Persistent virus/hijacker [RESOLVED]


  • This topic is locked

#16
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
Update --

Last night, I saw that my other computer was exhibiting the same behavior. The two computers both access the internet through a wireless access point. I don't think I have file sharing enabled for either computer, and know I did not move media from one computer to the other. That computer gives me the same "Generic Host Process Services for Win32" message, and the technical information refers again to a file named "svchost.exe.mdmp" running out of the TEMP directories.

This feels like a worm/virus/trojan of some sort. I'm just wondering whether it has modified Norton AV to avoid detection.

Sigh.
  • 0

#17
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,


Let's do two things -


1) Make sure that the Windows Firewall is up and running.

Click on Start ---> Settings ---> Control panel. Double click on Windows Firewall. Click on General Tab. Make sure that the ON button is checked.

Click on Exceptions tab. The list of programs which would be allowed by the firewall to operate freely would be listed here. Make a note of any program you are not familiar with and let me know about it.

2) Run Internet Explorer. Click on Tools ---> Internet Options ---> Security. For each of the 4 items - Internet, Local Intranet, Trusted Sites and Restricted Sites - let me know what the security settings are. If any of them are set to Custom Level, then please click on Custom Level button and make a note of settings for each item under ActiveX Controls and Plugins and let me know.


Finally, Download FxBlast.exe and save it on your Desktop.

Now disconnect the internet connection. If you have cable / DSL connectivity, then switch off the modem / router and remove the cord between the PC and the modem.

Run FxBlast.exe. Let it fix any items it finds.

Reconnect back the cord between the PC and the modem. Switch on the modem.

Reboot the PC.

Let me know how that goes.
  • 0

#18
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
Okay, doing it.

Windows Firewall was turned "off". I had been using Norton Internet Security and its inherent firewall. Is Norton's flawed?

In any event, here are the exceptions:

Four exceptions for "file and printer sharing", all of which are limited in scope to my subnet. I think I installed these for gaming with my son (I just haven't done that in months).

One Remote assistance program -- I don't recall it, but maybe it was installed way back when my computer was last reformatted (about a year ago, IIRC). The program is "c:\windows\system32\sessmgr.exe".

Looking at the Norton Personal Firewall, it is set to a custom level. It is allowing the following unfamiliar programs:

Gamedrvr.exe
GTEK AOL on Desktop
Two instances of Microsoft Application Error Reporting
Two instances of Microsoft Generic Host Process for Win32 Services (the error messages come up on these programs!)
Two instances of Microsoft Help & Support Center
Microsoft DOS FTP (I always use WinFTP myself)
Microsoft Help Center Hosting Server
Microsoft HTML Application Host
point32.exe
rundll32.exe
WildTangent application
WildTangent AIM WD Installer


I'm guessing that the WildTangent issues are part of the problem. I also noticed that many of the programs (like Outlook, Corel WordPerfect (yes, I am a dinosaur) and others) appeared 2-5 times on the list.

My Internet Explorer Security levels were all "custom." Here are the Internet settings:

.NET Framework-reliant components:
Run components not signed with Authenticode -- ENABLED
Run components signed with Authenticode -- ENABLED

ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- DISABLED
Binary and Script Behaviors -- ENABLED
Download signed ActiveX controls -- ENABLED
Download unsigned ActiveX controls -- PROMPT
Initialize and script ActiveX controls not marked as safe -- PROMPT
Run ActiveX controls and plug-ins -- ENABLED
Script ActiveX controls marked safe for scripting -- ENABLED

Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- ENABLED
Font download -- ENABLED

Java VM:
Java Permissions -- LOW SAFETY

Miscellaneous:
Access data sources across domains -- ENABLED
Allow META REFRESH -- ENABLED
Allow scripting of Internet Explorer Webbrowser control -- DISABLED
Allow script-initiated windows without size or position constraints -- DISABLED
Allow Web pages to use restricted protocols for active content -- PROMPT
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists --  ENABLED
Drag and drop or copy and paste files -- ENABLED
Installation of desktop items -- ENABLED
Launching programs and files in an IFRAME -- ENABLED
Navigate subframes across different domains -- ENABLED
Open files based on content, not file extension -- ENABLED
Software channel permissions -- LOW SAFETY
Submit non-encrypted form data -- ENABLED
Use Pop-up Blocker -- ENABLED
Userdata persistence -- ENABLED
Web sites in less privileged web content zone can navigate into this zone -- ENABLED

Scripting:
Active Scripting -- ENABLED
Allow paste operations via script -- ENABLED
Scripting of Java applets -- ENABLED

User Authentication: Logon:
Automatic logon with current username and password


Now for the Local Intranet settings:

.NET Framework-reliant components:
Run components not signed with Authenticode -- ENABLED
Run components signed with Authenticode -- ENABLED

ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- ENABLED
Binary and Script Behaviors -- ENABLED
Download signed ActiveX controls -- PROMPT
Download unsigned ActiveX controls -- DISABLED
Initialize and script ActiveX controls not marked as safe -- DISABLED
Run ActiveX controls and plug-ins -- ENABLED
Script ActiveX controls marked safe for scripting -- ENABLED

Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- ENABLED
Font download -- ENABLED

Java VM:
Java Permissions -- MEDIUM SAFETY

Miscellaneous:
Access data sources across domains -- PROMPT
Allow META REFRESH -- ENABLED
Allow scripting of Internet Explorer Webbrowser control -- ENABLED
Allow script-initiated windows without size or position constraints -- ENABLED
Allow Web pages to use restricted protocols for active content -- PROMPT
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists --  ENABLED
Drag and drop or copy and paste files -- ENABLED
Installation of desktop items -- PROMPT
Launching programs and files in an IFRAME -- PROMPT
Navigate subframes across different domains -- ENABLED
Open files based on content, not file extension -- ENABLED
Software channel permissions -- MEDIUM SAFETY
Submit non-encrypted form data -- ENABLED
Use Pop-up Blocker -- DISABLED
Userdata persistence -- ENABLED
Web sites in less privileged web content zone can navigate into this zone -- ENABLED

Scripting:
Active Scripting -- ENABLED
Allow paste operations via script -- ENABLED
Scripting of Java applets -- ENABLED

User Authentication: Logon:
Automatic logon only in Intranet zone



Now the Custom Sites:

.NET Framework-reliant components:
Run components not signed with Authenticode -- ENABLED
Run components signed with Authenticode -- ENABLED

ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- ENABLED
Binary and Script Behaviors -- ENABLED
Download signed ActiveX controls -- ENABLED
Download unsigned ActiveX controls -- PROMPT
Initialize and script ActiveX controls not marked as safe -- PROMPT
Run ActiveX controls and plug-ins -- ENABLED
Script ActiveX controls marked safe for scripting -- ENABLED

Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- ENABLED
Font download -- ENABLED

Java VM:
Java Permissions -- LOW SAFETY

Miscellaneous:
Access data sources across domains -- ENABLED
Allow META REFRESH -- ENABLED
Allow scripting of Internet Explorer Webbrowser control -- ENABLED
Allow script-initiated windows without size or position constraints -- ENABLED
Allow Web pages to use restricted protocols for active content -- ENABLED
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists --  PROMPT
Drag and drop or copy and paste files -- ENABLED
Installation of desktop items -- ENABLED
Launching programs and files in an IFRAME -- ENABLED
Navigate subframes across different domains -- ENABLED
Open files based on content, not file extension -- ENABLED
Software channel permissions -- LOW SAFETY
Submit non-encrypted form data -- ENABLED
Use Pop-up Blocker -- DISABLED
Userdata persistence -- ENABLED
Web sites in less privileged web content zone can navigate into this zone -- PROMPT

Scripting:
Active Scripting -- ENABLED
Allow paste operations via script -- ENABLED
Scripting of Java applets -- ENABLED

User Authentication: Logon:
Automatic logon with current username and password



Finally, here are the Restricted Sites:

.NET Framework-reliant components:
Run components not signed with Authenticode -- DISABLED
Run components signed with Authenticode -- DISABLED

ActiveX Controls and plugins:
Automatic prompting for Active-X controls -- DISABLED
Binary and Script Behaviors -- DISABLED
Download signed ActiveX controls -- DISABLED
Download unsigned ActiveX controls -- DISABLED
Initialize and script ActiveX controls not marked as safe -- DISABLED
Run ActiveX controls and plug-ins -- DISABLED
Script ActiveX controls marked safe for scripting -- DISABLED

Downloads:
Automatic prompting for file downloads -- DISABLED
File download -- DISABLED
Font download -- PROMPT

Java VM:
Java Permissions -- DISABLE JAVA

Miscellaneous:
Access data sources across domains -- DISABLED
Allow META REFRESH -- DISABLED
Allow scripting of Internet Explorer Webbrowser control -- DISABLED
Allow script-initiated windows without size or position constraints -- DISABLED
Allow Web pages to use restricted protocols for active content -- DISABLED
Display mixed content -- PROMPT
Don't prompt for client certificate selection when no certificates or only one certificate exists --  DISABLED
Drag and drop or copy and paste files -- DISABLED
Installation of desktop items -- DISABLED
Launching programs and files in an IFRAME -- DISABLED
Navigate subframes across different domains -- DISABLED
Open files based on content, not file extension -- DISABLED
Software channel permissions -- HIGH SAFETY
Submit non-encrypted form data -- PROMPT
Use Pop-up Blocker -- ENABLED
Userdata persistence -- DISABLED
Web sites in less privileged web content zone can navigate into this zone -- DISABLED

Scripting:
Active Scripting -- DISABLED
Allow paste operations via script -- DISABLED
Scripting of Java applets -- DISABLED

User Authentication: Logon:
Prompt for username and password



I also use Mozilla Firefox -- I checked the security settings and they appear okay (all three SSL security boxes are checked). Do you need more info?

Finally, I'm ready to run FxBlast.exe. I'm at the office, so I don't have connectivity on my personal laptop. For good measure, though, I popped the Linksys card -- and the machine died.

That's never happened before. Odd.

Okay, rebooted without the laptop wireless card plugged in. Interestingly, I got no error messages this time. Perhaps the malware determines whether it has internet access before attempting to do its thing?

Now to run FxBlast.exe.

It didn't find anything.

After looking at the "permissions" in my Norton Firewall, I took a gander at my program directories. I do not have AOL, but it is on there. I have not downloaded AIM, but it is on there. Weatherbug (which I have NEVER used on this computer) is on there. Something called Msnmusic is on there (never heard of that); Netmeeting is on there -- dated last week (I didn't install it); and a new folder called "xerox" with a subfolder titled "nwwia" that I am not able to delete (WinXP says it is in use by another person or program). It is also a hidden file.

Okay -- now I reinserted the linksys card and rebooted. I am still getting the error messages. This does not appear to have worked.

Sigh.

Edited by MrSpkr, 23 August 2005 - 12:56 PM.

  • 0
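Added example (not part of the original thread): the zone listings in post #18 can be compared mechanically. This Python script parses the `setting -- VALUE` lines and reports where the Internet zone is more permissive than Local Intranet; the sample is an excerpt of the posted values, and the permissiveness ranking and the treatment of the pop-up blocker as a protective setting are assumptions of the example.

```python
# Added example: values below are excerpted from the settings posted in #18.
INTERNET = """\
ActiveX Controls and plugins:
Download signed ActiveX controls -- ENABLED
Download unsigned ActiveX controls -- PROMPT
Initialize and script ActiveX controls not marked as safe -- PROMPT
Run ActiveX controls and plug-ins -- ENABLED
Java VM:
Java Permissions -- LOW SAFETY
Miscellaneous:
Access data sources across domains -- ENABLED
Allow scripting of Internet Explorer Webbrowser control -- DISABLED
Installation of desktop items -- ENABLED
Launching programs and files in an IFRAME -- ENABLED
Software channel permissions -- LOW SAFETY
Use Pop-up Blocker -- ENABLED
"""
LOCAL_INTRANET = """\
ActiveX Controls and plugins:
Download signed ActiveX controls -- PROMPT
Download unsigned ActiveX controls -- DISABLED
Initialize and script ActiveX controls not marked as safe -- DISABLED
Run ActiveX controls and plug-ins -- ENABLED
Java VM:
Java Permissions -- MEDIUM SAFETY
Miscellaneous:
Access data sources across domains -- PROMPT
Allow scripting of Internet Explorer Webbrowser control -- ENABLED
Installation of desktop items -- PROMPT
Launching programs and files in an IFRAME -- PROMPT
Software channel permissions -- MEDIUM SAFETY
Use Pop-up Blocker -- DISABLED
"""

# Assumed ordering, least to most permissive, on each of the two scales used.
RANK = {"DISABLED": 0, "PROMPT": 1, "ENABLED": 2,
        "DISABLE JAVA": 0, "HIGH SAFETY": 1, "MEDIUM SAFETY": 2, "LOW SAFETY": 3}
# Settings where ENABLED is the stricter choice (assumption of this example).
PROTECTIVE = {"Use Pop-up Blocker"}


def parse_zone(text):
    """Return {setting: VALUE} from 'setting -- VALUE' lines; headings are skipped."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" -- ")
        if sep:
            settings[name.strip()] = value.strip().upper()
    return settings


def permissiveness(name, value):
    """Map a value to a comparable rank, inverted for protective settings."""
    rank = RANK.get(value)
    if rank is None:
        return None  # free-text value such as the logon mode
    return -rank if name in PROTECTIVE else rank


def looser_than(zone, baseline):
    """List (setting, zone value, baseline value) where zone is more permissive."""
    out = []
    for name, value in zone.items():
        if name not in baseline:
            continue
        a = permissiveness(name, value)
        b = permissiveness(name, baseline[name])
        if a is not None and b is not None and a > b:
            out.append((name, value, baseline[name]))
    return out


if __name__ == "__main__":
    internet, intranet = parse_zone(INTERNET), parse_zone(LOCAL_INTRANET)
    for name, inet, lan in looser_than(internet, intranet):
        print(f"{name}: Internet={inet}, Local Intranet={lan}")
```
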

#19
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Let's try two things -


1) Please visit this page at McAfee -
http://vil.nai.com/vil/stinger/

Download Stinger and follow the instructions to do a scan. NOTE - please do not turn off System Restore as the site says. We will tackle the System Restore later once everything is clean.



2) Next time you have the error pop-up, immediately follow the instructions below -

Please click on Start ---> Settings ---> Control panel ----> Administrative Tools ---> Computer Management ---> System Tools ---> Event Viewer.


Under both "Application" and "System" check for error messages. Post back the detailed error messages. We can then narrow down as to where the problem is.
  • 0

#20
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
Okay. System Restore was already turned off from use of an earlier application.

I ran Stinger, but it didn't seem to find anything. I am going to reboot and see if I still get the error messages.

Is there anything I can run to get rid of the WildTangent stuff?
  • 0

#21
MrSpkr

  • Topic Starter
  • Member
  • 62 posts

2) Next time you have the error pop-up, immediately follow the instructions below -

Please click on Start ---> Settings ---> Control panel ----> Administrative Tools ---> Computer Management ---> System Tools ---> Event Viewer.
Under both "Application" and "System" check for error messages. Post back the detailed error messages. We can then narrow down as to where the problem is.


Here we go.

Powered on at the office (meaning, no internet access) at 9:12:27 am. Logged on a minute or so later.

APPLICATION:

9:14:08 a.m. -- Error message -- Application Error -- Category (100)
Event ID:  1000
Description:  Faulting application svchost.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x009a6f9a.

9:17:31 AM -- Information message -- ccPwdSvc application started.

9:17:37 am -- Error message -- Faulting Application svchost.exe, version 5.1.2600.1280, faulting mode unknown, version 0.0.0.0, fault address 0x009a6f9a.


SYSTEM:

9:12:26 AM -- Information -- The Event Log services was started.

9:13:52 AM -- Error -- The Windows Image Acquisition (WIA) service hung on starting.

9:13:52 AM -- A variety of services/events started.  One, my wireless internet card, shut down a second later (probably because I didn't have the wireless card in my computer).

9:14:09 AM -- Error -- The Windows Image Acquisition (WIA) service terminated unexpectedly.  It has done this 1 time(s).

Looking back on the previous evening's logs, I found a series of error messages. One is a "Windows Image Acquisition" service message -- says WIA is shutting down and has done this 1 time(s) --wonder why today's error wasn't the 2nd time WIA had shut down?

Also found this series of interesting messages. Keep in mind, I got these while my computer had full access to the internet:

9:38:52 PM -- Information message -- The system detected that network adapter . . . <snip> . . . was connected to the network, and has initiated normal operation over the network adapter.

9:48:04 PM -- Source: MRxSmb  Category: None  Event ID:  8003
The master browser has received a server announcement from the computer YOUR-B188E2F7FC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{56DC263C-CE2.  The master browser is stopping or an election is being forced.


The same message is repeated verbatim at 10:48:04 PM, 11:48:09 PM and 12:48:13 AM.

Also, going back through the past several days, I count at least five times in the past two days that WIA terminated unexpectedly.

Now, should I get some cloves of garlic, a stake, and some holy water to treat my laptop? :tazz:

Steve

Edited by MrSpkr, 24 August 2005 - 08:49 AM.

  • 0

#22
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Do you have any scanners / cameras installed on your PC ????
  • 0

#23
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
Our primary printer is an HP All-in-one color printer/fax/scanner. I also have an HP 350 digital camera.

The printer is connected wirelessly through the primary wireless access point. The camera is a regular digital camera that I connect to the laptop via USB whenever I need to download pictures.
  • 0

#24
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Can you uninstall and then reinstall the Printer/scanner ???
  • 0

#25
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
I can uninstall now -- but I will have to wait until this evening to reinstall and test.
  • 0

#26
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Do it at one go and post back when done.

Uninstall the Printer.

Reboot the PC and then install it back. Let me know how it goes.
  • 0

#27
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
Okay, going to do this this afternoon. Been out of the office/working late last several days.

Steve
  • 0

#28
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Steve,

Sure post back how it goes
  • 0

#29
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
Did it -- have now lost all connectivity with my laptop. I am posting from my wife's computer.

At this point, I have uninstalled all the linksys programs and reinstalled them; I have also uninstalled all the HP programs (and NOT reinstalled them).

I think I am going to reinstall windows (moving all critical data from the C:\ drive to the D:\ and E:\ drives). Then we will see if I can get connectivity again.

It is weird, because my wife's computer ALSO connects wirelessly to the router, but it isn't having the problems I am having (well, it is getting the pop-up error messages I described earlier, but it can still connect to the internet).

Sorry to have waited so long to reply, but I have been off the air for nearly two weeks.

Steve

UPDATE: Okay, I have now gotten direct connection and wireless connectivity with my access point by turning off the encryption. So, no reinstalling windows for now.

Edited by MrSpkr, 03 September 2005 - 02:27 PM.

  • 0

#30
MrSpkr

  • Topic Starter
  • Member
  • 62 posts
Okay, I have unloaded all HP software. I no longer get the error message, but my computer is occasionally "freezing" as I described earlier. The problem is getting worse -- now, the computer does not recover and I have to power down and turn it back on. Also, I notice that from time to time the desktop picture does not refresh.

I just ran AdAware and killed 13 processes. Here is my latest "HijackThis!" log:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:23 PM, on 9/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephen Hines\Desktop\Security Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124323643390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Please advise. If we cannot get this fixed soon, wiping the C:\ drive and reinstalling Windows (and EVERYTHING ELSE!) is an option, though an unpalatable one. :tazz:

Steve
  • 0
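Added example (not part of the original thread): a first-pass triage of a HijackThis log like the one in post #30, written in Python. The sample lines are an excerpt of that log; the four checks are heuristics assumed for this example, and a hit only means "verify this entry by hand", not that the entry is malicious.

```python
import re

# Excerpt of the HijackThis v1.99.1 log posted in #30, embedded as sample input.
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_KEY = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[[^\]]+\] (?P<cmd>.*)$")
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')
SERVICE = re.compile(
    r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*)$")


def triage(log_text):
    """Return (code, note, line) for entries worth checking by hand."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header line or running-process path
        code, body = m.group("code"), m.group("body")
        note = None
        if code in ("O2", "O9") and "(no name)" in body:
            note = "component has no display name"
        elif code == "O4":
            run = RUN_KEY.match(body)
            if run and not FULL_PATH.match(run.group("cmd")):
                # The binary is located through the search path, so the
                # log alone does not say which file actually runs.
                note = "autostart command has no full path"
            elif body.startswith("Global Startup:") and body.endswith("= ?"):
                note = "shortcut target shown as '?'"
        elif code == "O23":
            svc = SERVICE.match(body)
            if svc and not svc.group("vendor").strip():
                note = "service entry has an empty company field"
        if note:
            findings.append((code, note, line))
    return findings


if __name__ == "__main__":
    for code, note, line in triage(SAMPLE):
        print(f"[{code}] {note}\n    {line}")
```
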





