Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Found malware-CW.MSConfig, BHO and BackWeb

Started by halfopus , May 07 2005 01:15 AM

Page 4 of 6
2
3
4
5
6

Please log in to reply

#46
coachwife6

Posted 02 June 2005 - 09:47 PM

SuperStar

Retired Staff
11,413 posts

Please download the latest version of about buster.

http://www.geekstogo...=download&id=25

Also, run CWShredder and Adaware again.

Please scan your system with Ad-aware:
Ad-aware SE - Download - Home Page

If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
Once the definitions have been updated:
Reconfigure Ad-Aware for Full Scan as per the following instructions:
- Launch the program, and click on the Gear at the top of the start screen.
- Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
  - "Automatically save logfile"
  - Automatically quarantine objects prior to removal"
  - Safe Mode (always request confirmation)
  - Prompt to update outdated confirmation) - Change to 7 days.
- Click the "Scanning" button (On the left side).
- Under Drives & Folders, select "Scan within Archives"
- Click "Click here to select Drives + folders" and select your installed hard drives.
- Under Memory & Registry, select all options.
- Click the "Advanced" button (On the left hand side).
- Under "Shell Integration", select "Move deleted files to Recycle Bin".
- Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
- Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
- Click the "Tweak" button (Again, on the left hand side).
- Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
  - "Unload recognized processes during scanning."
  - "Obtain command line of scanned processes"
  - "Scan registry for all users instead of current user only"
- Under "Cleaning Engine", select the following:
  - "Automatically try to unregister objects prior to deletion."
  - "During removal, unload explorer and IE if necessary"
  - "Let Windows remove files in use at next reboot."
  - "Delete quarrantined objects after restoring"
- Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
- Click on "Proceed" to save these Preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
Close all programs except ad-aware.
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Please Download CoolWebShredder, from http://www.geekstogo...=download&id=17 , Extract it & run the program. Click the Next Button & let it scan. Make sure you let it fix all CWS Remnants. Afterwards, Please Post a fresh Hijack This log.

Please download CleanUp! - Download - HomePage
Install and run. Click on the button labeled CleanUp!.

When it finishes it will prompt you to restart Windows - there will be one or two files it cannot delete when Windows is running - however, they will be deleted next time Windows starts up.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

#47
halfopus

Posted 05 June 2005 - 05:06 PM

Member

Topic Starter
Member
44 posts

Hello Again!

I ran About Buster, CWS and Ad-Aware found no problems (Thanks for the detailed settings for the latter!).

CleanUp! always shows files that are in use that cannot be erased until next start up and even when I reboot, the program does not run, therefore, the tmp, etc files never fully get erased. Even manually, I cannot erase as they are currently being used by another program.

Good News! The Google start page does not show words corrupted by italics and some other programs which also were affected have returned to their normal un-italicized font. Don't know what fixed this but I am nonetheless happy!

Effective-i is being found on my system but I cannot remove it. Nothing to uninstall and no known .dlls are found on my system.

Here is my latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:28:49 PM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Folder Shield\FSService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Folder Shield\fsp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\SpyCatcher\DeleteSatellite.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\StealthSurf\StealthSurf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\SPC129~1\swdoctor.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPC129~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [fspr] "C:\Program Files\Folder Shield\FolderShield.exe" CR
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [StealthSurf] C:\Program Files\StealthSurf\StealthSurf.exe /startup
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPC129~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093236713921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: FSService - Unknown owner - C:\Program Files\Folder Shield\FSService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

#48
coachwife6

Posted 05 June 2005 - 09:07 PM

SuperStar

Retired Staff
11,413 posts

Have you been surfing the net a bunch lately? It looks as if there's more trash there than before. Please refrain from doing so until it gets cleaned up.

I would suggest disabling Microsoft Anti-Spyware until we get you clean as well. You can re-enable it after we’re through.

Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'COM+ System Service'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.

Please disable winpatrol as well.

Please set your system to show
all hidden files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\Program Files\Folder Shield\FSService.exe<<only if you want to get rid of it.
C:\Program Files\Folder Shield\fsp.exe<<only if you want to get rid of it.
C:\Program Files\SpyCatcher\DeleteSatellite.exe<<only if you want to get rid of it.
C:\Program Files\StealthSurf\StealthSurf.exe<<only if you want to get rid of it.

Exit the Task Manager when finished.

Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check narj against each of the following, making sure you get each one and not any others by mistake:

R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [fspr] "C:\Program Files\Folder Shield\FolderShield.exe" CR<<only if you want to get rid of it.
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe"<<only if you want to get rid of it.
O4 - HKLM\..\Run: [StealthSurf] C:\Program Files\StealthSurf\StealthSurf.exe /startup<<only if you want to get rid of it.
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait<<only if you want to get rid of it.
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: FSService - Unknown owner - C:\Program Files\Folder Shield\FSService.exe<<only if you want to get rid of it.

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\SpyCatcher\DeleteSatellite.exe<<only if you want to get rid of it.
C:\Program Files\StealthSurf\StealthSurf.exe<<only if you want to get rid of it.
Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Please reboot and post a fresh HijackThis log and we will take another look to see how we did.

#49
halfopus

Posted 06 June 2005 - 11:57 PM

Member

Topic Starter
Member
44 posts

I appreciate your continued help!
Here is my HJT log :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:13 PM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Folder Shield\FSService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Folder Shield\fsp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\SPC129~1\swdoctor.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\CleanUp!\Cleanup.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpitstop.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPC129~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [fspr] "C:\Program Files\Folder Shield\FolderShield.exe" CR
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPC129~1\swdoctor.exe /Q
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPC129~1\tools\iesdpb.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093236713921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...484/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: FSService - Unknown owner - C:\Program Files\Folder Shield\FSService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

Edited by halfopus, 06 June 2005 - 11:59 PM.

#50
coachwife6

Posted 07 June 2005 - 03:30 AM

SuperStar

Retired Staff
11,413 posts

How is it running now?

#51
halfopus

Posted 07 June 2005 - 10:14 AM

Member

Topic Starter
Member
44 posts

Hi,
My system is more responsive and applications open more quickly. :tazz:

I have found c:/documentsandsettings/ have two administrator folders. one is "administrator" with just application data, NTUSER.dat and NTUSER.dat.log as the only three entries. The other folder in named "administrator.D6CG5L3" which contains the typical folders and file components. Should I rename the latter folder and delete the prior one with three files if perchance this could be part of my original problem?

I had surfed the net briefly only to run online scans before June 6th and to check my many neglected emails. At what point can I safely try the internet?

Thanks again!

#52
coachwife6

Posted 07 June 2005 - 01:10 PM

SuperStar

Retired Staff
11,413 posts

You can go ahead and surf.

#53
halfopus

Posted 07 June 2005 - 06:19 PM

Member

Topic Starter
Member
44 posts

I am able to access the internet normally but I cannot check for windows updates. All I get is a blank page. :tazz:

Do I need to enable COM+ System Service?
Thanks!

Edited by halfopus, 07 June 2005 - 08:12 PM.

#54
coachwife6

Posted 08 June 2005 - 03:37 AM

SuperStar

Retired Staff
11,413 posts

COM+ Event System
You will receive, in the Event Log, a entry from "DCOM" complaining about not having this service running if Disabled. Required for System Event Notification. Required if you want to run BootVis with the "optimize system" option.
Recommend: Disabled

Found info. here

but I cannot check for windows updates. All I get is a blank page.

Are you getting an error number?

#55
halfopus

Posted 10 June 2005 - 12:20 AM

Member

Topic Starter
Member
44 posts

Hello,

Thanks for your response. There is no error number but http://windowsupdate.microsoft.com/ shows a blank white page with no writing (this is found in my start menu). The website http://v4.windowsupd.../en/default.asp will allow me to check for updates but I have to find it with a Google search.

So far my system is stable but in safe mode (administrator only) my keyboard will lock up! Is there still something still lurking on my system?

Is it safe to re-enable MS Antispyware?

Thanks for all your help! :tazz:

Edited by halfopus, 10 June 2005 - 12:23 AM.

#56
coachwife6

Posted 10 June 2005 - 12:37 PM

SuperStar

Retired Staff
11,413 posts

You can re-enable microsoft antispyware. Only needs to be disabled when we fix things. Have you tried a different keyboard?

#57
halfopus

Posted 12 June 2005 - 07:11 PM

Member

Topic Starter
Member
44 posts

Hello,

I am using a brand new Dell keyboard so don't think this is the problem.

When I start up in safe mode, the screen will occasionally state "keyboard failure" or something similar. I believe this is a malware warning which attempts to prevent the user from pressing F8 and stop safe modestartup.

CleanUp! shows many files in use which cannot be cleaned until restart. When I reboot and rerun the program, no new files are removed.

My Administrator folder has had its name changed to Administrator.******
where ***** = computer name. I don't remember the folder being named this prior to my system having problems.

Thanks for your help! :tazz:

Edited by halfopus, 12 June 2005 - 07:13 PM.

#58
coachwife6

Posted 12 June 2005 - 09:16 PM

SuperStar

Retired Staff
11,413 posts

"keyboard failure"

Are you tapping it before the dell logo comes up?

#59
halfopus

Posted 13 June 2005 - 12:26 AM

Member

Topic Starter
Member
44 posts

Are you tapping it before the dell logo comes up?

Yes, you are right! When I tap too early, the message comes up. If I tap after the DELL screen appears, everything is fine! :tazz:

Effective-i spyware is consistently being found on my system. I delete it, but this always returns. it is found in: HKCU/software/microsoft/windows/currentversion/internet settings/zonemap/ranges/range1/ -- is this something to worry about?
Thanks!

#60
coachwife6

Posted 13 June 2005 - 03:28 AM

SuperStar

Retired Staff
11,413 posts

Read the document, How to back up your registryfor instructions.

1. Click Start > Run.
2. Type regedit

Then click OK.
3. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

In the right pane, delete the value:

"{44BE0690-5429-47f0-85BB-3FFD8020233E}" = "UCmore - The Search Accelerator"

4. Delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator
HKEY_LOCAL_MACHINE\SOFTWARE\Effective-i
HKEY_CURRENT_USER\Software\Effective-i
HKEY_CURRENT_USER\Software\Maxthon

5. Exit the Registry Editor.

Reboot. Do another scan and see if it is still therre. :tazz: