Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - deduemjo

Pages: [1]

Tech Clinic / CWS.hiddendll

« on: December 01, 2004, 03:53:07 AM »

1. Spybot S&D 1.3 last detection update 2004-08-20 is what I have
2. SDHelper.dll is there
3. When you said fix everything in red - do you mean run Spybot?
4. In the Hijack THis configuration etc - when I try to Open hosts file manager it says ' cannot find the hosts file. Do you want to create a new default hosts file yes or no' - i chose no for now.
5. The control.exe file appears to be there
6. When I try to download the notepad link I get the same error regarding security settins I got earlier when trying to donload the riched 32 file.

Thanks for staying with this.

Tech Clinic / CWS.hiddendll

« on: December 01, 2004, 03:36:37 AM »

1. Followed the manual hijack this instructions - seemed to work and rebooted
2. Still can't run adaware - presumably cos of the riched files?
3. In Add/Remove Programs there is a 'Pop Up Stopper free edition' - is this what I need to get rid of?
4. Is it OK to leave the hidden files changes we made?
5 Here's latest hijack this log

Logfile of HijackThis v1.98.2
Scan saved at 08:43:08, on 01/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Tech Clinic / CWS.hiddendll

« on: November 30, 2004, 07:18:20 AM »

Here's the current Hijack This log - not from safe mode

Logfile of HijackThis v1.98.2
Scan saved at 12:25:35, on 30/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojesjimfnxnbap.net/QXE0FBhc7BD9...IbuNZuwy5N.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

Tech Clinic / CWS.hiddendll

« on: November 30, 2004, 07:09:52 AM »

Would you believe my ISP erroneously cut me off and I've only just got back on-line.
Hope you're still around.
I'll set about your latest set of instructions now

Tech Clinic / CWS.hiddendll

« on: November 25, 2004, 02:55:03 AM »

Im in the UK - 8:00 BST.

Bit more progress but not much

1. Downloaded LOP installer - seemed to work OK - and restarted computer (slightly faster?or is it me. Didn't get the configuration conflicts error when going into IE)
2. Couldn't rename riched20 - said 'access is denied - the source file may be in use'. So didn't download the new riched files you suggest - should I have done?
3. Browser settings regarding Active X are all as you suggested
4. Tried copying and pasting Rav's into trusted sites- wouldn't let me - said ' needed prefix to ensure secure connection https://prefix

Still getting the Windows Security Firewall warning.
Look forward to next installment!

Tech Clinic / CWS.hiddendll

« on: November 24, 2004, 01:35:13 PM »

Thanks for update.
latest is
1) downloaded file you suggested - so have now successfully updated aboutblaster.
2) Ad-Aware still won't work - same error
3) in c:windows/system found 2 files RICHED>DLL (235KB) and RICHED20.DLL (412KB) - but no RICHED32
4) Couldn't do on-line virus scan at Rav's due to an Active X error again (said security settings needed to be on medium - which it seems to be)

Am getting a Windows security Serice message regularly saying Windiws firewall is detecting strange(malicious) activity on network

Look forward to reply

Tech Clinic / CWS.hiddendll

« on: November 24, 2004, 03:09:29 AM »

Thanks for continued support.
Not much worked I'm afraid - here's details

1. I have Norton Anti Virus software - as far as I know I have to run it manually (when I updated and ran at weekend(in relation to current problem) it found a trojan virus - it is now clean)
2. There is no entry for Spyware Assassin in Add/Remove Program list (Spykiller is but it won't lat me remove it as described earlier) . I searched files for Spyware Assassin - found [email protected][2] and Cyber Tech Help Support- deleted both of these manually (?) and restarted computer
3. Downloading Aboutblaster didn't seem to work - got ' Run-time error 339' then 'Component MsComCtl.ocx or one of its dependencies not correctly registered: a file is missing or invalid'
4. AD-Aware also won't work (tried this the other night and got same message)
'Ad-aware caused an error in<unknown>' something in German and then'Exception EReadError in Modul AD-AWARE.EXE bei00021FOB'
5. None of the things you mention in Add/Remove Programs are listed. Did you mean delete LOP installer? What is/where do I find this? Again did manual search and found various files - most obvious looking one being HSFLOP.PDR but didn't delete any.
6. Tried to do the virus scans- trend micro website seemed to hang before I got there (could be me - but other websites work OK). Panda one started but got an error when downloading 'Your security settings prohibit Active X controls on this page. As a result the page will not display correctly' and download failed.

I should perhaps also mention when I attempt to start up internet I get a 'configurations conflict error' which I need to fix before I go any further.

Interestingly I've just gone back into home page and About:blank is not there!!!!
Plenty problems anyway it seems.
Look forward to your response.

Tech Clinic / CWS.hiddendll

« on: November 23, 2004, 07:41:29 AM »

The DLL Compare threw uo nothing in the bottom pane.

The new HIjackthis log is as follows

Logfile of HijackThis v1.98.2
Scan saved at 12:47:24, on 23/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qgvaqzprawkvgmtyc.com/QXE0FBhc7...IbuNZuwy5N.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {24D52758-A1FE-4A21-A2F0-A86CE31C0B40} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [amen plan mp3 16] C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [send show] C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O18 - Filter: text/html - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL

Tech Clinic / CWS.hiddendll

« on: November 23, 2004, 07:22:11 AM »

Here is the log from STARTDRECK

StartDreck (build 2.1.7 public stable) - 2004-11-23 @ 12:25:25 (GMT +00:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at OEMCOMPUTER

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
*BestPopUpKiller=C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
*Spyware Assassin v.4.0="C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
*send show=C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
*BestPopUpKiller=C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
*Spyware Assassin v.4.0="C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
*send show=C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*EnsoniqMixer=C:\WINDOWS\starter.exe
*CountrySelection=pctptt.exe
*PTSNOOP=ptsnoop.exe
*SystemTray=SysTray.Exe
*Internet Registration=c:\program files\internet explorer\connection wizard\netcheck.exe
*Gearbox="C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
*LoadQM=loadqm.exe
*PE2CKFNT SE=C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
*InstantAccess=C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
*RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
*Password Check=c:\windows\GrabCookie.exe
*Disc Detector=C:\Program Files\Creative\ShareDLL\CtNotify.exe
*AtiCwd32=Aticwd32.exe
*AtiQiPcl=AtiQiPcl.exe
*amen plan mp3 16=C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
*C:\WINDOWS\IPCFG.EXE=C:\WINDOWS\IPCFG.EXE
*C:\WINDOWS\SCANDS32.EXE=C:\WINDOWS\SCANDS32.EXE
*Error Nuker 2004=C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*SAgent2ExePath=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
*RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{24D52758-A1FE-4A21-A2F0-A86CE31C0B40}
`InprocServer32=C:\WINDOWS\SNNPAPI.DLL
»Files
»System/Drivers
»Running Processes
+FF0FA045=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFE5D9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE05D5=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0F89=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB2D5=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEBE19=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFE70F9=C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
+FFFD2FB5=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFECF41=C:\WINDOWS\EXPLORER.EXE
+FFFE424D=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFCFE01=C:\WINDOWS\TASKMON.EXE
+FFFB2519=C:\WINDOWS\STARTER.EXE
+FFFB14E1=C:\WINDOWS\ptsnoop.exe
+FFFB773D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFBB169=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFBFA39=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
+FFFBF541=C:\WINDOWS\LOADQM.EXE
+FFFB5CC9=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
+FFFA02AD=C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
+FFFA5319=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFAEF2D=C:\WINDOWS\IPCFG.EXE
+FFFAD81D=C:\WINDOWS\SCANDS32.EXE
+FFF93801=C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
+FFF961C5=C:\WINDOWS\RunDLL.exe
+FFF94849=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
+FFF9A615=C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
+FFF9E201=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
+FFF9D3C5=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
+FFF81791=C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
+FFF85A95=C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
+FFF8A969=C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
+FFF8EC4D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF8C23D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF7E5A1=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
+FFF8E5F5=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF6A59D=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF655E9=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF685E5=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF52499=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
+FFF43DE1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF482B1=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF48A7D=C:\WINDOWS\RUNDLL32.EXE
+FFFCB579=C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\2PF8TSRM\STARTDRECK[1]\STARTDRECK.EXE
»Application specific

Hope this helps

Tech Clinic / CWS.hiddendll

« on: November 23, 2004, 03:36:51 AM »

Thanks for this - will try after work - I did not buy the Spyware you mention (I will have downloaded them before I settled on Spybot).
Won't let me remove spykiller with Add/REmove Programs - says could not load initialisation file (haven't tried to remove other one yet)

Tech Clinic / CWS.hiddendll

« on: November 22, 2004, 02:47:27 PM »

My problem sounds exactly the same as that of Felix - below

Basically my IE Startpage was constantly changed to about:blank and had a Search engine site called Search Now. (isnt about:blank just supposed to be blank?). Also, other random sites were constantly beeing forwarded to this while I was browsing the internet.

I googled it and found out that I, like many, was infested with the CWS Spyware. I downloaded CWShredder and ran it. The program found CWS.HiddenDll and removed it along with 6 apparent registry entries. After doing this my IE was back to normal. After a while it came back though. I ran CWShredder again and it again found the above.

This keeps coming back and all I can do is rerun CWShredder every time, but its really annoying.

I've followed the forum with Guestolo - but Hijackthis does not appear to have the same rogue file. My log is as follows

Logfile of HijackThis v1.98.2
Scan saved at 19:42:18, on 22/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\TEMP\TD_0013.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ngseomiqzb.us/QXE0FBhc7BD97G3U/...IbuNZuwy5N.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {47868855-3B52-4DB6-9DD7-CC0D0CB59B21} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [amen plan mp3 16] C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [send show] C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O18 - Filter: text/html - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL

Please can somebody help?

Pages: [1]

TheTechGuide Forum

News:

Show Posts

Messages - deduemjo

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll

Tech Clinic / CWS.hiddendll