TheTechGuide Forum

General Category => Tech Clinic => Topic started by: handsomecrown on March 11, 2006, 02:31:51 AM

Title: Please Help Me
Post by: handsomecrown on March 11, 2006, 02:31:51 AM

Hello,

You have been able to halp me many times in the past and now I bring to you another problem. My friend's computer is acting very slow, it has a lot of messages about corrupt files, and has a lot of spyware located in it.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:24:23 AM, on 3/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\QW5kcmVhIFNhbmRlcnM\command.exe
C:\Program Files\NavNT\defwatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\fhcgeqf.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\thwsme.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\System32\AUTODISC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Cvhalfp\Cxwsuuj.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\AAAAMON2.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\qoyckama.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\Vgwhpc.exe
C:\WINDOWS\System32\Bnhkuf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\inet20003\services.exe
C:\WINDOWS\fhcgeqfA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys101759016610.exe
C:\WINDOWS\System32\hpsw.exe
C:\windows\system32\rndsrego.exe
C:\WINDOWS\System32\wgse.exe
C:\WINDOWS\System32\qwinosag.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\realmon.exe
C:\WINDOWS\System32\mcspy.exe
C:\WINDOWS\System32\dgfgql.exe
C:\WINDOWS\newfrn.exe
C:\WINDOWS\System32\klsx9e.exe
C:\Program Files\AdsBlocker\stopAds.exe
C:\WINDOWS\win32090175901661.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\mousepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\win32076101759016.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys017590166101.exe
C:\WINDOWS\ms040166101759.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
C:\WINDOWS\System32\Ink630ww.exe
C:\WINDOWS\System32\Aik79G.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\update\update.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= (http://\"http://websearch.drsnsrch.com/sidesearch.cgi?id=\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com (http://\"http://searchbar.findthewebsiteyouneed.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O2 - BHO: (no name) - {1F132CEC-0DAE-44A1-FF51-4872CEB10D3F} - C:\WINDOWS\Zjamoskd.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hfaoygo.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20003\3.02.00.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: SDWin32 Class - {BDB3E784-0CE7-4623-A1B0-EF53F907DA91} - C:\WINDOWS\System32\kcdgt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [zyfhiztqbvg] C:\WINDOWS\System32\thwsme.exe
O4 - HKLM\..\Run: [cWvQUs] C:\documents and settings\ashley sanders\local settings\temp\cWvQUs.exe
O4 - HKLM\..\Run: [5Xfpa2Ud] C:\documents and settings\ashley sanders\local settings\temp\5Xfpa2Ud.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [59135cce213c] C:\WINDOWS\System32\AUTODISC.exe
O4 - HKLM\..\Run: [FXXpYhr] C:\documents and settings\ashley sanders\local settings\temp\FXXpYhr.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hfoogs] C:\Program Files\Akszm\Zgdq.exe
O4 - HKLM\..\Run: [Derwlywc] C:\Program Files\Cvhalfp\Cxwsuuj.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [4174cebf9c34] C:\WINDOWS\System32\AAAAMON2.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [uaahsn9b] C:\Program Files\uaahsn9b\uaahsn9b.exe
O4 - HKLM\..\Run: [jqd9Da0I] C:\WINDOWS\qoyckama.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Vgwhpc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Bnhkuf.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [0go40948.dll] RUNDLL32.EXE 0go40948.dll,b 4525093
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [fhcgeqfA] C:\WINDOWS\fhcgeqfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys101759016610] C:\WINDOWS\sys101759016610.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [{87-76-6A-A2-ZN}] C:\windows\system32\rndsrego.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\qwinosag.exe CORN001
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\System32\realmon.exe /start
O4 - HKLM\..\Run: [Recguard] C:\Program Files\HP\recguard.exe
O4 - HKLM\..\Run: [Apvxdwin] C:\WINDOWS\System32\APVXDWIN.EXE
O4 - HKLM\..\Run: [IPSecMon] C:\Program Files\Common files\VPN Network\IPSecMon.exe /vpncheck
O4 - HKLM\..\Run: [Windows Update AutoUpdate Client] C:\WINDOWS\System32\winupd\wuauclt.exe
O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [mcspy.exe] C:\WINDOWS\System32\mcspy.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [win32090175901661] C:\WINDOWS\win32090175901661.exe
O4 - HKLM\..\Run: [kcdgtc] C:\WINDOWS\System32\kcdgtc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Tagasuarus7.exe] C:\WINDOWS\System32\Tagasuarus7.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKLM\..\Run: [FoolProof] C:\Program Files\SmartStuff\fpwinldr.exe /load
O4 - HKLM\..\Run: [win32076101759016] C:\WINDOWS\win32076101759016.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [sys017590166101] C:\WINDOWS\sys017590166101.exe
O4 - HKLM\..\Run: [ms040166101759] C:\WINDOWS\ms040166101759.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\System32\vga64k.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (http://\"http://click.getmirar.com\") (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (http://\"http://click.mirarsearch.com\") (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (http://\"http://redirect.mirarsearch.com\") (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (http://\"http://awbeta.net-nucleus.com\") (HKLM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bann...r1154041108.EXE (http://\"http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154041108.EXE\")
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYes.../bridge-c17.cab (http://\"http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c17.cab\")
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c3.cab (http://\"http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c3.cab\")
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab (http://\"http://adserver.sharewareonline.com/adserver/Install.cab\")
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/toolbar/cabs/free_access.cab (http://\"http://66.29.7.159/toolbar/cabs/free_access.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx (http://\"http://static.topconverting.com/activex/loader2.ocx\")
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab (http://\"http://awbeta.net-nucleus.com/FIX/WinATS.cab\")
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab (http://\"http://download.spyspotter.com/spyspotter/spsp29953.01noopt/spyspottercabinstall.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab (http://\"http://download.overpro.com/WildApp.cab\")
O20 - AppInit_DLLs: repairs302972994.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\amacacgd.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW5kcmVhIFNhbmRlcnM\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fhcgeqf.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Title: Please Help Me
Post by: guestolo on March 11, 2006, 11:40:15 AM

I would guess this computer is slow, hee hee
Let's see what we can cleanup

Can I see an uninstall list from Hijackthis please

Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save this list too desktop then copy and paste back here the whole contents please

Title: Please Help Me
Post by: handsomecrown on March 11, 2006, 12:39:58 PM

Here is the list:

Actiontec Gateway
Adobe Acrobat 5.0
Alt Win
AOL Instant Messenger
BCM V.92 56K Modem
Britannica Ready Reference
Broadcom Management Programs
BroadJump Client Foundation
CleanUp!
Command
Context Display
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
D-helper Web Driver
Easy CD Creator 5 Basic
Enhanced Ads by Zeno removal
eSyndicate
FinePixViewer Ver.4.1
FUJIFILM USB Driver
Google Desktop Search
HijackThis 1.99.1
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
IE Host
IE Host R3
ImageMixer VCD2 for FinePix
Intel® Extreme Graphics Driver
iTunes
Java 2 Runtime Environment, SE v1.4.2
LimeWire 4.10.2
LiveUpdate 1.7 (Symantec Corporation)
MaxSpeed
McAfee.com SecurityCenter
McAfee.com VirusScan Online
Media Access
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
MicroStaff WINASPI
midADdle
Midnight Outlaw Illegal Street Drag
Modem Helper
MP3 Toolbar
MSN
MSN Encarta Plus Support Files
MSN Messenger 7.0
MUSICMATCH Jukebox
Network Monitor
Norton AntiVirus Corporate Edition
Outlook Express Q837009
pacman Game
Paint Shop Pro 7
Power Scan
Quicken 2002 New User Edition
Quicklinks
Quicklinks
QuickTime
RAW FILE CONVERTER LE
RealPlayer
Registry Cleaner
Related Page
RON Display
Search Aid
Search Relevancy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SEP
SigmaTel MSCN Audio Player
Spybot - Search & Destroy 1.3
Surf Accuracy
Surf SideKick
ToPicks
TSA
UCmore - The Search Accelerator
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
URL Display
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebSearch Tools
Win-dh
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows Overlay Components
Windows SA
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB905915
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
WordPerfect Office 11
Zeno Search Assistant removal

Here is another HJT log because I ran Spybot and deleted about 65 infected files. I don't know if it will be different:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:49 AM, on 3/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\QW5kcmVhIFNhbmRlcnM\command.exe
C:\Program Files\NavNT\defwatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\fhcgeqf.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\WINDOWS\inet20003\services.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\thwsme.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\System32\AUTODISC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Akszm\Zgdq.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\AAAAMON2.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\qoyckama.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\Vgwhpc.exe
C:\WINDOWS\System32\Bnhkuf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\fhcgeqfA.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys101759016610.exe
C:\WINDOWS\System32\hpsw.exe
C:\windows\system32\rndsrego.exe
C:\WINDOWS\System32\qwinosag.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\Aik79G.exe
C:\WINDOWS\System32\mcspy.exe
C:\WINDOWS\System32\dgfgql.exe
C:\WINDOWS\newfrn.exe
C:\Program Files\AdsBlocker\stopAds.exe
C:\WINDOWS\win32090175901661.exe
C:\mousepad.exe
C:\WINDOWS\win32076101759016.exe
C:\WINDOWS\sys017590166101.exe
C:\WINDOWS\ms040166101759.exe
C:\WINDOWS\ms039016610175.exe
C:\WINDOWS\ms066610175901.exe
C:\WINDOWS\win32066610175901.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\wgse.exe
C:\WINDOWS\System32\klsx9e.exe
C:\WINDOWS\System32\Ink630ww.exe
C:\WINDOWS\pms111x.exe
C:\WINDOWS\SYSC00.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O2 - BHO: (no name) - {1F132CEC-0DAE-44A1-FF51-4872CEB10D3F} - C:\WINDOWS\Zjamoskd.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hfaoygo.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O2 - BHO: SDWin32 Class - {BDB3E784-0CE7-4623-A1B0-EF53F907DA91} - C:\WINDOWS\System32\kcdgt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [zyfhiztqbvg] C:\WINDOWS\System32\thwsme.exe
O4 - HKLM\..\Run: [cWvQUs] C:\documents and settings\ashley sanders\local settings\temp\cWvQUs.exe
O4 - HKLM\..\Run: [5Xfpa2Ud] C:\documents and settings\ashley sanders\local settings\temp\5Xfpa2Ud.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [59135cce213c] C:\WINDOWS\System32\AUTODISC.exe
O4 - HKLM\..\Run: [FXXpYhr] C:\documents and settings\ashley sanders\local settings\temp\FXXpYhr.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hfoogs] C:\Program Files\Akszm\Zgdq.exe
O4 - HKLM\..\Run: [Derwlywc] C:\Program Files\Cvhalfp\Cxwsuuj.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [4174cebf9c34] C:\WINDOWS\System32\AAAAMON2.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [uaahsn9b] C:\Program Files\uaahsn9b\uaahsn9b.exe
O4 - HKLM\..\Run: [jqd9Da0I] C:\WINDOWS\qoyckama.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Vgwhpc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Bnhkuf.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [0go40948.dll] RUNDLL32.EXE 0go40948.dll,b 4525093
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [fhcgeqfA] C:\WINDOWS\fhcgeqfA.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys101759016610] C:\WINDOWS\sys101759016610.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [{87-76-6A-A2-ZN}] C:\windows\system32\rndsrego.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\qwinosag.exe CORN001
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\System32\realmon.exe /start
O4 - HKLM\..\Run: [Recguard] C:\Program Files\HP\recguard.exe
O4 - HKLM\..\Run: [Apvxdwin] C:\WINDOWS\System32\APVXDWIN.EXE
O4 - HKLM\..\Run: [IPSecMon] C:\Program Files\Common files\VPN Network\IPSecMon.exe /vpncheck
O4 - HKLM\..\Run: [Windows Update AutoUpdate Client] C:\WINDOWS\System32\winupd\wuauclt.exe
O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [mcspy.exe] C:\WINDOWS\System32\mcspy.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [win32090175901661] C:\WINDOWS\win32090175901661.exe
O4 - HKLM\..\Run: [kcdgtc] C:\WINDOWS\System32\kcdgtc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [Tagasuarus7.exe] C:\WINDOWS\System32\Tagasuarus7.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKLM\..\Run: [FoolProof] C:\Program Files\SmartStuff\fpwinldr.exe /load
O4 - HKLM\..\Run: [win32076101759016] C:\WINDOWS\win32076101759016.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [sys017590166101] C:\WINDOWS\sys017590166101.exe
O4 - HKLM\..\Run: [ms040166101759] C:\WINDOWS\ms040166101759.exe
O4 - HKLM\..\Run: [ms039016610175] C:\WINDOWS\ms039016610175.exe
O4 - HKLM\..\Run: [ms066610175901] C:\WINDOWS\ms066610175901.exe
O4 - HKLM\..\Run: [win32066610175901] C:\WINDOWS\win32066610175901.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\System32\vga64k.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (http://\"http://click.getmirar.com\") (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (http://\"http://click.mirarsearch.com\") (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (http://\"http://redirect.mirarsearch.com\") (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (http://\"http://awbeta.net-nucleus.com\") (HKLM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bann...r1154041108.EXE (http://\"http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154041108.EXE\")
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYes.../bridge-c17.cab (http://\"http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c17.cab\")
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c3.cab (http://\"http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c3.cab\")
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab (http://\"http://adserver.sharewareonline.com/adserver/Install.cab\")
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://66.29.7.159/toolbar/cabs/free_access.cab (http://\"http://66.29.7.159/toolbar/cabs/free_access.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx (http://\"http://static.topconverting.com/activex/loader2.ocx\")
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab (http://\"http://awbeta.net-nucleus.com/FIX/WinATS.cab\")
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab (http://\"http://download.spyspotter.com/spyspotter/spsp29953.01noopt/spyspottercabinstall.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab (http://\"http://download.overpro.com/WildApp.cab\")
O20 - AppInit_DLLs: repairs302972994.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\amacacgd.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW5kcmVhIFNhbmRlcnM\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\fhcgeqf.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

Title: Please Help Me
Post by: guestolo on March 11, 2006, 01:15:58 PM

Can you do the following please

Access your add/remove programs via control panel and remove IF you can
Not all may be uninstallable:

Alt Win
D-helper Web Driver
Enhanced Ads by Zeno removal
eSyndicate
IE Host
IE Host R3
MaxSpeed
Media Access
midADdle
Network Monitor
Power Scan
Related Page
RON Display
Search Aid
Search Relevancy
SEP
Surf Accuracy
Surf SideKick
ToPicks
TSA
UCmore - The Search Accelerator
URL Display
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebSearch Tools
Win-dh
Windows Overlay Components
Windows SA
Zeno Search Assistant removal

I've purposely omitted an entry to remove from add/remove programs
"Command">>It prompts to download an uninstaller which I don't want you to do

Finally, in add/remove programs remove
Spybot - Search & Destroy 1.3
It's not malicious, but it's outdated

Reboot the computer

Back in Windows
Download and Install
Ad-Aware SE Personal 1.06 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")

Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Close out after it is updated, as we will need it later

Download and Install Spybot 1.4 from
HERE (http://\"http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button\")
or HERE (http://\"http://www.safer-networking.org/en/download/index.html\")
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After it is updated, please exit

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

Open Ad-Aware SE 1.06
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process
Please reboot back to Safe mode

Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

Reboot back to Normal mode
Back in windows
Can I see a fresh hijackthis log and a new uninstall list please

Title: Please Help Me
Post by: handsomecrown on March 11, 2006, 05:17:11 PM

All of the programs uninstalled fine except for midADdle, Related Page, and ToPicks. However, looking at the uninstall list, it looks like some other ones came back...

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 3:08:00 PM, on 3/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\AUTODISC.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Akszm\Zgdq.exe
C:\Program Files\Cvhalfp\Cxwsuuj.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\System32\hpsw.exe
C:\WINDOWS\System32\mcspy.exe
C:\WINDOWS\System32\dgfgql.exe
C:\WINDOWS\System32\wgse.exe
C:\Program Files\AdsBlocker\stopAds.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\win32090175901661.exe
C:\WINDOWS\System32\klsx9e.exe
C:\mousepad1.exe
C:\WINDOWS\sys017590166101.exe
C:\WINDOWS\ms040166101759.exe
C:\WINDOWS\SYSC00.exe
C:\windows\eee2.exe
C:\WINDOWS\System32\GpirM.exe
C:\WINDOWS\System32\Ink630ww.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\disrdi.exe
C:\WINDOWS\System32\disrdi.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\QW5kcmVhIFNhbmRlcnM\command.exe
C:\PROGRA~1\COMMON~1\uuwf\uuwfm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\836d3968070ab62a086b67f1c6e551d1\update\update.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O2 - BHO: (no name) - {1F132CEC-0DAE-44A1-FF51-4872CEB10D3F} - C:\WINDOWS\Zjamoskd.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hfaoygo.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {BDB3E784-0CE7-4623-A1B0-EF53F907DA91} - C:\WINDOWS\System32\kcdgt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [cWvQUs] C:\documents and settings\ashley sanders\local settings\temp\cWvQUs.exe
O4 - HKLM\..\Run: [5Xfpa2Ud] C:\documents and settings\ashley sanders\local settings\temp\5Xfpa2Ud.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Fah1q5.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [59135cce213c] C:\WINDOWS\System32\AUTODISC.exe
O4 - HKLM\..\Run: [FXXpYhr] C:\documents and settings\ashley sanders\local settings\temp\FXXpYhr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hfoogs] C:\Program Files\Akszm\Zgdq.exe
O4 - HKLM\..\Run: [Derwlywc] C:\Program Files\Cvhalfp\Cxwsuuj.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [uaahsn9b] C:\Program Files\uaahsn9b\uaahsn9b.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [mcspy.exe] C:\WINDOWS\System32\mcspy.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [win32090175901661] C:\WINDOWS\win32090175901661.exe
O4 - HKLM\..\Run: [kcdgtc] C:\WINDOWS\System32\kcdgtc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [Tagasuarus7.exe] C:\WINDOWS\System32\Tagasuarus7.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys1.exe
O4 - HKLM\..\Run: [win32076101759016] C:\WINDOWS\win32076101759016.exe
O4 - HKLM\..\Run: [sys017590166101] C:\WINDOWS\sys017590166101.exe
O4 - HKLM\..\Run: [ms040166101759] C:\WINDOWS\ms040166101759.exe
O4 - HKLM\..\Run: [ms039016610175] C:\WINDOWS\ms039016610175.exe
O4 - HKLM\..\Run: [ms066610175901] C:\WINDOWS\ms066610175901.exe
O4 - HKLM\..\Run: [win32066610175901] C:\WINDOWS\win32066610175901.exe
O4 - HKLM\..\Run: [ms051661017590] C:\WINDOWS\ms051661017590.exe
O4 - HKLM\..\Run: [wrapperouter.exeg] C:\WINDOWS\System32\wrapperouter.exeg
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [{87-76-6A-A2-ZN}] c:\windows\system32\dwdsregt.exe TST001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\owinnrag.exe TST001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\System32\vga64k.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [disrdi] C:\WINDOWS\System32\disrdi.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00135.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [uuwf] C:\PROGRA~1\COMMON~1\uuwf\uuwfm.exe
O4 - HKCU\..\RunOnce: [disrdi] C:\WINDOWS\System32\disrdi.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinnrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rndsrego.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (http://\"http://click.getmirar.com\") (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (http://\"http://click.mirarsearch.com\") (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (http://\"http://redirect.mirarsearch.com\") (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c3.cab (http://\"http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c3.cab\")
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab (http://\"http://download.spyspotter.com/spyspotter/spsp29953.01noopt/spyspottercabinstall.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW5kcmVhIFNhbmRlcnM\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

The New Uninstall List:

Actiontec Gateway
Ad-Aware SE Personal
Adobe Acrobat 5.0
AOL Instant Messenger
BCM V.92 56K Modem
Britannica Ready Reference
Broadcom Management Programs
BroadJump Client Foundation
CleanUp!
Command
Context Display
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
E2give Plug-in
Easy CD Creator 5 Basic
Enhanced Ads by Zeno removal
FinePixViewer Ver.4.1
FUJIFILM USB Driver
Google Desktop Search
HijackThis 1.99.1
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
ImageMixer VCD2 for FinePix
Intel® Extreme Graphics Driver
iTunes
Java 2 Runtime Environment, SE v1.4.2
LimeWire 4.10.2
LiveUpdate 1.7 (Symantec Corporation)
McAfee.com SecurityCenter
McAfee.com VirusScan Online
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
MicroStaff WINASPI
Midnight Outlaw Illegal Street Drag
Modem Helper
MSN
MSN Encarta Plus Support Files
MSN Messenger 7.0
MUSICMATCH Jukebox
Network Monitor
Norton AntiVirus Corporate Edition
Outlook Express Q837009
Paint Shop Pro 7
Quicken 2002 New User Edition
Quicklinks
Quicklinks
QuickTime
RAW FILE CONVERTER LE
RealPlayer
Registry Cleaner
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SigmaTel MSCN Audio Player
Spybot - Search & Destroy 1.4
ToPicks
TSA
UCmore - The Search Accelerator
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Win-dh
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB905915
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
WordPerfect Office 11
Zeno Search Assistant removal

Title: Please Help Me
Post by: guestolo on March 11, 2006, 06:47:32 PM

We cleaned up a bit of the mess, let's clear this computer of more please

==Download and save to your desktop
"Remove.txt"
Once saved to your desktop, can you do the following
Right click on it and Rename it too Remove.bat please
Ensure it has the .bat extension
We'll need it later
[attachment=475:attachment]

==Download CWShredder.exe (http://\"http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe\") and save to your desktop, don't run yet

Download and save to your desktop PeperFix.exe (http://\"http://www.bleepingcomputer.com/files/virus/PeperFix.exe\")
Don't run this yet

=Download and then Install
Ewido anti-malware 3.5 (http://\"http://download.ewido.net/ewido-setup.exe\")

When installing, under "Additional Options" Uncheck
"Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

Reboot back into Safe mode

In safe mode
Again access your add/remove programs and remove any of the following if they will remove
Don't reboot the computer after removing any of them, remain in safe mode
Context Display
E2give Plug-in
Enhanced Ads by Zeno removal
Network Monitor
ToPicks
TSA
UCmore - The Search Accelerator
Win-dh
Zeno Search Assistant removal

==Double click on Remove.bat
A dos window will open and close, this is normal

==Double click on CWShredder.exe and run the FIX
Let it finish and then exit the tool

==Double click on PeperFix.exe
Click the "Find and Fix"
Follow the prompts
Exit and remain in safe mode when done

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
If you have not intentionally saved any files to a temp location, use the Standard CleanUp!
If you have or unsure
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop or somewhere convienent you can access later
Exit Ewido
NOTE: Don't open other windows when Ewido is running it's scan, let it finish please

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O2 - BHO: (no name) - {1F132CEC-0DAE-44A1-FF51-4872CEB10D3F} - C:\WINDOWS\Zjamoskd.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\System32\hfaoygo.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {BDB3E784-0CE7-4623-A1B0-EF53F907DA91} - C:\WINDOWS\System32\kcdgt.dll
~~O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx~~
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [cWvQUs] C:\documents and settings\ashley sanders\local settings\temp\cWvQUs.exe
O4 - HKLM\..\Run: [5Xfpa2Ud] C:\documents and settings\ashley sanders\local settings\temp\5Xfpa2Ud.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Fah1q5.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [59135cce213c] C:\WINDOWS\System32\AUTODISC.exe
O4 - HKLM\..\Run: [FXXpYhr] C:\documents and settings\ashley sanders\local settings\temp\FXXpYhr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Hfoogs] C:\Program Files\Akszm\Zgdq.exe
O4 - HKLM\..\Run: [Derwlywc] C:\Program Files\Cvhalfp\Cxwsuuj.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [uaahsn9b] C:\Program Files\uaahsn9b\uaahsn9b.exe

O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Program Files\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [inst_] C:\WINDOWS\System32\inst_
O4 - HKLM\..\Run: [mcspy.exe] C:\WINDOWS\System32\mcspy.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\System32\loadadv64
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [win32090175901661] C:\WINDOWS\win32090175901661.exe
O4 - HKLM\..\Run: [kcdgtc] C:\WINDOWS\System32\kcdgtc.exe
O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\System32\guarnset.exe
O4 - HKLM\..\Run: [Tagasuarus7.exe] C:\WINDOWS\System32\Tagasuarus7.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard1.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad1.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys1.exe
O4 - HKLM\..\Run: [win32076101759016] C:\WINDOWS\win32076101759016.exe
O4 - HKLM\..\Run: [sys017590166101] C:\WINDOWS\sys017590166101.exe
O4 - HKLM\..\Run: [ms040166101759] C:\WINDOWS\ms040166101759.exe
O4 - HKLM\..\Run: [ms039016610175] C:\WINDOWS\ms039016610175.exe
O4 - HKLM\..\Run: [ms066610175901] C:\WINDOWS\ms066610175901.exe
O4 - HKLM\..\Run: [win32066610175901] C:\WINDOWS\win32066610175901.exe
O4 - HKLM\..\Run: [ms051661017590] C:\WINDOWS\ms051661017590.exe
O4 - HKLM\..\Run: [wrapperouter.exeg] C:\WINDOWS\System32\wrapperouter.exeg
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [{87-76-6A-A2-ZN}] c:\windows\system32\dwdsregt.exe TST001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\owinnrag.exe TST001
O4 - HKCU\..\Run: [vga64k] C:\WINDOWS\System32\vga64k.exe

O4 - HKCU\..\Run: [disrdi] C:\WINDOWS\System32\disrdi.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00135.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [uuwf] C:\PROGRA~1\COMMON~1\uuwf\uuwfm.exe
O4 - HKCU\..\RunOnce: [disrdi] C:\WINDOWS\System32\disrdi.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\owinnrag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rndsrego.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (http://\"http://click.getmirar.com\") (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (http://\"http://click.mirarsearch.com\") (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (http://\"http://redirect.mirarsearch.com\") (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c3.cab (http://\"http://static.windupdates.com/cab/MediaAcc...e/bridge-c3.cab\")
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rcabinstall.cab (http://\"http://download.spyspotter.com/spyspotter/...rcabinstall.cab\")

O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Post a fresh hijackthis log
Also include the whole report from Ewido's please

Title: Please Help Me
Post by: handsomecrown on March 11, 2006, 09:40:20 PM

Ok... Here you go:

Logfile of HijackThis v1.99.1
Scan saved at 7:26:17 PM, on 3/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

HERE (http://\"http://www.filelodge.com/files/hdd7/162744/ScanReport.txt\") is the Ewido Scan Report. (Uploaded on this site due to its length)

Title: Please Help Me
Post by: guestolo on March 11, 2006, 10:54:37 PM

I accidentally had you remove a legit entry from Hijackthis
Let's do the following please
Open Hijackthis>>Click the "View a list of Backups"

Highlight ONLY this entry please
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
and click the Restore button

You appear to be running both McAfee's virus scanner and Norton's
It's not recommended to run more than one Anti-Virus software's realtime protection
This will cause conflicts and/or decrease system performance

You should either disable one completely from running on startup or Uninstall it
Reboot the computer afterwards

Post back one last hijackthis log and let me know how things are running
We should do some final cleanup

Title: Please Help Me
Post by: handsomecrown on March 12, 2006, 12:39:59 PM

I tried to uninstall McAfee VirusScan but the uninstaller never worked. I even downloaded the manual uninstaller from their website and still nothing, so I just disabled it. The Security Center is still running, is that ok? I didn't find out how to disable that service.

Anyway, the computer is running amazingly well. There are only a few small things that are still out of the ordinary. One of these is the fact that on start up, two text files open up in Notepad that are named "DESKTOP." They both say:

Code: [Select]

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Otherwise the only other problem I see is that there is an executable file on the desktop called TagASaurus. I think it is some sorrt of adware program.

Overall, the computer is great. It only takes about a minute from log on to use as opposed to the 7+ minutes it took before. Also, there are no pop-ups atall which is a great improvement from before.

Here is the latest HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:47 AM, on 3/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Title: Please Help Me
Post by: guestolo on March 12, 2006, 04:01:18 PM

Can you delete these folders if found
C:\Program Files\AdsBlocker <-folder
C:\Program Files\Akszm
C:\Program Files\Cvhalfp
C:\Program Files\Jalmp
C:\Program Files\uaahsn9b
C:\WINDOWS\QW5kcmVhIFNhbmRlcnM

Here is some info from Microsoft
http://support.microsoft.com/?id=330132 (http://\"http://support.microsoft.com/?id=330132\")

Post back, you still appear to have both McAfee's virus scanner and Norton's running at the same time
What version of McAfee's is it???
Where did you find the uninstaller??
Is Norton's an up to date version??
If both norton's and mcafee's are old versions, we can get you free software that is more up to date

Title: Please Help Me
Post by: handsomecrown on March 12, 2006, 04:40:41 PM

This computer is running Norton AntiVirus Corporate Edition 7.61.937. The definitions are updated and it is a paid subsription. McAfee Security Center and McAfee VirusScan Online are both items that came with the computer (through Dell).

I tried to uninstall McAfee VirusScan Online through the Add/ Remove Programs and after I confirmed the uninstall, a scprit error came up. After I closed the script error, the uninstaller just stayed at "Uninstalling Components..." I left it like this over night and it made no progress.

After that failed I went to http://ts.mcafeehelp.com/?siteID=1&resolution=800x600 (http://\"http://ts.mcafeehelp.com/?siteID=1&resolution=800x600\") where it gave me an uninstaller that I ran, but still didn't work.

My friend (who owns the computer) said she would be willing to get rid of McAfee, but Norton she wanted to keep because it is paid for.

Also, I deleted the folders you asked me to (except for the last one which wasn't there) and I deleted the textfile that kept opening.

EDIT: Also, another thing I wanted to mention was the fact that .ini files are showing even though I have the computer hiding protected system files. I don't know why this is occuring.

Title: Please Help Me
Post by: guestolo on March 12, 2006, 04:52:49 PM

I'm not sure what version of Virusscan
McAfee's is?
Is this the tool you used?
http://tools.mcafeehelp.com/doc.php?siteid...1541&support=ts (http://\"http://tools.mcafeehelp.com/doc.php?siteid=1&docid=71541&support=ts\")

Title: Please Help Me
Post by: handsomecrown on March 12, 2006, 04:59:07 PM

Ya, that is the tool I used. I could not find a version number anywhere on any of the McAfee products.

Also, incase you didn't see the edit I made in the above post:

Another thing I wanted to mention was the fact that .ini files are showing even though I have the computer hiding protected system files. I don't know why this is occuring.

Title: Please Help Me
Post by: guestolo on March 12, 2006, 08:34:02 PM

How many .ini files did you delete
Did you follow Microsoft's instructions closely
Can you navigate to the .ini file and right click on it and choose Hidden?
If you can, do so

Try the following for McAfee's
I want to make sure that a firewall is enabled
SP1 firewall is disabled by default
Read this link to enable it
http://www.computerhope.com/issues/ch000551.htm (http://\"http://www.computerhope.com/issues/ch000551.htm\")

Reboot the computer into safe mode
Go to START>>RUN>>type in services.msc
Hit Ok
In the next window, look on the right hand side for this service
name---- McAfee.com McShield

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this one
McAfee.com VirusScan Online Realtime Engine

Try running the uninstaller from add/remove programs again for McAfee AV
If it won't work
Try the tool to uninstall it

Reboot back to Normal mode and post a fresh hijackthis log
and the mccleanup.log from the uninstall tool

Title: Please Help Me
Post by: handsomecrown on March 12, 2006, 09:18:41 PM

I only deleted the .ini files specified by the Microsoft instructions.

The .ini files that were viewable were able to be hidden.

I followed the document you posted above to enable Microsoft's firewall and I got an error that stated: "The specified service does not exist as an installed service."

I haven't done anything below that step.

Title: Please Help Me
Post by: guestolo on March 12, 2006, 09:27:56 PM

I want to clear your restore points so you don't undo anything we have done to this point

Go to START>>RUN>>In the open field
Type in msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer

Back in Windows, Go back and take the check out of "Turn off system restore"
This will reenable the System Restore feature and creates a new restore point

*Install SpywareBlaster 3.5.1 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")

After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

Please install the latest Service pack for Windows
In IE>>go to TOOLS>>WINDOWS UPDATES
Install all latest High priority updates and service pack 2
Keep revisiting until you have all High Priorities installed
Reboot whenever prompted

After SP2 is installed you will have a new icon in the Windows Control panel
labelled "Windows Firewall"
Can you open it and ensure the firewall is enabled please
Come back here and post a fresh hijackthis log
Let me know if you were able to enable the firewall or if it is enabled

Title: Please Help Me
Post by: handsomecrown on March 12, 2006, 10:26:18 PM

Yay! More difficulties...

I reset all the System Restore Points and installed SpywareBlaster, but the probelm started with Windows Update. The following item failed to be installed: Windows Genuine Advantage Validation Tool (KB892130). It could be downloaded, but it could not be installed.

Title: Please Help Me
Post by: guestolo on March 12, 2006, 11:18:59 PM

Can you do the following please
Download and save WinPFind.zip (http://\"http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip\")
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Select "Configure Scan Options"
Under Run Addon's on the right hand side
Put a tick in all the empty boxes then click Apply

Click START SCAN
Let this finish, a log will open so you will know it's done
Close out after

Post the results of the WindPFind.txt located in the WinPFind folder

Title: Please Help Me
Post by: handsomecrown on March 12, 2006, 11:38:59 PM

Here it is:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 2/12/2006 8:24:00 PM 45568 C:\WINDOWS\SYSTEM32\0go4efoy.dll
PEC2 8/29/2002 3:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PECompact2 2/7/2006 9:28:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2/7/2006 9:28:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/29/2002 3:00:00 AM 631808 C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX! 2/26/2006 7:35:14 PM 224768 C:\WINDOWS\SYSTEM32\realarcade_seedcorn_stub.exe
winsync 8/29/2002 3:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS
127.0.0.1 abetterinternet.com #[downloader.stubby.a]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[adware-betterinet application]
127.0.0.1 download.abetterinternet.com #[adware.stoppopupadsnow]
127.0.0.1 download2.abetterinternet.com #[parasite.transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
3/5/2006 6:44:00 PM H 54156 C:\WINDOWS\QTFont.qfn
2/16/2006 6:25:40 PM HS 846 C:\WINDOWS\SYSTEM32\Geke3L.3b3
2/11/2006 9:14:06 PM HS 846 C:\WINDOWS\SYSTEM32\NuzK63G.i8q
3/11/2006 4:57:58 PM HS 846 C:\WINDOWS\SYSTEM32\Ryeo85km.bua
1/13/2006 12:28:32 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
2/27/2006 9:14:10 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\b1188722-ba2a-44c8-9ed3-6966d4d85833
3/12/2006 9:20:54 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/29/2002 3:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 578560 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Broadcom Corporation 5/8/2003 5:25:18 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
Broadcom Corporation 6/3/2003 8:38:44 AM 94208 C:\WINDOWS\SYSTEM32\BCMSM.CPL
5/10/2001 10:00:00 PM 183808 C:\WINDOWS\SYSTEM32\BDEADMIN.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 129024 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Intel Corporation 4/6/2003 10:14:30 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/29/2002 3:00:00 AM 292352 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 121856 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 65536 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 9/25/2003 6:00:12 PM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 3:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 268288 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/29/2002 3:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 3:00:00 AM 578560 C:\WINDOWS\SYSTEM32\DLLCACHE\appwiz.cpl
Microsoft Corporation 8/29/2002 3:00:00 AM 292352 C:\WINDOWS\SYSTEM32\DLLCACHE\inetcpl.cpl
Microsoft Corporation 8/29/2002 1:41:00 AM 208896 C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl
Intel Corporation 4/6/2003 10:14:30 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/25/2003 12:02:32 PM 551 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 6:50:46 AM 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
10/21/2003 7:55:36 PM 12 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
12/8/2004 8:42:40 PM 366 C:\Documents and Settings\All Users\Application Data\hpzinstall.log
1/15/2006 12:35:14 PM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 6:50:46 AM 62 C:\Documents and Settings\Michael Sanders\Application Data\DESKTOP.INI
12/6/2003 8:26:48 AM 12358 C:\Documents and Settings\Michael Sanders\Application Data\PFP110JCM.{PB
12/6/2003 8:26:48 AM 61678 C:\Documents and Settings\Michael Sanders\Application Data\PFP110JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
       =
   E-nrgyPlus    = |
   dial    = |

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
   {AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}    =
   {AD2463D3-1C57-4634-9C90-79D15A801A47}    =
   {6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}    =
   {35B1EBC1-119D-4F95-A628-68F5B3D4B549}    =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
   {BDA77241-42F6-11d0-85E2-00AA001FE28C}    = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
   {BDA77241-42F6-11d0-85E2-00AA001FE28C}    = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
   {C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}    = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
   ButtonText    = AIM   : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
   ButtonText    = Real.com   :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   IgfxTray   C:\WINDOWS\System32\igfxtray.exe
   HotKeysCmds   C:\WINDOWS\System32\hkcmd.exe
   BCMSMMSG   BCMSMMSG.exe
   MMTray   C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
   MCAgentExe   C:\Program Files\McAfee.com\Agent\mcagent.exe
   MCUpdateExe   C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
   AdaptecDirectCD   "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   VirusScan Online   c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
   REGSHAVE   C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
   TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
   iTunesHelper   "C:\Program Files\iTunes\iTunesHelper.exe"
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   MSConfig   C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background
   AIM   C:\Program Files\AIM\aim.exe -cnetwait.odl
   DellSupport   "C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   2
   services   0
   startup   0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption
   legalnoticetext
   shutdownwithoutlogon   1
   undockwithoutlogon   1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
   disrdi   C:\WINDOWS\System32\disrdi.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder    {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn    {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck    {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray     {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\SYSTEM32\Userinit.exe,
   Shell      = explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs

<<<<<<<<<< Checking for AddOn Monitors.def information >>>>>>>>>>
Parameter line : regkey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors found!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\BJ Language Monitor
   Driver   cnbjmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\hpzsnt07
   Driver   hpzsnt07.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
   Driver   localspl.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Microsoft Shared Fax Monitor
   Driver   FXSMON.DLL

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor
   Driver   pjlmon.dll
   EOJTimeout   60000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
   Driver   tcpmon.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
   StatusUpdateInterval   10
   StatusUpdateEnabled   1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\USB Monitor
   Driver   usbmon.dll

<<<<<<<<<< Checking for AddOn OpenCommand.def information >>>>>>>>>>
>>>>>>>>>> Exporting Shell Open\Command entries
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\batfile\shell\open\command found!
      "%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\comfile\shell\open\command found!
      "%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command found!
      "%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\piffile\shell\open\command found!
      "%1" %*

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\regfile\shell\open\command found!
      regedit.exe "%1"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command found!
      "%1" /S

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\vbsfile\shell\open\command found!

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\htmlfile\shell\open\command found!
      "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\http\shell\open\command found!
      "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mp3file\shell\open\command found!
      "C:\Program Files\Windows Media Player\wmplayer.exe" /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\mpegfile\shell\open\command found!
      "C:\Program Files\Windows Media Player\wmplayer.exe" /Open "%L"

Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command;;
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\jsfile\shell\open\command found!

<<<<<<<<<< Checking for AddOn Policies.def information >>>>>>>>>>

<<<<<<<<<< Checking for AddOn Qoologic.def information >>>>>>>>>>
>>>>>>>>>> Search by size and name
>>>>>>>>>> Files found by this method are not necessarily bad
>>>>>>>>>> Example PNGFILT.DLL is a windows file
Parameter line : file=%sysdir%;*.exe;150;61952;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7680;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;91648;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;81920;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;7168;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%sysdir%;*.exe;150;65536;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;redit.cpl;;;;;
File C:\WINDOWS\SYSTEM32\redit.cpl was not found!
Parameter line : file=%sysdir%;conres.cpl;;;;;
File C:\WINDOWS\SYSTEM32\conres.cpl was not found!
Parameter line : file=%sysdir%;datadx.dll;;;;;
File C:\WINDOWS\SYSTEM32\datadx.dll was not found!
Parameter line : file=%sysdir%;*.dll;150;10240;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 10240 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;46080;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 46080 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;34816;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 34816 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;16384;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 16384 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;29184;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 29184 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;26624;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 26624 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;9728;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 9728 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;10843;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;18432;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 18432 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;23040;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 23040 bytes was not found!
Parameter line : file=%sysdir%;*.dll;150;17920;;;
File C:\WINDOWS\SYSTEM32\*.dll for today - 150 days with a size of 17920 bytes was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>> Misc Checks
Parameter line : file=%sysdir%;*.dat;150;81920;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 81920 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;61952;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 61952 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;65536;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 65536 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7680;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 7680 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;91648;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 91648 bytes was not found!
Parameter line : file=%sysdir%;*.dat;150;7168;;;
File C:\WINDOWS\SYSTEM32\*.dat for today - 150 days with a size of 7168 bytes was not found!
Parameter line : file=%windir%;*.dll;150;10843;;;
File C:\WINDOWS\*.dll for today - 150 days with a size of 10843 bytes was not found!
Parameter line : file=%windir%;*.dll;150;3950;;;
File C:\WINDOWS\*.dll for today - 150 days with a size of 3950 bytes was not found!
Parameter line : file=%windir%;*.dll;150;3943;;;
File C:\WINDOWS\*.dll for today - 150 days with a size of 3943 bytes was not found!

<<<<<<<<<< Checking for AddOn RDriv.def information >>>>>>>>>>
Registry Entries
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Updates not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center AntiVirus not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center Firewall not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\OLE;;
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE found!
   EnableDCOM   Y

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\NONREDIST
   System.EnterpriseServices.Thunk.dll

Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV;;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate;;
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall;;
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall not found!
Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters;;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters found!
   autodisconnect   15
   enableforcedlogoff   1
   enablesecuritysignature   0
   requiresecuritysignature   0
   Lmannounce   0
   Size   1
   Guid   ”ß‡cBüNH†Æ·Vœl1
   srvcomment   Sanders school work
   CachedOpenLimit   0
Parameter line : RegKey=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters;;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters found!
   enableplaintextpassword   0
   enablesecuritysignature   1
   requiresecuritysignature   0

Parameter line : RegKey=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions;;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions found!

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
   {00022613-0000-0000-C000-000000000046}   Multimedia File Property Sheet
   {176d6597-26d3-11d1-b350-080036a75b03}   ICM Scanner Management
   {1F2E5C40-9550-11CE-99D2-00AA006E086C}   NTFS Security Page
   {3EA48300-8CF6-101B-84FB-666CCB9BCD32}   OLE Docfile Property Page
   {40dd6e20-7c17-11ce-a804-00aa003ca9f6}   Shell extensions for sharing
   {41E300E0-78B6-11ce-849B-444553540000}   PlusPack CPL Extension
   {42071712-76d4-11d1-8b24-00a0c9068ff3}   Display Adapter CPL Extension
   {42071713-76d4-11d1-8b24-00a0c9068ff3}   Display Monitor CPL Extension
   {42071714-76d4-11d1-8b24-00a0c9068ff3}   Display Panning CPL Extension
   {4E40F770-369C-11d0-8922-00A024AB2DBB}   DS Security Page
   {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}   Compatibility Page
   {56117100-C0CD-101B-81E2-00AA004AE837}   Shell Scrap DataHandler
   {59099400-57FF-11CE-BD94-0020AF85B590}   Disk Copy Extension
   {59be4990-f85c-11ce-aff7-00aa003ca9f6}   Shell extensions for Microsoft Windows Network objects
   {5DB2625A-54DF-11D0-B6C4-0800091AA605}   ICM Monitor Management
   {675F097E-4C4D-11D0-B6C1-0800091AA605}   ICM Printer Management
   {764BF0E1-F219-11ce-972D-00AA00A14F56}   Shell extensions for file compression
   {77597368-7b15-11d0-a0c2-080036af3f03}   Web Printer Shell Extension
   {7988B573-EC89-11cf-9C00-00AA00A14F56}   Disk Quota UI
   {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}   Encryption Context Menu
   {85BBD920-42A0-1069-A2E4-08002B30309D}   Briefcase
   {88895560-9AA2-1069-930E-00AA0030EBC8}   HyperTerminal Icon Ext
   {BD84B380-8CA2-1069-AB1D-08000948F534}   Fonts
   {DBCE2480-C732-101B-BE72-BA78E9AD5B27}   ICC Profile
   {F37C5810-4D3F-11d0-B4BF-00AA00BBB723}   Printers Security Page
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   Shell extensions for sharing
   {f92e8c40-3d33-11d2-b1aa-080036a75b03}   Display TroubleShoot CPL Extension
   {7007ACC7-3202-11D1-AAD2-00805FC1270E}   Network Connections
   {992CFFA0-F557-101A-88EC-00DD010CCC48}   Network Connections
   {E211B736-43FD-11D1-9EFB-0000F8757FCD}   Scanners & Cameras
   {FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}   Scanners & Cameras
   {905667aa-acd6-11d2-8080-00805f6596d2}   Scanners & Cameras
   {3F953603-1008-4f6e-A73A-04AAC7A992F1}   Scanners & Cameras
   {83bbcbf3-b28a-4919-a5aa-73027445d672}   Scanners & Cameras
   {F0152790-D56E-4445-850E-4F3117DB740C}   Remote Sessions CPL Extension
   {60254CA5-953B-11CF-8C96-00AA00B8708C}   Shell extensions for Windows Script Host
   {2206CDB2-19C1-11D1-89E0-00C04FD7A829}   Microsoft Data Link
   {DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}   Tasks Folder Icon Handler
   {797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}   Tasks Folder Shell Extension
   {D6277990-4C6A-11CF-8D87-00AA0060F5BF}   Scheduled Tasks
   {0DF44EAA-FF21-4412-828E-260A8728E7F1}   Taskbar and Start Menu
   {2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}   Search
   {2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}   Help and Support
   {2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}   Help and Support
   {2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}   Run...
   {2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}   Internet
   {2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}   E-mail
   {D20EA4E1-3957-11d2-A40B-0C5020524152}   Fonts
   {D20EA4E1-3957-11d2-A40B-0C5020524153}   Administrative Tools
   {875CB1A1-0F29-45de-A1AE-CFB4950D0B78}   Audio Media Properties Handler
   {40C3D757-D6E4-4b49-BB41-0E5BBEA28817}   Video Media Properties Handler
   {E4B29F9D-D390-480b-92FD-7DDB47101D71}   Wav Properties Handler
   {87D62D94-71B3-4b9a-9489-5FE6850DC73E}   Avi Properties Handler
   {A6FD9E45-6E44-43f9-8644-08598F5A74D9}   Midi Properties Handler
   {c5a40261-cd64-4ccf-84cb-c394da41d590}   Video Thumbnail Extractor
   {5E6AB780-7743-11CF-A12B-00AA004AE837}   Microsoft Internet Toolbar
   {22BF0C20-6DA7-11D0-B373-00A0C9034938}   Download Status
   {91EA3F8B-C99B-11d0-9815-00C04FD91972}   Augmented Shell Folder
   {6413BA2C-B461-11d1-A18A-080036B11A03}   Augmented Shell Folder 2
   {F61FFEC1-754F-11d0-80CA-00AA005B4383}   BandProxy
   {7BA4C742-9E81-11CF-99D3-00AA004AE837}   Microsoft BrowserBand
   {30D02401-6A81-11d0-8274-00C04FD5AE38}   Search Band
   {32683183-48a0-441b-a342-7c2a440a9478}   Media Band
   {169A0691-8DF9-11d1-A1C4-00C04FD75D13}   In-pane search
   {07798131-AF23-11d1-9111-00A0C98BA67D}   Web Search
   {AF4F6510-F982-11d0-8595-00AA004CD6D8}   Registry Tree Options Utility
   {01E04581-4EEE-11d0-BFE9-00AA005B4383}   &Address
   {A08C11D2-A228-11d0-825B-00AA005B4383}   Address EditBox
   {00BB2763-6A77-11D0-A535-00C04FD7D062}   Microsoft AutoComplete
   {7376D660-C583-11d0-A3A5-00C04FD706EC}   TridentImageExtractor
   {6756A641-DE71-11d0-831B-00AA005B4383}   MRU AutoComplete List
   {6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}   Custom MRU AutoCompleted List
   {7e653215-fa25-46bd-a339-34a2790f3cb7}   Accessible
   {acf35015-526e-4230-9596-becbe19f0ac9}   Track Popup Bar
   {E0E11A09-5CB8-4B6C-8332-E00720A168F2}   Address Bar Parser
   {00BB2764-6A77-11D0-A535-00C04FD7D062}   Microsoft History AutoComplete List
   {03C036F1-A186-11D0-824A-00AA005B4383}   Microsoft Shell Folder AutoComplete List
   {00BB2765-6A77-11D0-A535-00C04FD7D062}   Microsoft Multiple AutoComplete List Container
   {ECD4FC4E-521C-11D0-B792-00A0C90312E1}   Shell Band Site Menu
   {3CCF8A41-5C85-11d0-9796-00AA00B90ADF}   Shell DeskBarApp
   {ECD4FC4C-521C-11D0-B792-00A0C90312E1}   Shell DeskBar
   {ECD4FC4D-521C-11D0-B792-00A0C90312E1}   Shell Rebar BandSite
   {DD313E04-FEFF-11d1-8ECD-0000F87A470C}   User Assist
   {EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}   Global Folder Settings
   {EFA24E61-B078-11d0-89E4-00C04FC9E26E}   Favorites Band
   {0A89A860-D7B1-11CE-8350-444553540000}   Shell Automation Inproc Service
   {E7E4BC40-E76A-11CE-A9BB-00AA004AE837}   Shell DocObject Viewer
   {A5E46E3A-8849-11D1-9D8C-00C04FC99D61}   Microsoft Browser Architecture
   {FBF23B40-E3F0-101B-8488-00AA003E56F8}   InternetShortcut
   {3C374A40-BAE4-11CF-BF7D-00AA006946EE}   Microsoft Url History Service
   {FF393560-C2A7-11CF-BFF4-444553540000}   History
   {7BD29E00-76C1-11CF-9DD0-00A0C9034933}   Temporary Internet Files
   {7BD29E01-76C1-11CF-9DD0-00A0C9034933}   Temporary Internet Files
   {CFBFAE00-17A6-11D0-99CB-00C04FD64497}   Microsoft Url Search Hook
   {A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}   IE4 Suite Splash Screen
   {67EA19A0-CCEF-11d0-8024-00C04FD75D13}   CDF Extension Copy Hook
   {131A6951-7F78-11D0-A979-00C04FD705A2}   ISFBand OC
   {9461b922-3c5a-11d2-bf8b-00c04fb93661}   Search Assistant OC
   {3DC7A020-0ACD-11CF-A9BB-00AA004AE837}   The Internet
   {871C5380-42A0-1069-A2EA-08002B30309D}   Internet Name Space
   {EFA24E64-B078-11d0-89E4-00C04FC9E26E}   Explorer Band
   {9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}   Sendmail service
   {9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}   Sendmail service
   {88C6C381-2E85-11D0-94DE-444553540000}   ActiveX Cache Folder
   {E6FB5E20-DE35-11CF-9C87-00AA005127ED}   WebCheck
   {ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}   Subscription Mgr
   {F5175861-2688-11d0-9C5E-00AA00A45957}   Subscription Folder
   {08165EA0-E946-11CF-9C87-00AA005127ED}   WebCheckWebCrawler
   {E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}   WebCheckChannelAgent
   {E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}   TrayAgent
   {7D559C10-9FE9-11d0-93F7-00AA0059CE02}   Code Download Agent
   {E6CC6978-6B6E-11D0-BECA-00C04FD940BE}   ConnectionAgent
   {D8BD2030-6FC9-11D0-864F-00AA006809D9}   PostAgent
   {7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}   WebCheck SyncMgr Handler
   {352EC2B7-8B9A-11D1-B8AE-006008059382}   Shell Application Manager
   {0B124F8F-91F0-11D1-B8B5-006008059382}   Installed Apps Enumerator
   {CFCCC7A0-A282-11D1-9082-006008059382}   Darwin App Publisher
   {e84fda7c-1d6a-45f6-b725-cb260c236066}   Shell Image Verbs
   {66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}   Shell Image Data Factory
   {3F30C968-480A-4C6C-862D-EFC0897BB84B}   GDI+ file thumbnail extractor
   {9DBD2C50-62AD-11d0-B806-00C04FD706EC}   Summary Info Thumbnail handler (DOCFILES)
   {EAB841A0-9550-11cf-8C16-00805F1408F3}   HTML Thumbnail Extractor
   {eb9b1153-3b57-4e68-959a-a3266bc3d7fe}   Shell Image Property Handler
   {CC6EEFFB-43F6-46c5-9619-51D571967F7D}   Web Publishing Wizard
   {add36aa8-751a-4579-a266-d66f5202ccbb}   Print Ordering via the Web
   {6b33163c-76a5-4b6c-bf21-45de9cd503a1}   Shell Publishing Wizard Object
   {58f1f272-9240-4f51-b6d4-fd63d1618591}   Get a Passport Wizard
   {7A9D77BD-5403-11d2-8785-2E0420524153}   User Accounts
   {E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}   Compressed (zipped) Folder
   {BD472F60-27FA-11cf-B8B4-444553540000}   Compressed (zipped) Folder Right Drag Handler
   {888DCA60-FC0A-11CF-8F0F-00C04FD7D062}   Compressed (zipped) Folder SendTo Target
   {f39a0dc0-9cc8-11d0-a599-00c04fd64433}   Channel File
   {f3aa0dc0-9cc8-11d0-a599-00c04fd64434}   Channel Shortcut
   {f3ba0dc0-9cc8-11d0-a599-00c04fd64435}   Channel Handler Object
   {f3da0dc0-9cc8-11d0-a599-00c04fd64437}   Channel Menu
   {f3ea0dc0-9cc8-11d0-a599-00c04fd64438}   Channel Properties
   {63da6ec0-2e98-11cf-8d82-444553540000}   FTP Folders Webview
   {883373C3-BF89-11D1-BE35-080036B11A03}   Microsoft DocProp Shell Ext
   {A9CF0EAE-901A-4739-A481-E35B73E47F6D}   Microsoft DocProp Inplace Edit Box Control
   {8EE97210-FD1F-4B19-91DA-67914005F020}   Microsoft DocProp Inplace ML Edit Box Control
   {0EEA25CC-4362-4A12-850B-86EE61B0D3EB}   Microsoft DocProp Inplace Droplist Combo Control
   {6A205B57-2567-4A2C-B881-F787FAB579A3}   Microsoft DocProp Inplace Calendar Control
   {28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}   Microsoft DocProp Inplace Time Control
   {8A23E65E-31C2-11d0-891C-00A024AB2DBB}   Directory Query UI
   {9E51E0D0-6E0F-11d2-9601-00C04FA31A86}   Shell properties for a DS object
   {163FDC20-2ABC-11d0-88F0-00A024AB2DBB}   Directory Object Find
   {F020E586-5264-11d1-A532-0000F8757D7E}   Directory Start/Search Find
   {0D45D530-764B-11d0-A1CA-00AA00C16E65}   Directory Property UI
   {62AE1F9A-126A-11D0-A14B-0800361B1103}   Directory Context Menu Verbs
   {ECF03A33-103D-11d2-854D-006008059367}   MyDocs Copy Hook
   {ECF03A32-103D-11d2-854D-006008059367}   MyDocs Drop Target
   {4a7ded0a-ad25-11d0-98a8-0800361b1103}   MyDocs Properties
   {750fdf0e-2a26-11d1-a3ea-080036587f03}   Offline Files Menu
   {10CFC467-4392-11d2-8DB4-00C04FA31A66}   Offline Files Folder Options
   {AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}   Offline Files Folder
   {143A62C8-C33B-11D1-84FE-00C04FA34A14}   Microsoft Agent Character Property Sheet Handler
   {ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}   DfsShell
   {60fd46de-f830-4894-a628-6fa81bc0190d}   %DESC_PublishDropTarget%
   {7A80E4A8-8005-11D2-BCF8-00C04F72C717}   MMC Icon Handler
   {0CD7A5C0-9F37-11CE-AE65-08002B2E1262}   .CAB file viewer
   {32714800-2E5F-11d0-8B85-00AA0044F941}   For &People...
   {8DD448E6-C188-4aed-AF92-44956194EB1F}   Windows Media Player Play as Playlist Context Menu Handler
   {CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}   Windows Media Player Burn Audio CD Context Menu Handler
   {F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}   Windows Media Player Add to Playlist Context Menu Handler
   {1D2680C9-0E2A-469d-B787-065558BC7D43}   Fusion Cache
   {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}   Shell Extensions for RealOne Player
   {5E44E225-A408-11CF-B581-008029601108}   Adaptec DirectCD Shell Extension
   {5F327514-6C5E-4d60-8F16-D07FA08A78ED}   Auto Update Property Sheet Extension
   {BDA77241-42F6-11d0-85E2-00AA001FE28C}   LDVP Shell Extensions
   {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}   iTunes
   {AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}
   {AD2463D3-1C57-4634-9C90-79D15A801A47}
   {6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}
   {35B1EBC1-119D-4F95-A628-68F5B3D4B549}
   {7444C717-39BF-11D1-8CD9-00C04FC29D45}   Crypto PKO Extension
   {7444C719-39BF-11D1-8CD9-00C04FC29D45}   Crypto Sign Extension

Files
Parameter line : File=%sysdir%;rdriv.sys;;;;;
File C:\WINDOWS\SYSTEM32\rdriv.sys was not found!
Parameter line : File=%sysdir%;ItunesMusic.exe;;;;;
File C:\WINDOWS\SYSTEM32\ItunesMusic.exe was not found!
Parameter line : File=%sysdir%;wkssvc.exe;;;;;
File C:\WINDOWS\SYSTEM32\wkssvc.exe was not found!
Parameter line : File=%windir%;ItunesMusic.exe;;;;;
File C:\WINDOWS\ItunesMusic.exe was not found!
Parameter line : File=%windir%;wkssvc.exe;;;;;
File C:\WINDOWS\wkssvc.exe was not found!

<<<<<<<<<< Checking for AddOn SharedTaskScheduler.def information >>>>>>>>>>
>>>>>>>>>> Exporting Policies from HKLM
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler found!
   {438755C2-A8BA-11D1-B96B-00A0C90312E1}   Browseui preloader
   {8C7461EF-2B13-11d2-BE35-3078302C2030}   Component Categories cache daemon

<<<<<<<<<< Checking for AddOn WareOut.def information >>>>>>>>>>
>>>>>>>>>> PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Parameter line : file=%sysdir%;*.exe;300;55304;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;4096;;;
2/16/2006 2:05:28 PM 4096 C:\WINDOWS\SYSTEM32\inst_0006.exe found!
2/26/2006 7:35:40 PM 4096 C:\WINDOWS\SYSTEM32\s_install_ID8.exe found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;28680;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 28680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;11264;;;
8/29/2002 3:00:00 AM 11264 C:\WINDOWS\SYSTEM32\ATTRIB.EXE found!
8/29/2002 3:00:00 AM 11264 C:\WINDOWS\SYSTEM32\CHKNTFS.EXE found!
8/29/2002 3:00:00 AM 11264 C:\WINDOWS\SYSTEM32\fxssend.exe found!
8/29/2002 3:00:00 AM 11264 C:\WINDOWS\SYSTEM32\RASDIAL.EXE found!
Parameter line : file=%sysdir%;*.ren;300;43528;;;
File C:\WINDOWS\SYSTEM32\*.ren for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;ntfsnlpa.exe;;;;;
File C:\WINDOWS\SYSTEM32\ntfsnlpa.exe was not found!
Parameter line : file=%sysdir%;cisvvc.exe;;;;;
File C:\WINDOWS\SYSTEM32\cisvvc.exe was not found!
Parameter line : file=%sysdir%;drv2cltr.dll;;;;;
File C:\WINDOWS\SYSTEM32\drv2cltr.dll was not found!
Parameter line : file=%sysdir%;hybsys32.dll;;;;;
File C:\WINDOWS\SYSTEM32\hybsys32.dll was not found!
Parameter line : file=%sysdir%;loadctr.exe;;;;;
File C:\WINDOWS\SYSTEM32\loadctr.exe was not found!
Parameter line : file=%sysdir%;rdsndin.exe;;;;;
File C:\WINDOWS\SYSTEM32\rdsndin.exe was not found!
Parameter line : file=%sysdir%;pxpcya64.exe;;;;;
File C:\WINDOWS\SYSTEM32\pxpcya64.exe was not found!
Parameter line : file=%windir%;*.exe;300;55304;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%windir%;*.exe;300;43528;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%windir%;*.exe;300;4096;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 4096 bytes was not found!
Parameter line : file=%windir%;rdt.ini;;;;;
File C:\WINDOWS\rdt.ini was not found!
Parameter line : file=%windir%;baloon.wav;;;;;
File C:\WINDOWS\baloon.wav was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Documents and Settings\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>>Registry keys to look for
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;system;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\system found!
   System
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\WareOut not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\WareOut;;
HKEY_CURRENT_USER\Software\WareOut not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoBandCustomize;;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer found!
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoBandCustomize not found!
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion;Disabled;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\\Disabled not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar;;
HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\SearchToolbar;;
HKEY_CURRENT_USER\Software\SearchToolbar not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser;{08BEC6AA-49FC-4379-3587-4B21E286C19E};;
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser found!
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} not found!

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/12/2006 9:33:01 PM

Title: Please Help Me
Post by: guestolo on March 13, 2006, 09:36:08 PM

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Can you find these files and send them to the recycle bin
C:\WINDOWS\SYSTEM32\inst_0006.exe
C:\WINDOWS\SYSTEM32\s_install_ID8.exe
C:\WINDOWS\SYSTEM32\0go4efoy.dll
C:\WINDOWS\SYSTEM32\realarcade_seedcorn_stub.exe
C:\WINDOWS\SYSTEM32\Geke3L.3b3
C:\WINDOWS\SYSTEM32\NuzK63G.i8q
C:\WINDOWS\SYSTEM32\Ryeo85km.bua

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

Reboot the computer

Do the following please
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)

Use Internet Explorer and Run the online Panda ActiveScan (http://\"http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan.htm&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest\")
* Once you are on the Panda site click the Scan your PC button.
* A new window will open...click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either "Home User or Company."
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on Local Disks to start the scan.

When the scan is complete
click See Report, then click Save Report and save it to your Desktop.

I need to see the following please
1. Post the report from Panda's
2. Post a fresh hijackthis log

Could you also
Download: Registry Search Tool from this link, it's a very small download
http://billsway.com/vbspage/ (http://\"http://billsway.com/vbspage/\")
You will have to scroll down to see it

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7

Wait for the results and post them back here
Do the same for these ones
AD2463D3-1C57-4634-9C90-79D15A801A47
6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E
35B1EBC1-119D-4F95-A628-68F5B3D4B549

Title: Please Help Me
Post by: handsomecrown on March 13, 2006, 10:40:17 PM

Here is the Panda ActiveScan Report:

Incident Status Location

Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@advertising[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@doubleclick[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Michael Sanders\Cookies\michael [email protected][2].txt
Virus:Trj/Downloader.AEE Not disinfected C:\Documents and Settings\Michael Sanders\Desktop\Stuff\backups\backup-20060311-191706-604.inf
Adware:Adware/DollarRevenue Not disinfected C:\gimmysmileys1.exe
Adware:Adware/DollarRevenue Not disinfected C:\keyboard1.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Common Files\VCClient\VCClient.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Common Files\VCClient\VCMain.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Common Files\VCClient\VCUpdate.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\InetGet2\gimmysmileysB.exe
Adware:Adware/Prositefinder Not disinfected C:\RECYCLER\S-1-5-21-3400589454-969008293-3482092931-1008\Dc5\25781568.exe
Spyware:Spyware/ClearSearch Not disinfected C:\RECYCLER\S-1-5-21-3400589454-969008293-3482092931-1008\Dc5\9rpa9wsd.DLL
Spyware:Spyware/ClearSearch Not disinfected C:\RECYCLER\S-1-5-21-3400589454-969008293-3482092931-1008\Dc5\oe8vkg67.DLL
Adware:adware/secure32 Not disinfected C:\secure32.html
Spyware:spyware/surfsidekick Not disinfected C:\SS1001.exe
Spyware:Spyware/Altnet Not disinfected C:\WildMedia.exe[IdmUP.dll]
Adware:Adware Program Not disinfected C:\WildMedia.exe[Topicks.reg]
Spyware:Spyware/Altnet Not disinfected C:\WildMedia.exe[TPReg.dll]
Adware:Adware Program Not disinfected C:\WildMedia.exe[FileVersions.ini]
Spyware:Spyware/Altnet Not disinfected C:\WildMedia.exe[HtCheck2.dll]
Spyware:Spyware/Altnet Not disinfected C:\WildMedia.exe[Idhost.exe]
Virus:Trj/Downloader.gen Not disinfected C:\WildMedia.exe[IdInst.exe]
Adware:adware/clickalchemy Not disinfected C:\WINDOWS\alchem.ini
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
Adware:Adware Program Not disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:adware/gator Not disinfected C:\WINDOWS\GatorPatch.log
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\gimmygames.dat
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\alchem.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\satmat.inf
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb_gdf.dat
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\satmat.ini
Adware:adware/sidesearch Not disinfected C:\WINDOWS\sepsd.bin
Adware:adware/commad Not disinfected C:\WINDOWS\SYSTEM32\atmtd.dll
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\CqbFH.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\FgoeGdW1.exe
Adware:adware/adlogix Not disinfected C:\WINDOWS\SYSTEM32\guarnset.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\Hux1Ua1Z.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\Ifojyc.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\KnlaLVh.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\Mxe42m.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\Oal92Xd2.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\PwnQ9t0X.exe
Adware:Adware/MemoryWatcher Not disinfected C:\WINDOWS\SYSTEM32\Pywf2.exe
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq

Here are the results for the RegSrch.vbs program:

1)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7" 3/13/2006 8:30:16 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}"=""

2)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "AD2463D3-1C57-4634-9C90-79D15A801A47" 3/13/2006 8:31:38 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AD2463D3-1C57-4634-9C90-79D15A801A47}"=""

3)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E" 3/13/2006 8:32:39 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}"=""

4)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "35B1EBC1-119D-4F95-A628-68F5B3D4B549" 3/13/2006 8:33:50 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{35B1EBC1-119D-4F95-A628-68F5B3D4B549}"=""

Title: Please Help Me
Post by: guestolo on March 13, 2006, 11:41:30 PM

Can you find these files and send them to the recycle bin
C:\gimmysmileys1.exe
C:\keyboard1.exe
C:\secure32.html
C:\SS1001.exe
C:\WildMedia.exe
C:\WINDOWS\alchem.ini
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\GatorPatch.log
C:\WINDOWS\gimmygames.dat
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\satmat.inf
C:\WINDOWS\kwv2.dat
C:\WINDOWS\msbb_gdf.dat
C:\WINDOWS\satmat.ini
C:\WINDOWS\sepsd.bin
C:\WINDOWS\SYSTEM32\atmtd.dll
C:\WINDOWS\SYSTEM32\CqbFH.exe
C:\WINDOWS\SYSTEM32\FgoeGdW1.exe
C:\WINDOWS\SYSTEM32\guarnset.exe
C:\WINDOWS\SYSTEM32\Hux1Ua1Z.exe
C:\WINDOWS\SYSTEM32\Ifojyc.exe
C:\WINDOWS\SYSTEM32\KnlaLVh.exe
C:\WINDOWS\SYSTEM32\Mxe42m.exe
C:\WINDOWS\SYSTEM32\Oal92Xd2.exe
C:\WINDOWS\SYSTEM32\PwnQ9t0X.exe
C:\WINDOWS\SYSTEM32\Pywf2.exe
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\uniq
SEARCH for these next files please
IdmUP.dll
Topicks.reg
TPReg.dll
FileVersions.ini
HtCheck2.dll
Idhost.exe
IdInst.exe

and these folders
C:\Program Files\Common Files\VCClient
C:\Program Files\InetGet2
C:\Program Files\altnet
C:\Program Files\topicks
Let me know if you found and removed all the above please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}"=-
"{AD2463D3-1C57-4634-9C90-79D15A801A47}"=-
"{6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}"=-
"{35B1EBC1-119D-4F95-A628-68F5B3D4B549}"=-

Reboot the computer

Are you now able to install Windows updates?

Title: Please Help Me
Post by: handsomecrown on March 14, 2006, 12:23:33 AM

All of the files deleted fine except for the following files which were not located on the computer:

C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
C:\WINDOWS\Downloaded Program Files\WildApp.inf
(When searching for these files I made sure it was looking in hidden files as well)
IdmUP.dll
Topicks.reg
TPReg.dll
FileVersions.ini
HtCheck2.dll
Idhost.exe
IdInst.exe
C:\Program Files\altnet
C:\Program Files\topicks

After following the rest of your instructions, the same update failed in Windowns Update as before (the Validation Tool). It tells me to look at my update history to seee why it failed, but it is not even on the list..

I am sorry for not posting a HJT log before (I forgot), but here is one now after completing your most recent instructions:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:03 PM, on 3/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Title: Please Help Me
Post by: guestolo on March 14, 2006, 01:15:08 AM

Let's get rid of 2 files that you can't see right now
Go to START>>RUN>>Copy and paste the following command in bold below then hit OK

regsvr32 /u occache.dll

Find and delete these files
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf <-file
C:\WINDOWS\Downloaded Program Files\WildApp.inf <-file

Then go back to the Run command and copy and paste the following in bold below
regsvr32 occache.dll

Let's try this for the windows updates
You may have best results with Step2, but work thru the list
If the WGA issue occurred when the Windows system has been activated, it was likely caused by one of the following factors:
1. A security program running in the background prevents the validation tool from running properly.
2. The WGA engine was not installed or running properly.
We can take the following steps and see if the issue can be resolved.
==========================
Step 1: Disable the security programs temporarily
*The following programs can prevent the validation tool from running properly. I suggest we disable them temporarily to test the issue:
*Norton Security programs
*Panda Antivirus programs
*Web Accelarator programs
*Anti-Spyware programs
If any of the above programs cause the issue, please check if it can be re-configured to accept the WGA ActiveX control. Otherwise, please
temporarily disabled to enable the WGA validation tool. However, please re-enable the application after we complete the troubleshooting steps.
==========================
Step 2: Install the WGA engine manually
The WGA engine may have been already installed but is not working properly.
We can use the following steps to reinstall it. This will ensure the engine files be copied and registered properly.
1. Download the ActiveX cab file from the following link and then save it to the Desktop.
http://download.microsoft.com/download/a/c...heckControl.cab (http://\"http://download.microsoft.com/download/a/c/f/acfe4666-1faf-43fd-b6fb-19191521126d/LegitCheckControl.cab\")
Open the downloaded cab file and we will find the following three files:
GWFSPIDGen.dll
LegitCheckControl.dll
LegitCheckControl.inf
2. Click "Start", click "Run", type: "%windir%\system32" (without quotations) and press Enter. Copy the GWFSPIDGen.dll and LegitCheckControl.dll files into the opened system32 folder.
3. Click "Start", click "Run", type: "REGSVR32 LegitCheckControl.dll" (without the quotations) and press Enter. We will see a popup message state
this process succeeded.
4. Click "Start", click "Run", type: "inf" (without quotations) and press Enter. Copy the LegitCheckControl.inf file into the opened inf folder.
5. Right click on the copied LegitCheckControl.inf file in the inf folder, and then choose Install. The WGA engine will be installed automatically.
==========================
After we finish the above steps, please restart the computer and try to validate the Windows again.

Title: Please Help Me
Post by: handsomecrown on March 14, 2006, 07:58:45 PM

Ok... I did everything asked, and it all went fine, but the validation tool still fails to install.

I don't know if this is important of not, but when I go into the list of pervious updates, in about the middle of the list there are several canceled and failed updates. All it says on the info about them is that they can be uninstalled under Add / Remove Programs.

Title: Please Help Me
Post by: handsomecrown on March 15, 2006, 08:29:30 PM

So, after searching around for a little while, I found THIS PAGE (http://\"http://www.tinyurl.com/jnz2z\") on Microsoft that helped my problem. I didn't do exactly what the thread said, but I went to the location he said the downloaded files were and installed the validator manually. This worked perfect, and the next time I went into Windows Updates, it showed that I could install SP2.

Well, it turns out the SP2 files were already downloaded, and failed to install through Windows Update in IE. So, I went into were I found the validator files and manually installed SP2. The problem is, Windows Update still does not let me install updates. It can download them, but it won't install them. Alos, there is still no firewall because when I click to enable it, it gives me another error message.

Here is a new HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:18:06 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\cisvc.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - <a href='http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab' target='_blank' rel='nofollow'>http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab</a>
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - <a href='http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab' target='_blank' rel='nofollow'>http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab</a>
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Title: Please Help Me
Post by: handsomecrown on March 15, 2006, 11:16:15 PM

Well, after visiting This Website (http://\"http://windowsxp.mvps.org/sharedaccess.htm\") I was able to enable the Firewall, but Windows Update still fails to install the updates. Also, McAfee still will not uninstall in safe mode or normal mode.

Title: Please Help Me
Post by: guestolo on March 16, 2006, 09:06:24 PM

Sorry for the delay, I couldn't find time to access the forum that much the last couple days
I had to go back and reread what we have done to this point
Any thing help out in this link?
http://v4.windowsupdate.microsoft.com/troubleshoot/ (http://\"http://v4.windowsupdate.microsoft.com/troubleshoot/\")

Do you get an exact error message when trying to install updates?

We should eliminate the possibility that McAfee's is interfering
I wish I knew the exact version of Mcafee virus scan
Can you navigate to this folder
C:\Program Files\McAfee.com
any read me or other text files that will give you an indication?

Also, could you open Hijackthis>>Open Misc tools section>>Open Hosts file manager
click the "Open In Notepad" button
A text file will open, copy and paste the whole contents back here please

Title: Please Help Me
Post by: handsomecrown on March 16, 2006, 09:43:04 PM

Okay, after installing SP2, I found out I had 7 critical updates, so I downloaded them, but they wouldn't install; however, they did install after I shut down the computer. When I try to install updates through the Windows Update in IE, the error I get says: "Problem: A problem on your computer is preventing updates from being downloaded or installed."

With McAfee, in that folder, there was no specific version number found, but in a readme.txt file it called the AntiVirus software "Mcafee.com AntiVirus Online." At THIS LINK (http://\"http://s2.supload.com/free/untitled-20060316214517.bmp/view/\") I put up a picture to show you what the McAfee Security Center looks like. I hope that helps.

Here is the Hosts file from HJT:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

127.0.0.1 www.f1organizer.com #removed adware url
127.0.0.1 www.netpalnow.com #removed adware url
127.0.0.1 www.addictivetechnologies.com #removed adware url
127.0.0.1 www.mindseti.com #removed adware url
127.0.0.1 www.mindsetinteractive.com #removed adware url
127.0.0.1 1-se.com #[cws.aboutblank][w32.tuoba.trojan]
127.0.0.1 www.1-se.com #[vbs.startpage.c]
127.0.0.1 1stpagehere.com
127.0.0.1 www.1stpagehere.com
127.0.0.1 www.31234.com #[cws.msconfig]
127.0.0.1 356563.net #[win32.winshow.g]
127.0.0.1 www.356563.net
127.0.0.1 4-counter.com #[cws.winproc32][icanfindit.net]
127.0.0.1 75tz.com #[win32.winshow.g]
127.0.0.1 www.75tz.com
127.0.0.1 8ad.com #[parasite.winshow]
127.0.0.1 www.8ad.com
127.0.0.1 adasearch.com
127.0.0.1 www.adasearch.com
127.0.0.1 adulthyperlinks.com #[parasite.coolwebsearch]
127.0.0.1 www.adulthyperlinks.com
127.0.0.1 acc.count-all.com #[cws.tapicfg]
127.0.0.1 aifind.biz
127.0.0.1 www.aifind.biz #[aifind.cc][troj/startpg-bg]
127.0.0.1 aifind.com
127.0.0.1 www.aifind.com
127.0.0.1 aifind.info #[cws.xmlmimefilter][trojan.bookmarker.b,f]
127.0.0.1 allhyperlinks.com #[cws.dnsrelay]
127.0.0.1 www.allhyperlinks.com #[cws.oslogo][cws.oemsyspnp]
127.0.0.1 alfa-search.com #[cws.alfasearch]
127.0.0.1 www.alfa-search.com
127.0.0.1 allneedsearch.com #[troj_startpage.b][find-itnow.com]
127.0.0.1 approvedlinks.com #[super-spider.com]
127.0.0.1 best-search.info #[cws.smartfinder.2]
127.0.0.1 blanksearch.biz #[cws.jksearch]
127.0.0.1 cashsearch.biz #[cws.jksearch]
127.0.0.1 www.clearsearch.net
127.0.0.1 www.coolfreehost.com
127.0.0.1 coolwebsearch.biz
127.0.0.1 www.crooder.com
127.0.0.1 defaultsearching.com #[cws.sounddrv][searchmeup.com]
127.0.0.1 www.e-finder.cc #[cws.addclass.2][startpage-da]
127.0.0.1 ehttp.cc #[cws.addclass][troj_startpage.d]
127.0.0.1 enjoysearch.info #[cws.xxxvideo]
127.0.0.1 www.enjoysearch.info
127.0.0.1 e-plus.cc #[adware.worldsearch]
127.0.0.1 fastsearch.cc #[cws.tapicfg.2][adware.searchcounter]
127.0.0.1 fast-search.us #[cws.docobj]
127.0.0.1 fastwebfinder.com #[app/fastweb-a][adware.fastwebfinder]
127.0.0.1 www.fastwebfinder.com #[cws.aff.tooncomics.2][search.targetwords.com]
127.0.0.1 findemnow.com
127.0.0.1 www.findemnow.com
127.0.0.1 find-itnow.com #[w32.bizten][cws.alfasearch.2]
127.0.0.1 just.find-itnow.com #[startpage-au]
127.0.0.1 www.find-itnow.com #[w32.hostidel.trojan][troj_hostidel.a]
127.0.0.1 findloss.com #[umaxsearch.com]
127.0.0.1 www.findloss.com
127.0.0.1 find-online.net #[troj_startpag.gy]
127.0.0.1 www.find-online.net
127.0.0.1 firstbookmark.com #[parasite.clientman]
127.0.0.1 www.firstbookmark.com
127.0.0.1 www.geo-traffic.com #[redirects to search.msmn.com]
127.0.0.1 globe-finder.cc #[win32.startpage.n]
127.0.0.1 globe-finder.net #[clearsearch.net]
127.0.0.1 www.globe-finder.net
127.0.0.1 global-finder.com #[cws.msinfo]
127.0.0.1 www.global-finder.com
127.0.0.1 gonnasearch.com #[cws.gonnasearch]
127.0.0.1 www.gonnasearch.com #[supaseek.com]
127.0.0.1 greatsearch.biz #[cws.jksearch]
127.0.0.1 greg-search.com #[trojandropper.win32.small.cw]
127.0.0.1 www.greg-search.com
127.0.0.1 hotbookmark.com #[troj/iestart-f]
127.0.0.1 www.hotbookmark.com
127.0.0.1 idgsearch.com #[googlems search helper][cws.googlems]
127.0.0.1 www.idgsearch.com #[trojan.digits]
127.0.0.1 icansearch.net
127.0.0.1 www.icansearch.net
127.0.0.1 ie-search.com #[cws.loadbat][umaxsearch.com]
127.0.0.1 www.ie-search.com
127.0.0.1 iefeadsl.com #[win32.winshow.g]
127.0.0.1 jksearch.biz #[cws.jksearch][startpage-dc]
127.0.0.1 lookfor.cc #[troj_iefeats.a]
127.0.0.1 www.lookfor.cc
127.0.0.1 luckysearch.net #[cws.tapicfg]
127.0.0.1 www.luckysearch.net
127.0.0.1 lustler.com
127.0.0.1 www.lustler.com
127.0.0.1 madfinder.com #[backdoor.madfind][madfinder]
127.0.0.1 www.madfinder.com #[cws.aff.madfinder][downloader-eu]
127.0.0.1 martfinder.com #[adware.startpage][troj/startpa-gh]
127.0.0.1 www.martfinder.com
127.0.0.1 404.msmn.com
127.0.0.1 search.msmn.com
127.0.0.1 gotosearch.msmn.com
127.0.0.1 bjvvhk.t.muxa.cc #[adware.raxums][random sub-domains]
127.0.0.1 myexexex.com #[cws.jsconsole]
127.0.0.1 www.myexexex.com
127.0.0.1 ntsearch.com
127.0.0.1 www.ntsearch.com #[trojan.win32.spooner.d][adware-nsearch]
127.0.0.1 omega-search.com #[cws.olehelp][trojan.bookmarker.d]
127.0.0.1 best.omega-search.com
127.0.0.1 www.omega-search.com
127.0.0.1 payfortraffic.net #[cws.dnsrelay.3][cws.msole]
127.0.0.1 www.payfortraffic.net
127.0.0.1 power-search.info #[trojan.bookmarker.g]
127.0.0.1 www.power-search.info
127.0.0.1 real-yellow-page.com #[cws.realyellowpage]
127.0.0.1 rightfinder.net #[cws.addclass.2]
127.0.0.1 www.rightfinder.net #[troj/startpg-ay]
127.0.0.1 riviera.cc
127.0.0.1 opti.riviera.cc
127.0.0.1 runsearch.com #[cws.mupdate]
127.0.0.1 www.runsearch.com
127.0.0.1 searchcentral.cc
127.0.0.1 searchdesire.com
127.0.0.1 search-dot.com #[cws.systeminit][adware.searchdot]
127.0.0.1 www.search-dot.com
127.0.0.1 searchx.cc #[cws.searchx][trojan.win32.startpage.fw]
127.0.0.1 searchpage.cc
127.0.0.1 search-town.net #[riviera.cc]
127.0.0.1 slawsearch.com #[cws.svchost32]
127.0.0.1 www.slawsearch.com #[cws.ctfmon32]
127.0.0.1 solongas.com #[cws.hputi]
127.0.0.1 start-space.com #[cws.qttasks]
127.0.0.1 www.start-space.com #[search-space.com][navext]
127.0.0.1 supersearch.com
127.0.0.1 www.supersearch.com #[cws.msoffice.3]
127.0.0.1 super-spider.com #[cws.control][troj_krepper.i]
127.0.0.1 tadstore.cc #[cws.addclass.2][rightfinder.net]
127.0.0.1 t.rack.cc #[troj_seeker.b]
127.0.0.1 roquvp.t.rack.cc
127.0.0.1 thebestse.com #[searchmeup.com]
127.0.0.1 www.thebestse.com
127.0.0.1 the-exit.com
127.0.0.1 www.the-exit.com
127.0.0.1 www.the-huns-yellow-pages.com
127.0.0.1 search.thestex.com #[cws.yexe]
127.0.0.1 topfivesearch.com
127.0.0.1 www.topfivesearch.com
127.0.0.1 toteen.com #[trojan.bookmarker.g]
127.0.0.1 out.true-counter.com #[trojan.bootconf][cws.msinfo]
127.0.0.1 true-counter.com #[trojan.slog]
127.0.0.1 www.true-counter.com
127.0.0.1 in.webcounter.cc #[cws.tapicfg.2][adware.searchcounter]
127.0.0.1 www.wholeworldmarket.com #[cws.systeminit.2]
127.0.0.1 www.windowws.cc #[cws.control][search2004.net]
127.0.0.1 world-search.biz #[adware.worldsearch][e-plus.cc]
127.0.0.1 yellow-pages.ws #[searchmeup.com]
127.0.0.1 adult.yellow-pages.ws
127.0.0.1 search.yellow-pages.ws
127.0.0.1 www.yellow500.com #[troj/iestart-f]
127.0.0.1 www.yopta.info #[trojan.bookmarker.c][smart-finder.biz]
127.0.0.1 www.youfindall.com #[cws.aff.winshow]
127.0.0.1 www.your-search.info #[trojan.bookmarker.gen][cws.systeminit]
127.0.0.1 xwebsearch.biz #[cws.svcinit][cws.dreplace][backdoor.sinit
127.0.0.1 search-1.net
127.0.0.1 search-about.net
127.0.0.1 www.search-about.net
127.0.0.1 search-aid.com
127.0.0.1 www.search-aid.com #[coolwebsearch.iefeatsl]
127.0.0.1 search-click.com
127.0.0.1 www.search-click.com
127.0.0.1 search-company.com
127.0.0.1 www.search-company.com
127.0.0.1 search-direct.net
127.0.0.1 www.search-direct.net
127.0.0.1 www.search-and-find.net

127.0.0.1 audioseek.net
127.0.0.1 www.audioseek.net
127.0.0.1 conspy.com
127.0.0.1 conf.conspy.com
127.0.0.1 www.conspy.com
127.0.0.1 searchmyrequest.com #[startpage-bs]
127.0.0.1 conf.searchmyrequest.com #[cws.therealsearch.2]
127.0.0.1 therealsearch.com #[cws.therealsearch]
127.0.0.1 conf.therealsearch.com
127.0.0.1 www.therealsearch.com #[fastwebfinder.com][trojan.realsrch.a]
127.0.0.1 any-find.com
127.0.0.1 www.any-find.com
127.0.0.1 bizonio.com
127.0.0.1 www.bizonio.com
127.0.0.1 dubolom.com
127.0.0.1 www.dubolom.com
127.0.0.1 find4u.net #[cws.ieengine]
127.0.0.1 pilot.find4u.net
127.0.0.1 www.find4u.net
127.0.0.1 free-spy-cam.net
127.0.0.1 getthis4free.com
127.0.0.1 www.getthis4free.com
127.0.0.1 terra.hbison.com
127.0.0.1 hcworld.com
127.0.0.1 free.hcworld.com
127.0.0.1 terra.hcworld.com
127.0.0.1 klounada.com
127.0.0.1 www.klounada.com
127.0.0.1 mypoiskovik.com
127.0.0.1 www.mypoiskovik.com
127.0.0.1 topotun.com #[adware.topotun]
127.0.0.1 www.topotun.com
127.0.0.1 web-cams-chat.com
127.0.0.1 your-searcher.com #[cws.ieengine]
127.0.0.1 activexupdate.com #[cws.oemsyspnp]
127.0.0.1 www.activexupdate.com
127.0.0.1 adult-friends-finder.net
127.0.0.1 coolsearcher.info #[coolsearcher toolbar]
127.0.0.1 www.coolsearcher.info
127.0.0.1 www.coolwebsearch.org
127.0.0.1 fdadfswr.com #[adware.freecomm]
127.0.0.1 www.fdadfswr.com
127.0.0.1 www.netcross.cz #[netcross.cz toolbar]
127.0.0.1 searchcomplete.com #[adware.yellowpages]
127.0.0.1 www.searchcomplete.com
127.0.0.1 searchforge.com
127.0.0.1 ie.searchforge.com #[cws.oemsyspnp.3]
127.0.0.1 www.searchforge.com
127.0.0.1 coolpage.cc #[cws.realyellowpage]
127.0.0.1 ww11.coolpage.cc
127.0.0.1 here4search.com #[downloader.tooncom][cws.aff.tooncomics]
127.0.0.1 www.here4search.com
127.0.0.1 hugesearch.net #[cws.msoffice.3]
127.0.0.1 www.hugesearch.net
127.0.0.1 icanfindit.net
127.0.0.1 www.icanfindit.net #[cws.winproc32]
127.0.0.1 list2004.com #[cws.realyellowpage]
127.0.0.1 linklist.cc #[cws.realyellowpage][adware.raxums][coolpage.cc]
127.0.0.1 ww9.linklist.cc
127.0.0.1 www.linklist.cc
127.0.0.1 my-find.com
127.0.0.1 www.my-find.com
127.0.0.1 royalsearch.net
127.0.0.1 www.royalsearch.net #[vbs.bootconf][cws.msoffice.2]
127.0.0.1 www.search-and-go.com
127.0.0.1 searchdot.net #[cws.msoffice]
127.0.0.1 www.searchdot.net
127.0.0.1 searchmeup.com #[cws.svcinit.3]
127.0.0.1 www.searchmeup.com
127.0.0.1 searchmeup.net
127.0.0.1 www.searchmeup.net
127.0.0.1 thesten.com #[cws.aff.winshow.3]
127.0.0.1 umaxsearch.com #[troj_esepor.a][cws.xplugin]
127.0.0.1 affiliates.umaxsearch.com
127.0.0.1 www.umaxsearch.com
127.0.0.1 uni-dialer.com
127.0.0.1 www.uni-dialer.com
127.0.0.1 00hq.com #[adware.winshow][parasite.winshow]
127.0.0.1 www.00hq.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 008i.com
127.0.0.1 www.008i.com
127.0.0.1 opsex.com
127.0.0.1 www.opsex.com
127.0.0.1 searchv.com #[troj_startpage.u][cws.mupdate]
127.0.0.1 www.searchv.com #[cws.bootconf][searchv.winshow]
127.0.0.1 searchxp.com #[cws.bootconf]
127.0.0.1 www.searchxp.com
127.0.0.1 v61.com #[win32.winshow.g]
127.0.0.1 www.v61.com
127.0.0.1 windowupdate.ws #[cws.aboutblank]
127.0.0.1 winshow.biz
127.0.0.1 www.winshow.biz
127.0.0.1 freescratchandwin.com #[parasite.freescratchandwin]
127.0.0.1 www.freescratchandwin.com
127.0.0.1 free-scratch-cards.com
127.0.0.1 www.free-scratch-cards.com
127.0.0.1 fsc2k.com
127.0.0.1 www.fsc2k.com
127.0.0.1 newtopsites.com
127.0.0.1 servedby.newtopsites.com
127.0.0.1 www.newtopsites.com
127.0.0.1 2nd-thought.com #[parasite.pugi][trojan.win32.secondthought.c]
127.0.0.1 www.2nd-thought.com #[adw_secthought.a][adware.secondthought]
127.0.0.1 xzoomy.com #[freescratchandwin]
127.0.0.1 www.xzoomy.com
127.0.0.1 commonname.com
127.0.0.1 www.commonname.com
127.0.0.1 commonnames.com
127.0.0.1 www.commonnames.com
127.0.0.1 xpsn.com
127.0.0.1 www.xpsn.com
127.0.0.1 info.browserdirect.net
127.0.0.1 search.findsall.info
127.0.0.1 find.greatsearch.info
127.0.0.1 result.goodsearch.info
127.0.0.1 www.esearchandfind.org
127.0.0.1 hit.lookupanything.biz #[qsrch.net]
127.0.0.1 www.new.chat.new.net
127.0.0.1 eps.new.search.new.net
127.0.0.1 client.newdotnet.net
127.0.0.1 upgrade.newdotnet.net
127.0.0.1 www.newdotnet.com
127.0.0.1 www.new.net #[adware.ndotnet]
127.0.0.1 www.onestepsearch.net
127.0.0.1 www.onestepsearch.biz
127.0.0.1 www.qsrch.net
127.0.0.1 bgw.qsrch.com
127.0.0.1 moniker.qsrch.com
127.0.0.1 newnet.qsrch.com
127.0.0.1 regfly.qsrch.com
127.0.0.1 rg.qsrch.com
127.0.0.1 worldwide.qsrch.com
127.0.0.1 www.qsrch.com
127.0.0.1 data.quicksearches.net
127.0.0.1 www.mysearchnet.org
127.0.0.1 web.yoursearchfinder.com
127.0.0.1 windowpatch.info
127.0.0.1 windowpatch.net
127.0.0.1 delfinproject.com
127.0.0.1 content.delfinproject.com
127.0.0.1 mm.delfinproject.com #[delfin media viewer]
127.0.0.1 www.delfinproject.com #[promulgate][kb811270]
127.0.0.1 pgate-basic.com #[pgate-basic]
127.0.0.1 www.pgate-basic.com
127.0.0.1 centralmedia.ws #[flashlightsearch.com]
127.0.0.1 ads.centralmedia.ws
127.0.0.1 c.centralmedia.ws
127.0.0.1 www.centralmedia.ws
127.0.0.1 memorymeter.com #[adware-tvelocity][totalvelocity.memorymeter]
127.0.0.1 www.memorymeter.com
127.0.0.1 totalvelocity.com #[tv t-media display]
127.0.0.1 www.totalvelocity.com
127.0.0.1 zsearchtoolbar.com
127.0.0.1 www.zsearchtoolbar.com
127.0.0.1 bluehavenmedia.com
127.0.0.1 www.bluehavenmedia.com
127.0.0.1 download.bulletproofsoft.com
127.0.0.1 www.bulletproofsoft.com
127.0.0.1 bigbrother.gigatechsoftware.com
127.0.0.1 download.gigatechsoftware.com
127.0.0.1 www.gigatechsoftware.com
127.0.0.1 www.greasycow.com
127.0.0.1 www.nuker.com #[netsource101]
127.0.0.1 www.no-pops.com
127.0.0.1 nopop.net
127.0.0.1 www.nopop.net
127.0.0.1 www.trekblue.com
127.0.0.1 crossroad.trekdata.com
127.0.0.1 1ad2srvr-cpt-v1.com
127.0.0.1 www.srv2cpt.com
127.0.0.1 www.spywarenuker.com #[adware.spywarenuker]
127.0.0.1 twistedhumor.com #[parasite.cometcursor/toolbar]
127.0.0.1 www.twistedhumor.com
127.0.0.1 www.crazydrinks.com
127.0.0.1 www.em5000.com
127.0.0.1 www.rankyou.com
127.0.0.1 www.wayweird.com
127.0.0.1 www.newtonknows.com #[newton knows.bar]
127.0.0.1 virtumundo.com
127.0.0.1 ads3.virtumundo.com
127.0.0.1 ads4.virtumundo.com
127.0.0.1 dyn.virtumundo.com
127.0.0.1 pchi-vtrk.virtumundo.com
127.0.0.1 updates.desktop.virtumundo.com #[targetsoft.inetadpt]
127.0.0.1 vtrack.virtumundo.com
127.0.0.1 www.virtumundo.com
127.0.0.1 www.webhancer.com
127.0.0.1 a1.webhancer.com
127.0.0.1 d.webhancer.com
127.0.0.1 a1.webhancer.com
127.0.0.1 d2.webhancer.com
127.0.0.1 d3.webhancer.com
127.0.0.1 download.webhancer.com
127.0.0.1 prime.webhancer.com
127.0.0.1 reports.webhancer.com
127.0.0.1 server.webhancer.com
127.0.0.1 update.webhancer.com
127.0.0.1 b1-v2-bell.webhancer.com
127.0.0.1 vr1-v1.webhancer.com
127.0.0.1 vws-1.webhancer.com
127.0.0.1 www.realenduser.com
127.0.0.1 www.aadcom.com
127.0.0.1 addictivetechnologies.net
127.0.0.1 www.addictivetechnologies.net #[favoriteman]
127.0.0.1 www.acustat.com
127.0.0.1 www.mindsetinteractive.com
127.0.0.1 mindseti.com #[parasite.transponder]
127.0.0.1 www.mindseti.com
127.0.0.1 netpalnow.com #[adware.netpal]
127.0.0.1 www.netpalnow.com
127.0.0.1 netpaloffers.net #[parasite.netpal]
127.0.0.1 www.netpaloffers.net
127.0.0.1 look2me.com #[spyware.look2me]
127.0.0.1 www.look2me.com #[trojan.loome][download.look2me]
127.0.0.1 www.look2me2.com
127.0.0.1 www.lovetraffic.com
127.0.0.1 nictechnetworks.com
127.0.0.1 www.nictechnetworks.com
127.0.0.1 similarsingles.com
127.0.0.1 www.similarsingles.com
127.0.0.1 zestyfind.com #[adtomi.yahoostocks][adware.adtomi]
127.0.0.1 www.zestyfind.com #[adware.zestyfind]
127.0.0.1 datastorm.biz
127.0.0.1 ipend.datastorm.biz #[parasite.clientman]
127.0.0.1 www.datastorm.biz
127.0.0.1 kazanon.com #[kazanon]
127.0.0.1 www.kazanon.com
127.0.0.1 omi-update.net
127.0.0.1 www.omi-update.net #[adware.omi]
127.0.0.1 messagebroadcaster.net #[messenger pop-up scam]
127.0.0.1 www.messagebroadcaster.net
127.0.0.1 netpopup.net #[messenger pop-up scam]
127.0.0.1 www.netpopup.net
127.0.0.1 odysseusmarketing.com
127.0.0.1 www.odysseusmarketing.com
127.0.0.1 searchassistant.net
127.0.0.1 alpha.searchassistant.net #[7search.com]
127.0.0.1 beta.searchassistant.net #[goclick.com]
127.0.0.1 cassandra.searchassistant.net
127.0.0.1 epsilon.searchassistant.net #[goclick.com]
127.0.0.1 www.searchassistant.net
127.0.0.1 www.unitedvending.net #[affiliate]
127.0.0.1 www.world-portal.com
127.0.0.1 ads.vx2.cc
127.0.0.1 download.vx2.cc
127.0.0.1 internal.vx2.cc
127.0.0.1 mail.vx2.cc
127.0.0.1 transctl.vx2.cc
127.0.0.1 transctl-dev.vx2.cc
127.0.0.1 ns1.vx2.cc
127.0.0.1 ns2.vx2.cc
127.0.0.1 z1.vx2.cc
127.0.0.1 www.vx2.cc #[parasite.transponder]
127.0.0.1 sputnik.vx2.cc
127.0.0.1 abetterinternet.com #[downloader.stubby.a]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[adware-betterinet application]
127.0.0.1 download.abetterinternet.com #[adware.stoppopupadsnow]
127.0.0.1 download2.abetterinternet.com #[parasite.transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com
127.0.0.1 cleangetaway.biz #[abetterinternet.d]
127.0.0.1 www.cleangetaway.biz
127.0.0.1 msview.cc #[parasite.transponder]
127.0.0.1 www.msview.cc
127.0.0.1 mypanicbutton.com #[abetterinternet.c]
127.0.0.1 stop-popup-ads-now.com #[parasite.transponder]
127.0.0.1 cr.stop-popup-ads-now.com
127.0.0.1 update.stop-popup-ads-now.com
127.0.0.1 www.stop-popup-ads-now.com #[adware.binet]
127.0.0.1 www.tps108.org #[parasite.transponder]
127.0.0.1 www.clkprecision.com
127.0.0.1 www.pacimedia.com
127.0.0.1 www.exactsearch.net
127.0.0.1 www.contextplus.net
127.0.0.1 www.clkprecision.com
127.0.0.1 www.clkprecision.com

Title: Please Help Me
Post by: handsomecrown on March 16, 2006, 11:42:24 PM

Ok, after logging into another one of the accounts on the computer, the following two files are not able to be found so error messages come up:

C:\WINDOWS\inet20003\services.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe

Title: Please Help Me
Post by: guestolo on March 17, 2006, 01:11:48 AM

How many other users on the machine?
Can I see hijackthis logs from the other users please

Keep them seperated
As eg... USER 1
USER 2
USER 3

How many have adminstrative privileges?
I'll have more time to check out the logs this weekend
We may need manual uninstall instructions of McAfee online virus scan and attemp to uninstall
McAfee security center
Make sure the XP firewall is enabled please

Title: Please Help Me
Post by: handsomecrown on March 17, 2006, 06:27:50 PM

On this computer there are 4 users, alla with administrator privlages. Here are there logs:

USER 1 (the main user I have been using):

Logfile of HijackThis v1.99.1
Scan saved at 4:22:07 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\qwinosag.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

USER 2 (the user with the two file errors on start up:

Logfile of HijackThis v1.99.1
Scan saved at 4:16:44 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost (http://\"http://localhost\")
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000123.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

USER 3 (no visable problems):

Logfile of HijackThis v1.99.1
Scan saved at 4:19:19 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com (http://\"http://www.dellnet.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093 (http://\"http://www.websearch.com/ie.aspx?tb_id=50093\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= (http://\"http://websearch.drsnsrch.com/sidesearch.cgi?id=\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicksearch.com/ (http://\"http://www.quicksearch.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

USER 4 (no visable problems):

Logfile of HijackThis v1.99.1
Scan saved at 4:20:59 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\qwinosag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\SYSTEM32\qwinosag.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com (http://\"http://www.dellnet.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093 (http://\"http://www.websearch.com/ie.aspx?tb_id=50093\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= (http://\"http://websearch.drsnsrch.com/sidesearch.cgi?id=\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com (http://\"http://www.dellnet.com\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Title: Please Help Me
Post by: guestolo on March 18, 2006, 09:46:10 AM

Hi again, let's hopefully try and sort this all out
Print out these instructions please

Let's start in USER 1
Log off all other users
==Download SmitRem.exe by Noahdfear (http://\"http://noahdfear.geekstogo.com/click%20counter/click.php?id=1\") and save the file to your Local disk C:\ directory
So you now have C:\SmitRem.exe
Don't run it yet

==Download DelDomains.inf from HERE (http://\"http://www.mvps.org/winhelp2002/DelDomains.inf\")
Save this too local disk C: as well
Right Click on DelDomains.inf>>Choose Install from the menu bar

Although the Hosts file is blocking know bad sites, can we clear them please to ensure it's not any trouble
== Download Hoster.zip (http://\"http://www.funkytoad.com/download/hoster.zip\") and unzip it too a folder of it's own
We'll use it later

Open Hijackthis>>Open Misc tools section>>Open "Process Manager"
Left click to Highlight
C:\WINDOWS\SYSTEM32\qwinosag.exe
Then Kill the Process>>OK the prompt
Then click BACK under Other stuff>>Click Config
Open "Delete File on Reboot"
In the file name field, copy and paste the below line in bold

C:\WINDOWS\SYSTEM32\qwinosag.exe
Now click the OPEN button, hijackthis should prompt that the file will be deleted and too reboot your computer
Don't reboot yet
Instead, in Hijackthis, click BACK under Other stuff
Do a "SCAN" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot into safe mode please
Log in with USER 2
Find and delete this file if found
Make sure windows is set to show hidden files and folders
C:\Program Files\SoftwareOnline\soproc.exe <-this file
Or the WHOLE SoftwareOnline folder if unknown

Again, right click on Deldomains and choose install
==Double click on SmitRem.exe to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish. Remain in safe mode

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000123.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot in USER 3
Normal mode is fine
Run DelDomains

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093 (http://\"http://www.websearch.com/ie.aspx?tb_id=50093\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= (http://\"http://websearch.drsnsrch.com/sidesearch.cgi?id=\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicksearch.com/ (http://\"http://www.quicksearch.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot and log in with USER4
>>DelDomains
Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093 (http://\"http://www.websearch.com/ie.aspx?tb_id=50093\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id= (http://\"http://websearch.drsnsrch.com/sidesearch.cgi?id=\")

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Can you reboot back to USER 2 please
Since we ran SmitRem, do the following
You will have to reset the background in Display properties
The XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

Reboot back to USER 1

==Open Hoster
Then select the "Restore Original Hosts" button
OK the prompts

++++Open SpywareBlaster you downloaded earlier
Check for updates, if any, let it download
Regardless of an update or not, under "Protection"
Select the "Enable all Protection"

Post back with fresh hijackthis logs please

I hope the above isn't too confusing

/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Title: Please Help Me
Post by: handsomecrown on March 18, 2006, 12:55:38 PM

It all went very smoothly. Here are the logs:

USER 1:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:26 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

USER 2:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:34 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost (http://\"http://localhost\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

USER 3:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:41 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com (http://\"http://www.dellnet.com\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

USER 4:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:32 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com (http://\"http://www.dellnet.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com (http://\"http://www.dellnet.com\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Title: Please Help Me
Post by: guestolo on March 18, 2006, 01:21:14 PM

USER 1 and USER 2 each has a shortcut directing to
Zeno.lnk

Can you go into the appropriate folders
C:\Documents and Settings\USER 1&2\Start Menu\Programs\Startup
and delete it please

You should run an updated scan with Ewido afterwards and additionally run
Windows CleanUp!

Let me know how things are running

Title: Please Help Me
Post by: handsomecrown on March 18, 2006, 06:15:29 PM

I deleted the files and ran ewido.

The computer is runnuing great. Thre are no prolems that I can see. The only thing is just the fact that McAfee will not uninstall and Windows Update does not install updates.

Here is the report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         2:20:01 PM, 3/18/2006
+ Report-Checksum:      675615BD

+ Scan result:

   C:\Documents and Settings\Andrea Sanders\Cookies\andrea [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Michael Sanders\Cookies\michael [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\WINDOWS\inst_adperform.exe -> Adware.BargainBuddy : Cleaned with backup

::Report End

Title: Please Help Me
Post by: guestolo on March 19, 2006, 11:59:56 AM

Can you try the following again

Clear all the restore points from the computer
By disabling system restore>>Reboot>>Enable system restore
This creates a fresh restore point

Make sure the XP firewall is enabled!

Log off all other users
Go to START>>RUN>>type in services.msc
Hit Ok
In the next window, look on the right hand side for this service
name---- McAfee.com McShield

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this one
McAfee.com VirusScan Online Realtime Engine

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

You may not have the CD that came with this computer
that has the McAfee trial version on it. Do you?
If you do, you can try reinstalling it and then uninstall all components of McAfee

I seen in one of the other logs Registry cleaner
I'm not familiar with it, so let's keep away from it

Access add/remove programs via control panel
Remove McAfee.com VirusScan Online if you can

If that won't work
Download and UNZIP this free registry cleaner
RegSeeker 1.45
http://www.hoverdesk.net/freeware.htm (http://\"http://www.hoverdesk.net/freeware.htm\")
Open the RegSeeker Folder and double click on RegSeeker.exe
Click on Installed Applications>>add/remove entries
Try removing McAfee.com VirusScan Online
Carry on if still no luck

Try removing McAfee.com SecurityCenter
from add/remove programs via control pane
Reboot if that was successful
Then send this folder to the recycle bin
C:\Program Files\McAfee.com

Open RegSeeker.exe again
Click on "Clean the registry" in the left menu
Hit OK on the right
Let it finish scanning and then ensure Backup before deletion is checked

Choose "Select all"
Right click and choose
Delete all selected

Reboot the computer one more time

Back in Windows
Post back a fresh hijackthis log from USER 1

Title: Please Help Me
Post by: handsomecrown on March 19, 2006, 01:33:15 PM

I did everything you asked, but I do not have the original discs that came with the computer so that option is out. McAfee Security Center is now not on the add/ remove programs list, but the program is still there (along with the McAfee AntiVirus program).

Here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:02 AM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Title: Please Help Me
Post by: guestolo on March 19, 2006, 01:48:30 PM

I'm not sure if I understand?

Quote

McAfee Security Center is now not on the add/ remove programs list, but the program is still there (along with the McAfee AntiVirus program).

Did you send this folder to the recycle bin?
C:\Program Files\McAfee.com

Can you reboot into safe mode
Go to start>>run>>type in the following then hit OK
sc delete McShield
Do the same for this one

sc delete MCVSRte

Can you have hijackthis fix these entries again
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

Send the McAfee.com folder to the recycle bin

run regseeker again

boot back to Normal mode

Title: Please Help Me
Post by: handsomecrown on March 19, 2006, 02:25:55 PM

The Mcafee programs are gone. The folder deleted fine in safe mode.

By the way, I am returning this computer back to my friend tonight.

Here is another HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:33 PM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; (http://\"http://localhost;\")
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email (http://\"http://by113fd.bay113.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email (http://\"http://pdl.stream.Email\") Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Title: Please Help Me
Post by: guestolo on March 19, 2006, 02:35:04 PM

It looks good
Just one last check, i'll try and get back to you before you return the computer

Could you Download GetServices.zip (http://\"http://www.bleepingcomputer.com/files/spyware/getservices.zip\")
Unzip it to a folder
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services

Post the getservices.txt

Title: Please Help Me
Post by: handsomecrown on March 19, 2006, 02:46:57 PM

Here you go:

PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Alerter
   DEPENDENCIES    : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Application Layer Gateway Service
   DEPENDENCIES    :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Application Management
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : ASP.NET State Service
   DEPENDENCIES    :
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : AudioGroup
   TAG       : 0
   DISPLAY_NAME    : Windows Audio
   DEPENDENCIES    : PlugPlay
          : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Background Intelligent Transfer Service
   DEPENDENCIES    : Rpcss
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Computer Browser
   DEPENDENCIES    : LanmanWorkstation
          : LanmanServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Indexing Service
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : ClipBook
   DEPENDENCIES    : NetDDE
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : COM+ System Application
   DEPENDENCIES    : rpcss
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 30 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 1000 seconds
          : Restart   DELAY: 5000 seconds
          : None   DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Cryptographic Services
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
   LOAD_ORDER_GROUP : Event Log
   TAG       : 0
   DISPLAY_NAME    : DCOM Server Process Launcher
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS    : Reboot   DELAY: 60000 seconds

SERVICE_NAME: DefWatch
(null)
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\Program Files\NavNT\defwatch.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : DefWatch
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : DHCP Client
   DEPENDENCIES    : Tcpip
          : Afd
          : NetBT
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Logical Disk Manager Administrative Service
   DEPENDENCIES    : RpcSs
          : PlugPlay
          : DmServer
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Logical Disk Manager
   DEPENDENCIES    : RpcSs
          : PlugPlay
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : DNS Client
   DEPENDENCIES    : Tcpip
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Error Reporting Service
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP : Event log
   TAG       : 0
   DISPLAY_NAME    : Event Log
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : Network
   TAG       : 0
   DISPLAY_NAME    : COM+ Event System
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ewido security suite control
(null)
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\Program Files\ewido anti-malware\ewidoctrl.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : ewido security suite control
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Fast User Switching Compatibility
   DEPENDENCIES    : TermService
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\fxssvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Fax
   DEPENDENCIES    : TapiSrv
          : RpcSs
          : PlugPlay
          : Spooler
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Help and Support
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 100 seconds
          : Restart   DELAY: 100 seconds
          : None   DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Human Interface Device Access
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : HTTP SSL
   DEPENDENCIES    : HTTP
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: IDriverT
Provides support for the Running Object Table for InstallShield Drivers
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : InstallDriver Table Manager
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : IMAPI CD-Burning COM Service
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: iPodService
iPod hardware management services
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\Program Files\iPod\bin\iPodService.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : iPodService
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Server
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : NetworkProvider
   TAG       : 0
   DISPLAY_NAME    : Workstation
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : TCP/IP NetBIOS Helper
   DEPENDENCIES    : NetBT
          : Afd
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Messenger
   DEPENDENCIES    : LanmanWorkstation
          : NetBIOS
          : PlugPlay
          : RpcSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : NetMeeting Remote Desktop Sharing
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
   LOAD_ORDER_GROUP : MS Transactions
   TAG       : 0
   DISPLAY_NAME    : Distributed Transaction Coordinator
   DEPENDENCIES    : RPCSS
          : SamSS
   SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Installer
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP : NetDDEGroup
   TAG       : 0
   DISPLAY_NAME    : Network DDE
   DEPENDENCIES    : NetDDEDSDM
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network DDE DSDM
   DEPENDENCIES    :
          : EGrLocalSystem
          : Network DDE DSDM
          : etwork DDE
          : workService
          : Distributed Transaction Coordinator
          : ion
          : gs\Micha‚
          :
          : ú
          :
          : ˆK6
          : x6
          : ges Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
          :
          : u
          : n
          : a
          : v
          : a
          : i
          : l
          : a
          : b
          : l
          : e
          : .
          :
          : I
          : f
          :
          : t
          : h
          : i
          : s
          :
          : s
          : e
          : r
          : v
          : i
          : c
          : e
          :
          : i
          : s
          :
          : d
          : i
          : s
          : a
          : b
          : l
          : e
          : d
          : ,
          :
          : a
          : n
          : y
          :
          : s
          : e
          : r
          : v
          : i
          : c
          : e
          : s
          :
          : t
          : h
          : a
          : t
          :
          : e
          : x
          : p
          : l
          : i
          : c
          : i
          : t
          : l
          : y
          :
          : d
          : e
          : p
          : e
          : n
          : d
          :
          : o
          : n
          :
          : i
          : t
          :
          : w
          : i
          : l
          : l
          :
          : f
          : a
          : i
          : l
          :
          : t
          : o
          :
          : s
          : t
          : a
          : r
          : t
          : .
          :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP : RemoteValidation
   TAG       : 0
   DISPLAY_NAME    : Net Logon
   DEPENDENCIES    : LanmanWorkstation
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network Connections
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network Location Awareness (NLA)
   DEPENDENCIES    : Tcpip
          : Afd
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Norton AntiVirus Server
(null)
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\Program Files\NavNT\rtvscan.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Norton AntiVirus Client
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : NT LM Security Support Provider
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Removable Storage
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
   LOAD_ORDER_GROUP : PlugPlay
   TAG       : 0
   DISPLAY_NAME    : Plug and Play
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : IPSEC Services
   DEPENDENCIES    : RPCSS
          : Tcpip
          : IPSec
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Protected Storage
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Access Auto Connection Manager
   DEPENDENCIES    : RasMan
          : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Access Connection Manager
   DEPENDENCIES    : Tapisrv
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Desktop Help Session Manager
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 4 DISABLED
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Routing and Remote Access
   DEPENDENCIES    : RpcSS
          : +NetBIOSGroup
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Remote Procedure Call (RPC) Locator
   DEPENDENCIES    : LanmanWorkstation
   SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
   LOAD_ORDER_GROUP : COM Infrastructure
   TAG       : 0
   DISPLAY_NAME    : Remote Procedure Call (RPC)
   DEPENDENCIES    :
   SERVICE_START_NAME: NT Authority\NetworkService
   FAIL_RESET_PERIOD : 0 seconds
   FAILURE_ACTIONS    : Reboot   DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : QoS RSVP
   DEPENDENCIES    : TcpIp
          : Afd
          : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
   LOAD_ORDER_GROUP : LocalValidation
   TAG       : 0
   DISPLAY_NAME    : Security Accounts Manager
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
   LOAD_ORDER_GROUP : SmartCardGroup
   TAG       : 0
   DISPLAY_NAME    : Smart Card
   DEPENDENCIES    : PlugPlay
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : SchedulerGroup
   TAG       : 0
   DISPLAY_NAME    : Task Scheduler
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Secondary Logon
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : Network
   TAG       : 0
   DISPLAY_NAME    : System Event Notification
   DEPENDENCIES    : EventSystem
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Firewall/Internet Connection Sharing (ICS)
   DEPENDENCIES    : Netman
          : WinMgmt
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
(null)
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : ShellSvcGroup
   TAG       : 0
   DISPLAY_NAME    : Shell Hardware Detection
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
   TYPE       : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
   LOAD_ORDER_GROUP : SpoolerGroup
   TAG       : 0
   DISPLAY_NAME    : Print Spooler
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds
          : None   DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : System Restore Service
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : SSDP Discovery Service
   DEPENDENCIES    : HTTP
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Image Acquisition (WIA)
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3}
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : MS Software Shadow Copy Provider
   DEPENDENCIES    : rpcss
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Performance Logs and Alerts
   DEPENDENCIES    :
   SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Telephony
   DEPENDENCIES    : PlugPlay
          : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Terminal Services
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : UIGroup
   TAG       : 0
   DISPLAY_NAME    : Themes
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds
          : None   DELAY: 0 seconds

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Distributed Link Tracking Client
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Universal Plug and Play Device Host
   DEPENDENCIES    : SSDPSRV
          : HTTP
   SERVICE_START_NAME: NT AUTHORITY\LocalService
   FAIL_RESET_PERIOD : -1 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Uninterruptible Power Supply
   DEPENDENCIES    :
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Volume Shadow Copy
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: w32time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Time
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 5 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
   LOAD_ORDER_GROUP : NetworkProvider
   TAG       : 0
   DISPLAY_NAME    : WebClient
   DEPENDENCIES    : MRxDAV
   SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 0 IGNORE
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Windows Management Instrumentation
   DEPENDENCIES    : RPCSS
          : Eventlog
   SERVICE_START_NAME: LocalSystem
   FAIL_RESET_PERIOD : 86400 seconds
   FAILURE_ACTIONS    : Restart   DELAY: 60000 seconds
          : Restart   DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Portable Media Serial Number Service
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
   TYPE       : 10 WIN32_OWN_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : WMI Performance Adapter
   DEPENDENCIES    : RPCSS
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Security Center
   DEPENDENCIES    : RpcSs
          : winmgmt
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Automatic Updates
   DEPENDENCIES    :
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 2 AUTO_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP : TDI
   TAG       : 0
   DISPLAY_NAME    : Wireless Zero Configuration
   DEPENDENCIES    : RpcSs
          : Ndisuio
   SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
   TYPE       : 20 WIN32_SHARE_PROCESS
   START_TYPE    : 3 DEMAND_START
   ERROR_CONTROL    : 1 NORMAL
   BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
   LOAD_ORDER_GROUP :
   TAG       : 0
   DISPLAY_NAME    : Network Provisioning Service
   DEPENDENCIES    : RpcSs
   SERVICE_START_NAME: LocalSystem

Title: Please Help Me
Post by: guestolo on March 19, 2006, 03:03:52 PM

It appears to look good

Make sure to do the following
Hold onto SpywareBlaster 3.5.1
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Check for updates with your anti-spyware programs and run a scan on a regular basis
In Spybot 1.4,
Click the "Immunize" button on the left>>>OK at the prompt>>Immunzine at the top green cross
Please Immunize after every update
You may also want to install
SpywareGuard 2.2 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareguard.html\")
*SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster
Make sure to check for updates after it is installed
It won't and doesn't have to update that much, but check once a month

*Keep up to date on Windows updates
I'm not sure if that problem is figured out now
you said you can't install them but they install on shutdown?

*Make sure your Firewall is enabled and running
A Firewall is very important
This provides a line of defense against someone who might try to access your computer without your permission
SP2 supplies a sufficient firewall, or you can install one from this LINK (http://\"http://www.thetechguide.com/forum/index.php?showtopic=15894\")
The ones at the link will provide a more controlled enviroment, I consider them better protection
ONLY use ONE software firewall please, this includes the one in SP2
More than one will cause conflicts

You may also choose to hold onto Ewido and CleanUp!
Ewido will become a Limited version in a couple weeks
It's still a very good scanner to update and run once a month

Title: Please Help Me
Post by: handsomecrown on March 19, 2006, 03:09:04 PM

Ok, thank you so much!

Title: Please Help Me
Post by: guestolo on March 19, 2006, 05:28:18 PM

If the owner of the computer had a custom host file
They will have to replace it
The one in spybot is fine if they want to use it or the one found at this link
http://www.mvps.org/winhelp2002/hosts.htm (http://\"http://www.mvps.org/winhelp2002/hosts.htm\")

I would also do a Disk Defrag on this computer if it hasn't been done in awhile
May be best to do it in safe mode
Could take awhile if it hasn't been done in in some time
I'll consider the problems resolved and lock this topic in a bit

Take care

/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />