Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't shutdown windows, Can't install anything [RESOLVED]


  • This topic is locked This topic is locked

#1
scout1

scout1

    Member

  • Member
  • PipPip
  • 30 posts
I have an issue that has (somewhat recently) prevented Windows from shutting down and have a never ending install in process. The admin guys from the XP forum suggested that I might need help from this forum.

Problem : 1) Can't install anything as the system thinks there is an install in process. Tells me to complete the first install.
2) Windows will NOT shutdown. Gets to the Windows shutting down screen and freezes. Let it sit over night without any change. Was able to shutdown in safe mode. Tried system restore. Went throguh the entire process only to be told that it was unsuccessful.

Appreciate any help or assistance that can be provided to clean up these problems.


Copied below are the log files from
-- HijackThis
-- Ad-Aware
-- StartupList
-- SystemClean

Sorry about the long listing, but not sure which you might need ......

Logfile of HijackThis v1.99.1
Scan saved at 9:01:27 AM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\BugHunt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.formature...d=272&keywords=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\AIM Phone\n2paim.exe
O9 - Extra 'Tools' menuitem: AIM Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\AIM Phone\n2paim.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, July 24, 2005 4:25:31 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R54 14.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):12 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R54 14.07.2005
Internal build : 63
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 496849 Bytes
Total size : 1499538 Bytes
Signature data size : 1467043 Bytes
Reference data size : 31983 Bytes
Signatures total : 41785
Fingerprints total : 962
Fingerprints size : 33758 Bytes
Target categories : 15
Target families : 715


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:41 %
Total physical memory:523808 kb
Available physical memory:210700 kb
Total page file size:2064356 kb
Available on page file:1775124 kb
Total virtual memory:2097024 kb
Available virtual memory:2047364 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-24-2005 4:25:31 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 552
ThreadCreationTime : 7-24-2005 9:11:00 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe
ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows
ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
MaxRequestTh
ProcessID : 604
ThreadCreationTime : 7-24-2005 9:11:02 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 628
ThreadCreationTime : 7-24-2005 9:11:03 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 672
ThreadCreationTime : 7-24-2005 9:11:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 684
ThreadCreationTime : 7-24-2005 9:11:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 836
ThreadCreationTime : 7-24-2005 9:11:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 916
ThreadCreationTime : 7-24-2005 9:11:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1020
ThreadCreationTime : 7-24-2005 9:11:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k
LocalService
ProcessID : 1228
ThreadCreationTime : 7-24-2005 9:11:07 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1376
ThreadCreationTime : 7-24-2005 9:11:08 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1512
ThreadCreationTime : 7-24-2005 9:11:09 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [kbd.exe]
ModuleName : C:\HP\KBD\KBD.EXE
Command Line : "C:\HP\KBD\KBD.EXE"
ProcessID : 1776
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : High


#:13 [hpsysdrv.exe]
ModuleName : C:\windows\system\hpsysdrv.exe
Command Line : "c:\windows\system\hpsysdrv.exe"
ProcessID : 1796
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
ProductName : hpsysdrv
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
LegalCopyright : Copyright © 1998
OriginalFilename : hpsysdrv.exe

#:14 [shstat.exe]
ModuleName : C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE
Command Line : "C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
ProcessID : 1824
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal


#:15 [updaterui.exe]
ModuleName : C:\Program Files\Network Associates\Common
Framework\UpdaterUI.exe
Command Line : "C:\Program Files\Network Associates\Common
Framework\UpdaterUI.exe" /StartedFromRunKey
ProcessID : 1836
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 3.1.1.184
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Common User Interface
InternalName : UpdaterUI
LegalCopyright : Copyright© 2000-2003 Networks Associates
Technology, Inc. All Rights Reserved.
OriginalFilename : UpdaterUI.exe

#:16 [ipclient.exe]
ModuleName : C:\Program Files\Visual Networks\Visual IP
InSight\SBC\IPClient.exe
Command Line : "C:\Program Files\Visual Networks\Visual IP
InSight\SBC\IPClient.exe" -l
ProcessID : 1848
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 5.8.0.13
ProductVersion : 5.8.0.13
ProductName : Visual IP InSight
CompanyName : Visual Networks
FileDescription : IP Session Statistics
InternalName : IPCLIENT
LegalCopyright : Copyright © 2003 Visual Networks Technologies,
Inc.
OriginalFilename : ipclient32.exe

#:17 [ipmon32.exe]
ModuleName : C:\Program Files\Visual Networks\Visual IP
InSight\SBC\IPMon32.exe
Command Line : "C:\Program Files\Visual Networks\Visual IP
InSight\SBC\IPMon32.exe"
ProcessID : 1868
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 5.8.0.13
ProductVersion : 5.8.0.13
ProductName : Visual IP InSight
CompanyName : Visual Networks
FileDescription : IP Monitor
InternalName : IPMON32
LegalCopyright : Copyright © 2003 Visual Networks Technologies,
Inc.
OriginalFilename : ipmon32.exe

#:18 [motivesb.exe]
ModuleName : C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
Command Line : "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe"
ProcessID : 1876
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000
ProductVersion : 5.6.7.asst_classic.smartbridge
ProductName : Motive System
CompanyName : Motive Communications, Inc.
FileDescription : SBC Self Support Tool Alerts
InternalName : version
LegalCopyright : Copyright 1998-2003
OriginalFilename : version

#:19 [ybrwicon.exe]
ModuleName : C:\Program Files\Yahoo!\browser\ybrwicon.exe
Command Line : "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
ProcessID : 1884
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
ProductName : Yahoo!, Inc. YBrwIcon
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
LegalCopyright : Copyright © 2003
OriginalFilename : YBrwIcon.exe

#:20 [rundll32.exe]
ModuleName : C:\WINDOWS\system32\RUNDLL32.EXE
Command Line : "C:\WINDOWS\system32\RUNDLL32.EXE"
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
ProcessID : 1892
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:21 [zlclient.exe]
ModuleName : C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe
Command Line : n/a
ProcessID : 1924
ThreadCreationTime : 7-24-2005 9:11:12 PM
BasePriority : Normal
FileVersion : 5.5.094.000
ProductVersion : 5.5.094.000
ProductName : Zone Labs Client
CompanyName : Zone Labs, LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
OriginalFilename : zlclient.exe

#:22 [ycommon.exe]
ModuleName : C:\PROGRA~1\Yahoo!\browser\ycommon.exe
Command Line : C:\PROGRA~1\Yahoo!\browser\ycommon.exe
-Embedding
ProcessID : 2036
ThreadCreationTime : 7-24-2005 9:11:13 PM
BasePriority : Normal
FileVersion : 2003, 9, 3, 1
ProductVersion : 1, 0, 0, 1
ProductName : YCommon Exe Module
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
LegalCopyright : Copyright 2003 Yahoo! Inc.
OriginalFilename : YCommon.EXE

#:23 [gcasserv.exe]
ModuleName : C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe
Command Line : "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
ProcessID : 172
ThreadCreationTime : 7-24-2005 9:11:13 PM
BasePriority : Idle
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation.
All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered
trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft
Corporation.
OriginalFilename : gcasServ.exe

#:24 [weather.exe]
ModuleName : C:\Program Files\AWS\WeatherBug\Weather.exe
Command Line : "C:\Program Files\AWS\WeatherBug\Weather.exe"
1
ProcessID : 224
ThreadCreationTime : 7-24-2005 9:11:13 PM
BasePriority : Normal
FileVersion : 6, 4, 0, 8
ProductVersion : 6, 4, 0, 8
ProductName : WeatherBug
CompanyName : AWS Convergence Technologies, Inc.
FileDescription : WeatherBug
InternalName : Desktop Weather
LegalCopyright : Copyright © 2001-2004
LegalTrademarks : WeatherBug
OriginalFilename : Weather.exe
Comments : World Largest Weather Network

#:25 [osa.exe]
ModuleName : C:\Program Files\Microsoft
Office\Office\OSA.EXE
Command Line : "C:\Program Files\Microsoft
Office\Office\OSA.EXE" -b
ProcessID : 440
ThreadCreationTime : 7-24-2005 9:11:14 PM
BasePriority : Normal


#:26 [isafe.exe]
ModuleName : C:\WINDOWS\system32\ZoneLabs\isafe.exe
Command Line : C:\WINDOWS\system32\ZoneLabs\isafe.exe
ProcessID : 868
ThreadCreationTime : 7-24-2005 9:11:17 PM
BasePriority : Normal
FileVersion : Version 10.65.0.7
ProductVersion : Version 10.65.0.7
ProductName : ISafe
CompanyName : Computer Associates International, Inc.
FileDescription : ISafe Service
InternalName : ISafe
LegalCopyright : © 2003 Computer Associates International, Inc.
LegalTrademarks : Vet is a trademark of Computer Associates
International, Inc.
OriginalFilename : ISafe.exe
Comments : ISafe

#:27 [frameworkservice.exe]
ModuleName : C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
Command Line : "C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe" /ServiceStart
ProcessID : 1008
ThreadCreationTime : 7-24-2005 9:11:17 PM
BasePriority : Normal
FileVersion : 3.1.1.184
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Framework Service
InternalName : Framework
LegalCopyright : Copyright© 2000-2003 Networks Associates
Technology, Inc. All Rights Reserved.
OriginalFilename : Framework.exe

#:28 [gcasdtserv.exe]
ModuleName : C:\Program Files\Microsoft
AntiSpyware\gcasDtServ.exe
Command Line : "C:\Program Files\Microsoft
AntiSpyware\gcasDtServ.exe"
ProcessID : 1176
ThreadCreationTime : 7-24-2005 9:11:19 PM
BasePriority : Normal
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation.
All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered
trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft
Corporation.
OriginalFilename : gcasDtServ.exe

#:29 [mcshield.exe]
ModuleName : C:\Program Files\Network
Associates\VirusScan\mcshield.exe
Command Line : "C:\Program Files\Network
Associates\VirusScan\mcshield.exe"
ProcessID : 1252
ThreadCreationTime : 7-24-2005 9:11:20 PM
BasePriority : High


#:30 [vstskmgr.exe]
ModuleName : C:\Program Files\Network
Associates\VirusScan\vstskmgr.exe
Command Line : "C:\Program Files\Network
Associates\VirusScan\vstskmgr.exe"
ProcessID : 1300
ThreadCreationTime : 7-24-2005 9:11:21 PM
BasePriority : Normal


#:31 [naprdmgr.exe]
ModuleName : C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
Command Line : C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
-Embedding
ProcessID : 1368
ThreadCreationTime : 7-24-2005 9:11:22 PM
BasePriority : Normal
FileVersion : 3.1.1.184
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : NAI Product Manager
InternalName : Product Manager
LegalCopyright : Copyright© 2000-2003 Networks Associates
Technology, Inc. All Rights Reserved.
OriginalFilename : naPrdMgr.exe

#:32 [nvsvc32.exe]
ModuleName : C:\WINDOWS\system32\nvsvc32.exe
Command Line : C:\WINDOWS\system32\nvsvc32.exe
ProcessID : 1416
ThreadCreationTime : 7-24-2005 9:11:22 PM
BasePriority : Normal
FileVersion : 6.14.10.7189
ProductVersion : 6.14.10.7189
ProductName : NVIDIA Driver Helper Service, Version 71.89
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 71.89
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:33 [vsmon.exe]
ModuleName : C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Command Line : n/a
ProcessID : 1120
ThreadCreationTime : 7-24-2005 9:11:24 PM
BasePriority : Normal
FileVersion : 5.5.094.000
ProductVersion : 5.5.094.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
OriginalFilename : vsmon.exe

#:34 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 3668
ThreadCreationTime : 7-24-2005 9:11:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:35 [mantispm.exe]
ModuleName :
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
Command Line :
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
ProcessID : 3964
ThreadCreationTime : 7-24-2005 9:12:03 PM
BasePriority : Normal
FileVersion : 4, 2, 1, 2891
ProductVersion : 4, 2, 1, 2891
FileDescription : Spam Filter
InternalName : mantispm.exe
LegalCopyright : © 2002-2004
OriginalFilename : mantispm.exe

#:36 [msiexec.exe]
ModuleName : C:\WINDOWS\system32\msiexec.exe
Command Line : C:\WINDOWS\system32\msiexec.exe /V
ProcessID : 2584
ThreadCreationTime : 7-24-2005 9:12:18 PM
BasePriority : Normal


#:37 [iexplore.exe]
ModuleName : C:\Program Files\Internet
Explorer\iexplore.exe
Command Line : "C:\Program Files\Internet
Explorer\iexplore.exe"
ProcessID : 2868
ThreadCreationTime : 7-24-2005 9:16:33 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:38 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE
Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE
Personal\Ad-Aware.exe"
ProcessID : 3884
ThreadCreationTime : 7-24-2005 9:19:05 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: :
software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft
direct3d


MRU List Object Recognized!
Location: :
software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft
direct X


MRU List Object Recognized!
Location: :
software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft
directdraw


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft
internet explorer


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft
management console


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\office\8.0\common\open find\microsoft
word\settings\save as\file name mru
Description : list of recent documents saved by microsoft
word


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\office\8.0\excel\recent file list
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according
to file extension


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: :
S-1-5-21-1538417202-414440772-572454927-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 12




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12

4:53:14 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:27:42.938
Objects scanned:263910
Objects identified:0
Objects ignored:0
New critical objects:0



StartupList report, 7/24/2005, 8:59:35 AM
StartupList version: 1.52
Started from : C:\BugHunt\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\BugHunt\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\windows\system32\userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

USB = C:\WINDOWS\system32\usb.exe
S3TRAY2 = S3tray2.exe
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
KBD = C:\HP\KBD\KBD.EXE
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE"
/STANDALONE
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common
Framework\UpdaterUI.exe" /StartedFromRunKey
IPInSightLAN 02 = "C:\Program Files\Visual Networks\Visual IP
InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 = "C:\Program Files\Visual Networks\Visual IP
InSight\SBC\IPMon32.exe"
Motive SmartBridge = C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe
NvMediaCenter = RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
TempRemove = "C:\Program Files\Crystal Ball\CB
Predictor\terminator.exe"
nwiz = nwiz.exe /install
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program
Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
- {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll -
{53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - C:\Program Files\MSN Apps\MSN
Toolbar\01.02.3000.1001\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - c:\Program Files\Microsoft Money\System\mnyviewer.dll -
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1-Click Maintenance.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE =
http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: imslsp.dll (file MISSING)
Protocol #2: imslsp.dll (file MISSING)
Protocol #3: imslsp.dll (file MISSING)
Protocol #4: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #5: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #6: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #26: C:\WINDOWS\system32\ZoneLabs\vetredir.dll
Protocol #27: imslsp.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,996 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of
platform
/history - to list version history only




/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-03-08, 21:17:07, Auto-clean mode specified.
2005-03-08, 21:17:07, Running scanner "C:\BugHunt\TSC.BIN"...
2005-03-08, 21:17:37, Scanner "C:\BugHunt\TSC.BIN" has finished running.
2005-03-08, 21:17:37, TSC Log:

2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\$shtdwn$.req": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\spmsg.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\spuninst.exe": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2gdr\browseui.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2gdr\mshtml.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2gdr\shdocvw.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2gdr\urlmon.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2gdr\wininet.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2qfe\browseui.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2qfe\mshtml.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2qfe\shdocvw.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2qfe\urlmon.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\sp2qfe\wininet.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\branches.inf": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\eula.txt": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\KB834707.CAT": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\spcustom.dll": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\update.exe": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\update.ver": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\updatebr.inf": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\update_SP2GDR.inf": Access is denied.
2005-03-08, 21:17:38, Could not set file for reading on "C:\1846ac5a7991fc959b\update\update_SP2QFE.inf": Access is denied.
2005-03-08, 21:17:51, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat": Access is denied.
2005-03-08, 21:18:34, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2005-03-08, 21:20:00, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-03-08, 21:20:00, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-03-08, 21:20:02, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Temp\JETB7A3.tmp": Access is denied.
2005-03-08, 22:56:29, Could not set file for reading on "C:\WINDOWS\Prefetch\BUGOFF.EXE-37E513B3.pf": Access is denied.
2005-03-08, 22:56:29, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANUP.EXE-1671E52D.pf": Access is denied.
2005-03-08, 22:56:29, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANUP312.EXE-14E97D27.pf": Access is denied.
2005-03-08, 22:56:29, Could not set file for reading on "C:\WINDOWS\Prefetch\CNMSM4B.EXE-367413E3.pf": Access is denied.
2005-03-08, 22:56:29, Could not set file for reading on "C:\WINDOWS\Prefetch\CWSHREDDER.EXE-0DF67055.pf": Access is denied.
2005-03-08, 22:56:29, Could not set file for reading on "C:\WINDOWS\Prefetch\CWSINSTALL.EXE-0F4AE135.pf": Access is denied.
2005-03-08, 22:56:29, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Scout1,

I will continue in this topic.

Please post a fresh HJT log.
  • 0

#3
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Here's an updated HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 7:46:18 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\BugHunt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.formature...d=272&keywords=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\AIM Phone\n2paim.exe
O9 - Extra 'Tools' menuitem: AIM Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\AIM Phone\n2paim.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi scout1,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.

CWShredder

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder


2. Remove Infections


Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.formature...d=272&keywords=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

AWS / Weather Bug

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folder -

C:\Program Files\AWS

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.
  • 0

#5
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Task performed with the exception of the weaterbug remaoval. Program been there a lig time by request. Do you really think it needs to go ? Also, didn't understand the "prefetch" request.....

Logfile of HijackThis v1.99.1
Scan saved at 10:44:06 PM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\BugHunt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Scout1,


There are some minor stuff to fix. Your PC is clean of infections.

As regards Weatherbug, the earlier versions of the program are considered to be "bad". The recent versions are fine. As I do not know which version of Weatherbug you have, I would have preferred that you uninstall it and install the latest version if you want it !!! If you have the latest version of weatherbug, then you can retain it.


Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Fixing these entries in HJT wont uninstall the programs. It will only prevent them from running at startup thus freeing system resources and making your PC faster. You can always run the programs manually.

Reboot the PC and let me know how your PC is behaving.
  • 0

#7
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
OK,

Here's the update .......


Uninstalled Weatherbug and HJT cleaned up the items you listed. Always appreciate advice to get my pc to run faster.

Results ....

PC will still NOT shutdown under normal mode, will shutdown in safe mode. Below are the HJT logs for both configurations. Interestingly enough, was able to re-install weatherbug. First program to install in some time. (some progress, yeah !)

Here's the HJT for a normal start mode - can't shut down

Logfile of HijackThis v1.99.1
Scan saved at 9:16:39 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\BugHunt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Here's the HJT for a safe mode - does shut down

Logfile of HijackThis v1.99.1
Scan saved at 9:26:39 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\BugHunt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Question is, whose the trouble maker ????? Though I'm a computer weenie, couple of observations .....

1) I don't have msn any longer so I can probably lose these ?????
2) I still think it's an errant windows update that has gotten confused. Though
I haven't done a detailed comparison between the 2 HJT logs, I have noticed
the absence of msiexec.exe in the problem startup. Though I'm at a loss for
why it prevents a system restore even in safe mode.

Thoughts/suggestions .....
  • 0

#8
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
"I have noticed the absence of msiexec.exe in the NON-problem startup."
I think faster than type ....
  • 0

#9
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Scout1,


msiexec.exe is the program used by windows to install programs !!!! So dont delete it. However since that is running it implies that something is trying to get installed !!!!!!

Step 1

Click on Start ----> Settings ---> Control Panel ---> Administrative Tools ---> Computer Management.

In the left hand pane, click on Application (under Computer Managemetn (Local ---> System Tools ---> Event Viewer). In the right hand pane locate instances of MsiInstaller. It will be of particular use, if you can locate any instance of MsiInstaller with a warning or error notation.

Double click on it and then make a note of the details it provides.

Step2

Download Process Explorer from HERE

Run Process Explorer and find the following process in the list of Processes:

msiexec.exe.

Click on it. In the bottom pane it will list various parameters. Please make a note of all the parameters of File and Key.


Post back the notes from Step 1 and Step 2 here
  • 0

#10
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
"It will be of particular use, if you can locate any instance of MsiInstaller with a warning or error notation. "

Well that certainly hit a mark. Had numerous warnings (looks fairly consistent with a muliple of 2 for each time I was on the pc over some period of time. Also had some error messages from my recent "sucessful" install the other night where I got some strange messages but didn't seem to stop the install. Anyways, first things first. Here's the info from the 2 warnings that I believe appeared at least once per pc use.


Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 8/2/2005
Time: 10:32:04 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-W92P4BHLZG
Description:
Detection of product '{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}', feature 'feat.SystemPerm' failed during request for component '{C50ED491-8358-4351-89DA-33E1EF15BE2A}'

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.


Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1004
Date: 8/2/2005
Time: 10:32:04 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-W92P4BHLZG
Description:
Detection of product '{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}', feature 'feat.SystemPerm', component '{EB944547-9BA3-11D3-82BD-00C04FA309DE}' failed. The resource 'c:\WINDOWS\System32\msrepl35.dll' does not exist.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Lots of warnings over some period of time, but a quick glance through them appears to be a repeat of the above two warnings.


Now on to step two. Here's ths info from Process Tracker Tool

Process PID CPU Description Company Name
System Idle Process 0 89.71
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 556 Windows NT Session Manager Microsoft Corporation
csrss.exe 604 Client Server Runtime Process Microsoft Corporation
winlogon.exe 628 Windows NT Logon Application Microsoft Corporation
services.exe 672 2.94 Services and Controller app Microsoft Corporation
svchost.exe 836 Generic Host Process for Win32 Services Microsoft Corporation
ycommon.exe 1744 YCommon Exe Module Yahoo!, Inc.
gcasDtServ.exe 404 Microsoft AntiSpyware Data Service Microsoft Corporation
naPrdMgr.exe 1192 NAI Product Manager Network Associates, Inc.
scan32.exe 3636 On-Demand Scanner Network Associates, Inc.
svchost.exe 912 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1020 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1136 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1456 Spooler SubSystem App Microsoft Corporation
isafe.exe 492 ISafe Service Computer Associates International, Inc.
ewidoctrl.exe 520 ewido control ewido networks
ewidoguard.exe 536 guard ewido networks
FrameworkService.exe 608 Framework Service Network Associates, Inc.
mcshield.exe 860 On-Access Scanner service Network Associates, Inc.
vstskmgr.exe 1068 Task Manager : scheduling and OAS alerting service Network Associates, Inc.
nvsvc32.exe 1200 NVIDIA Driver Helper Service, Version 71.89 NVIDIA Corporation
vsmon.exe 1212 TrueVector Service Zone Labs, LLC
msiexec.exe 3840 Windows® installer Microsoft Corporation
alg.exe 3972 Application Layer Gateway Service Microsoft Corporation
lsass.exe 684 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1376 1.47 Windows Explorer Microsoft Corporation
zlclient.exe 1660 Zone Labs Client Zone Labs, LLC
ybrwicon.exe 1668 YBrwIcon Yahoo!, Inc.
shstat.exe 1700 On-access scanner statistics Network Associates, Inc.
rundll32.exe 1760 Run a DLL as an App Microsoft Corporation
MotiveSB.exe 1812 SBC Self Support Tool Alerts Motive Communications, Inc.
UpdaterUI.exe 1824 Common User Interface Network Associates, Inc.
KBD.EXE 1832 KBD EXE Hewlett-Packard Company
hpsysdrv.exe 1940 hpsysdrv Hewlett-Packard Company
Weather.exe 128 WeatherBug AWS Convergence Technologies, Inc.
iexplore.exe 968 Internet Explorer Microsoft Corporation
mmc.exe 3788 Microsoft Management Console Microsoft Corporation
winword.exe 4092
procexp.exe 180 2.94 Sysinternals Process Explorer Sysinternals
procexp.exe 2228 2.94 Sysinternals Process Explorer Sysinternals

Process: msiexec.exe Pid: 3840

Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\crypt32LogoffEvent
Event \BaseNamedObjects\DINPUTWINMM
Event \BaseNamedObjects\userenv: User Profile setup event
File C:\WINDOWS\Installer\185ea2.msi
File \Device\NamedPipe\SfcApi
File C:\WINDOWS\Installer\MSI8.tmp
File C:\Config.Msi\30bc9.rbs
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Device\NamedPipe\net\NtControlPipe17
File C:\WINDOWS\SYSTEM32
Key HKLM
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
Key HKCR
Key HKCR
Key HKCR
Key HKU\.DEFAULT
Key HKU
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18
Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Key HKCR\Installer\Products\7F3915FC73B65D117B2D00AA002A401F\SourceList
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKLM\SOFTWARE\Microsoft\COM3
Key HKCR\CLSID
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\_MSIExecute
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Port \RPC Control\OLE6940CFB4513846B4B7A87E7FCD09
Section \BaseNamedObjects\__R_00000000000d_SMem__
Section \BaseNamedObjects\DfRoot00005521E
Section \BaseNamedObjects\DFMap0-348700
Section \BaseNamedObjects\ShimSharedMemory
Semaphore \BaseNamedObjects\OleDfRoot00005521E
Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Thread msiexec.exe(3840): 3960
Thread msiexec.exe(3840): 3964
Thread msiexec.exe(3840): 3960
Thread msiexec.exe(3840): 3964
Thread msiexec.exe(3840): 1312
Thread msiexec.exe(3840): 3852
Thread msiexec.exe(3840): 3940
Thread msiexec.exe(3840): 3940
Token NT AUTHORITY\NETWORK SERVICE
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\Service-0x0-3e7$
  • 0

Advertisements


#11
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:

CF5193F7-6B37-11D5-B7D2-00AA00A204F1

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.
  • 0

#12
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "CF5193F7-6B37-11D5-B7D2-00AA00A204F1" 8/5/2005 9:10:41 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7F3915FC73B65D117B2D00AA002A401F]
"ProductIcon"="c:\\WINDOWS\\Installer\\{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}\\MnyIco.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Money System Pack\10.0\SysMsi]
"LastPackage"="{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"c:\\WINDOWS\\Installer\\{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}\\"=""
  • 0

#13
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Scout1,

The offending thing here is the Microsoft Money software.

The solution is to uninstall Money and then reinstall it if you use it !!! Do you have the CD for Microsoft Money??? There are no free downloads !!!
  • 0

#14
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Fair enough, now on the the next problem ....

Never have used Money, ever ......

Went to add/remove programs and it does NOT give me ANY options to change or remove. Would be happy to get rid of something that I never asked for, tried,etc ....

Suggestions ?
  • 0

#15
scout1

scout1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Tried uninstall with Tune up. Failed. Said I had an install in process that need to complete first ! Back to the original problem .....

Help
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP