Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works


  • Please log in to reply




  • Topic Starter
  • Member
  • PipPip
  • 11 posts
IE is acting a bit quirky on occasion. When I enter url, it comes back with an error saying something like it can't open the search page (as if I am doing a web search and it can't function). I reset modem, and somehow got it working to get to the gtg web site. Retry a few more times and everything appears normal. I'll capture the message if it happens again. Not sure if it is related. :tazz:

Here is the silent runner text log. Let me know what bad stuff you see. Thanks again for your help getting rid of this mess!

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet" [file not found]
"PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe" ["Simple Star, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"(Default)" = (empty string)
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [file not found]
"Daemon14" = "C:\PROGRA~1\MICROS~4\GAMECO~1\STRATE~1\daemon14.exe" [MS]
"SideWinderTrayV4" = "C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe" [MS]
"IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"CaAvTray" = ""C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"" ["Computer Associates International, Inc."]
"CAVRID" = ""C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"" ["Computer Associates International, Inc."]
"tgcmd" = ""C:\Program Files\support.com\bin\tgcmd.exe" /server" ["Support.com, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]

QuickFinderMenu\(Default) = "{C0E10002-0028-0003-C0E1-C0E1C0E1C0E1}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\WordPerfect Office 2002\PROGRAMS\PFSE100.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]

CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 23
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

Toolbars, Explorer Bars, Extensions:

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" [file not found]

{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Researcher" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
"ButtonText" = "Researcher"

"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.sony.com/vaiopeople

Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):

CAISafe, CAISafe, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe" ["Computer Associates International, Inc."]
VAIO Media Music Server (Application), VAIOMediaPlatform-MusicServer-AppServer, ""C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"" ["Sony Corporation"]
VAIO Media Music Server (HTTP), VAIOMediaPlatform-MusicServer-HTTP, ""C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"" ["Sony Corporation"]
VAIO Media Music Server (UPnP), VAIOMediaPlatform-MusicServer-UPnP, "C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe" ["Sony Corporation"]
VAIO Media Photo Server (Application), VAIOMediaPlatform-PhotoServer-AppServer, "C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe" [empty string]
VAIO Media Photo Server (HTTP), VAIOMediaPlatform-PhotoServer-HTTP, ""C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"" ["Sony Corporation"]
VAIO Media Photo Server (UPnP), VAIOMediaPlatform-PhotoServer-UPnP, "C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe" ["Sony Corporation"]
VET Message Service, VETMSGNT, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe" ["Computer Associates International, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 97 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 25 seconds.
---------- (total run time: 163 seconds)
  • 0





  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Everything appears to be OK this AM, so probably was a communication problem. Requested log attached in previous post.
  • 0




  • Retired Staff
  • 11,413 posts
Sorry, I had a long day and will get to this later tonight.
  • 0




  • Retired Staff
  • 11,413 posts
The log looks good. Everything still running smooth?

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 11 posts
No problems. It is a big project, so take a break! Let me know if you see anything else I should delete. I really appreciate all the expertise!
  • 0




  • Retired Staff
  • 11,413 posts
I think you're good to go. I will leave this log open for a few more days, just in case you have any more problems. Good luck. :tazz:
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Cheers! :tazz:
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP