Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Can't get rid of WinAntispyware 2005 completely [RESOLVED]


  • This topic is locked This topic is locked

#1
dmayspa

dmayspa

    New Member

  • Member
  • Pip
  • 6 posts
I have followed your directions precisely and have done more. I was finally able to stop Winfixer popups when I disabled from startup a byvsp.dll file using Spybot's advanced settings. However, Earthlink's spyware program which is webroot continues to find WinAntispyware 2005 on every scan. Can you please help? Here is my HijackThis log.

Thanks,

Logfile of HijackThis v1.99.1
Scan saved at 11:03:25 AM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\THEWEA~2\The Weather Channel.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpywareBlocker.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Documents and Settings\dmays1\Desktop\Spyware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lsuhsc.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lsuhsc.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUSBrowserHelper Class - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINNT\System32\BhoCitUS.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [\\bobscomputer\EPSON Stylus Photo RX500] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P39 "\\bobscomputer\EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~2\The Weather Channel.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpywareBlocker.exe" /0
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Skyscape smARTupdate.lnk.disabled
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.regions.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivil...ve/makeover.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.c...eX/wlaninfo.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger...pDownloader.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O17 - HKLM\Software\..\Telephony: DomainName = master.lsuhsc.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O18 - Protocol: bw+0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello dmayspa and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have a “Fort Knox” system, which is probably 90% of the problem. Let’s see what we can do with the first sweep.

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled) then click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection.

Please open Spybot S & D, and turn off Resident Teatimer. Do this by clicking Mode at the top of the screen, choose Advanced Mode then Tools and then Resident and unchecking Teatimer. It will hinder our attempts to clear out some files that need to be removed.

Now please ensure the following programmes are also disabled from running in real-time: WinPatrol, Spyware Blocker and SpywareGuard. Ewido Guard does not appear to be enabled although installed.

When your PC has been declared clean, please only enable one of those six programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O15 - Trusted Zone: www.regions.com
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: bw+0 - {3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
******ALL O18 ENTRIES******
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
******ALL O18 ENTRIES******
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Post back a fresh HijackThis log (from normal mode) and I will take another look. How is it running now?
  • 0

#3
dmayspa

dmayspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello and thank you so much for your reply. My computer was configured for use on the network at school and it does have privileges for another person who is part of the IT team. I do have administrator privieges however. Since my original post I have added Mozilla Firefox and removed a lot of programs so I thought I should post another HiJackThis to make sure the directions you posted are still good.

Thank you again. I REALLY appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 10:11:48 AM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink

TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common

Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\System32\alg.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control

Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common

Framework\UpdaterUI.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\EarthLink\Protection Control

Center\elnk_pcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\AuthFw.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\dmays1\Desktop\Spyware

Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://www.earthlink...button/search.h

tml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search

Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search

Page =

http://www.earthlink...button/search.h

tml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start

Page = http://www.lsuhsc.edu
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

Page = http://www.lsuhsc.edu
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =

http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection

Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: SrchHook Class -

{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program

Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) -

~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 -

{15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program

Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: CitiUSBrowserHelper Class -

{387EDF53-1CF2-4523-BC2F-13462651BE8C} -

C:\WINNT\System32\BhoCitUS.dll
O2 - BHO: SpywareGuard Download Protection -

{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program

Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink PopUp Blocker V2 -

{512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program

Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Earthlink Protection BHO -

{9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program

Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar -

{E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program

Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar -

{C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program

Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program

Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI

Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program

Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program

Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program

Files\Network Associates\Common Framework\UpdaterUI.exe"

/StartedFromRunKey
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter

4.2\THGuard.exe"
O4 - HKLM\..\Run: [\\bobscomputer\EPSON Stylus Photo

RX500]

C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P39

"\\bobscomputer\EPSON Stylus Photo RX500" /O6 "USB002" /M

"Stylus Photo RX500"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program

Files\Adobe\Photoshop Album Starter

Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol]

C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center]

C:\Program Files\EarthLink\Protection Control

Center\elnk_pcc.exe /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN

Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather

Channel FW\Desktop Weather\DesktopWeather.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program

Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [Desktop Weather 3]

C:\PROGRA~1\THEWEA~2\The Weather Channel.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program

Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Skyscape smARTupdate.lnk.disabled
O4 - Startup: SpywareGuard.lnk = C:\Program

Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Logitech Desktop

Messenger.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet

Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi -

{4C730913-3961-439b-83D5-F4E445520422} - C:\Program

Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM -

{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINNT\System32\Shdocvw.dll
O15 - Trusted Zone: www.regions.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}

(Support.com Configuration Class) -

http://support.fasta...nload/tgctlcm.c

ab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02}

(HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}

(PCPitstop Utility) -

http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -

http://go.microsoft....k/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32

Class) - http://makeover.ivil...ve/makeover.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C}

(cpbrkpie Control) -

http://a19.g.akamai....coupons.com/v31

23/cpbrkpie.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid

Class) -

http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2}

(WLANinfo.WLANX) -

https://www.jiwire.c...eX/wlaninfo.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys

Content Update) -

http://www.linksysfi...all/gtdownls.ca

b
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://cdn.messenger...ssengerSetupDow

nloader.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =

master.lsuhsc.edu
O17 - HKLM\Software\..\Telephony: DomainName =

master.lsuhsc.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =

master.lsuhsc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =

master.lsuhsc.edu
O18 - Protocol: bw+0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 -

{9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim -

{828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 -

{3D98B6CA-D18D-438F-8F09-0C3B0181778A} - C:\Program

Files\Logitech\Desktop

Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: ckpNotify -

C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring -

c:\WINNT\System32\LgNotify.dll
O23 - Service: ADSService - Aluria Software, LLC -

C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems,

Inc. - C:\Program Files\Common Files\Command

Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service

(EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program

Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service

(ElnkFWPPService) - Aluria Software, LLC. -

C:\PROGRA~1\EARTHL~2\PROTEC~1\EFWPPS~1.EXE
O23 - Service: ewido security suite control - ewido

networks - C:\Program Files\ewido\security

suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS)

- Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe

(file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework)

- Network Associates, Inc. - C:\Program Files\Network

Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) -

Network Associates, Inc. - C:\Program Files\Network

Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager

(McTaskManager) - Network Associates, Inc. - C:\Program

Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Active Directory Migration Agent

(OnePointDomainAdminService) - Unknown owner - C:\Program

Files\OnePointDomainAgent\DCTAgentService.exe (file

missing)
O23 - Service: Pml Driver HPZ12 - HP -

C:\WINNT\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation -

C:\WINNT\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz

Development Corporation - C:\Program

Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development

Corporation - C:\Program

Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz

Development Corporation -

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor)

- Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service)

- Check Point Software Technologies - C:\Program

Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog

(SR_WatchDog) - Check Point Software Technologies -

C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Thanks for the info, but your HJT log is scattered, and they are difficult enough. Please turn off wordwrap in Notepad and resubmit. Check with the Preview Post before clicking Add Reply.

Thanks, I'll look after Dinner.
  • 0

#5
dmayspa

dmayspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I apologize. I noticed afterwards that the post was scattered but didn't know what to do about it. I have removed the things you said to remove, ran KillBox and Ccleaner.

Here is my new HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:47 AM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\system32\AuthFw.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dmays1\Desktop\Spyware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lsuhsc.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lsuhsc.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: CitiUSBrowserHelper Class - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINNT\System32\BhoCitUS.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\\bobscomputer\EPSON Stylus Photo RX500] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P39 "\\bobscomputer\EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~2\The Weather Channel.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Skyscape smARTupdate.lnk.disabled
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivil...ve/makeover.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.c...eX/wlaninfo.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O17 - HKLM\Software\..\Telephony: DomainName = master.lsuhsc.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll
O23 - Service: ADSService - Aluria Software, LLC - C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~2\PROTEC~1\EFWPPS~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
  • 0

#6
dmayspa

dmayspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
My computer seems to be working much better now. Thank you so much. Here is a final Hijack This to make sure everything looks OK. God bless you.

Logfile of HijackThis v1.99.1
Scan saved at 11:46:35 AM, on 10/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\1XConfig.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\AuthFw.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
C:\Program Files\Common Files\Skyscape\smARTupdate.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dmays1\Desktop\Spyware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lsuhsc.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lsuhsc.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: CitiUSBrowserHelper Class - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINNT\System32\BhoCitUS.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\\bobscomputer\EPSON Stylus Photo RX500] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P39 "\\bobscomputer\EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] C:\Program Files\EarthLink\Protection Control Center\elnk_pcc.exe /minimize
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: Skyscape smARTupdate.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivil...ve/makeover.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {A57B79D8-9501-42B7-BA9B-B961454712F2} (WLANinfo.WLANX) - https://www.jiwire.c...eX/wlaninfo.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O17 - HKLM\Software\..\Telephony: DomainName = master.lsuhsc.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = master.lsuhsc.edu
O20 - Winlogon Notify: ckpNotify - C:\WINNT\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll
O23 - Service: ADSService - Aluria Software, LLC - C:\PROGRA~1\EARTHL~2\PROTEC~1\ADSSER~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\PROGRA~1\EARTHL~2\PROTEC~1\EFWPPS~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINNT\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Unknown owner - C:\Program Files\OnePointDomainAgent\DCTAgentService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

May I firstly apologise for leaving you alone for a couple of days; the fact is that I did not know that you had replied, but I can now see that you did, almost immediately. There is a software glitch somewhere, whereby my subscription to this thread failed to inform me of your reply, it is fortuitous
that you reposted.

Now I have some bad news and some good news. Tha bad news is that I should have told you two days ago, and the good news is....................................

Congratulations! your new log is clean. :tazz: Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programmes for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :)

I wish you happy safe surfing!
  • 0

#8
dmayspa

dmayspa

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you again. No problem about the 2 day time lapse. I actually have been trying during that time to post again and was not able. It never would go through to post until today so I thought something must be wrong with the website anyway. OK, thanks a bunch! It's so good to be clean. Actually, I was able to clean my husband's computer of isearch and other malware yesterday using what I've learned.
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
You are very welcome.

I will leave this thread open for a few days in case of misfortune.
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP