key, and it should be purple in color.
Right-click on LEGACY_SCHEDUL3.EXE and select 'Delete'.
If you can't delete it, select 'Security' >> 'Edit Permissions' from the pull-down menu at the top (with the key still highlighted). Make sure 'Read' and 'Full Control' are selected for your account (in the top pane), click 'Ok' and try to delete it again.
If they are selected and it won't delete
Again in Edit Permissions>>Click the Advanced button
Check the following if unchecked
"Inherit from parent the permission entries that apply to child objects."
OK it and OK again
Then try and delete the key
Do the same for these ones
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SCHEDUL3.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SCHEDUL3.EXE
Let me know how it goes
-
For each of the entries, access was denied when I tried to delete them. After the access-denied window came up, I checked the security settings, and the Read and Full Control boxes had been unchecked even though I had just checked them.
-
Can you try everything in safe mode please
See if makes a difference
Please sign in with the Administrator account