Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help bad

Started by Hawaii Boy , Oct 27 2005 08:38 PM

  • Please log in to reply

#1
Hawaii Boy
Posted 27 October 2005 - 08:38 PM

Hawaii Boy

    Member

  • Member
  • PipPip
  • 10 posts
here is my log. I've tried everything I could. But I just can't figure out what register's to fix or to check. I also can't run nothing in safe mode. I'm leaving for Iraq soon and I want to help my wife out with this stinkin virus or what ever she has on the computer.

Logfile of HijackThis v1.99.1
Scan saved at 4:19:40 PM, on 10/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\asyqogln.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129922592402
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

Advertisements

#2
Wizard
Posted 29 October 2005 - 10:21 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi Hawaii Boy and Welcome to GeekstoGo!


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

#3
Hawaii Boy
Posted 29 October 2005 - 01:56 PM

Hawaii Boy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
First I would like to thank you for responding. Here is the session log.
********
9:32 AM: | Start of Session, Saturday, October 29, 2005 |
9:32 AM: Spy Sweeper started
9:32 AM: Sweep initiated using definitions version 564
9:32 AM: Starting Memory Sweep
9:34 AM: Memory Sweep Complete, Elapsed Time: 00:01:34
9:34 AM: Starting Registry Sweep
9:34 AM: Registry Sweep Complete, Elapsed Time:00:00:10
9:34 AM: Starting Cookie Sweep
9:34 AM: Found Spy Cookie: 66.230.183 cookie
9:34 AM: [email protected][1].txt (ID = 1993)
9:34 AM: [email protected][2].txt (ID = 1993)
9:34 AM: Found Spy Cookie: advertising cookie
9:34 AM: justine@advertising[2].txt (ID = 2175)
9:34 AM: Found Spy Cookie: atlas dmt cookie
9:34 AM: justine@atdmt[2].txt (ID = 2253)
9:34 AM: Found Spy Cookie: morwillsearch cookie
9:34 AM: justine@morwillsearch[2].txt (ID = 3008)
9:34 AM: Found Spy Cookie: mygeek cookie
9:34 AM: justine@mygeek[1].txt (ID = 3041)
9:34 AM: Found Spy Cookie: servedby advertising cookie
9:34 AM: [email protected][2].txt (ID = 3335)
9:34 AM: Found Spy Cookie: reliablestats cookie
9:34 AM: [email protected][2].txt (ID = 3254)
9:34 AM: Found Spy Cookie: tribalfusion cookie
9:34 AM: justine@tribalfusion[1].txt (ID = 3589)
9:34 AM: Found Spy Cookie: commission junction cookie
9:34 AM: [email protected][1].txt (ID = 2454)
9:34 AM: Found Spy Cookie: xren_cj cookie
9:34 AM: justine@xren_cj[1].txt (ID = 3723)
9:34 AM: serena@atdmt[1].txt (ID = 2253)
9:34 AM: Found Spy Cookie: burstnet cookie
9:34 AM: serena@burstnet[1].txt (ID = 2336)
9:34 AM: Found Spy Cookie: casalemedia cookie
9:34 AM: serena@casalemedia[1].txt (ID = 2354)
9:34 AM: Found Spy Cookie: go.com cookie
9:34 AM: serena@go[1].txt (ID = 2728)
9:34 AM: Found Spy Cookie: overture cookie
9:34 AM: serena@overture[1].txt (ID = 3105)
9:34 AM: [email protected][1].txt (ID = 2729)
9:34 AM: [email protected][2].txt (ID = 3254)
9:34 AM: Found Spy Cookie: burstbeacon cookie
9:34 AM: [email protected][1].txt (ID = 2335)
9:34 AM: [email protected][1].txt (ID = 2337)
9:34 AM: [email protected][1].txt (ID = 2729)
9:34 AM: Found Spy Cookie: 2o7.net cookie
9:34 AM: owner@2o7[2].txt (ID = 1957)
9:34 AM: [email protected][2].txt (ID = 1993)
9:34 AM: [email protected][3].txt (ID = 1993)
9:34 AM: Found Spy Cookie: websponsors cookie
9:34 AM: [email protected][2].txt (ID = 3665)
9:34 AM: owner@advertising[2].txt (ID = 2175)
9:34 AM: owner@atdmt[1].txt (ID = 2253)
9:34 AM: Found Spy Cookie: belnk cookie
9:34 AM: [email protected][2].txt (ID = 2293)
9:34 AM: Found Spy Cookie: atwola cookie
9:34 AM: owner@atwola[1].txt (ID = 2255)
9:34 AM: owner@belnk[2].txt (ID = 2292)
9:34 AM: owner@burstnet[2].txt (ID = 2336)
9:34 AM: Found Spy Cookie: enhance cookie
9:34 AM: [email protected][1].txt (ID = 2614)
9:34 AM: Found Spy Cookie: goclick cookie
9:34 AM: [email protected][2].txt (ID = 2733)
9:34 AM: owner@casalemedia[2].txt (ID = 2354)
9:34 AM: Found Spy Cookie: centrport net cookie
9:34 AM: owner@centrport[1].txt (ID = 2374)
9:34 AM: Found Spy Cookie: clickbank cookie
9:34 AM: owner@clickbank[1].txt (ID = 2398)
9:34 AM: Found Spy Cookie: did-it cookie
9:34 AM: owner@did-it[1].txt (ID = 2523)
9:34 AM: [email protected][1].txt (ID = 2293)
9:34 AM: Found Spy Cookie: ru4 cookie
9:34 AM: [email protected][2].txt (ID = 3269)
9:34 AM: Found Spy Cookie: metareward.com cookie
9:34 AM: owner@metareward[2].txt (ID = 2990)
9:34 AM: owner@morwillsearch[2].txt (ID = 3008)
9:34 AM: Found Spy Cookie: realmedia cookie
9:34 AM: owner@realmedia[2].txt (ID = 3235)
9:34 AM: [email protected][1].txt (ID = 3335)
9:34 AM: owner@tribalfusion[1].txt (ID = 3589)
9:34 AM: Found Spy Cookie: ebates cookie
9:34 AM: [email protected][2].txt (ID = 2558)
9:34 AM: owner@xren_cj[1].txt (ID = 3723)
9:34 AM: Found Spy Cookie: zedo cookie
9:34 AM: owner@zedo[2].txt (ID = 3762)
9:34 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
9:34 AM: Starting File Sweep
9:46 AM: Warning: Invalid file - not a PKZip file
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: Warning: Invalid Stream
9:47 AM: File Sweep Complete, Elapsed Time: 00:12:51
9:47 AM: Full Sweep has completed. Elapsed time 00:14:41
9:47 AM: Traces Found: 47
9:50 AM: Removal process initiated
9:51 AM: Quarantining All Traces: 2o7.net cookie
9:51 AM: Quarantining All Traces: 66.230.183 cookie
9:51 AM: Quarantining All Traces: advertising cookie
9:51 AM: Quarantining All Traces: atlas dmt cookie
9:51 AM: Quarantining All Traces: atwola cookie
9:51 AM: Quarantining All Traces: belnk cookie
9:51 AM: Quarantining All Traces: burstbeacon cookie
9:51 AM: Quarantining All Traces: burstnet cookie
9:51 AM: Quarantining All Traces: casalemedia cookie
9:51 AM: Quarantining All Traces: centrport net cookie
9:51 AM: Quarantining All Traces: clickbank cookie
9:51 AM: Quarantining All Traces: commission junction cookie
9:51 AM: Quarantining All Traces: did-it cookie
9:51 AM: Quarantining All Traces: ebates cookie
9:51 AM: Quarantining All Traces: enhance cookie
9:51 AM: Quarantining All Traces: go.com cookie
9:51 AM: Quarantining All Traces: goclick cookie
9:51 AM: Quarantining All Traces: metareward.com cookie
9:51 AM: Quarantining All Traces: morwillsearch cookie
9:51 AM: Quarantining All Traces: mygeek cookie
9:51 AM: Quarantining All Traces: overture cookie
9:51 AM: Quarantining All Traces: realmedia cookie
9:51 AM: Quarantining All Traces: reliablestats cookie
9:51 AM: Quarantining All Traces: ru4 cookie
9:51 AM: Quarantining All Traces: servedby advertising cookie
9:51 AM: Quarantining All Traces: tribalfusion cookie
9:51 AM: Quarantining All Traces: websponsors cookie
9:51 AM: Quarantining All Traces: xren_cj cookie
9:51 AM: Quarantining All Traces: zedo cookie
9:51 AM: Removal process completed. Elapsed time 00:00:12
********
9:29 AM: | Start of Session, Saturday, October 29, 2005 |
9:29 AM: Spy Sweeper started
9:29 AM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
9:30 AM: Updating spyware definitions
9:30 AM: Your spyware definitions have been updated.
9:32 AM: | End of Session, Saturday, October 29, 2005 |

I tested it out and the morwill search thingy is still happening. Is there anything else I need to do.
  • 0

#4
Wizard
Posted 29 October 2005 - 02:49 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Save it as RKR.log
  • Open RKR.log on your desktop and copy the entire contents and paste them here

Before posting those results-> Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Post back with a fresh HijackThis log and the reports from RootKitRevealer and WinPFind!
  • 0

#5
Hawaii Boy
Posted 30 October 2005 - 03:58 PM

Hawaii Boy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is my new Hijack log and all the rest you have requested. I also would like to thank you once again for your quick responses.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:47 AM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\asyqogln.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129922592402
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: FLH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\FLH.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: YOCTMMFW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\YOCTMMFW.exe



WinPFind log


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/15/2003 9:40:04 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 10/4/2005 4:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/4/2005 4:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 9:56:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 9:56:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/15/2003 4:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 7:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/30/2005 11:34:46 AM S 2048 C:\WINDOWS\bootstat.dat
10/18/2005 9:51:38 PM H 54156 C:\WINDOWS\QTFont.qfn
10/8/2005 10:37:38 PM H 10820 C:\WINDOWS\Help\update.GID
10/22/2005 9:58:40 AM H 0 C:\WINDOWS\inf\oem37.inf
10/20/2005 9:28:04 PM H 0 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3057925866089dfbd20ab09ff71e90a4\BIT8.tmp
9/1/2005 5:35:36 PM HS 26112 C:\WINDOWS\system32\mllji.dll
9/2/2005 1:38:02 PM HS 178718 C:\WINDOWS\system32\rttss.bak1
10/25/2005 6:46:52 AM HS 195226 C:\WINDOWS\system32\rttss.bak2
9/6/2005 12:24:00 AM HS 180453 C:\WINDOWS\system32\rttss.ini
10/26/2005 7:29:14 AM HS 179945 C:\WINDOWS\system32\rttss.ini2
9/6/2005 12:24:00 AM HS 179881 C:\WINDOWS\system32\rttss.tmp
10/4/2005 3:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
10/30/2005 11:34:38 AM H 8192 C:\WINDOWS\system32\config\default.LOG
10/30/2005 11:38:12 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/30/2005 11:34:46 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/30/2005 11:38:12 AM H 131072 C:\WINDOWS\system32\config\software.LOG
10/30/2005 11:34:50 AM H 1052672 C:\WINDOWS\system32\config\system.LOG
10/15/2005 10:04:40 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
9/21/2005 11:21:12 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\44b18082-d970-4497-82d9-acddbe7af4f7
9/21/2005 11:21:12 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/30/2005 11:32:50 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/3/2004 9:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/3/2004 9:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 4/2/2004 11:11:24 AM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 3:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 3:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 4:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 9:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/15/2003 3:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/15/2003 3:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/15/2003 4:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 2/10/2004 3:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/9/2004 10:19:32 PM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0019\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/2/2004 9:55:28 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 1:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
9/25/2004 5:23:00 PM 786 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 9:55:28 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 1:46:32 AM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EFDAC3FE-F44A-4030-8589-1E23BC6573D5}
Bho Class = C:\WINDOWS\system32\asyqogln.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
KBD C:\HP\KBD\KBD.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer VTTimer.exe
PS2 C:\WINDOWS\system32\ps2.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
AlcxMonitor ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMPAQ~1\1940576\Program\BACKWE~1.EXE -startup
item Compaq Connections
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMPAQ~1\1940576\Program\BACKWE~1.EXE -startup
item Compaq Connections

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Desktop Firewall Tray.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Desktop Firewall Tray.lnk
backup C:\WINDOWS\pss\McAfee Desktop Firewall Tray.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireTray.exe
item McAfee Desktop Firewall Tray
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Desktop Firewall Tray.lnk
backup C:\WINDOWS\pss\McAfee Desktop Firewall Tray.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireTray.exe
item McAfee Desktop Firewall Tray

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup C:\WINDOWS\pss\IMStart.lnkStartup
location Startup
command C:\PROGRA~1\INTERM~1\IMStart.exe
item IMStart
path C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup C:\WINDOWS\pss\IMStart.lnkStartup
location Startup
command C:\PROGRA~1\INTERM~1\IMStart.exe
item IMStart

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AGRSMMSG
hkey HKLM
command AGRSMMSG.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IntelliPoint
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item point32
hkey HKLM
command "C:\Program Files\Microsoft IntelliPoint\point32.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item point32
hkey HKLM
command "C:\Program Files\Microsoft IntelliPoint\point32.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\McAfeeUpdaterUI
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdaterUI
hkey HKLM
command "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UpdaterUI
hkey HKLM
command "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Network Associates Error Reporting Service
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TBMon
hkey HKLM
command "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TBMon
hkey HKLM
command "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ShStatEXE
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SHSTAT
hkey HKLM
command "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SHSTAT
hkey HKLM
command "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/30/2005 11:43:30 AM

RKR Log

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 10/30/2005 11:23 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 10/30/2005 11:23 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 10/30/2005 11:25 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 10/30/2005 11:25 AM 90 bytes Windows API length not consistent with raw hive data.
D: 0 bytes Error mounting volume


I really hope this helps.

Thanks Hawaii Boy
  • 0

#6
Wizard
Posted 31 October 2005 - 03:55 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Thanks for all your patience,those scans were to confirm there wasnt something hiding that neither of us could see.


Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy!

C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak2
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini2
C:\WINDOWS\system32\rttss.tmp
C:\WINDOWS\system32\asyqogln.dll

Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot and Unregister .dll before Deleting-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!


Restart in Safe Mode and Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ario&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...ario&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...ario&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ario&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: Bho - {EFDAC3FE-F44A-4030-8589-1E23BC6573D5} - C:\WINDOWS\system32\asyqogln.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O23 - Service: FLH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\FLH.exe

O23 - Service: YOCTMMFW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\YOCTMMFW.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Restart Normal and have the PC scanner here
http://support.f-sec.../home/ols.shtml

Save any results from the Online Scan and post them here with a fresh HijackThis log.
  • 0

#7
Hawaii Boy
Posted 31 October 2005 - 08:17 PM

Hawaii Boy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I did everything I could to try and start the online scan. But it's telling me that I don't have sufficent rights to install Active X. But I do have the new HiJack This log.

Logfile of HijackThis v1.99.1
Scan saved at 4:15:03 PM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.rr.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129922592402
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I hope we can work with this. I'm also doing a spybot, spysweeper, and mcafee scan.
  • 0

#8
Wizard
Posted 01 November 2005 - 04:02 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Are you logged in as the Administrator of the PC?

Something else that occured to me,we need to run the Vundo Reg file from the Vundo Fix!

Attached is a Zip folder,download to the desktop and unzip it!

Locate and double click Vundo.reg and allow it to merge into the resgistry.

Restart and try the F-Secure Online Scan again.

Edited by Cretemonster, 01 November 2005 - 04:07 AM.

  • 0

#9
Hawaii Boy
Posted 01 November 2005 - 07:46 PM

Hawaii Boy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Scanned files: 75210 Warning: 2 file(s) still infected!


C:\!KillBox\mllji.dll Trojan.Win32.Crypt.o

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP269\A0033379.dll Trojan.Win32.Crypt.o



Up | Down | Top | Bottom

This is what came up with F-Secure Online scan
  • 0

#10
Hawaii Boy
Posted 01 November 2005 - 07:50 PM

Hawaii Boy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Scanned files: 75210 Warning: 2 file(s) still infected!


C:\!KillBox\mllji.dll Trojan.Win32.Crypt.o

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP269\A0033379.dll Trojan.Win32.Crypt.o



Up | Down | Top | Bottom

This is what came up with F-Secure Online scan
  • 0

#11
Wizard
Posted 02 November 2005 - 03:16 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
How did you like that invisible attachment? :tazz:

Lord,I musta been tired!


Lets try this again,download the attachment which is a Zip folder with the Vundo reg file inside.

Unzip it and double click Vundo.reg and allow it to merge into the registry.


Post back and let me know how this goes and if the PC is acting any better?

Attached Files


  • 0

#12
Hawaii Boy
Posted 02 November 2005 - 10:31 AM

Hawaii Boy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Actually, I already had the Vundoreg thing already on my computer. So I just used that file. But the last post I had mentioned the fact that F Scan Online found two more virus's. But when I conduct a Spy Sweeper, Spy Bot, and Mcafee virus scans they all tell me nothing found. Kind of weird to me though. Can you explain this to me.

Also my computer is running alot more smoother. Thanks a bunch. This forum is the best. I wish I knew how to read code and all that stuff you folks can read.
  • 0

#13
Wizard
Posted 03 November 2005 - 03:32 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,good deal!


C:\!KillBox\mllji.dll Trojan.Win32.Crypt.o<-- Killbox folder

C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP269\A0033379.dll The above is System Restore


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?

Edited by Cretemonster, 03 November 2005 - 03:34 AM.

  • 0

#14
Hawaii Boy
Posted 03 November 2005 - 12:41 PM

Hawaii Boy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Cretemonster,

I would like to thank you for all your help. :tazz:

Now my wife's computer has no virus's or malware. I just hope she keeps it that way. I'll be checking in from time to time to see how everything is going.

I was wondering if there is an monitoring software that I can track where she goes on the internet? Also, I will need to be able to access it from another computer without her knowing. Please pass any info to me.

Once again thanks for all your help.

Hawaii Boy
  • 0

#15
Wizard
Posted 03 November 2005 - 04:48 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
As far as mobile access,I havent a clue,dont use it!

To tell where they go,IE History and any other Browsers history will always tell the story.

Im sure Mcafee has some sort of function that will tell you lots of good info about the PCs tracks.


Go ahead and Renable System Restore and restart the PC,this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us! :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP