Author Topic: Please Help Me  (Read 3460 times)

Offline handsomecrown

  • Newbie
  • *
  • Posts: 42
  • Karma: +0/-0
    • View Profile
Please Help Me
« Reply #20 on: March 13, 2006, 10:40:17 PM »
Here is the Panda ActiveScan Report:


Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Spyware:Cookie/2o7.net                                                          Not disinfected               C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@2o7[1].txt                                                                                                                                                                                    
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@advertising[2].txt                                                                                                                                                                            
Spyware:Cookie/Com.com                                                          Not disinfected               C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@com[1].txt                                                                                                                                                                                    
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\Michael Sanders\Cookies\michael sanders@doubleclick[2].txt                                                                                                                                                                            
Spyware:Cookie/WebtrendsLive                                                    Not disinfected               C:\Documents and Settings\Michael Sanders\Cookies\michael [email protected][2].txt                                                                                                                                                                  
Virus:Trj/Downloader.AEE                                                        Not disinfected               C:\Documents and Settings\Michael Sanders\Desktop\Stuff\backups\backup-20060311-191706-604.inf                                                                                                                                                                  
Adware:Adware/DollarRevenue                                                     Not disinfected               C:\gimmysmileys1.exe                                                                                                                                                                                                                                            
Adware:Adware/DollarRevenue                                                     Not disinfected               C:\keyboard1.exe                                                                                                                                                                                                                                                
Spyware:Spyware/SurfSideKick                                                    Not disinfected               C:\Program Files\Common Files\VCClient\VCClient.exe                                                                                                                                                                                                            
Spyware:Spyware/SurfSideKick                                                    Not disinfected               C:\Program Files\Common Files\VCClient\VCMain.exe                                                                                                                                                                                                              
Spyware:Spyware/SurfSideKick                                                    Not disinfected               C:\Program Files\Common Files\VCClient\VCUpdate.exe                                                                                                                                                                                                            
Adware:Adware/Maxifiles                                                         Not disinfected               C:\Program Files\InetGet2\gimmysmileysB.exe                                                                                                                                                                                                                    
Adware:Adware/Prositefinder                                                     Not disinfected               C:\RECYCLER\S-1-5-21-3400589454-969008293-3482092931-1008\Dc5\25781568.exe                                                                                                                                                                                      
Spyware:Spyware/ClearSearch                                                     Not disinfected               C:\RECYCLER\S-1-5-21-3400589454-969008293-3482092931-1008\Dc5\9rpa9wsd.DLL                                                                                                                                                                                      
Spyware:Spyware/ClearSearch                                                     Not disinfected               C:\RECYCLER\S-1-5-21-3400589454-969008293-3482092931-1008\Dc5\oe8vkg67.DLL                                                                                                                                                                                      
Adware:adware/secure32                                                          Not disinfected               C:\secure32.html                                                                                                                                                                                                                                                
Spyware:spyware/surfsidekick                                                    Not disinfected               C:\SS1001.exe                                                                                                                                                                                                                                                  
Spyware:Spyware/Altnet                                                          Not disinfected               C:\WildMedia.exe[IdmUP.dll]                                                                                                                                                                                                                                    
Adware:Adware Program                                                           Not disinfected               C:\WildMedia.exe[Topicks.reg]                                                                                                                                                                                                                                  
Spyware:Spyware/Altnet                                                          Not disinfected               C:\WildMedia.exe[TPReg.dll]                                                                                                                                                                                                                                    
Adware:Adware Program                                                           Not disinfected               C:\WildMedia.exe[FileVersions.ini]                                                                                                                                                                                                                              
Spyware:Spyware/Altnet                                                          Not disinfected               C:\WildMedia.exe[HtCheck2.dll]                                                                                                                                                                                                                                  
Spyware:Spyware/Altnet                                                          Not disinfected               C:\WildMedia.exe[Idhost.exe]                                                                                                                                                                                                                                    
Virus:Trj/Downloader.gen                                                        Not disinfected               C:\WildMedia.exe[IdInst.exe]                                                                                                                                                                                                                                    
Adware:adware/clickalchemy                                                      Not disinfected               C:\WINDOWS\alchem.ini                                                                                                                                                                                                                                          
Potentially unwanted tool:Application/FunWeb                                    Not disinfected               C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf                                                                                                                                                                                                  
Adware:Adware Program                                                           Not disinfected               C:\WINDOWS\Downloaded Program Files\WildApp.inf                                                                                                                                                                                                                
Adware:adware/gator                                                             Not disinfected               C:\WINDOWS\GatorPatch.log                                                                                                                                                                                                                                      
Adware:adware/dollarrevenue                                                     Not disinfected               C:\WINDOWS\gimmygames.dat                                                                                                                                                                                                                                      
Adware:Adware/IPInsight                                                         Not disinfected               C:\WINDOWS\INF\alchem.inf                                                                                                                                                                                                                                      
Spyware:Spyware/BetterInet                                                      Not disinfected               C:\WINDOWS\INF\satmat.inf                                                                                                                                                                                                                                      
Adware:adware/ieplugin                                                          Not disinfected               C:\WINDOWS\kwv2.dat                                                                                                                                                                                                                                            
Adware:adware/ncase                                                             Not disinfected               C:\WINDOWS\msbb_gdf.dat                                                                                                                                                                                                                                        
Adware:Adware/IPInsight                                                         Not disinfected               C:\WINDOWS\satmat.ini                                                                                                                                                                                                                                          
Adware:adware/sidesearch                                                        Not disinfected               C:\WINDOWS\sepsd.bin                                                                                                                                                                                                                                            
Adware:adware/commad                                                            Not disinfected               C:\WINDOWS\SYSTEM32\atmtd.dll                                                                                                                                                                                                                                  
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\CqbFH.exe                                                                                                                                                                                                                                  
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\FgoeGdW1.exe                                                                                                                                                                                                                                
Adware:adware/adlogix                                                           Not disinfected               C:\WINDOWS\SYSTEM32\guarnset.exe                                                                                                                                                                                                                                
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\Hux1Ua1Z.exe                                                                                                                                                                                                                                
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\Ifojyc.exe                                                                                                                                                                                                                                  
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\KnlaLVh.exe                                                                                                                                                                                                                                
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\Mxe42m.exe                                                                                                                                                                                                                                  
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\Oal92Xd2.exe                                                                                                                                                                                                                                
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\PwnQ9t0X.exe                                                                                                                                                                                                                                
Adware:Adware/MemoryWatcher                                                     Not disinfected               C:\WINDOWS\SYSTEM32\Pywf2.exe                                                                                                                                                                                                                                  
Adware:Adware/Sqwire                                                            Not disinfected               C:\WINDOWS\SYSTEM32\tsuninst.exe                                                                                                                                                                                                                                
Adware:Adware/SAHAgent                                                          Not disinfected               C:\WINDOWS\SYSTEM32\xmltok.dll                                                                                                                                                                                                                                  
Adware:Adware/SearchAid                                                         Not disinfected               C:\WINDOWS\uninstall_nmon.vbs                                                                                                                                                                                                                                  
Adware:adware/cws.searchmeup                                                    Not disinfected               C:\WINDOWS\uniq                                                                                                                                                                                                                                                



Here are the results for the RegSrch.vbs program:

1)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7" 3/13/2006 8:30:16 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}"=""


2)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "AD2463D3-1C57-4634-9C90-79D15A801A47" 3/13/2006 8:31:38 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AD2463D3-1C57-4634-9C90-79D15A801A47}"=""


3)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E" 3/13/2006 8:32:39 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}"=""


4)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "35B1EBC1-119D-4F95-A628-68F5B3D4B549" 3/13/2006 8:33:50 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{35B1EBC1-119D-4F95-A628-68F5B3D4B549}"=""

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Please Help Me
« Reply #21 on: March 13, 2006, 11:41:30 PM »
Can you find these files and send them to the recycle bin
C:\gimmysmileys1.exe
C:\keyboard1.exe
C:\secure32.html
C:\SS1001.exe
C:\WildMedia.exe
C:\WINDOWS\alchem.ini
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\GatorPatch.log
C:\WINDOWS\gimmygames.dat
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\satmat.inf
C:\WINDOWS\kwv2.dat
C:\WINDOWS\msbb_gdf.dat
C:\WINDOWS\satmat.ini
C:\WINDOWS\sepsd.bin
C:\WINDOWS\SYSTEM32\atmtd.dll
C:\WINDOWS\SYSTEM32\CqbFH.exe
C:\WINDOWS\SYSTEM32\FgoeGdW1.exe
C:\WINDOWS\SYSTEM32\guarnset.exe
C:\WINDOWS\SYSTEM32\Hux1Ua1Z.exe
C:\WINDOWS\SYSTEM32\Ifojyc.exe
C:\WINDOWS\SYSTEM32\KnlaLVh.exe
C:\WINDOWS\SYSTEM32\Mxe42m.exe
C:\WINDOWS\SYSTEM32\Oal92Xd2.exe
C:\WINDOWS\SYSTEM32\PwnQ9t0X.exe
C:\WINDOWS\SYSTEM32\Pywf2.exe
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\uniq
SEARCH for these next files please
IdmUP.dll
Topicks.reg
TPReg.dll
FileVersions.ini
HtCheck2.dll
Idhost.exe
IdInst.exe

and these folders
C:\Program Files\Common Files\VCClient
C:\Program Files\InetGet2
C:\Program Files\altnet
C:\Program Files\topicks
Let me know if you found and removed all the above please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}"=-
"{AD2463D3-1C57-4634-9C90-79D15A801A47}"=-
"{6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}"=-
"{35B1EBC1-119D-4F95-A628-68F5B3D4B549}"=-


Reboot the computer

Are you now able to install Windows updates?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
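
Added example, not part of the original post: a small Python reviewer for a REGEDIT4 fix file like the fix.reg above, listing what a merge would do and flagging anything other than deleting the four GUID values that RegSrch.vbs found under Shell Extensions\Approved. The function names `review_reg` and `unexpected_ops` are hypothetical, and the embedded file text is copied from the code box in the post.

```python
import re

# Input copied from the fix.reg code box in the post above.
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}"=-
"{AD2463D3-1C57-4634-9C90-79D15A801A47}"=-
"{6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}"=-
"{35B1EBC1-119D-4F95-A628-68F5B3D4B549}"=-
'''

# Key and value names reported by the four RegSrch.vbs searches in the thread.
APPROVED_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                r"\CurrentVersion\Shell Extensions\Approved")
EXPECTED_GUIDS = {
    "{AA383E6D-B09A-4850-B6B1-6FD2D6C70BE7}",
    "{AD2463D3-1C57-4634-9C90-79D15A801A47}",
    "{6BA67FF3-B01D-44C3-8AEC-42DB57FE1C3E}",
    "{35B1EBC1-119D-4F95-A628-68F5B3D4B549}",
}

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=data  or  @=data  (the default value of a key)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))\s*=\s*(.*)$')


def review_reg(text):
    """Return the operations a .reg file performs when merged.

    Each operation is a tuple (action, key, value_name, data) where action is
    'delete_key', 'delete_value' or 'set_value'.
    """
    body = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    if not body or body[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / version 5.00 header")
    ops, key, pending = [], None, ""
    for raw in body[1:]:
        line = pending + raw
        pending = ""
        if line.startswith(";"):                 # comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):            # [-KEY] deletes a whole key
                ops.append(("delete_key", inner[1:], None, None))
                key = None
            else:
                key = inner
            continue
        if line.endswith("\\"):                  # hex data continued on next line
            pending = line[:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparseable line: %r" % line)
        name = "(Default)" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(3)
        if data == "-":                          # "name"=- deletes one value
            ops.append(("delete_value", key, name, None))
        else:
            ops.append(("set_value", key, name, data))
    return ops


def unexpected_ops(ops, key=APPROVED_KEY, names=EXPECTED_GUIDS):
    """Return operations that are not a deletion of an expected value under key."""
    wanted = {n.upper() for n in names}          # registry names are case-insensitive
    return [op for op in ops
            if not (op[0] == "delete_value"
                    and op[1].upper() == key.upper()
                    and op[2].upper() in wanted)]


if __name__ == "__main__":
    operations = review_reg(FIX_REG)
    for action, key, name, data in operations:
        print(action, key, name, data or "")
    print("unexpected:", unexpected_ops(operations))
```
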


Offline handsomecrown

Please Help Me
« Reply #22 on: March 14, 2006, 12:23:33 AM »
All of the files deleted fine except for the following files which were not located on the computer:

C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
C:\WINDOWS\Downloaded Program Files\WildApp.inf
(When searching for these files I made sure it was looking in hidden files as well)
IdmUP.dll
Topicks.reg
TPReg.dll
FileVersions.ini
HtCheck2.dll
Idhost.exe
IdInst.exe
C:\Program Files\altnet
C:\Program Files\topicks

After following the rest of your instructions, the same update failed in Windows Update as before (the Validation Tool). It tells me to look at my update history to see why it failed, but it is not even on the list.

I am sorry for not posting a HJT log before (I forgot), but here is one now after completing your most recent instructions:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:03 PM, on 3/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Offline guestolo

Please Help Me
« Reply #23 on: March 14, 2006, 01:15:08 AM »
Let's get rid of 2 files that you can't see right now
Go to START>>RUN>>Copy and paste the following command in bold below then hit OK

regsvr32 /u occache.dll

Find and delete these files
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf <-file
C:\WINDOWS\Downloaded Program Files\WildApp.inf <-file

Then go back to the Run command and copy and paste the following in bold below
regsvr32 occache.dll


Let's try this for the windows updates
You may have best results with Step2, but work thru the list
If the WGA issue occurred when the Windows system has been activated, it was likely caused by one of the following factors:
1. A security program running in the background prevents the validation tool from running properly.
2. The WGA engine was not installed or running properly.
We can take the following steps and see if the issue can be resolved.
==========================
Step 1: Disable the security programs temporarily
*The following programs can prevent the validation tool from running properly. I suggest we disable them temporarily to test the issue:
*Norton Security programs
*Panda Antivirus programs
*Web Accelerator programs
*Anti-Spyware programs
If any of the above programs cause the issue, please check if it can be re-configured to accept the WGA ActiveX control. Otherwise, please temporarily disable it to enable the WGA validation tool. However, please re-enable the application after we complete the troubleshooting steps.
==========================
Step 2: Install the WGA engine manually
The WGA engine may have been already installed but is not working properly.
We can use the following steps to reinstall it. This will ensure the engine files are copied and registered properly.
1. Download the ActiveX cab file from the following link and then save it to the Desktop.
http://download.microsoft.com/download/a/c...heckControl.cab
Open the downloaded cab file and we will find the following three files:
GWFSPIDGen.dll
LegitCheckControl.dll
LegitCheckControl.inf

2. Click "Start", click "Run", type: "%windir%\system32" (without quotations) and press Enter. Copy the GWFSPIDGen.dll and LegitCheckControl.dll files into the opened system32 folder.
3. Click "Start", click "Run", type: "REGSVR32 LegitCheckControl.dll" (without the quotations) and press Enter. We will see a popup message stating this process succeeded.
4. Click "Start", click "Run", type: "inf" (without quotations) and press Enter. Copy the LegitCheckControl.inf file into the opened inf folder.
5. Right click on the copied LegitCheckControl.inf file in the inf folder, and then choose Install. The WGA engine will be installed automatically.
==========================
After we finish the above steps, please restart the computer and try to validate the Windows again.
« Last Edit: March 14, 2006, 01:20:41 AM by guestolo »


Offline handsomecrown

Please Help Me
« Reply #24 on: March 14, 2006, 07:58:45 PM »
Ok... I did everything asked, and it all went fine, but the validation tool still fails to install.

I don't know if this is important or not, but when I go into the list of previous updates, in about the middle of the list there are several canceled and failed updates. All it says on the info about them is that they can be uninstalled under Add / Remove Programs.

Offline handsomecrown

Please Help Me
« Reply #25 on: March 15, 2006, 08:29:30 PM »
So, after searching around for a little while, I found THIS PAGE on Microsoft that helped my problem. I didn't do exactly what the thread said, but I went to the location he said the downloaded files were and installed the validator manually. This worked perfectly, and the next time I went into Windows Updates, it showed that I could install SP2.

Well, it turns out the SP2 files were already downloaded, and failed to install through Windows Update in IE. So, I went into where I found the validator files and manually installed SP2. The problem is, Windows Update still does not let me install updates. It can download them, but it won't install them. Also, there is still no firewall because when I click to enable it, it gives me another error message.

Here is a new HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:18:06 PM, on 3/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\cisvc.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
« Last Edit: March 15, 2006, 08:48:19 PM by handsomecrown »

Offline handsomecrown

Please Help Me
« Reply #26 on: March 15, 2006, 11:16:15 PM »
Well, after visiting This Website I was able to enable the Firewall, but Windows Update still fails to install the updates. Also, McAfee still will not uninstall in safe mode or normal mode.

Offline guestolo

Please Help Me
« Reply #27 on: March 16, 2006, 09:06:24 PM »
Sorry for the delay, I couldn't find time to access the forum that much the last couple days
I had to go back and reread what we have done to this point
Anything help out in this link?
http://v4.windowsupdate.microsoft.com/troubleshoot/

Do you get an exact error message when trying to install updates?

We should eliminate the possibility that McAfee is interfering
I wish I knew the exact version of McAfee virus scan
Can you navigate to this folder
C:\Program Files\McAfee.com
Any readme or other text files that will give you an indication?

Also, could you open Hijackthis>>Open Misc tools section>>Open Hosts file manager
click the "Open In Notepad" button
A text file will open, copy and paste the whole contents back here please


Offline handsomecrown

Please Help Me
« Reply #28 on: March 16, 2006, 09:43:04 PM »
Okay, after installing SP2, I found out I had 7 critical updates, so I downloaded them, but they wouldn't install; however, they did install after I shut down the computer. When I try to install updates through the Windows Update in IE, the error I get says: "Problem: A problem on your computer is preventing updates from being downloaded or installed."

With McAfee, in that folder, there was no specific version number found, but in a readme.txt file it called the AntiVirus software "Mcafee.com AntiVirus Online." At THIS LINK I put up a picture to show you what the McAfee Security Center looks like. I hope that helps.

Here is the Hosts file from HJT:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

« Last Edit: March 16, 2006, 09:46:58 PM by handsomecrown »
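A Hosts file like the one requested and posted above can be checked mechanically for entries that touch the update and download hosts this thread uses. The following Python is an added example, not part of the original thread: the watch list, the function names and the sample lines marked "constructed" are assumptions, while the other sample lines use the format of the posted file.

```python
import ipaddress
from collections import Counter

# Assumption of this example: hosts whose resolution matters for the
# troubleshooting in this thread (Windows Update site, Microsoft downloads).
WATCHED_SUFFIXES = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "windowsupdate.com",
)

# Sample input: lines 2-7 follow the posted file, lines 8-10 are constructed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.netpalnow.com   #removed adware url
127.0.0.1  1-se.com #[cws.aboutblank][w32.tuoba.trojan]
127.0.0.1  windowupdate.ws #[cws.aboutblank]
127.0.0.1  www.clkprecision.com
127.0.0.1  www.clkprecision.com
127.0.0.1  v4.windowsupdate.microsoft.com   # constructed: blocks the update site
203.0.113.7  download.microsoft.com         # constructed: redirect, not a block
not-an-ip  example.invalid                   # constructed: malformed line
"""


def parse_hosts(text):
    """Return (entries, malformed); entries are (lineno, address, name)."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:  # an address with no hostname after it
            malformed.append(lineno)
            continue
        for name in fields[1:]:  # one line may carry several names
            entries.append((lineno, fields[0], name.lower().rstrip(".")))
    return entries, malformed


def is_sink(address):
    """True for loopback or 0.0.0.0/:: style addresses used to block a name."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def is_watched(name):
    """Exact or subdomain match only, so look-alike domains do not match."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit(text):
    entries, malformed = parse_hosts(text)
    counts = Counter(name for _, _, name in entries)
    return {
        # names pointed at the local machine, i.e. the blocklist part
        "sinkholed": sorted({n for _, a, n in entries
                             if is_sink(a) and n != "localhost"}),
        # names sent to some other machine: always worth a manual look
        "redirected": [e for e in entries if not is_sink(e[1])],
        # any override of an update/download host, blocked or redirected
        "watched": [e for e in entries if is_watched(e[2])],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(len(report["sinkholed"]), "names sinkholed to the local machine")
    for key in ("watched", "redirected", "duplicates", "malformed"):
        print(key + ":", report[key])
```

An empty "watched" and "redirected" result means the Hosts file is not what keeps the machine from reaching the update servers.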

Offline handsomecrown

Please Help Me
« Reply #29 on: March 16, 2006, 11:42:24 PM »
Ok, after logging into another one of the accounts on the computer, the following two files are not able to be found so error messages come up:

C:\WINDOWS\inet20003\services.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
« Last Edit: March 16, 2006, 11:43:07 PM by handsomecrown »

Offline guestolo

Please Help Me
« Reply #30 on: March 17, 2006, 01:11:48 AM »
How many other users on the machine?
Can I see hijackthis logs from the other users please

Keep them separated
As eg... USER 1
USER 2
USER 3

How many have administrative privileges?
I'll have more time to check out the logs this weekend
We may need manual uninstall instructions of McAfee online virus scan and attempt to uninstall
McAfee security center
Make sure the XP firewall is enabled please


Offline handsomecrown

Please Help Me
« Reply #31 on: March 17, 2006, 06:27:50 PM »
On this computer there are 4 users, all with administrator privileges. Here are their logs:

USER 1 (the main user I have been using):

Logfile of HijackThis v1.99.1
Scan saved at 4:22:07 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\qwinosag.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


USER 2 (the user with the two file errors on start up):

Logfile of HijackThis v1.99.1
Scan saved at 4:16:44 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000123.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


USER 3 (no visible problems):

Logfile of HijackThis v1.99.1
Scan saved at 4:19:19 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicksearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


USER 4 (no visible problems):

Logfile of HijackThis v1.99.1
Scan saved at 4:20:59 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\qwinosag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\SYSTEM32\qwinosag.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Please Help Me
« Reply #32 on: March 18, 2006, 09:46:10 AM »
Hi again, let's hopefully try and sort this all out
Print out these instructions please

Let's start in USER 1
Log off all other users
==Download SmitRem.exe by Noahdfear and save the file to your Local disk C:\ directory
So you now have C:\SmitRem.exe
Don't run it yet

==Download DelDomains.inf from HERE
Save this to local disk C: as well
Right Click on DelDomains.inf>>Choose Install from the menu bar

Although the Hosts file is blocking known bad sites, can we clear them please to ensure it's not any trouble
== Download Hoster.zip and unzip it to a folder of its own
We'll use it later

Open Hijackthis>>Open Misc tools section>>Open "Process Manager"
Left click to Highlight
C:\WINDOWS\SYSTEM32\qwinosag.exe
Then Kill the Process>>OK the prompt
Then click BACK under Other stuff>>Click Config
Open "Delete File on Reboot"
In the file name field, copy and paste the below line in bold

C:\WINDOWS\SYSTEM32\qwinosag.exe
Now click the OPEN button, hijackthis should prompt that the file will be deleted and to reboot your computer
Don't reboot yet
Instead, in Hijackthis, click BACK under Other stuff
Do a "SCAN" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot into safe mode please
Log in with USER 2
Find and delete this file if found
Make sure windows is set to show hidden files and folders
C:\Program Files\SoftwareOnline\soproc.exe <-this file
Or the WHOLE SoftwareOnline folder if unknown

Again, right click on Deldomains and choose install
==Double click on SmitRem.exe to extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish. Remain in safe mode

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack RegSoAlertWxLiteNnAj

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000123.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot in USER 3
Normal mode is fine
Run DelDomains

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicksearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot and log in with USER4
>>DelDomains
Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Can you reboot back to USER 2 please
Since we ran SmitRem, do the following
You will have to reset the background in Display properties
The XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

Reboot back to USER 1

==Open Hoster
Then select the "Restore Original Hosts" button
OK the prompts

++++Open SpywareBlaster you downloaded earlier
Check for updates, if any, let it download
Regardless of an update or not, under "Protection"
Select the "Enable all Protection"

Post back with fresh hijackthis logs please

I hope the above isn't too confusing :)

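An added example, not part of the original thread: once the fresh logs requested above are posted, they can be checked against the list of entries that were ticked for FIX CHECKED. The Python below parses HijackThis result lines and reports which requested fixes are gone, which are still present, and what is new; the sample lines are excerpted from the USER 2 logs and fix list on this page, and all function names are this example's own.

```python
import re

# A HijackThis result line is "<section> - <entry>", where the section code is
# R0-R3, F0-F3, N1-N4 or O1-O2x. Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^\s*((?:R|F|N)[0-4]|O\d{1,2})\s+-\s+(.*\S)\s*$")


def normalize(text):
    """Collapse whitespace and ignore case (Windows paths are case-insensitive)."""
    return " ".join(text.split()).casefold()


def parse_entries(log_text):
    """Map (section, normalized entry) -> original line for every result line."""
    entries = {}
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            key = (match.group(1), normalize(match.group(2)))
            entries.setdefault(key, line.strip())
    return entries


def verify_fix(fix_list, before_log, after_log):
    """Compare a list of entries to fix against logs taken before and after."""
    wanted = parse_entries(fix_list)
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    return {
        # Requested, seen before, absent afterwards: the fix took effect.
        "removed": sorted(wanted[k] for k in wanted
                          if k in before and k not in after),
        # Requested but still listed afterwards: needs a second look.
        "still_present": sorted(wanted[k] for k in wanted if k in after),
        # Requested but in neither log: likely a copy/paste mismatch.
        "never_seen": sorted(wanted[k] for k in wanted
                             if k not in before and k not in after),
        # Present afterwards but not before: something changed in between.
        "new_since_before": sorted(after[k] for k in after if k not in before),
    }


# Excerpts from this page: the USER 2 fix list, the 3/17 log and the 3/18 log.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
"""

BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qwinosag.exe TST001
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
"""

if __name__ == "__main__":
    for bucket, lines in verify_fix(FIX_LIST, BEFORE, AFTER).items():
        print(f"{bucket}:")
        for entry in lines:
            print(f"  {entry}")
```

On these excerpts the Zeno.lnk startup entry is reported as still present in the 3/18 USER 2 log, while the other four requested entries are gone.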


Offline handsomecrown

  • Newbie
  • *
  • Posts: 42
  • Karma: +0/-0
Please Help Me
« Reply #33 on: March 18, 2006, 12:55:38 PM »
It all went very smoothly. Here are the logs:

USER 1:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:26 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


USER 2:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:34 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Registry Cleaner] C:\PROGRA~1\REGIST~1\Regclean.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\qwinosag.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


USER 3:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:41 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


USER 4:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:32 AM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Offline guestolo

« Reply #34 on: March 18, 2006, 01:21:14 PM »
USER 1 and USER 2 each has a shortcut directing to
Zeno.lnk

Can you go into the appropriate folders
C:\Documents and Settings\USER 1&2\Start Menu\Programs\Startup
and delete it please

You should run an updated scan with Ewido afterwards and additionally run
Windows CleanUp!

Let me know how things are running
« Last Edit: March 18, 2006, 01:22:48 PM by guestolo »


Offline handsomecrown

« Reply #35 on: March 18, 2006, 06:15:29 PM »
I deleted the files and ran ewido.

The computer is running great. There are no problems that I can see. The only thing is just the fact that McAfee will not uninstall and Windows Update does not install updates.

Here is the report:

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         2:20:01 PM, 3/18/2006
 + Report-Checksum:      675615BD

 + Scan result:

   C:\Documents and Settings\Andrea Sanders\Cookies\andrea [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Michael Sanders\Cookies\michael [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\WINDOWS\inst_adperform.exe -> Adware.BargainBuddy : Cleaned with backup


::Report End

Offline guestolo

« Reply #36 on: March 19, 2006, 11:59:56 AM »
Can you try the following again

Clear all the restore points from the computer
By disabling system restore>>Reboot>>Enable system restore
This creates a fresh restore point

Make sure the XP firewall is enabled!

Log off all other users
Go to START>>RUN>>type in services.msc
Hit Ok
In the next window, look on the right hand side for this service
name---- McAfee.com McShield

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for this one
McAfee.com VirusScan Online Realtime Engine

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

You may not have the CD that came with this computer
that has the McAfee trial version on it. Do you?
If you do, you can try reinstalling it and then uninstall all components of McAfee

I saw Registry Cleaner in one of the other logs
I'm not familiar with it, so let's keep away from it

Access add/remove programs via control panel
Remove McAfee.com VirusScan Online if you can

If that won't work
Download and UNZIP this free registry cleaner
RegSeeker 1.45
http://www.hoverdesk.net/freeware.htm
Open the RegSeeker Folder and double click on RegSeeker.exe
Click on Installed Applications>>add/remove entries
Try removing McAfee.com VirusScan Online
Carry on if still no luck


Try removing McAfee.com SecurityCenter
from add/remove programs via control panel
Reboot if that was successful
Then send this folder to the recycle bin
C:\Program Files\McAfee.com

Open RegSeeker.exe again
Click on "Clean the registry"  in the left menu
Hit OK on the right
Let it finish scanning and then ensure Backup before deletion is checked

Choose "Select all"
Right click and choose
Delete all selected

Reboot the computer one more time

Back in Windows
Post back a fresh hijackthis log from USER 1
« Last Edit: March 19, 2006, 12:05:46 PM by guestolo »


Offline handsomecrown

« Reply #37 on: March 19, 2006, 01:33:15 PM »
I did everything you asked, but I do not have the original discs that came with the computer so that option is out. McAfee Security Center is now not on the add/ remove programs list, but the program is still there (along with the McAfee AntiVirus program).

Here is a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:02 AM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Offline guestolo

« Reply #38 on: March 19, 2006, 01:48:30 PM »
I'm not sure if I understand?
Quote
McAfee Security Center is now not on the add/ remove programs list, but the program is still there (along with the McAfee AntiVirus program).

Did you send this folder to the recycle bin?
C:\Program Files\McAfee.com

Can you reboot into safe mode
Go to start>>run>>type in the following then hit OK
sc delete McShield
Do the same for this one

sc delete MCVSRte

Can you have hijackthis fix these entries again
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

Send the McAfee.com folder to the recycle bin

run regseeker again

boot back to Normal mode
« Last Edit: March 19, 2006, 01:56:41 PM by guestolo »


Offline handsomecrown

« Reply #39 on: March 19, 2006, 02:25:55 PM »
The McAfee programs are gone. The folder deleted fine in safe mode.

By the way, I am returning this computer back to my friend tonight.

Here is another HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:18:33 PM, on 3/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Sanders\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
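
Added example (not part of the thread and not code from any poster or from HijackThis): the before/after comparison that the logs in replies #37 and #39 are posted for, done mechanically. The function names are hypothetical, and the two sample logs are trimmed excerpts of the logs above.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Trimmed excerpts of the logs posted in replies #37 and #39 above.
LOG_REPLY_37 = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:26:02 AM, on 3/19/2006

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
c:\program files\mcafee.com\agent\mcagent.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""

LOG_REPLY_39 = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:18:33 PM, on 3/19/2006

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""


def norm(s):
    """Case-fold and collapse whitespace; Windows paths are case-insensitive,
    and the same file shows up as System32 and system32 in these logs."""
    return " ".join(s.split()).lower()


def parse_hjt(text):
    """Return (processes, entries).

    processes: set of normalised paths from the 'Running processes:' block.
    entries:   dict of normalised entry line -> original entry line.
    """
    processes, entries = set(), {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False          # the first R/F/N/O line ends the process list
            entries[norm(line)] = line
        elif in_procs and line:
            processes.add(norm(line))
    return processes, entries


def diff_logs(before, after):
    """What disappeared and what appeared between two scans."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {
        "removed_entries": sorted(be[k] for k in be.keys() - ae.keys()),
        "added_entries": sorted(ae[k] for k in ae.keys() - be.keys()),
        "removed_processes": sorted(bp - ap),
        "added_processes": sorted(ap - bp),
    }


def leftovers(text, needle):
    """Processes and entries that still mention `needle` (e.g. a vendor folder).
    Substring matching also catches 8.3 paths such as c:\\PROGRA~1\\mcafee.com,
    which exact path comparison would treat as a different file."""
    procs, entries = parse_hjt(text)
    needle = needle.lower()
    hits = sorted(p for p in procs if needle in p)
    hits += sorted(v for k, v in entries.items() if needle in k)
    return hits


if __name__ == "__main__":
    for kind, items in diff_logs(LOG_REPLY_37, LOG_REPLY_39).items():
        for item in items:
            print(f"{kind}: {item}")
    print("still referencing mcafee.com:", leftovers(LOG_REPLY_39, "mcafee.com"))
```

An empty `added_entries` list matters as much as the removals: a new O4 or O23 line appearing between two scans is the first thing to look at.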