Another puppyboyz problem

odm420 · 10-21-2004, 05:29 AM

My previous thread ended up in the resolved HJT category because someone else posted a message and had their problem fixed. However, mine still exists. The title is "Puppyboyz.com is frustrating" and my last post has my most recent HJT log. I can't attatch the log to a new thread since it's already attatched to the last one. Can anyone help me out? Thanks.

**Horse** · 10-21-2004, 08:39 AM

Hi there

Run another scan, then copy and post your new log back here. I don't know how long ago you posted your original log, but it's probably better to post a newer now anyway.

odm420 · 10-22-2004, 05:12 AM

Here is my latest HJT log. Thanks.

greyknight17 · 10-22-2004, 07:15 AM

Please copy and paste the log in the message area next time. Don't attach it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\System32\sp2update.exe
C:\WINDOWS\System32\mscnfg32.exe
C:\WINDOWS\System32\ajwxlfjhjmy.exe
C:\WINDOWS\System32\svshost.exe
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\winser32.exe
C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
C:\WINDOWS\System32\winmon32.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\crsss32.exe
C:\WINDOWS\System32\winser32.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SearchUpgrader
180Solutions
IncrediFind

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\swexun.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [WindowsReg% update] ajwxlfjhjmy.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\Run: [Micr Update] soundblaster.exe
O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Windows32 Serivces] winser32.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Window Monitor] winmon32.exe
O4 - HKLM\..\Run: [MSNMSGRS1] C:\swed.bat
O4 - HKLM\..\Run: [CRC Value Verifier] crsss32.exe
O4 - HKLM\..\Run: [BootCTRL] C:\bootctrl.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [WindowsReg% update] ajwxlfjhjmy.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft NotePad] notepad.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [WindowsReg% update] ajwxlfjhjmy.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [Windows32 Serivces] winser32.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149024 (file missing)
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\sp2update.exe
C:\WINDOWS\System32\mscnfg32.exe
C:\WINDOWS\System32\ajwxlfjhjmy.exe
C:\WINDOWS\System32\svshost.exe
C:\WINDOWS\System32\soundblaster.exe
C:\WINDOWS\System32\winser32.exe
C:\Program Files\Common files\SearchUpgrader\
C:\WINDOWS\System32\winmon32.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\crsss32.exe
C:\WINDOWS\System32\winser32.exe
C:\PROGRA~1\INCRED~1\
C:\WINDOWS\EliteToolBar\
c:\program files\180solutions\

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided.

odm420 · 10-24-2004, 07:44 PM

Ran virus scan. Followed all instructions. Here is log.

Logfile of HijackThis v1.98.2
Scan saved at 8:37:02 PM, on 10/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\mscom32.exe
C:\WINDOWS\System32\mscnfg32.exe
C:\WINDOWS\System32\svshost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Win Comm\WinLock.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=154445
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=154445
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=154445
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=154445
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [Sys29] c:\windows\system32\wingau32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...31c81306a97bea
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab

CTSNKY · 10-24-2004, 07:59 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

I will assume System Restore is still off and hidden files are still visible.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\Win Comm\WinComm.exe
C:\WINDOWS\System32\mscom32.exe
C:\WINDOWS\System32\mscnfg32.exe
C:\WINDOWS\System32\svshost.exe
C:\Program Files\Win Comm\WinLock.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WinComm
IncrediFind

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=154445
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=154445
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=154445
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=154445
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [Sys29] c:\windows\system32\wingau32.exe
O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f... 1c81306a97bea
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Win Comm\
C:\Program Files\IncrediFind\

BE VERY CAREFUL TO ONLY DELETE THESE EXACT FILE NAMES! THERE ARE SIMILARLY NAMED CRITICAL WINDOWS FILES, WHICH SHOULD NOT BE AFFECTED IN ANY WAY!

C:\WINDOWS\System32\mscom32.exe
C:\WINDOWS\System32\mscnfg32.exe
C:\WINDOWS\System32\svshost.exe

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

odm420 · 10-25-2004, 06:01 PM

Here is my latest HJT log. Thanks for help.

Logfile of HijackThis v1.98.2
Scan saved at 6

24 PM, on 10/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\mscom32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunServices: [Microsoft NotePad] notepad.exe
O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab

CTSNKY · 10-25-2004, 08:23 PM

Hey odm.....it's slow progress, but we are making some.

Is the online virus scanning turning up anything?
Have you tried do a full system scan with AVG? Results?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\System32\mscom32.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunServices: [Microsoft NotePad] notepad.exe
O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe

Delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED. BE VERY CAREFUL TO DELETE ONLY THOSE EXACT FILE NAMES!

[/b]Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

If it persists, do this next:

Download: StartDreck.

Unzip to its own folder and start the program:
Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

odm420 · 10-26-2004, 09:06 AM

I've run both Trendmicro and RAV on-line scans, both with autoclean option on. I saved both files to my hard drive. I also installed AVG and have run it. Only one virus left which can't be repaired or deleted or moved to virus vault. It is a Trojan Horse Downloader.Agent.3.AP in following directory c:\Documents and Settings\Jacqui Rizzo\Application Data\hgv?e.exe

I've gone on-line and the redirects have seemed to stop and speed has returned to normal. I've followed the instructions on greyknight's page regarding spyware protection. SpywareBlaster and SpywareGuard are running. Here is my HJT log. Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 11:34:52 AM, on 10/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winapa.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\mscom32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Winamp media player] winapa.exe
O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\Run: [Winamp media player] winapa.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab

**jgvernonco** · 10-26-2004, 10:58 PM

Greetings!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

winapa.exe
mscom32.exe
svshost.exe <- Don't confuse this with svchost.exe, which is necessary
winmon32.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O4 - HKLM\..\Run: [Winamp media player] winapa.exe
O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\Run: [Winamp media player] winapa.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

winapa.exe
mscom32.exe
svshost.exe
winmon32.exe

Reboot.

Run an online virus scan at TrendMicro or RAV Antivirus. Select the Autoclean option if you use TrendMicro.

Post a new HJT log so we can make sure that it is clean.

odm420 · 10-28-2004, 05:22 AM

Followed your instructions, and also ran AVG, Ad-Aware and Spybot S&D. AVG says there is 2 or 3 virus that can't be removed, while Trendmicro said there is one. I'm still not getting re-directs or slow connection, which is good. I also got to see what SpywareGurad and SpywareBlaster do as they kept blocking autoinstalls and etc while I was running the on-line virus scan. I also noticed that when I start up, a blank document in notepad opens. However, if I try to run notepad(for example for HJTlog) I get options for customizing windows for blind/deaf people. Sorry to blab on like this, here is latest HJT log. Thanks for the help.

Logfile of HijackThis v1.98.2
Scan saved at 11:27:45 PM, on 10/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winapa.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\winser32.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\System32\mscom32.exe
C:\WINDOWS\System32\winser32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Win Comm\WinLock.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows32 Serivces] winser32.exe
O4 - HKLM\..\Run: [Winamp media player] winapa.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe
O4 - HKCU\..\Run: [Window Monitor] winmon32.exe
O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe
O4 - HKCU\..\Run: [Winamp media player] winapa.exe
O4 - HKCU\..\Run: [Windows32 Serivces] winser32.exe
O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe
O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ec58ff8178110e
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab

10-21-2004, 05:29 AM	#1 (permalink)
odm420 Member Join Date: Oct 2004 Posts: 22 OS: xp	Another puppyboyz problem My previous thread ended up in the resolved HJT category because someone else posted a message and had their problem fixed. However, mine still exists. The title is "Puppyboyz.com is frustrating" and my last post has my most recent HJT log. I can't attatch the log to a new thread since it's already attatched to the last one. Can anyone help me out? Thanks.

10-21-2004, 08:39 AM	#2 (permalink)
Horse General Manager (Administrator) Join Date: Oct 2003 Location: Durban South Africa Posts: 4,127 OS: WIN XP PRO My System Blog Entries: 1	Hi there Run another scan, then copy and post your new log back here. I don't know how long ago you posted your original log, but it's probably better to post a newer now anyway. __________________ Please Read The 5 Step Process Before You post A Log Hijack This v2.02 :: Adaware SE :: Spybot Search & Destroy :: SpywareBlaster :: CWShredder To Donate :: Please Click Here :: PROUD MEMBER OF ASAP SINCE NOVEMBER 2004

10-22-2004, 07:15 AM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Please copy and paste the log in the message area next time. Don't attach it. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\System32\sp2update.exe C:\WINDOWS\System32\mscnfg32.exe C:\WINDOWS\System32\ajwxlfjhjmy.exe C:\WINDOWS\System32\svshost.exe C:\WINDOWS\System32\soundblaster.exe C:\WINDOWS\System32\winser32.exe C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe C:\WINDOWS\System32\winmon32.exe C:\PROGRA~1\ISP50\bin\ppshared.exe C:\WINDOWS\System32\crsss32.exe C:\WINDOWS\System32\winser32.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: SearchUpgrader 180Solutions IncrediFind Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll O4 - HKLM\..\Run: [Windows XP Service Pack 2] sp2update.exe O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\swexun.exe O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKLM\..\Run: [WindowsReg% update] ajwxlfjhjmy.exe O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKLM\..\Run: [Micr Update] soundblaster.exe O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe O4 - HKLM\..\Run: [Windows32 Serivces] winser32.exe O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe O4 - HKLM\..\Run: [Window Monitor] winmon32.exe O4 - HKLM\..\Run: [MSNMSGRS1] C:\swed.bat O4 - HKLM\..\Run: [CRC Value Verifier] crsss32.exe O4 - HKLM\..\Run: [BootCTRL] C:\bootctrl.exe O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe O4 - HKLM\..\RunServices: [WindowsReg% update] ajwxlfjhjmy.exe O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe O4 - HKLM\..\RunServices: [Microsoft NotePad] notepad.exe O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe O4 - HKLM\..\RunServices: [Window Monitor] winmon32.exe O4 - HKLM\..\RunServices: [CRC Value Verifier] crsss32.exe O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe O4 - HKCU\..\Run: [WindowsReg% update] ajwxlfjhjmy.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Micr Update] soundblaster.exe O4 - HKCU\..\Run: [Windows32 Serivces] winser32.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149024 (file missing) O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\System32\sp2update.exe C:\WINDOWS\System32\mscnfg32.exe C:\WINDOWS\System32\ajwxlfjhjmy.exe C:\WINDOWS\System32\svshost.exe C:\WINDOWS\System32\soundblaster.exe C:\WINDOWS\System32\winser32.exe C:\Program Files\Common files\SearchUpgrader\ C:\WINDOWS\System32\winmon32.exe C:\PROGRA~1\ISP50\bin\ppshared.exe C:\WINDOWS\System32\crsss32.exe C:\WINDOWS\System32\winser32.exe C:\PROGRA~1\INCRED~1\ C:\WINDOWS\EliteToolBar\ c:\program files\180solutions\ Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED. Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

10-24-2004, 07:59 PM	#6 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. I will assume System Restore is still off and hidden files are still visible. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\Program Files\Win Comm\WinComm.exe C:\WINDOWS\System32\mscom32.exe C:\WINDOWS\System32\mscnfg32.exe C:\WINDOWS\System32\svshost.exe C:\Program Files\Win Comm\WinLock.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: WinComm IncrediFind Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=154445 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=154445 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=154445 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=154445 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe O4 - HKLM\..\Run: [Sys29] c:\windows\system32\wingau32.exe O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f... 1c81306a97bea O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\Program Files\Win Comm\ C:\Program Files\IncrediFind\ BE VERY CAREFUL TO ONLY DELETE THESE EXACT FILE NAMES! THERE ARE SIMILARLY NAMED CRITICAL WINDOWS FILES, WHICH SHOULD NOT BE AFFECTED IN ANY WAY! C:\WINDOWS\System32\mscom32.exe C:\WINDOWS\System32\mscnfg32.exe C:\WINDOWS\System32\svshost.exe Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED. Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. __________________ GO BIG BLUE!!

10-25-2004, 06:01 PM	#7 (permalink)
odm420 Member Join Date: Oct 2004 Posts: 22 OS: xp	Here is my latest HJT log. Thanks for help. Logfile of HijackThis v1.98.2 Scan saved at 624 PM, on 10/25/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\ISP50\bin\bartshel.exe C:\PROGRA~1\ISP50\bin\ppshared.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\WINDOWS\System32\mscom32.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunServices: [Microsoft NotePad] notepad.exe O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab

10-24-2004, 07:44 PM	#5 (permalink)
odm420 Member Join Date: Oct 2004 Posts: 22 OS: xp	Ran virus scan. Followed all instructions. Here is log. Logfile of HijackThis v1.98.2 Scan saved at 8:37:02 PM, on 10/24/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\WINDOWS\System32\svchost.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\ISP50\bin\bartshel.exe C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Win Comm\WinComm.exe C:\Program Files\ISTsvc\istsvc.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\WINDOWS\System32\mscom32.exe C:\WINDOWS\System32\mscnfg32.exe C:\WINDOWS\System32\svshost.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Win Comm\WinLock.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\PROGRA~1\ISP50\bin\ppshared.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\System32\wuauclt.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=154445 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=154445 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=154445 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=154445 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe O4 - HKLM\..\Run: [Sys29] c:\windows\system32\wingau32.exe O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKLM\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe O4 - HKLM\..\RunServices: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...31c81306a97bea O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab

10-25-2004, 08:23 PM	#8 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Hey odm.....it's slow progress, but we are making some. Is the online virus scanning turning up anything? Have you tried do a full system scan with AVG? Results? Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\System32\mscom32.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunServices: [Microsoft NotePad] notepad.exe O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe Delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED. BE VERY CAREFUL TO DELETE ONLY THOSE EXACT FILE NAMES! [/b]Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. If it persists, do this next: Download: StartDreck. Unzip to its own folder and start the program: Press 'Config' Press 'Unmark All' Check the following boxes only: Registry -> Run Keys System/drivers> Running processes Press 'Ok' Press 'Save' and select the location to save the log file (default is the same folder as the application) Post the log in this thread. __________________ GO BIG BLUE!!

10-26-2004, 09:06 AM	#9 (permalink)
odm420 Member Join Date: Oct 2004 Posts: 22 OS: xp	I've run both Trendmicro and RAV on-line scans, both with autoclean option on. I saved both files to my hard drive. I also installed AVG and have run it. Only one virus left which can't be repaired or deleted or moved to virus vault. It is a Trojan Horse Downloader.Agent.3.AP in following directory c:\Documents and Settings\Jacqui Rizzo\Application Data\hgv?e.exe I've gone on-line and the redirects have seemed to stop and speed has returned to normal. I've followed the instructions on greyknight's page regarding spyware protection. SpywareBlaster and SpywareGuard are running. Here is my HJT log. Thanks. Logfile of HijackThis v1.98.2 Scan saved at 11:34:52 AM, on 10/26/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\winapa.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\ISP50\bin\bartshel.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\PROGRA~1\ISP50\bin\ppshared.exe C:\WINDOWS\System32\mscom32.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Winamp media player] winapa.exe O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\Run: [Winamp media player] winapa.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab

10-26-2004, 10:58 PM	#10 (permalink)
jgvernonco Old Timer Join Date: Sep 2003 Location: Northern Arizona Posts: 7,957 OS: Vista Home Premium, SP 27	Greetings! Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): winapa.exe mscom32.exe svshost.exe <- Don't confuse this with svchost.exe, which is necessary winmon32.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) O4 - HKLM\..\Run: [Winamp media player] winapa.exe O4 - HKLM\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe O4 - HKLM\..\RunServices: [Windows Dcom2 Fix] mscom32.exe O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\Run: [Winamp media player] winapa.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: winapa.exe mscom32.exe svshost.exe winmon32.exe Reboot. Run an online virus scan at TrendMicro or RAV Antivirus. Select the Autoclean option if you use TrendMicro. Post a new HJT log so we can make sure that it is clean. __________________ Donations keep TSF moving forward. Please help. http://www.myspace.com/speedbumpthecelt

10-28-2004, 05:22 AM	#11 (permalink)
odm420 Member Join Date: Oct 2004 Posts: 22 OS: xp	Followed your instructions, and also ran AVG, Ad-Aware and Spybot S&D. AVG says there is 2 or 3 virus that can't be removed, while Trendmicro said there is one. I'm still not getting re-directs or slow connection, which is good. I also got to see what SpywareGurad and SpywareBlaster do as they kept blocking autoinstalls and etc while I was running the on-line virus scan. I also noticed that when I start up, a blank document in notepad opens. However, if I try to run notepad(for example for HJTlog) I get options for customizing windows for blind/deaf people. Sorry to blab on like this, here is latest HJT log. Thanks for the help. Logfile of HijackThis v1.98.2 Scan saved at 11:27:45 PM, on 10/27/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\winapa.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\ISP50\bin\bartshel.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\WINDOWS\System32\winser32.exe C:\PROGRA~1\ISP50\bin\ppshared.exe C:\WINDOWS\System32\mscom32.exe C:\WINDOWS\System32\winser32.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Win Comm\WinComm.exe C:\Program Files\Win Comm\WinLock.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe O4 - HKLM\..\Run: [Microsoft NotePad] notepad.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Windows32 Serivces] winser32.exe O4 - HKLM\..\Run: [Winamp media player] winapa.exe O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe O4 - HKLM\..\RunServices: [Windows32 Serivces] winser32.exe O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Microsoft Config 32bit] mscnfg32.exe O4 - HKCU\..\Run: [Microsoft Update Machine] svshost.exe O4 - HKCU\..\Run: [Window Monitor] winmon32.exe O4 - HKCU\..\Run: [Windows Dcom2 Fix] mscom32.exe O4 - HKCU\..\Run: [Winamp media player] winapa.exe O4 - HKCU\..\Run: [Windows32 Serivces] winser32.exe O4 - HKCU\..\RunServices: [Window Monitor] winmon32.exe O4 - HKCU\..\RunOnce: [Winamp media player] winapa.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ec58ff8178110e O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab