winfixer and its ilk/ virtumonde?



#1
crossedfingers

    New Member

  • 5 posts
hi, for the past week i have had a heck of a problem. i'm not sure how it got into my computer, but i had winantispyware/winfixer/winantivirus trying to install on my computer. i ran adaware, got nothing, ran spybot s&d, nothing... started searching online, fixed some of it by analyzing my hijackthis file.

here is my most current scan from hijackthis--

Logfile of HijackThis v1.99.1
Scan saved at 5:42:37 PM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google....515hDXKVsR1zfLr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\ddcca.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...e=WWW.ABC15.COM
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125599395468
O17 - HKLM\System\CCS\Services\Tcpip\..\{97594398-BCD3-4364-9675-315AB602D2F0}: NameServer = 204.60.203.179 66.73.20.40
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Megan Hunt\Desktop\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

downloaded ewido which told me about the file up there- c:\windows\system32\ddcca.dll being infected with virtumonde. i ran a slew of other programs, including spysweeper, trend homecall (which cleaned some unrelated problems), trojanhunter (nothing), the symantec vundo and virtumonde fixers (nothing). also a^2, which found the file and said it was cleaned but nothing got cleaned. any time ewido picks up on it it doesn't fix the problem. and i tried using killbox to delete the file but it won't allow it.

help me fix what's wrong with my computer please! i am at my wits' end; i can't even open up my norton antivirus program or use system restore, it doesn't seem to want to let me. any suggestions please, i'll do them in a heartbeat.

thanks so much!
-meg
http://www.crossedfingers.net



#2
bricat

    Visiting Staff

  • 645 posts
Hello and Welcome to Geeks to Go!

I am in the process of looking through your log and will return shortly to assist you with your malware infestation.
Please be patient and keep checking back on this thread for my reply.

Bricat.

#3
bricat

    Visiting Staff

  • 645 posts
Hello and Welcome to Geeks to Go!


Step 1

Please download Process Explorer by Sysinternals from here

Also download KillBox by Option^Explicit from here

Step 2

Download the FixVundo Registry File from here and save it to your desktop.

Step 3

Print out the following instructions as you will not have Internet Access for the rest of this fix.

Then boot up in SAFE MODE

The rest of this fix must be done in safe mode.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of ddcca.dll once and then click the kill button.

After you have killed all of the ddcca.dll's under winlogon click OK.

If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.

Next double-click on explorer.exe, select the Threads tab, and again click once on each instance of ddcca.dll then click the kill button.

If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.


O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\ddcca.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll



Now click fix checked and close HijackThis.


Now double-click on the vundo.reg file that you saved on your desktop earlier and allow it to merge with the registry.

Step 4

Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box


C:\WINDOWS\system32\ddcca.dll


Click the red circle with the white x and say yes to the delete prompt but no to reboot now
then repeat with any of the reverse named .bak or .ini files

after you have input the last file name then reboot

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.
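As an added example (not code from this thread or from any of the tools it names): a small Python triage script that automates the two checks bricat's instructions rely on, namely pairing an O20 Winlogon Notify DLL with an O2 BHO that loads the same file, and searching a WinPFind-style file listing for the reverse-named .ini/.bak companions. The HijackThis lines and file listing inside it are constructed sample input modelled on the logs posted in this thread.

```python
import re

# Constructed sample input (not the page's own file), modelled on the
# HijackThis log posted in this thread: one entry per line.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\ddcca.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Constructed hidden/system file listing in WinPFind's
# "date time AM/PM attributes size path" layout.
FILE_LISTING = r"""
8/25/2005 1:18:50 PM HS 178679 C:\WINDOWS\system32\accdd.bak1
8/26/2005 1:18:54 PM HS 182913 C:\WINDOWS\system32\accdd.ini
9/2/2005 9:40:04 AM HS 183429 C:\WINDOWS\system32\accdd.ini2
7/31/2005 12:48:10 AM HS 2828 C:\WINDOWS\system32\KGyGaAvL.sys
"""

# O2 lines carry a CLSID between name and path; O20 lines do not.
ENTRY_RE = re.compile(
    r"^(O2|O20) - (?:BHO|Winlogon Notify): (.+?) - (?:\{[0-9A-Fa-f-]+\} - )?(.+)$"
)


def parse_hjt(text):
    """Return {"section", "name", "path"} dicts for every O2 and O20 line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "name": m.group(2), "path": m.group(3)})
    return entries


def parse_listing(text):
    """Return the path column of WinPFind-style lines; maxsplit keeps paths with spaces intact."""
    paths = []
    for line in text.splitlines():
        parts = line.strip().split(None, 5)
        if len(parts) == 6:
            paths.append(parts[5])
    return paths


def basename(path):
    return path.rsplit("\\", 1)[-1]


def stem(filename):
    # Everything before the first dot, so "accdd.bak1" and "accdd.ini2" share a stem.
    return filename.split(".", 1)[0]


def reversed_stem(path):
    """'...\\ddcca.dll' -> 'accdd': the reversed name the companion files carry."""
    return stem(basename(path))[::-1]


def triage(hjt_text, listing_text):
    """Flag the pattern bricat's instructions target:
    - an O2/O20 entry whose file is missing ("(no file)"): an orphan to clean up;
    - an O20 Winlogon Notify DLL that is also loaded as an O2 BHO, together with
      any files in the listing whose stem is that DLL's name reversed.
    """
    entries = parse_hjt(hjt_text)
    files = parse_listing(listing_text)
    bho_dlls = {e["path"].lower() for e in entries if e["section"] == "O2"}
    findings = []
    for e in entries:
        if e["path"] == "(no file)":
            findings.append({"kind": "orphan", **e, "companions": []})
        elif e["section"] == "O20" and e["path"].lower() in bho_dlls:
            rev = reversed_stem(e["path"]).lower()
            companions = [f for f in files if stem(basename(f)).lower() == rev]
            findings.append({"kind": "winlogon+bho", **e, "companions": companions})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, FILE_LISTING):
        print(f"[{f['kind']}] {f['section']} {f['name']} -> {f['path']}")
        for c in f["companions"]:
            print(f"    reverse-named companion: {c}")
```

On the sample input it reports the orphan "(no file)" BHO and the ddcca.dll Winlogon Notify entry with its three accdd.* companions, while the legitimate igfxcui entry is left alone.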

#4
crossedfingers

    New Member

  • Topic Starter
  • 5 posts
hi, thanks for helping! i'm having a bit of a problem with your instructions though...i downloaded process explorer, and first off, in the version i had, i didn't see the 'threads' tab you referred to. edit: okay i guess it defaulted to threads being open. ignore that part. secondly, while i could find ddcca.dll in both explorer and winlogon, i'm not sure-- is it supposed to be that you can kill the file without killing the entire process? because when i found the dll it was in the bottom window, not in the thread of winlogon in the top window, so when i clicked on kill, that took out the entire winlogon process. when i kill the processes, the computer restarts. that can't be right, can it?

can you help me out? sorry, while i'm not new to computers i've never had to inspect them this deeply before, so i obviously need help here

Edited by crossedfingers, 01 September 2005 - 08:21 PM.


#5
bricat

    Visiting Staff

  • 645 posts
In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

make sure you double click on winlogon.exe in the top section.

#6
crossedfingers

    New Member

  • Topic Starter
  • 5 posts
first off, thanks! i just realized this morning you said that in your original instructions. guess i was a little spacey from the computer.

here's my new hjt log. the good news? ddcca.dll seems to be gone. the bad news? the computer slowed down to a crawl for the first five minutes it was logged on, and then snapped into action. any idea what might've caused the lagginess? it was never like this before i deleted the file. also, my norton antivirus has gotten shut off again- last time i ran one of the spyware scans (which one it was eludes me at the moment, i think it was spybot s&d) it popped up with problems that were shutting off the antivirus system, so i think i'll run it again and maybe since the dll file's not with me now, it'll delete it for good.

Logfile of HijackThis v1.99.1
Scan saved at 9:57:50 AM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\aim\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google....515hDXKVsR1zfLr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...e=WWW.ABC15.COM
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125599395468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Megan Hunt\Desktop\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

thanks so much for all your help!

#7
bricat

    Visiting Staff

  • 645 posts
your log looks clean now, but i think we need to dig a little deeper.

Download WINPFIND.ZIP and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while. When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your next post.

#8
crossedfingers

    New Member

  • Topic Starter
  • 5 posts
here you go....

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 3/31/2003 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2005 9:31:38 PM 1449304 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
PEC2 2/28/2002 3:42:54 PM 13107200 C:\WINDOWS\SYSTEM32\oembios.bin
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/31/2003 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/2/2005 9:49:26 AM S 2048 C:\WINDOWS\bootstat.dat
8/26/2005 1:56:18 PM H 54156 C:\WINDOWS\QTFont.qfn
7/5/2005 4:40:48 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
9/1/2005 10:18:16 PM H 0 C:\WINDOWS\inf\oem36.inf
8/25/2005 1:18:50 PM HS 178679 C:\WINDOWS\system32\accdd.bak1
9/2/2005 9:20:30 AM HS 182545 C:\WINDOWS\system32\accdd.bak2
8/26/2005 1:18:54 PM HS 182913 C:\WINDOWS\system32\accdd.ini
9/2/2005 9:40:04 AM HS 183429 C:\WINDOWS\system32\accdd.ini2
8/26/2005 11:12:22 PM HS 183367 C:\WINDOWS\system32\accdd.tmp
7/31/2005 12:48:10 AM HS 2828 C:\WINDOWS\system32\KGyGaAvL.sys
8/28/2005 4:29:00 PM HS 303 C:\WINDOWS\system32\lnnmp.ini
7/8/2005 4:23:18 PM S 12143 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB893756.cat
7/19/2005 7:18:10 PM S 18913 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896727.cat
9/2/2005 12:45:40 PM H 1024 C:\WINDOWS\system32\config\default.LOG
9/2/2005 1:20:06 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/2/2005 10:49:56 AM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/2/2005 1:29:16 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/2/2005 1:28:12 PM H 1024 C:\WINDOWS\system32\config\system.LOG
8/20/2005 3:02:00 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
7/28/2005 2:43:10 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\23796108-b746-4a89-8f21-f834f0a9ec00
7/28/2005 2:43:10 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
9/2/2005 9:49:34 AM H 6 C:\WINDOWS\Tasks\SA.DAT
9/2/2005 9:35:00 AM H 0 C:\WINDOWS\temp\CSF5F01179-1DD2-4FA2-9FEE-D40C3E5818FB.tmp
9/1/2005 9:22:02 PM H 0 C:\WINDOWS\temp\CSF7D968E1-0D24-4E16-AA4F-8896467FE588.tmp
9/2/2005 9:35:00 AM H 0 C:\WINDOWS\temp\CSFA47FB81-7335-463C-BBED-A73965D82BBC.tmp
9/2/2005 9:35:00 AM H 0 C:\WINDOWS\temp\CSFE9794DD-EC4E-4316-BD03-7F85C9D45E51.tmp
9/1/2005 9:22:02 PM H 0 C:\WINDOWS\temp\CSFFA7D713-7AA5-4845-9983-170F97F529BF.tmp
9/1/2005 9:19:22 PM HS 113 C:\WINDOWS\temp\History\History.IE5\desktop.ini
9/1/2005 9:19:22 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\desktop.ini
9/1/2005 9:19:22 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\01QJO963\desktop.ini
9/1/2005 9:19:22 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\CLYNST2F\desktop.ini
9/1/2005 9:19:22 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\GPIJ85AB\desktop.ini
9/1/2005 9:19:22 PM HS 67 C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\SPQ34PYB\desktop.ini

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 6/18/2003 2:14:48 AM 8605696 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/6/2003 12:14:30 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 6/3/2004 10:05:06 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems 5/6/2001 3:14:22 PM 24665 C:\WINDOWS\SYSTEM32\plugincpl131.cpl
Sun Microsystems 3/4/2002 7:38:02 PM 45148 C:\WINDOWS\SYSTEM32\plugincpl131_02.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
11/19/1999 2:54:12 PM 155648 C:\WINDOWS\SYSTEM32\PPPoEService.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/31/2003 8:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 3/31/2003 8:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 8:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 4/6/2003 12:14:30 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0007\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/1/2003 5:26:12 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/1/2003 9:15:52 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
11/1/2003 5:26:12 PM HS 84 C:\Documents and Settings\Megan Hunt\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
11/1/2003 9:15:52 AM HS 62 C:\Documents and Settings\Megan Hunt\Application Data\desktop.ini
6/15/2005 11:54:16 PM 560 C:\Documents and Settings\Megan Hunt\Application Data\ViewerApp.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Macromedia.FlashPaper.ContextMenu
{9DED7A30-D572-4D21-8D82-6945EA697400} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= C:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6224f700-cba3-4071-b251-47cb894244cd}
ButtonText = ICQ : C:\Program Files\ICQ\ICQ.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\aim\aim.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = AIM Search : C:\Program Files\AIM Toolbar\AIMBar.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\aim\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/2/2005 1:34:14 PM

Thanks in advance!
-meg
  • 0

#9
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed at how long it takes. When it is done, your Temporary Internet Files will have been deleted.

Then post a fresh HJT log and give us an update on how the computer is performing.
  • 0

#10
crossedfingers

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
OK, here's the new HJT file...

Logfile of HijackThis v1.99.1
Scan saved at 2:18:31 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WinPFind\WinPFind\WinPFind.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google....515hDXKVsR1zfLr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...e=WWW.ABC15.COM
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125599395468
O17 - HKLM\System\CCS\Services\Tcpip\..\{97594398-BCD3-4364-9675-315AB602D2F0}: NameServer = 204.60.203.179 66.73.20.40
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Megan Hunt\Desktop\cwshredder.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Right now it's been running fine, apart from the very slow load-up time. Also, I did find traces of an adware delaying my Norton AntiVirus software; I deleted it, but still, when I open up its control options, the email scanning and auto-scanning are off (email scanning says there's an error) and I can't get it to turn on. Neither can I get the Gmail Notifier I had to work, but that's not a huge deal right now. A little confused there, but the computer's working worlds better than it did!

Thanks,
-meg
  • 0
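As an added example (it is not from this thread and not part of HijackThis), here is a small Python triage script over the O2/O4/O17/O23 entry formats seen in the log above. It records what each entry points at and raises the review points a helper checks by eye: a BHO whose CLSID maps to "(no file)", an autostart or service binary living in a user-writable location, and explicitly configured DNS servers. The sample lines are copied from the log; the list of user-writable directories is my own assumption, and a flag means "look at this", not "this is malware".

```python
"""Triage helper for HijackThis v1.99-style log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O17 - HKLM\System\CCS\Services\Tcpip\..\{97594398-BCD3-4364-9675-315AB602D2F0}: NameServer = 204.60.203.179 66.73.20.40
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Megan Hunt\Desktop\cwshredder.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every HJT entry is "<code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Assumed heuristic: on XP, persistent components normally do not live under
# a user profile or a temp directory, so a path there deserves a second look.
USER_WRITABLE_DIRS = ("\\documents and settings\\", "\\temp\\")


@dataclass
class Entry:
    code: str
    body: str
    fields: Dict[str, object] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)


def _in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_DIRS)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for blank or non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(code=m["code"], body=m["body"])
    if entry.code == "O2" and (b := BHO_RE.match(entry.body)):
        entry.fields = b.groupdict()
        if entry.fields["path"] == "(no file)":
            entry.flags.append("orphaned BHO registration: CLSID points at no file")
    elif entry.code == "O4" and (r := RUN_RE.match(entry.body)):
        entry.fields = r.groupdict()
        if _in_user_writable(entry.fields["command"]):
            entry.flags.append("autostart command lives in a user-writable directory")
    elif entry.code == "O17" and (n := NS_RE.search(entry.body)):
        entry.fields = {"servers": n["servers"].split()}
        entry.flags.append("explicit DNS servers configured: confirm they belong to the ISP")
    elif entry.code == "O23" and (s := SVC_RE.match(entry.body)):
        entry.fields = s.groupdict()
        if _in_user_writable(entry.fields["path"]):
            entry.flags.append("service binary under a user profile directory")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised entry in a log, in order."""
    parsed = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None]


def review_points(log_text: str) -> List[tuple]:
    """Return (code, flag) pairs for each entry that deserves a second look."""
    return [(e.code, f) for e in triage(log_text) for f in e.flags]


if __name__ == "__main__":
    for code, flag in review_points(SAMPLE_LOG):
        print(f"{code}: {flag}")
```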

#11
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
That looks clean now.

DISABLE SYSTEM RESTORE, run your antivirus, and when you get the all clear,
restart your System Restore (same page). Then create a new restore point:

Click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE, click on "create new restore point",
click on NEXT and follow the prompts.

This is to ensure that if you have to do a System Restore in the future, you don't get all the nasties reinstalled again.

Download CCLEANER, then run the scan under the Windows tab.

Then DEFRAG your C:\ drive to help speed up your system.

Then let us know how the computer is running.
  • 0





