Multiple xp problems

galefly · 03-01-2006, 02:44 PM

New member.. first post
xp pro sp2

1. no print out of ie... print preview shows blank page
2. Only text emails will print out of Outlook
3. Search in "My computer" and Windows Explorer do not work
4. Windows media player will not open
5. Version does not show up in IE6 Help/About
6. Cannot get to Windows Update
7. Links out of IE fail to open
8. Windows help does not open

The list goes on. and on. Th problems are so varied that i feel that it must be malware. My guess is that

I have run virus scans, ad aware, spybot, sober removal tool, re-registered dll's, scanned, etc. and tried to reinstall IE6 but, even though i have gone into the registry and modified the "IsInstalled" the Dword, I still get the message that i have a newer version installed.

I may have to reinstall XP but would love to avoid it. This is a friend's business computer and i do not want to risk it.

thanks, g

03-01-2006, 03:00 PM

Welcome to TSF,

click here and follow the instructions for a clean up. Then post back with your remaining problems with the OS then we can try to find solutions for the corruptions might have been caused by malware.

Good Luck

galefly · 03-02-2006, 02:24 PM

1.Followed everything in instructions
2. avg anti-virus found a trojan but removed it
3. windows update will load but not execute in "safe mode with networking"
4. windows update will not load in "normal Mode"
5. None of the six online scans will work
6. nothing changed from original list in start of thread

many thanks for any help you guys can give me. i will following any instructions you may come up with

Logfile of HijackThis v1.99.1
Scan saved at 4:11:55 PM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\SysAgent\SysAgent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

~~whodat~~ · 03-02-2006, 02:27 PM

i moved you to the security people

galefly · 03-03-2006, 07:19 AM

I am new to the forum... does this transfer to "Security" mean that the thread remains intact or do i look elsewhere? I am in trouble with this problem. Thanks again. g

~~whodat~~ · 03-03-2006, 07:31 AM

its in the hyjack log section now

Ried · 03-03-2006, 09:21 AM

Hello galefly and welcome,

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

The following programs can be downloaded to a disc or other removable media and brought to this PC:

Download Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido. **Updates will transfer to removable media

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

---------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint
AWS (Weatherbug)

Run a scan in HijackThis. 'Check' each of the following if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

Click 'Fix Checked' and close HijackThis.

---------------------------

Wsing Windows Explorer, navigate to and delete the following Folders if they still exist.

C:\Program Files\ Viewpoint
C:\PROGRA~1\ AWS

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

---------------------------

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop

Close Ewido

---------------------------

Reboot into Normal Mode.

---------------------------

See if you can get an online scan:

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log and the results of the Ewido scan.

galefly · 03-03-2006, 02:43 PM

Reid, I followed your instructiions.. on the scan i failed to remove an "adware" entry... i was thinking about Lacasoft..
here is the report..

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:24:44 PM, 3/3/2006
+ Report-Checksum: 3DA557B9

+ Scan result:

HKLM\SOFTWARE\180solutions -> Adware.180Solutions : Ignored
HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100519.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100520.DLL -> Adware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100521.exe -> Adware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100522.exe -> Adware.Sqwire : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100523.dll -> Adware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100524.exe -> Adware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100525.exe -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100526.dll -> Adware.Xupiter : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100527.dll -> Adware.SQBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100528.dll -> Adware.SQBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup

::Report End

Hijack this report follows ..

Logfile of HijackThis v1.99.1
Scan saved at 4:42:19 PM, on 3/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\SysAgent\SysAgent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ried · 03-03-2006, 06:45 PM

Hi galefly,

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions.

You have 2 Anti-Virus programs running. (AVG and Symantec) While this may seem to be added protection for your system, it in fact can leave you more vulnerable because they will conflict with one another, as well as cause system instability. Please choose and run only 1.

I see you were previously infected with L2M. I would like to be certain all traces were removed.

Download L2mfix from one of these two locations:

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option # 1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Since you didnt' post a report from an online scan, I'm assuming you are still having browser problems. I'd like to try this tool and see what it can ferret out for us.

You can download this tool to any removable media and bring to this PC to install it. You will then have to update the definitions file. This should not be a problem as a browser is not needed for the updates to download.

Please download and install the trial version of Webroot SpySweeper (8.3MB) .

When SpySweeper starts, please accept any prompts to update definitions.
Configure it as follows:
*From the left pane, click Options
*Select the Sweep Options tab & ensure the following are ticked:
-Sweep Memory
-Sweep Registry
-Sweep Cookies
-Sweep All Users accounts
*Do Not Sweep System Restore Folder
*Enable Direct Disk Sweeping
*Sweep For Rootkits
After that's done, select Sweep from the left pane & click on the Start button

Allow Spysweeper to reboot your machine to remove the infected files.
*After rebooting, launch SpySweeper & select Results from the left pane
*Click the 'Session Log' tab & choose Save to File to create a log.

## IMPORTANT - do not use your computer as you scan.

Post that in your next reply along with a new HJT log and the log from the l2mfix. Also, please provide an update on how your system is performing.

galefly · 03-04-2006, 06:11 AM

Niel,

Thanks again

1. I installed AVG because something was wrong with Symantec and i

did not want to take the time to debug that proble with this other

hanging over my head. I am inclined to uninstall Symantec and stick

with AVG, it is simpler and trouble-free. Money is no object but i

a not sure that AVG is as good as AVG.

2. As I step along in your instructions I periodically check the

browser to see if a. the version shows up in "Help/About" and if

"Printpreview" shows something other than a blank page... no

change.

3. I did not run the online scan for the reason you guessed. the

browser would not perform the link.

4. This computer is unattended and physically unavailable to me but

I have online access via "LogMeIn". I see nothing in these latest

instructions to boot in "Safe Mode" so iI would guess that I can

perform these steps remotely. If I reboot and am not able to get

back to the PC it is no big deal. What do you think?

5. By the way, in your instructions to boot into safe mode is it

acceptable to boot "Safe Mode With Networking"?

6. I would surely like to understand what your are up to here... is

there any book or online help that I can use to educate me? I am

more of a programmer (ACCESS, et al) and networker than one who

gets into or enjoys this kind of work. If it were not a friend I

would not have taken it on. I am curious though.This is new to me.

I was unaware of "HiJack This" until i found this site.

I will await yur reply before I take this on remotely..

thanks again, gsf

Ried · 03-04-2006, 12:44 PM

Hi gsf,

AVG is a very good program. Myself and many other Security Analysts use it as well. You are correct that AVG is not the resource hog that Norton is.

Uninstall Symantec via the Add/Remove panel. Using Windows Explorer, navigate to and delete the following folders if they exist:

C:\Program Files\ Symantec
C:\Program Files\ LiveUpdate

What I am trying to do is ascertain whether the problems this machine is experiencing are due to OS problems or malware. I am looking for malware. Since we are limited by the instability of the browser, I am using other methods to try to see what may be going on with this system.

You can perform my previous instructions from Normal Mode. If Webroot hangs during it's scanning process, at that time you would want to scan from Safe Mode.

It is acceptable to enter Safe Mode with Networking, but bear in mind the Anti-Virus program will not be running to protect the system while online.

Another check you can do is to invoke Windows System File Checker:

Go to the Run box on the Start Menu and type in sfc /scannow (there is a space between sfc and /)

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. You would be prompted for the XP Install disc if any problems are found so, even if you are unable to carry out that step since you are working remotely, at least it would give you some insight into the issues you are facing.

Quote:

I would surely like to understand what your are up to here... is there any book or online help that I can use to educate me?

Feel free to join the Academy. It is a work at your own pace training.

galefly · 03-05-2006, 03:10 PM

Niel, (I think that i fianally have spelled your name

correctly)

1. Uninstalled Symantec Antivirus but could not delete the

folder because of other Symantec (Ghost, etc) in folder
2. Eliminated quarantined files with uninstall
3. Downloaded,installed, and ran Spysweeper without any

problems.
4 Spysweeper found 12 instances of spyware but would not allow

me to eliminate with trial version. I do not mind buying if you

think it best.. it found
a. 180searchassistant /zango
b. 2-nd thought
c. Kitten free sex dialer (I love this one <G>)
d. hotbar
e. sidesearch
f. squire webhelper
g. clipgenie
h. interads
i. mypcsearch
j. tvmedia
k. virtual bouncer
l. zesty find desktop links

5. Ran l2mfix but ran into a problem with a brief message

"system cannot find file specified". It ran VERY quickly and

produced the following log

L2MFIX find log 010406
These are the registry keys present
****************************************************************

******************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex

(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,

\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex

(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,

\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\LMIinit]
"Asynchronous"=dword:00000000
"DllName"=hex

(2):4c,00,4d,00,49,00,69,00,6e,00,69,00,74,00,2e,00,64,00,6c,00,

\
6c,00,00,00
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\PCANotify]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Unlock"="WLEventUnlock"
"Lock"="WLEventLock"
"Startup"="WLEventStartup"
"DllName"="PCANotify.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex

(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,

\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex

(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,

\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex

(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,

\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

****************************************************************

******************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\In

ternet Settings\User Agent\Post Platform]
"{9156F1C2-1E39-4E3F-A4DF-FAFD352BD1F7}"=""
"SV1"=""

****************************************************************

******************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Sh

ell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File

Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner

Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property

Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for

sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL

Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL

Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL

Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL

Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap

DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for

Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor

Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer

Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for

file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell

Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context

Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon

Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security

Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for

sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot

CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL

Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for

Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon

Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell

Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start

Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties

Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties

Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties

Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties

Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties

Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail

Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet

Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell

Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder

2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options

Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft

AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU

AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History

AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder

AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple

AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder

Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation

Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject

Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser

Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History

Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet

Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet

Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search

Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash

Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy

Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr

Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application

Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps

Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data

Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail

extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail

handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail

Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property

Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the

Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing

Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped)

Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped)

Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler

Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp

Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp

Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp

Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp

Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp

Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp

Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a

DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search

Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu

Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder

Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent

Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%

DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player

Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player

Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player

Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML

Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook

Custom Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}"="6 Months of AOL

Included"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell

Extension"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property

Sheet Extension"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{9A1BACB1-5A4A-43B5-8E27-DF70D1C59404}"=""
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and

Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions

Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager

Folder"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}"="Window Washer

Shredding Utility"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper

Context Menu Integration"

****************************************************************

******************
HKEY ROOT CLASSIDS:
****************************************************************

******************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
gdi32.dll Wed Dec 28 2005 8:54:36p A....

280,064 273.50 K
lmiinit.dll Thu Dec 15 2005 2:57:26p A....

10,472 10.23 K
lmimirr.dll Thu Dec 15 2005 2:57:28p A....

21,608 21.10 K
lmimirr2.dll Thu Dec 15 2005 2:57:28p A....

8,936 8.73 K
lmiport.dll Thu Dec 15 2005 2:57:30p A....

13,032 12.73 K
ractrl~1.dll Wed Dec 14 2005 3:54:20p A....

7,912 7.73 K
webclnt.dll Tue Jan 3 2006 9:35:06p A....

68,096 66.50 K
wmp.dll Mon Dec 19 2005 7:30:46p .....

4,730,880 4.51 M
wrlogo~1.dll Fri Feb 3 2006 3:00:00p A....

492,544 481.00 K
wrlzma.dll Fri Feb 3 2006 2:59:56p A....

17,920 17.50 K

10 items found: 10 files, 0 directories.
Total of file sizes: 5,651,464 bytes 5.39 M
Locate .tmp files:

No matches found.
****************************************************************

******************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is F402-A7A0

Directory of C:\WINDOWS\System32

03/01/2006 12:40 PM <DIR> DLLCACHE
02/24/2003 08:09 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 103,241,207,808 bytes free

6. Re-ran AVG ... no viruses detected.
7. Re-ran Lavasoft's Ad-Aware (nothing)
8. Re-ran Spybot (found "NewDotNet to be fixed on next reboot)
9. I think that i will take you up on the "Academy". I prefer

servers, networking, and application development but like to

know what is going on.. thanks for the information.
10. Now for the latest HiJackThis.. thanks again

Logfile of HijackThis v1.99.1
Scan saved at 5:02:47 PM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec\DeepSight

Extractor\ExtractorService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Symantec\Norton Ghost 2003

\GhostStartTrayApp.exe
C:\SysAgent\SysAgent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-

Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Microsoft

Shared\PhotoEd\PHOTOED.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\LogMeIn\LogMeIn.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-

D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI

Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program

Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program

Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program

Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program

Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program

Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-

Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-

Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program

Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1

\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy

Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot -

Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft

Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell

Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Window Washer] C:\Program

Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program

Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program

Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-

11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06

\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-

00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-

A9046DEA8A21} - C:\Program Files\Microsoft

Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110

-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpga: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7}

(BlueStream_Flash Class) -

http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}

(MiniBugTransporterX Class) -

http://wdownload.weatherbug.com/mini...AWS/MiniBugTra

nsporter.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance

Viewer Activex Control) -

https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-

B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32

\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32

\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT,

s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT,

s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec

Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: DeepSight Extractor CC Service

(ccExtractorService) - Unknown owner - C:\Program

Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) -

Unknown owner - C:\Program Files\Symantec\DeepSight

Extractor\ExtractorService.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation -

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc.

- C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am

Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program

Files\LogMeIn\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -

C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32

\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown

owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file

missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot

Software, Inc. - C:\Program Files\Webroot\Spy

Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\CCPD-

LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -

America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot

Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Ried · 03-05-2006, 04:06 PM

Hi gsf,

Quote:

Niel, (I think that i fianally have spelled your name correctly)

, you're close--it's Ried.

Quote:

Spysweeper found 12 instances of spyware but would not allow me to eliminate with trial version. I do not mind buying if you think it best..

Did you choose 'Launch the Diagnostic Version'? It should clean those for you even during the Trial phase. Webroot spySweeper is an excellent tool and one of the few that we feel is actually worth the money should you choose to buy it. All of those entries it found, need to go.

We really need an online scan here.

Download and install Mozilla FireFox and let's see if we can get on online scan done with Trend Europe

TrendMicro-Europe supports these browsers

* Microsoft Internet Explorer
* Netscape (6+)
* Mozilla (1+)
* Firefox (all)
* Opera (7.5+)

Save the log it produces and post it here along with the following:

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet, as it must be run in Safe Mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here.

galefly · 03-09-2006, 11:47 AM

RIED,

I regret not getting back to you as fast this time. I have had some problems scheduling time for physical access to the machine.

Everything seems to be unchanged.. IE still will not print and printpreview produces a blank page. The number of general functions affected by this problem is amazing to me... things that seem unrelated.

IE help/about is still missing the version information, no find function will work, even on this site i can not go to my posts (view posts) directly (FireFox works fine), email (html) will not print out of Outlook, etc, etc.

I continue to thank you much for your help.. I would never have taken this on if it were not a friend's problem.

!. RE-ran Spysweeper and here is the log.. SP told me that it had found a trojan hijacking IE but removed it. The log also contains the sunday log...

********
3:11 PM: | Start of Session, Wednesday, March 08, 2006 |
3:11 PM: Spy Sweeper started
3:11 PM: Sweep initiated using definitions version 629
3:11 PM: Starting Memory Sweep
3:17 PM: Memory Sweep Complete, Elapsed Time: 00

12
3:17 PM: Starting Registry Sweep
3:17 PM: Found Trojan Horse: 2nd-thought
3:17 PM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
3:17 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
3:17 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
3:17 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
3:17 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
3:17 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
3:17 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
3:17 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
3:17 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
3:17 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
3:17 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
3:17 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
3:17 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
3:17 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
3:17 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
3:17 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
3:17 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
3:17 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
3:17 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
3:17 PM: Found Trojan Horse: kitten free sex dialer
3:17 PM: HKLM\software\sds software\ (9 subtraces) (ID = 129640)
3:17 PM: Found Adware: 180search assistant/zango
3:17 PM: HKLM\software\180solutions\ (ID = 135618)
3:17 PM: Found Adware: virtualbouncer
3:17 PM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
3:17 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
3:17 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
3:17 PM: Found Adware: interads
3:17 PM: HKLM\software\interads\ (35456 subtraces) (ID = 645794)
3:17 PM: Found Adware: hotbar
3:17 PM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
3:17 PM: Found Adware: sidesearch
3:17 PM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
3:17 PM: Registry Sweep Complete, Elapsed Time:00:00:18
3:17 PM: Starting Cookie Sweep
3:17 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:17 PM: Starting File Sweep
3:17 PM: Found Adware: squire webhelper
3:17 PM: c:\program files\sqwire (3 subtraces) (ID = -2147480240)
3:17 PM: c:\program files\lycos\sidesearch (ID = -2147480322)
3:17 PM: Found Adware: clipgenie
3:17 PM: c:\program files\clipgenie (ID = -2147481243)
3:23 PM: Found Adware: mypcsearch
3:23 PM: mypcsearch.exe (ID = 70341)
3:32 PM: m.dat (ID = 76825)
3:36 PM: innervbinstall.log (ID = 82805)
3:41 PM: Found Adware: tvmedia
3:41 PM: tvmknwrd.dll (ID = 81726)
3:41 PM: Found Adware: zestyfind desktop links
3:41 PM: iconz.exe (ID = 119139)
3:47 PM: File Sweep Complete, Elapsed Time: 00:29:34
3:47 PM: Full Sweep has completed. Elapsed time 00:36:08
3:47 PM: Traces Found: 35675
3:48 PM: Removal process initiated
3:48 PM: Quarantining All Traces: 180search assistant/zango
3:48 PM: Quarantining All Traces: 2nd-thought
3:48 PM: Quarantining All Traces: kitten free sex dialer
3:48 PM: Quarantining All Traces: hotbar
3:48 PM: Quarantining All Traces: sidesearch
3:48 PM: Quarantining All Traces: squire webhelper
3:48 PM: Quarantining All Traces: clipgenie
3:48 PM: Quarantining All Traces: interads
3:49 PM: Quarantining All Traces: mypcsearch
3:49 PM: Quarantining All Traces: tvmedia
3:49 PM: Quarantining All Traces: virtualbouncer
3:49 PM: Quarantining All Traces: zestyfind desktop links
3:50 PM: Removal process completed. Elapsed time 00:01:32
********
2:52 PM: | Start of Session, Wednesday, March 08, 2006 |
2:52 PM: Spy Sweeper started
2:52 PM: Sweep initiated using definitions version 629
2:52 PM: Starting Memory Sweep
2:59 PM: Memory Sweep Complete, Elapsed Time: 00

29
2:59 PM: Starting Registry Sweep
2:59 PM: Found Trojan Horse: 2nd-thought
2:59 PM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
2:59 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
2:59 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
2:59 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
2:59 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
2:59 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
2:59 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
2:59 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
2:59 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
2:59 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
2:59 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
2:59 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
2:59 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
2:59 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
2:59 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
2:59 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
2:59 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
2:59 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
2:59 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
2:59 PM: Found Trojan Horse: kitten free sex dialer
2:59 PM: HKLM\software\sds software\ (9 subtraces) (ID = 129640)
2:59 PM: Found Adware: 180search assistant/zango
2:59 PM: HKLM\software\180solutions\ (ID = 135618)
2:59 PM: Found Adware: virtualbouncer
2:59 PM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
2:59 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
2:59 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
2:59 PM: Found Adware: interads
2:59 PM: HKLM\software\interads\ (35456 subtraces) (ID = 645794)
2:59 PM: Found Adware: hotbar
2:59 PM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
2:59 PM: Found Adware: sidesearch
2:59 PM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
2:59 PM: Registry Sweep Complete, Elapsed Time:00:00:19
2:59 PM: Starting Cookie Sweep
2:59 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:59 PM: Starting File Sweep
2:59 PM: Found Adware: squire webhelper
2:59 PM: c:\program files\sqwire (3 subtraces) (ID = -2147480240)
2:59 PM: c:\program files\lycos\sidesearch (ID = -2147480322)
2:59 PM: Found Adware: clipgenie
2:59 PM: c:\program files\clipgenie (ID = -2147481243)
3:07 PM: Found Adware: mypcsearch
3:07 PM: mypcsearch.exe (ID = 70341)
3:09 PM: Sweep Canceled
3:09 PM: File Sweep Complete, Elapsed Time: 00:10:07
3:09 PM: Traces Found: 35671
3:11 PM: | End of Session, Wednesday, March 08, 2006 |
********
10:11 PM: | Start of Session, Monday, March 06, 2006 |
10:11 PM: Spy Sweeper started
10:11 PM: Sweep initiated using definitions version 625
10:11 PM: Starting Memory Sweep
10:16 PM: Memory Sweep Complete, Elapsed Time: 00:05:02
10:16 PM: Starting Registry Sweep
10:16 PM: Found Trojan Horse: 2nd-thought
10:16 PM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
10:16 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
10:16 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
10:16 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
10:16 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
10:16 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
10:16 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
10:16 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
10:16 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
10:16 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
10:16 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
10:16 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
10:16 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
10:16 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
10:16 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
10:16 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
10:16 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
10:16 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
10:16 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
10:17 PM: Found Trojan Horse: kitten free sex dialer
10:17 PM: HKLM\software\sds software\ (9 subtraces) (ID = 129640)
10:17 PM: Found Adware: 180search assistant/zango
10:17 PM: HKLM\software\180solutions\ (ID = 135618)
10:17 PM: Found Adware: virtualbouncer
10:17 PM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
10:17 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
10:17 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
10:17 PM: Found Adware: interads
10:17 PM: HKLM\software\interads\ (35456 subtraces) (ID = 645794)
10:17 PM: Found Adware: hotbar
10:17 PM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
10:17 PM: Found Adware: sidesearch
10:17 PM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:17 PM: Registry Sweep Complete, Elapsed Time:00:00:29
10:17 PM: Starting Cookie Sweep
10:17 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:17 PM: Starting File Sweep
10:17 PM: Found Adware: squire webhelper
10:17 PM: c:\program files\sqwire (3 subtraces) (ID = -2147480240)
10:17 PM: Found Adware: clipgenie
10:17 PM: c:\program files\clipgenie (ID = -2147481243)
10:17 PM: c:\program files\lycos\sidesearch (ID = -2147480322)
10:25 PM: Found Adware: mypcsearch
10:25 PM: mypcsearch.exe (ID = 70341)
10:36 PM: m.dat (ID = 76825)
10:41 PM: innervbinstall.log (ID = 82805)
10:46 PM: Found Adware: tvmedia
10:46 PM: tvmknwrd.dll (ID = 81726)
10:46 PM: Found Adware: zestyfind desktop links
10:46 PM: iconz.exe (ID = 119139)
10:53 PM: File Sweep Complete, Elapsed Time: 00:35:50
10:53 PM: Full Sweep has completed. Elapsed time 00:41:27
10:53 PM: Traces Found: 35675
2:50 PM: Your spyware definitions have been updated.
2:52 PM: Updating spyware definitions
2:52 PM: Your definitions are up to date.
2:52 PM: | End of Session, Wednesday, March 08, 2006 |
********
2:00 AM: | Start of Session, Monday, March 06, 2006 |
2:00 AM: Spy Sweeper started
2:00 AM: Sweep initiated using definitions version 625
2:00 AM: Starting Memory Sweep
2:15 AM: Memory Sweep Complete, Elapsed Time: 00:15:47
2:15 AM: Starting Registry Sweep
2:15 AM: Found Trojan Horse: 2nd-thought
2:15 AM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
2:15 AM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
2:15 AM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
2:15 AM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
2:15 AM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
2:15 AM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
2:15 AM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
2:15 AM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
2:15 AM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
2:15 AM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
2:15 AM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
2:15 AM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
2:15 AM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
2:15 AM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
2:15 AM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
2:15 AM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
2:15 AM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
2:15 AM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
2:15 AM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
2:16 AM: Found Trojan Horse: kitten free sex dialer
2:16 AM: HKLM\software\sds software\ (9 subtraces) (ID = 129640)
2:16 AM: Found Adware: 180search assistant/zango
2:16 AM: HKLM\software\180solutions\ (ID = 135618)
2:16 AM: Found Adware: virtualbouncer
2:16 AM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
2:16 AM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
2:16 AM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
2:16 AM: Found Adware: interads
2:16 AM: HKLM\software\interads\ (35456 subtraces) (ID = 645794)
2:16 AM: Found Adware: hotbar
2:16 AM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
2:16 AM: Found Adware: sidesearch
2:16 AM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
2:16 AM: Registry Sweep Complete, Elapsed Time:00:00:41
2:16 AM: Starting Cookie Sweep
2:16 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:16 AM: Starting File Sweep
2:16 AM: c:\program files\lycos\sidesearch (ID = -2147480322)
2:16 AM: Found Adware: squire webhelper
2:16 AM: c:\program files\sqwire (3 subtraces) (ID = -2147480240)
2:16 AM: Found Adware: clipgenie
2:16 AM: c:\program files\clipgenie (ID = -2147481243)
2:23 AM: Found Adware: mypcsearch
2:23 AM: mypcsearch.exe (ID = 70341)
2:36 AM: m.dat (ID = 76825)
2:40 AM: innervbinstall.log (ID = 82805)
2:45 AM: Found Adware: zestyfind desktop links
2:45 AM: iconz.exe (ID = 119139)
2:45 AM: Found Adware: tvmedia
2:45 AM: tvmknwrd.dll (ID = 81726)
2:53 AM: File Sweep Complete, Elapsed Time: 00:37:16
2:53 AM: Full Sweep has completed. Elapsed time 00:53:52
2:53 AM: Traces Found: 35675
********
9:01 PM: | Start of Session, Sunday, March 05, 2006 |
9:01 PM: Spy Sweeper started
9:01 PM: Sweep initiated using definitions version 625
9:01 PM: Starting Memory Sweep
9:03 PM: Sweep Canceled
9:03 PM: Memory Sweep Complete, Elapsed Time: 00:01:16
9:03 PM: Traces Found: 0
2:00 AM: A scheduled sweep will now start.
2:00 AM: | End of Session, Monday, March 06, 2006 |
********
10:16 AM: | Start of Session, Sunday, March 05, 2006 |
10:16 AM: Spy Sweeper started
10:16 AM: Sweep initiated using definitions version 625
10:16 AM: Starting Memory Sweep
10:25 AM: Memory Sweep Complete, Elapsed Time: 00:09:10
10:25 AM: Starting Registry Sweep
10:25 AM: Found Trojan Horse: 2nd-thought
10:25 AM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
10:25 AM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
10:25 AM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
10:25 AM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
10:25 AM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
10:25 AM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
10:25 AM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
10:25 AM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
10:25 AM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
10:25 AM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
10:25 AM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
10:25 AM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
10:25 AM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
10:25 AM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
10:25 AM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
10:25 AM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
10:25 AM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
10:25 AM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
10:25 AM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
10:25 AM: Found Trojan Horse: kitten free sex dialer
10:25 AM: HKLM\software\sds software\ (9 subtraces) (ID = 129640)
10:25 AM: Found Adware: 180search assistant/zango
10:25 AM: HKLM\software\180solutions\ (ID = 135618)
10:25 AM: Found Adware: virtualbouncer
10:25 AM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
10:25 AM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
10:25 AM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
10:25 AM: Found Adware: interads
10:25 AM: HKLM\software\interads\ (35456 subtraces) (ID = 645794)
10:25 AM: Found Adware: hotbar
10:25 AM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
10:25 AM: Found Adware: sidesearch
10:25 AM: HKU\S-1-5-21-2818146379-640212105-3790383986-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:26 AM: Registry Sweep Complete, Elapsed Time:00:00:21
10:26 AM: Starting Cookie Sweep
10:26 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:26 AM: Starting File Sweep
10:26 AM: Found Adware: squire webhelper
10:26 AM: c:\program files\sqwire (3 subtraces) (ID = -2147480240)
10:26 AM: c:\program files\lycos\sidesearch (ID = -2147480322)
10:26 AM: Found Adware: clipgenie
10:26 AM: c:\program files\clipgenie (ID = -2147481243)
10:32 AM: Found Adware: mypcsearch
10:32 AM: mypcsearch.exe (ID = 70341)
10:42 AM: m.dat (ID = 76825)
10:47 AM: innervbinstall.log (ID = 82805)
10:50 AM: Found Adware: tvmedia
10:50 AM: tvmknwrd.dll (ID = 81726)
10:50 AM: Found Adware: zestyfind desktop links
10:50 AM: iconz.exe (ID = 119139)
10:58 AM: File Sweep Complete, Elapsed Time: 00:32:16
10:58 AM: Full Sweep has completed. Elapsed time 00:41:52
10:58 AM: Traces Found: 35675
9:01 PM: | End of Session, Sunday, March 05, 2006 |
********
10:12 AM: | Start of Session, Sunday, March 05, 2006 |
10:12 AM: Spy Sweeper started
10:13 AM: Your spyware definitions have been updated.
10:16 AM: | End of Session, Sunday, March 05, 2006R

I ran the trend online scan and did not get a log as far as I can tell but it did produce the following advisory which i have copy/pasted...

(MS05-004) ASP.NET Path Validation Vulnerability (887219)

Vulnerability Identifier: CAN-2004-0847
Discovery Date: Feb 8, 2005
Risk: Important
Vulnerability Assessment Pattern File: 023
Affected Software:

* Microsoft .NET Framework 1.0
* Microsoft .NET Framework 1.1

Description:

A canonicalization vulnerability exists in ASP.NET, which could allow a malicious user to access secure and protected files. The security mechanisms of an ASP.NET Web site can be bypassed to allow the malicious user unauthorized access.

Patch Information:

http://www.microsoft.com/technet/sec.../MS05-004.mspx

Workaround Fixes:

* Apply the mitigation code module discussed in Microsoft Knowledge Base Article 887289. The mitigation code module provides protection on a server-basis.

* Make the following changes in the GLOBAL.ASAX file in the application root directory for each application on an affected system as an alternative to installing the module on a per-application basis:

<script runat=server language=cs>
void Application_BeginRequest(object src, EventArgs e)
{ if (Request.Path.IndexOf('\\') >= 0 || System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) { throw new HttpException(404, "not found"); }}
</script>

* Install and use URLScan to help protect systems against a large number of issues stemming from improperly formed URL requests, including the publicly described issues addressed by this bulletin. Note however that URLScan does not protect your system as comprehensively as either the mitigation code module or the GLOBAL.ASAX script.

More information on URLScan is available in the following page: http://www.microsoft.com/windows2000...an/default.asp

Search for another Security Advisory
Keyword:

Tell us how we did. Take our quick survey.

Email this page Rate this page

*****WinPFind.exe Log for today

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 3/2/2006 7:15:02 AM 27262976 C:\VIRTPART.DAT

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 7/25/2005 1

20 AM 58368 C:\WINDOWS\Unwash6.exe

Checking %System% folder...
PEC2 8/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
UPX! 1/13/2005 9:41:48 PM 11254 C:\WINDOWS\SYSTEM32\locate.com
PECompact2 2/7/2006 11:23:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2/7/2006 11:23:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 1/20/2005 1:47:50 PM 175616 C:\WINDOWS\SYSTEM32\strings.exe
winsync 8/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
UPX! 3/2/2006 1:22:14 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 3/2/2006 1:22:14 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 3/2/2006 1:22:14 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 3/2/2006 1:22:14 PM 752608 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
3/9/2006 1:16:38 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
2/8/2006 7:07:02 AM H 54156 C:\WINDOWS\QTFont.qfn
3/9/2006 1:16:42 PM S 64 C:\WINDOWS\CSC\00000001
1/13/2006 1:28:32 PM S 10925 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
3/9/2006 1:17:00 PM H 12288 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
3/9/2006 1:17:02 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
3/9/2006 1:16:40 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
3/9/2006 1:17:02 PM H 94208 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
3/9/2006 1:17:04 PM H 163840 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
2/20/2006 5:16:56 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
3/1/2006 2:26:40 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\0bfe5c87-d7e5-4726-8389-64eaf8a5f705
3/1/2006 2:26:40 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
3/9/2006 1:15:56 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 2/24/2003 8:46:28 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Intel Corporation 11/8/2002 3:40:46 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
Apple Computer, Inc. 9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\DLLCACHE\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\DLLCACHE\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\DLLCACHE\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\DLLCACHE\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\DLLCACHE\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\DLLCACHE\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\DLLCACHE\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\DLLCACHE\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\DLLCACHE\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\DLLCACHE\mmsys.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\DLLCACHE\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\DLLCACHE\nusrmgr.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\DLLCACHE\nwc.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\DLLCACHE\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\DLLCACHE\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155648 C:\WINDOWS\SYSTEM32\DLLCACHE\sapi.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\DLLCACHE\sysdm.cpl
Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\DLLCACHE\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\DLLCACHE\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
3/31/2003 11:38:28 AM 933 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
9/3/2002 1:36:04 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
6/25/2004 4:30:16 PM 1561 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 1:26:20 PM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 1:36:04 PM HS 84 C:\Documents and Settings\Brenda\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
9/3/2002 1:26:20 PM HS 62 C:\Documents and Settings\Brenda\Application Data\DESKTOP.INI
3/27/2003 10:36:18 AM 0 C:\Documents and Settings\Brenda\Application Data\dm.ini
12/19/2005 5:19:44 PM 75808 C:\Documents and Settings\Brenda\Application Data\GDIPFONTCACHEV1.DAT
8/2/2004 4:23:50 PM 56 C:\Documents and Settings\Brenda\Application Data\tvmcwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{9A1BACB1-5A4A-43B5-8E27-DF70D1C59404} =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Washer
{6EE51AA0-77A0-11D7-B4E1-000347126E46} = C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
MoneySide = C:\Program Files\Microsoft Money\System\mnyviewer.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}
&Discuss = shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
zBrowser Launcher C:\Program Files\Logitech\iTouch\iTouch.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
GhostStartTrayApp C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
SysAgent C:\SysAgent\SysAgent.exe
RealTray C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mmtask C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
StatusClient 2.6 C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
TomcatStartup 2.5 C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
LogMeIn GUI "C:\Program Files\LogMeIn\LogMeInSystray.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Window Washer C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 7.0 Tray Icon
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 7.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup C:\WINDOWS\pss\Billminder.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\billmind.exe -startup
item Billminder
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup C:\WINDOWS\pss\Billminder.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\billmind.exe -startup
item Billminder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Qshelf.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Qshelf.lnk
backup C:\WINDOWS\pss\Qshelf.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MI50D7~1\BOOKSH~1\qshelf98.exe
item Qshelf
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Qshelf.lnk
backup C:\WINDOWS\pss\Qshelf.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MI50D7~1\BOOKSH~1\qshelf98.exe
item Qshelf

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Intuit\QUICKB~1\QBUpdate\qbupdate.exe
item QuickBooks Update Agent
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Intuit\QUICKB~1\QBUpdate\qbupdate.exe
item QuickBooks Update Agent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\bagent.exe
item Quicken Scheduled Updates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\QWDLLS.EXE
item Quicken Startup
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Quicken\QWDLLS.EXE
item Quicken Startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DirectCD
hkey HKLM
command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIModeChange
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Ati2mdxx
hkey HKLM
command Ati2mdxx.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccApp
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccRegVfy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccRegVfy
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ccRegVfy
hkey HKLM
command "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDSentry
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSentry
hkey HKLM
command C:\WINDOWS\System32\DSentry.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DSentry
hkey HKLM
command C:\WINDOWS\System32\DSentry.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EM_EXEC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EM_EXEC
hkey HKLM
command C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EM_EXEC
hkey HKLM
command C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GhostStartTrayApp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GhostStartTrayApp
hkey HKLM
command C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item GhostStartTrayApp
hkey HKLM
command C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoneyStartUp10.0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Activation
hkey HKLM
command "C:\Program Files\Microsoft Money\System\Activation.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Activation
hkey HKLM
command "C:\Program Files\Microsoft Money\System\Activation.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NAV CfgWiz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CfgWiz
hkey HKLM
command "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item CfgWiz
hkey HKLM
command "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TV Media
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Tvm
hkey HKLM
command C:\Program Files\TV Media\Tvm.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Tvm
hkey HKLM
command C:\Program Files\TV Media\Tvm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit
= LMIinit.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify
= PCANotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/9/2006 1:24:43 PM

**** HiJackThis
Logfile of HijackThis v1.99.1
Scan saved at 1:31:53 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\SysAgent\SysAgent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\HPBPRO.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

|

Ried · 03-10-2006, 04:49 AM

Hi,

Reboot into Safe Mode.

Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to the following key and delete the file/folder/entry I highlighted in RED

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved]
{9A1BACB1-5A4A-43B5-8E27-DF70D1C59404} =

If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

-------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if it exists:

TV Media

-------------------------

Using Windows Explorer, navigate to and delete the following folder:

C:\Program Files\ TV Media

-------------------------

Reboot into Normal Mode.

-------------------------

If IE still is not working properly, let's try this:

Copy/Paste the following below into Wordpad...

rem Script used to manually reregister Internet Explorer and Shell related *.dlls
rem Also included the Digital Signing and Cryptographic Provider *. dlls if needed
rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\System32\dacui.dll
rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\Catroot\icatalog.mdb
rem regsvr32 setupwbv.dll /s
rem regsvr32 wininet.dll /s
regsvr32 comcat.dll /s
regsvr32 CSSEQCHK.DLL /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browsewm.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
rem regsvr32 mshtml.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
rem regsvr32 comctl32.dll /i /s
rem regsvr32 inetcpl.cpl /i /s
rem regsvr32 mshtml.dll /i /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
rem regsvr32 proctexe.ocx mshta.exe /register /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
rem regsvr32 triedit.dll /s
rem regsvr32 dhtmled.ocx /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s
rem regsvr32 hmmapi.dll /s
regsvr32 cryptdlg.dll /s
regsvr32 actxprxy.dll /s
regsvr32 dispex.dll /s
regsvr32 occache.dll /s
regsvr32 occache.dll /i /s
regsvr32 iepeers.dll /s
rem regsvr32 wininet.dll /i /s
regsvr32 urlmon.dll /i /s
rem regsvr32 digest.dll /i /s
regsvr32 cdfview.dll /s
regsvr32 webcheck.dll /s
regsvr32 mobsync.dll /s
regsvr32 pngfilt.dll /s
regsvr32 licmgr10.dll /s
regsvr32 icmfilter.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 inetcfg.dll /s
rem regsvr32 trialoc.dll /s
regsvr32 tdc.ocx /s
regsvr32 MSR2C.DLL /s
regsvr32 msident.dll /s
regsvr32 msieftp.dll /s
regsvr32 xmsconf.ocx /s
regsvr32 ils.dll /s
regsvr32 msoeacct.dll /s
rem regsvr32 wab32.dll /s
rem regsvr32 wabimp.dll /s
rem regsvr32 wabfind.dll /s
rem regsvr32 oemiglib.dll /s
rem regsvr32 directdb.dll /s
regsvr32 inetcomm.dll /s
rem regsvr32 msoe.dll /s
rem regsvr32 oeimport.dll /s
regsvr32 msdxm.ocx /s
regsvr32 dxmasf.dll /s
rem regsvr32 laprxy.dll /s
regsvr32 l3codecx.ax /s
regsvr32 acelpdec.ax /s
regsvr32 mpg4ds32.ax /s
regsvr32 voxmsdec.ax /s
regsvr32 danim.dll /s
regsvr32 Daxctle.ocx /s
regsvr32 lmrt.dll /s
regsvr32 datime.dll /s
regsvr32 dxtrans.dll /s
regsvr32 dxtmsft.dll /s
rem regsvr32 vgx.dll /s
regsvr32 WEBPOST.DLL /s
regsvr32 WPWIZDLL.DLL /s
regsvr32 POSTWPP.DLL /s
regsvr32 CRSWPP.DLL /s
regsvr32 FTPWPP.DLL /s
regsvr32 FPWPP.DLL /s
rem regsvr32 FLUPL.OCX /s
regsvr32 wshom.ocx /s
regsvr32 wshext.dll /s
regsvr32 vbscript.dll /s
regsvr32 scrrun.dll mstinit.exe /setup /s
regsvr32 msnsspc.dll /SspcCreateSspiReg /s
regsvr32 msapsspc.dll /SspcCreateSspiReg /s
regsvr32 licdll.dll /s
regsvr32 regwizc.dll /s
regsvr32 softpub.dll /s
regsvr32 IEDKCS32.DLL /s
regsvr32 MSTIME.DLL /s
regsvr32 WINTRUST.DLL /s
regsvr32 INITPKI.DLL /s
regsvr32 DSSENH.DLL /s
regsvr32 RSAENH.DLL /s
regsvr32 CRYPTDLG.DLL /s
regsvr32 Gpkcsp.dll /s
regsvr32 Sccbase.dll /s
regsvr32 Slbcsp.dll /s
exit
Save the file as "All Filetypes" and name it fixie.bat

Make sure IE is closed and double click on fixie.bat to run the file.

Reboot the system.

-------------------------

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
Please copy and past the List from the notebook here.

Please let me know if TVMedia was not found in the Add/Remove and how the system is performing.

galefly · 03-15-2006, 08:56 AM

Ried,

I am not dragging my feet on this project but a combination of family illness and difficulty in getting access to the problem PC has slowed me down a bit.

I am trying to get to it early tomorrow morning. I thought of a symptom that i may not have conveyed to you... In "Control Panel/Users" there are no users displayed and I see not way to get to the funtion.

A question about AVG while I think about it... are some of your friends using the free version or a paid-for version in lieu of one of the major brands?

By the way, do you have a feel for how close we may be?

Webroot sent the following email message yesterday ....

date/time : 2006-03-15, 06:48:30, 468ms
computer name : BRENDAX
user name : SYSTEM
operating system : Windows XP Service Pack 2 build 2600
system language : English
system up time : 4 days 23 hours
program up time : 4 days 23 hours
processor : Intel(R) Pentium(R) 4 CPU 2.40GHz
physical memory : 279/511 MB (free/total)
free disk space : (C:) 95.59 GB
display mode : 1024x768, 32 bit
process id : $d8
allocated memory : 14.84 MB
executable : WRSSSDK.exe
exec. date/time : 2006-01-25 11:05
version : 2.0.9.509
madExcept version : 2.7g
exception class : EAccessViolation
exception message : Access violation at address 005524DC in module 'WRSSSDK.exe'. Read of address 00000034.

thread $b03c:
005524dc WRSSSDK.exe ShieldIEFavorites 123 TShieldIEFavorites.ActivateShield
0052d864 WRSSSDK.exe Shield 97 TShield.SetActive
0057ab26 WRSSSDK.exe IEFavoritesShield 74 TIEFavoritesShield.Set_Active
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $8288 at:
77e8760d RPCRT4.dll

main thread ($e8):
7c90eb94 ntdll.dll KiFastSystemCallRet
77d49416 user32.dll WaitMessage
00487c00 WRSSSDK.exe Forms TApplication.Idle
00487257 WRSSSDK.exe Forms TApplication.HandleMessage
0048ad13 WRSSSDK.exe SvcMgr TServiceApplication.Run
0058ba5c WRSSSDK.exe WRSSSDK 282 initialization

thread $174 (TCSIDLRefreshThread):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
004cfab2 WRSSSDK.exe CSIDLRefreshThread 90 TCSIDLRefreshThread.Execute
0042c59e WRSSSDK.exe madExcept HookedTThreadExecute
0044bfec WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by main thread ($e8) at:
004cf9cc WRSSSDK.exe CSIDLRefreshThread 56 TCSIDLRefreshThread.Create

thread $1b0 (TDirectoryWatcher):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9a9 ntdll.dll NtWaitForMultipleObjects
7c8094ec kernel32.dll WaitForMultipleObjectsEx
7c809c81 kernel32.dll WaitForMultipleObjects
00514356 WRSSSDK.exe Watcher 141 TCustomWatcher.WaitForEvent
005143eb WRSSSDK.exe Watcher 164 TCustomWatcher.Execute
0042c59e WRSSSDK.exe madExcept HookedTThreadExecute
0044bfec WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by main thread ($e8) at:
00514160 WRSSSDK.exe Watcher 72 TCustomWatcher.Create

thread $1c4 (TSpyDriverThread): <priority:2>
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90d85a ntdll.dll NtDelayExecution
7c8023e7 kernel32.dll SleepEx
7c80244c kernel32.dll Sleep
0053687d WRSSSDK.exe SpyDriver 536 TSpyDriverThread.Execute
00480057 WRSSSDK.exe Forms TCustomForm.DoDestroy
0042c59e WRSSSDK.exe madExcept HookedTThreadExecute
0044bfec WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by main thread ($e8) at:
00536713 WRSSSDK.exe SpyDriver 488 TSpyDriverThread.Create

thread $1c8 (TWinlogonMgr):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
00538a49 WRSSSDK.exe WinlogonNotifierMgr 251 TWinlogonMgr.Execute
0042c59e WRSSSDK.exe madExcept HookedTThreadExecute
0044bfec WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by main thread ($e8) at:
00538776 WRSSSDK.exe WinlogonNotifierMgr 190 TWinlogonMgr.Create

thread $1cc (TServiceStartThread):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e286 ntdll.dll NtReadFile
7c80186f kernel32.dll ReadFile
77e37dc7 advapi32.dll StartServiceCtrlDispatcherA
0048ab4f WRSSSDK.exe SvcMgr TServiceStartThread.Execute
0042c59e WRSSSDK.exe madExcept HookedTThreadExecute
0044bfec WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by main thread ($e8) at:
0048aae7 WRSSSDK.exe SvcMgr TServiceStartThread.Create

thread $1d0:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025d5 kernel32.dll WaitForSingleObjectEx
7c80253d kernel32.dll WaitForSingleObject
0044c524 WRSSSDK.exe Classes TThread.WaitFor
0048a021 WRSSSDK.exe SvcMgr TService.DoStart
00489f50 WRSSSDK.exe SvcMgr TService.Main
0048a433 WRSSSDK.exe SvcMgr TServiceApplication.DispatchServiceMain
0048a252 WRSSSDK.exe SvcMgr ServiceMain
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $1cc (TServiceStartThread) at:
77deb355 advapi32.dll

thread $1d4 (TServiceThread):
7c90eb94 ntdll.dll KiFastSystemCallRet
77d5107d user32.dll GetMessageA
004897bb WRSSSDK.exe SvcMgr TServiceThread.ProcessRequests
0049fe67 WRSSSDK.exe WRSSSDKService 132 TsvcWRSSSDK.ServiceExecute
0048962b WRSSSDK.exe SvcMgr TServiceThread.Execute
0042c59e WRSSSDK.exe madExcept HookedTThreadExecute
0044bfec WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $1d0 at:
0048953b WRSSSDK.exe SvcMgr TServiceThread.Create

thread $be4:
7c90eb94 ntdll.dll KiFastSystemCallRet
77d491ec user32.dll GetMessageW
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $b04 at:
7750cc4a ole32.dll

thread $8288:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90d85a ntdll.dll NtDelayExecution
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $b20c at:
77e8760d RPCRT4.dll

thread $ab4c:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90d85a ntdll.dll NtDelayExecution
7c8023e7 kernel32.dll SleepEx
7c80244c kernel32.dll Sleep
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $8288 at:
7750cc4a ole32.dll

thread $b160:
>> stack not accessible

thread $b08c:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e397 ntdll.dll NtReplyWaitReceivePortEx
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $b03c at:
77e8760d RPCRT4.dll

thread $ad50:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e397 ntdll.dll NtReplyWaitReceivePortEx
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $b08c at:
77e8760d RPCRT4.dll

thread $b238:
>> stack not accessible

thread $b144 (TDirectoryWatcher):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9a9 ntdll.dll NtWaitForMultipleObjects
7c8094ec kernel32.dll WaitForMultipleObjectsEx
7c809c81 kernel32.dll WaitForMultipleObjects
00514356 WRSSSDK.exe Watcher 141 TCustomWatcher.WaitForEvent
005143eb WRSSSDK.exe Watcher 164 TCustomWatcher.Execute
0042c59e WRSSSDK.exe madExcept HookedTThreadExecute
0044bfec WRSSSDK.exe Classes ThreadProc
00404b58 WRSSSDK.exe System ThreadWrapper
0042c533 WRSSSDK.exe madExcept ThreadExceptFrame
>> created by thread $b03c at:
00514160 WRSSSDK.exe Watcher 72 TCustomWatcher.Create

modules:
00400000 WRSSSDK.exe 2.0.9.509 C:\Program Files\Webroot\Spy Sweeper
20000000 xpsp2res.dll 5.1.2600.2180 C:\WINDOWS\system32
5ad60000 vdmdbg.dll 5.1.2600.2180 C:\WINDOWS\system32
5ad70000 uxtheme.dll 6.0.2900.2180 C:\WINDOWS\system32
5b860000 NETAPI32.dll 5.1.2600.2180 C:\WINDOWS\system32
5d090000 comctl32.dll 5.82.2900.2180 C:\WINDOWS\system32
5edd0000 olepro32.dll 5.1.2600.2180 C:\WINDOWS\system32
629c0000 LPK.DLL 5.1.2600.2180 C:\WINDOWS\system32
71aa0000 WS2HELP.dll 5.1.2600.2180 C:\WINDOWS\system32
71ab0000 WS2_32.dll 5.1.2600.2180 C:\WINDOWS\system32
71ad0000 wsock32.dll 5.1.2600.2180 C:\WINDOWS\system32
71b20000 mpr.dll 5.1.2600.2180 C:\WINDOWS\system32
71bf0000 SAMLIB.dll 5.1.2600.2180 C:\WINDOWS\System32
71c10000 ntlanman.dll 5.1.2600.2180 C:\WINDOWS\System32
71c80000 NETRAP.dll 5.1.2600.2180 C:\WINDOWS\System32
71c90000 NETUI1.dll 5.1.2600.2180 C:\WINDOWS\System32
71cd0000 NETUI0.dll 5.1.2600.2180 C:\WINDOWS\System32
745e0000 msi.dll 3.1.4000.2435 C:\WINDOWS\system32
74d90000 USP10.dll 1.420.2600.2180 C:\WINDOWS\system32
754d0000 CRYPTUI.dll 5.131.2600.2180 C:\WINDOWS\system32
75e90000 SXS.DLL 5.1.2600.2180 C:\WINDOWS\system32
75f60000 drprov.dll 5.1.2600.2180 C:\WINDOWS\System32
75f70000 davclnt.dll 5.1.2600.2180 C:\WINDOWS\System32
76390000 IMM32.DLL 5.1.2600.2180 C:\WINDOWS\system32
763b0000 comdlg32.dll 6.0.2900.2180 C:\WINDOWS\system32
769c0000 USERENV.dll 5.1.2600.2180 C:\WINDOWS\system32
76bf0000 PSAPI.dll 5.1.2600.2180 C:\WINDOWS\system32
76c30000 WINTRUST.dll 5.131.2600.2180 C:\WINDOWS\system32
76c90000 IMAGEHLP.DLL 5.1.2600.2180 C:\WINDOWS\system32
76d60000 iphlpapi.dll 5.1.2600.2180 C:\WINDOWS\system32
76f20000 dnsapi.dll 5.1.2600.2180 C:\WINDOWS\system32
76f60000 WLDAP32.dll 5.1.2600.2180 C:\WINDOWS\system32
76fd0000 CLBCATQ.DLL 2001.12.4414.308 C:\WINDOWS\system32
77050000 COMRes.dll 2001.12.4414.258 C:\WINDOWS\system32
77120000 oleaut32.dll 5.1.2600.2180 C:\WINDOWS\system32
771b0000 wininet.dll 6.0.2900.2781 C:\WINDOWS\system32
773d0000 comctl32.dll 6.0.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9

774e0000 ole32.dll 5.1.2600.2726 C:\WINDOWS\system32
77760000 shdocvw.dll 6.0.2900.2805 C:\WINDOWS\system32
77920000 SETUPAPI.dll 5.1.2600.2180 C:\WINDOWS\system32
77a80000 CRYPT32.dll 5.131.2600.2180 C:\WINDOWS\system32
77b20000 MSASN1.dll 5.1.2600.2180 C:\WINDOWS\system32
77c00000 version.dll 5.1.2600.2180 C:\WINDOWS\system32
77c10000 msvcrt.dll 7.0.2600.2180 C:\WINDOWS\system32
77d40000 user32.dll 5.1.2600.2622 C:\WINDOWS\system32
77dd0000 advapi32.dll 5.1.2600.2180 C:\WINDOWS\system32
77e70000 RPCRT4.dll 5.1.2600.2180 C:\WINDOWS\system32
77f10000 GDI32.dll 5.1.2600.2818 C:\WINDOWS\system32
77f60000 SHLWAPI.dll 6.0.2900.2781 C:\WINDOWS\system32
77fe0000 Secur32.dll 5.1.2600.2180 C:\WINDOWS\system32
7c800000 kernel32.dll 5.1.2600.2180 C:\WINDOWS\system32
7c900000 ntdll.dll 5.1.2600.2180 C:\WINDOWS\system32
7c9c0000 shell32.dll 6.0.2900.2763 C:\WINDOWS\system32

hardware:
+ Computer
- ACPI Uniprocessor PC
+ Disk drives
- MAXTOR 6L040J2
- WDC WD1200JB-75CRA0
+ Display adapters
- LogMeIn Mirror Driver (driver 6.0.436.0)
- RADEON 9500 PRO / 9700 Family (Microsoft Corporation) (driver 6.14.10.6462)
- RADEON 9500 PRO / 9700 SEC Family (Microsoft Corporation) (driver 6.14.10.6462)
+ DVD/CD-ROM drives
- SAMSUNG CD-R/RW SW-248F
- SAMSUNG DVD-ROM SD-616T
+ Floppy disk controllers
- Standard floppy disk controller
+ Floppy disk drives
- Floppy disk drive
+ Human Interface Devices
- Logitech Cordless USB Mouse (driver 9.42.0.0)
+ IDE ATA/ATAPI controllers
- Intel(r) 82801BA Bus Master IDE Controller
- Primary IDE Channel
- Secondary IDE Channel
+ Imaging devices
- EPSON Perfection2400 #4 (driver 5.6.0.0)
+ Keyboards
- Easy Internet Keyboard (driver 1.80.0.0)
+ Mice and other pointing devices
- HID-compliant Cordless Mouse (driver 9.42.0.0)
+ Modems
- Conexant SmartHSFi V92 56K Speakerphone PCI Modem (driver 5.3.29.1)
+ Monitors
- Plug and Play Monitor
+ Network adapters
- Intel(R) PRO/100 M Network Connection (driver 6.1.3.10)
+ Ports (COM

Ried · 03-15-2006, 08:04 PM

Hi galefly,

I'll have a better idea of where we are with this after you carry out my previous instructions and get back to me.

Have you tried Start>Run> and copy/paste sfc /scannow to check for system errors yet?

galefly · 03-16-2006, 08:40 AM

Ried,

1. I could find no sign of TV Media (including folder)
2. Re0ran sfc /scannow to be double sure... nothing to report
3. Did the regedit task with no trouble
4. Problems still existed so i ran fixie.bat
5. I checked for problems and things seem to be fixed. I will continue to check
6. I have some short questions about what happened here and how were they detected; and about the "Academy". Are these questions more appropriate as a private email?

Report from Hijackthis follows..

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
Adobe Photoshop Elements
Adobe SVG Viewer
America Online
ATI Control Panel
ATI Display Driver
Autodesk MapGuide(R) Viewer ActiveX Control Release 6
AVG Free Edition
Bejeweled 2 Deluxe 1.0
Belarc Advisor 7.0
ccCommon
Classic PhoneTools
CleanUp!
Conexant SmartHSFi V92 56K DF PCI Modem
DeepSight Extractor
Dell Digital Jukebox Driver
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
Dell Support 5.0.0 (766)
Digital Line Detect
DVDSentry
Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
Easy CD Creator 5 Basic
EPSON Copy Utility
EPSON Photo Print
EPSON Scanner Reference Guide
EPSON Smart Panel
EPSON TWAIN 5
ewido anti-malware
Google Earth
HijackThis 1.99.1
HP Color LaserJet 3550
hp LaserJet 4200 Uninstaller
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
iTunes
J2SE Runtime Environment 5.0 Update 6
Karen's Replicator
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 2.0 (Symantec Corporation)
Logitech iTouch Software
LogMeIn
Lookout
LSIAmortization
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft Bookshelf 1998 (Remove ONLY)
Microsoft Data Access Components KB870669
Microsoft Expedia Streets 98
Microsoft Interactive Training
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Modem Helper
MouseWare 9.41 .3
Mozilla Firefox (1.5.0.1)
MUSICMATCH® Jukebox
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus SYMLT MSI
Norton Ghost
Paint Shop Pro 7
Pdf995
PdfEdit995
Photo Finale
PowerDVD
PowerQuest Drive Image 2002
PowerQuest PartitionMagic 8.0
QuickBooks Basic Edition 2003
Quicken 2003 Basic
QuickTime
Radio@Netscape Plus
RealPlayer Basic
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Spy Sweeper
Spybot - Search & Destroy 1.4
Symantec
Symantec pcAnywhere
System Agent
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
USB MassStorage CardReader
Volo View Express
Weight Commander 8.0
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
Word Slinger

Full HiJackThis follows...

Logfile of HijackThis v1.99.1
Scan saved at 10:32:29 AM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\SysAgent\SysAgent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ried · 03-16-2006, 10:29 AM

Hi,

Since TVMedia is not in the Add/Remove, we have a bit more to do as I saw remnants of this program in the WinPFind log earlier.

Right click on this link http://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it to the desktop. Now run that program and do a search for each of the following:

TV Media
tvmedia

Save the file/files and post them in your next reply.

-----------------------

Now that you have browser access, let's see if anything else is lurking about:

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.

Click on see report. Then click Save report

Please post that log in your next reply as well.

To answer your previous question about AVG Free, most of us do use the free version, along with additional layered protection (i.e. Spybot, AdAware and a few others I will give you links to), and find it to be most effective.

Quote:

I have some short questions about what happened here and how were they detected; and about the "Academy". Are these questions more appropriate as a private email?

Your questions may be short, but the answers can be quite involved.

The first step in how they were detected is to enroll in the Academy. Other portions of detection and resolution are based on experience.

galefly · 03-16-2006, 05:33 PM

1. Found the following instances of TV Media, found none for

tvmedia

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "TV Media" 3/16/2006

6:17:34 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want

to refer to it again later.
; (If you save the file with a .reg extension, you can use it to

restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared

Tools\MSConfig\startupreg\TV Media]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared

Tools\MSConfig\startupreg\TV Media]
"command"="C:\\Program Files\\TV Media\\Tvm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ap

p Management\ARPCache\TV Media]

2. Panda scan results...

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "TV Media" 3/16/2006

6:17:34 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want

to refer to it again later.
; (If you save the file with a .reg extension, you can use it to

restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared

Tools\MSConfig\startupreg\TV Media]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared

Tools\MSConfig\startupreg\TV Media]
"command"="C:\\Program Files\\TV Media\\Tvm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ap

p Management\ARPCache\TV Media]

3. Ried, I had no intention asking for of an extended dialog or

lesson on the solution recap of this problem. I can appreciate

why that would be inappropriate. I was looking for a short

paragraph. But i see that that is also an imposition.

Thanks, gsf

03-01-2006, 02:44 PM	#1 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	Multiple xp problems New member.. first post xp pro sp2 1. no print out of ie... print preview shows blank page 2. Only text emails will print out of Outlook 3. Search in "My computer" and Windows Explorer do not work 4. Windows media player will not open 5. Version does not show up in IE6 Help/About 6. Cannot get to Windows Update 7. Links out of IE fail to open 8. Windows help does not open The list goes on. and on. Th problems are so varied that i feel that it must be malware. My guess is that I have run virus scans, ad aware, spybot, sober removal tool, re-registered dll's, scanned, etc. and tried to reinstall IE6 but, even though i have gone into the registry and modified the "IsInstalled" the Dword, I still get the message that i have a newer version installed. I may have to reinstall XP but would love to avoid it. This is a friend's business computer and i do not want to risk it. thanks, g

03-02-2006, 02:24 PM	#3 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	Multiple XP Problems 1.Followed everything in instructions 2. avg anti-virus found a trojan but removed it 3. windows update will load but not execute in "safe mode with networking" 4. windows update will not load in "normal Mode" 5. None of the six online scans will work 6. nothing changed from original list in start of thread many thanks for any help you guys can give me. i will following any instructions you may come up with Logfile of HijackThis v1.99.1 Scan saved at 4:11:55 PM, on 3/2/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Symantec\pcAnywhere\awhost32.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE C:\Program Files\LogMeIn\RaMaint.exe C:\Program Files\LogMeIn\LogMeIn.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\SysAgent\SysAgent.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\LogMeIn\LogMeInSystray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\cidaemon.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU) O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab? O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235 O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

03-03-2006, 09:21 AM	#7 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,952 OS: WinXP and Vista	Hello galefly and welcome, Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. The following programs can be downloaded to a disc or other removable media and brought to this PC: Download Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Updates will transfer to removable media The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. --------------------------- Go to My Computer->Tools->Folder Options->View** tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. --------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Viewpoint AWS (Weatherbug) Run a scan in HijackThis. 'Check' each of the following if they still exist: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU) Click 'Fix Checked' and close HijackThis. --------------------------- Wsing Windows Explorer, navigate to and delete the following Folders if they still exist. C:\Program Files\ Viewpoint C:\PROGRA~1\ AWS --------------------------- Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" *Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility --------------------------- Run Ewido: Click on scanner Click on Complete System Scan and the scan will begin. NOTE: During some scans with ewido it is finding cases of false positives. You will need to step through the process of cleaning files one-by-one. If ewido detects a file you KNOW to be legitimate, select none as the action. DO NOT select "Perform action on all infections" If you are unsure of any entry found select none for now. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop Close Ewido --------------------------- Reboot into Normal Mode. --------------------------- See if you can get an online scan: Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report Please post that log in your next reply along with a new HijackThis log and the results of the Ewido scan. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

03-03-2006, 06:45 PM	#9 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,952 OS: WinXP and Vista	Hi galefly, Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. You have 2 Anti-Virus programs running. (AVG and Symantec) While this may seem to be added protection for your system, it in fact can leave you more vulnerable because they will conflict with one another, as well as cause system instability. Please choose and run only 1. I see you were previously infected with L2M. I would like to be certain all traces were removed. Download L2mfix from one of these two locations: http://www.downloads.subratam.org/l2mfix.exe http://www.atribune.org/downloads/l2mfix.exe Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option # 1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread. IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! Since you didnt' post a report from an online scan, I'm assuming you are still having browser problems. I'd like to try this tool and see what it can ferret out for us. You can download this tool to any removable media and bring to this PC to install it. You will then have to update the definitions file. This should not be a problem as a browser is not needed for the updates to download. Please download and install the trial version of Webroot SpySweeper (8.3MB) . When SpySweeper starts, please accept any prompts to update definitions. Configure it as follows: From the left pane, click Options Select the Sweep Options tab & ensure the following are ticked: -Sweep Memory -Sweep Registry -Sweep Cookies -Sweep All Users accounts *Do Not Sweep System Restore Folder *Enable Direct Disk Sweeping *Sweep For Rootkits After that's done, select *Sweep* from the left pane & click on the *Start* button Allow Spysweeper to reboot your machine to remove the infected files. After rebooting, launch SpySweeper* & select Results from the left pane Click the 'Session Log'* tab & choose Save to File to create a log. ## IMPORTANT - do not use your computer as you scan. Post that in your next reply along with a new HJT log and the log from the l2mfix. Also, please provide an update on how your system is performing. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

03-04-2006, 06:11 AM	#10 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	Sat morning 030406 Niel, Thanks again 1. I installed AVG because something was wrong with Symantec and i did not want to take the time to debug that proble with this other hanging over my head. I am inclined to uninstall Symantec and stick with AVG, it is simpler and trouble-free. Money is no object but i a not sure that AVG is as good as AVG. 2. As I step along in your instructions I periodically check the browser to see if a. the version shows up in "Help/About" and if "Printpreview" shows something other than a blank page... no change. 3. I did not run the online scan for the reason you guessed. the browser would not perform the link. 4. This computer is unattended and physically unavailable to me but I have online access via "LogMeIn". I see nothing in these latest instructions to boot in "Safe Mode" so iI would guess that I can perform these steps remotely. If I reboot and am not able to get back to the PC it is no big deal. What do you think? 5. By the way, in your instructions to boot into safe mode is it acceptable to boot "Safe Mode With Networking"? 6. I would surely like to understand what your are up to here... is there any book or online help that I can use to educate me? I am more of a programmer (ACCESS, et al) and networker than one who gets into or enjoys this kind of work. If it were not a friend I would not have taken it on. I am curious though.This is new to me. I was unaware of "HiJack This" until i found this site. I will await yur reply before I take this on remotely.. thanks again, gsf

03-01-2006, 03:00 PM	#2 (permalink)
PurpleSky Guest Posts: n/a OS:	Welcome to TSF, click here and follow the instructions for a clean up. Then post back with your remaining problems with the OS then we can try to find solutions for the corruptions might have been caused by malware. Good Luck

03-02-2006, 02:27 PM	#4 (permalink)
~~whodat~~ Register user Join Date: Mar 2005 Posts: 5,931 OS: XP	i moved you to the security people

03-03-2006, 07:19 AM	#5 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	I am new to the forum... does this transfer to "Security" mean that the thread remains intact or do i look elsewhere? I am in trouble with this problem. Thanks again. g

03-03-2006, 07:31 AM	#6 (permalink)
~~whodat~~ Register user Join Date: Mar 2005 Posts: 5,931 OS: XP	its in the hyjack log section now

03-03-2006, 02:43 PM	#8 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	Reid, I followed your instructiions.. on the scan i failed to remove an "adware" entry... i was thinking about Lacasoft.. here is the report.. --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 4:24:44 PM, 3/3/2006 + Report-Checksum: 3DA557B9 + Scan result: HKLM\SOFTWARE\180solutions -> Adware.180Solutions : Ignored HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100519.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100520.DLL -> Adware.SmartPops : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100521.exe -> Adware.SmartPops : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100522.exe -> Adware.Sqwire : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100523.dll -> Adware.BookedSpace : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100524.exe -> Adware.BiSpy : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100525.exe -> Adware.Look2Me : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100526.dll -> Adware.Xupiter : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100527.dll -> Adware.SQBar : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0100528.dll -> Adware.SQBar : Cleaned with backup C:\WINDOWS\SYSTEM32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup ::Report End Hijack this report follows .. Logfile of HijackThis v1.99.1 Scan saved at 4:42:19 PM, on 3/3/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Symantec\pcAnywhere\awhost32.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE C:\Program Files\LogMeIn\RaMaint.exe C:\Program Files\LogMeIn\LogMeIn.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\SysAgent\SysAgent.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\LogMeIn\LogMeInSystray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\HJT\HijackThis.exe C:\WINDOWS\system32\HPBPRO.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab? O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235 O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing) O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

03-10-2006, 04:49 AM	#15 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,952 OS: WinXP and Vista	Hi, Reboot into Safe Mode. Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to the following key and delete the file/folder/entry I highlighted in RED [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Shell Extensions\Approved] {9A1BACB1-5A4A-43B5-8E27-DF70D1C59404} = If the above registry key is giving you problems deleting, right click on it and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. ------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if it exists: TV Media ------------------------- Using Windows Explorer, navigate to and delete the following folder: C:\Program Files\ TV Media ------------------------- Reboot into Normal Mode. ------------------------- If IE still is not working properly, let's try this: Copy/Paste the following below into Wordpad... rem Script used to manually reregister Internet Explorer and Shell related .dlls rem Also included the Digital Signing and Cryptographic Provider . dlls if needed rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\System32\dacui.dll rem rundll32.exe advpack.dll /DelNodeRunDLL32 C:\WINNT\Catroot\icatalog.mdb rem regsvr32 setupwbv.dll /s rem regsvr32 wininet.dll /s regsvr32 comcat.dll /s regsvr32 CSSEQCHK.DLL /s regsvr32 shdoc401.dll /s regsvr32 shdoc401.dll /i /s regsvr32 asctrls.ocx /s regsvr32 oleaut32.dll /s regsvr32 shdocvw.dll /I /s regsvr32 shdocvw.dll /s regsvr32 browseui.dll /s regsvr32 browsewm.dll /s regsvr32 browseui.dll /I /s regsvr32 msrating.dll /s regsvr32 mlang.dll /s regsvr32 hlink.dll /s rem regsvr32 mshtml.dll /s regsvr32 mshtmled.dll /s regsvr32 urlmon.dll /s regsvr32 plugin.ocx /s regsvr32 sendmail.dll /s rem regsvr32 comctl32.dll /i /s rem regsvr32 inetcpl.cpl /i /s rem regsvr32 mshtml.dll /i /s regsvr32 scrobj.dll /s regsvr32 mmefxe.ocx /s rem regsvr32 proctexe.ocx mshta.exe /register /s regsvr32 corpol.dll /s regsvr32 jscript.dll /s regsvr32 msxml.dll /s regsvr32 imgutil.dll /s regsvr32 thumbvw.dll /s regsvr32 cryptext.dll /s regsvr32 rsabase.dll /s rem regsvr32 triedit.dll /s rem regsvr32 dhtmled.ocx /s regsvr32 inseng.dll /s regsvr32 iesetup.dll /i /s rem regsvr32 hmmapi.dll /s regsvr32 cryptdlg.dll /s regsvr32 actxprxy.dll /s regsvr32 dispex.dll /s regsvr32 occache.dll /s regsvr32 occache.dll /i /s regsvr32 iepeers.dll /s rem regsvr32 wininet.dll /i /s regsvr32 urlmon.dll /i /s rem regsvr32 digest.dll /i /s regsvr32 cdfview.dll /s regsvr32 webcheck.dll /s regsvr32 mobsync.dll /s regsvr32 pngfilt.dll /s regsvr32 licmgr10.dll /s regsvr32 icmfilter.dll /s regsvr32 hhctrl.ocx /s regsvr32 inetcfg.dll /s rem regsvr32 trialoc.dll /s regsvr32 tdc.ocx /s regsvr32 MSR2C.DLL /s regsvr32 msident.dll /s regsvr32 msieftp.dll /s regsvr32 xmsconf.ocx /s regsvr32 ils.dll /s regsvr32 msoeacct.dll /s rem regsvr32 wab32.dll /s rem regsvr32 wabimp.dll /s rem regsvr32 wabfind.dll /s rem regsvr32 oemiglib.dll /s rem regsvr32 directdb.dll /s regsvr32 inetcomm.dll /s rem regsvr32 msoe.dll /s rem regsvr32 oeimport.dll /s regsvr32 msdxm.ocx /s regsvr32 dxmasf.dll /s rem regsvr32 laprxy.dll /s regsvr32 l3codecx.ax /s regsvr32 acelpdec.ax /s regsvr32 mpg4ds32.ax /s regsvr32 voxmsdec.ax /s regsvr32 danim.dll /s regsvr32 Daxctle.ocx /s regsvr32 lmrt.dll /s regsvr32 datime.dll /s regsvr32 dxtrans.dll /s regsvr32 dxtmsft.dll /s rem regsvr32 vgx.dll /s regsvr32 WEBPOST.DLL /s regsvr32 WPWIZDLL.DLL /s regsvr32 POSTWPP.DLL /s regsvr32 CRSWPP.DLL /s regsvr32 FTPWPP.DLL /s regsvr32 FPWPP.DLL /s rem regsvr32 FLUPL.OCX /s regsvr32 wshom.ocx /s regsvr32 wshext.dll /s regsvr32 vbscript.dll /s regsvr32 scrrun.dll mstinit.exe /setup /s regsvr32 msnsspc.dll /SspcCreateSspiReg /s regsvr32 msapsspc.dll /SspcCreateSspiReg /s regsvr32 licdll.dll /s regsvr32 regwizc.dll /s regsvr32 softpub.dll /s regsvr32 IEDKCS32.DLL /s regsvr32 MSTIME.DLL /s regsvr32 WINTRUST.DLL /s regsvr32 INITPKI.DLL /s regsvr32 DSSENH.DLL /s regsvr32 RSAENH.DLL /s regsvr32 CRYPTDLG.DLL /s regsvr32 Gpkcsp.dll /s regsvr32 Sccbase.dll /s regsvr32 Slbcsp.dll /s exit Save the file as "All Filetypes" and name it fixie.bat Make sure IE is closed and double click on fixie.bat to run the file. Reboot the system. ------------------------- Open HijackThis Click on the "Configure" button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" Please copy and past the List from the notebook here. Please let me know if TVMedia was not found in the Add/Remove and how the system is performing. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

03-15-2006, 08:56 AM	#16 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	Ried, I am not dragging my feet on this project but a combination of family illness and difficulty in getting access to the problem PC has slowed me down a bit. I am trying to get to it early tomorrow morning. I thought of a symptom that i may not have conveyed to you... In "Control Panel/Users" there are no users displayed and I see not way to get to the funtion. A question about AVG while I think about it... are some of your friends using the free version or a paid-for version in lieu of one of the major brands? By the way, do you have a feel for how close we may be? Webroot sent the following email message yesterday .... date/time : 2006-03-15, 06:48:30, 468ms computer name : BRENDAX user name : SYSTEM operating system : Windows XP Service Pack 2 build 2600 system language : English system up time : 4 days 23 hours program up time : 4 days 23 hours processor : Intel(R) Pentium(R) 4 CPU 2.40GHz physical memory : 279/511 MB (free/total) free disk space : (C:) 95.59 GB display mode : 1024x768, 32 bit process id : $d8 allocated memory : 14.84 MB executable : WRSSSDK.exe exec. date/time : 2006-01-25 11:05 version : 2.0.9.509 madExcept version : 2.7g exception class : EAccessViolation exception message : Access violation at address 005524DC in module 'WRSSSDK.exe'. Read of address 00000034. thread $b03c: 005524dc WRSSSDK.exe ShieldIEFavorites 123 TShieldIEFavorites.ActivateShield 0052d864 WRSSSDK.exe Shield 97 TShield.SetActive 0057ab26 WRSSSDK.exe IEFavoritesShield 74 TIEFavoritesShield.Set_Active 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $8288 at: 77e8760d RPCRT4.dll main thread ($e8): 7c90eb94 ntdll.dll KiFastSystemCallRet 77d49416 user32.dll WaitMessage 00487c00 WRSSSDK.exe Forms TApplication.Idle 00487257 WRSSSDK.exe Forms TApplication.HandleMessage 0048ad13 WRSSSDK.exe SvcMgr TServiceApplication.Run 0058ba5c WRSSSDK.exe WRSSSDK 282 initialization thread $174 (TCSIDLRefreshThread): 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e9be ntdll.dll NtWaitForSingleObject 7c8025d5 kernel32.dll WaitForSingleObjectEx 7c80253d kernel32.dll WaitForSingleObject 004cfab2 WRSSSDK.exe CSIDLRefreshThread 90 TCSIDLRefreshThread.Execute 0042c59e WRSSSDK.exe madExcept HookedTThreadExecute 0044bfec WRSSSDK.exe Classes ThreadProc 00404b58 WRSSSDK.exe System ThreadWrapper 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by main thread ($e8) at: 004cf9cc WRSSSDK.exe CSIDLRefreshThread 56 TCSIDLRefreshThread.Create thread $1b0 (TDirectoryWatcher): 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e9a9 ntdll.dll NtWaitForMultipleObjects 7c8094ec kernel32.dll WaitForMultipleObjectsEx 7c809c81 kernel32.dll WaitForMultipleObjects 00514356 WRSSSDK.exe Watcher 141 TCustomWatcher.WaitForEvent 005143eb WRSSSDK.exe Watcher 164 TCustomWatcher.Execute 0042c59e WRSSSDK.exe madExcept HookedTThreadExecute 0044bfec WRSSSDK.exe Classes ThreadProc 00404b58 WRSSSDK.exe System ThreadWrapper 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by main thread ($e8) at: 00514160 WRSSSDK.exe Watcher 72 TCustomWatcher.Create thread $1c4 (TSpyDriverThread): <priority:2> 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90d85a ntdll.dll NtDelayExecution 7c8023e7 kernel32.dll SleepEx 7c80244c kernel32.dll Sleep 0053687d WRSSSDK.exe SpyDriver 536 TSpyDriverThread.Execute 00480057 WRSSSDK.exe Forms TCustomForm.DoDestroy 0042c59e WRSSSDK.exe madExcept HookedTThreadExecute 0044bfec WRSSSDK.exe Classes ThreadProc 00404b58 WRSSSDK.exe System ThreadWrapper 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by main thread ($e8) at: 00536713 WRSSSDK.exe SpyDriver 488 TSpyDriverThread.Create thread $1c8 (TWinlogonMgr): 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e9be ntdll.dll NtWaitForSingleObject 7c8025d5 kernel32.dll WaitForSingleObjectEx 7c80253d kernel32.dll WaitForSingleObject 00538a49 WRSSSDK.exe WinlogonNotifierMgr 251 TWinlogonMgr.Execute 0042c59e WRSSSDK.exe madExcept HookedTThreadExecute 0044bfec WRSSSDK.exe Classes ThreadProc 00404b58 WRSSSDK.exe System ThreadWrapper 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by main thread ($e8) at: 00538776 WRSSSDK.exe WinlogonNotifierMgr 190 TWinlogonMgr.Create thread $1cc (TServiceStartThread): 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e286 ntdll.dll NtReadFile 7c80186f kernel32.dll ReadFile 77e37dc7 advapi32.dll StartServiceCtrlDispatcherA 0048ab4f WRSSSDK.exe SvcMgr TServiceStartThread.Execute 0042c59e WRSSSDK.exe madExcept HookedTThreadExecute 0044bfec WRSSSDK.exe Classes ThreadProc 00404b58 WRSSSDK.exe System ThreadWrapper 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by main thread ($e8) at: 0048aae7 WRSSSDK.exe SvcMgr TServiceStartThread.Create thread $1d0: 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e9be ntdll.dll NtWaitForSingleObject 7c8025d5 kernel32.dll WaitForSingleObjectEx 7c80253d kernel32.dll WaitForSingleObject 0044c524 WRSSSDK.exe Classes TThread.WaitFor 0048a021 WRSSSDK.exe SvcMgr TService.DoStart 00489f50 WRSSSDK.exe SvcMgr TService.Main 0048a433 WRSSSDK.exe SvcMgr TServiceApplication.DispatchServiceMain 0048a252 WRSSSDK.exe SvcMgr ServiceMain 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $1cc (TServiceStartThread) at: 77deb355 advapi32.dll thread $1d4 (TServiceThread): 7c90eb94 ntdll.dll KiFastSystemCallRet 77d5107d user32.dll GetMessageA 004897bb WRSSSDK.exe SvcMgr TServiceThread.ProcessRequests 0049fe67 WRSSSDK.exe WRSSSDKService 132 TsvcWRSSSDK.ServiceExecute 0048962b WRSSSDK.exe SvcMgr TServiceThread.Execute 0042c59e WRSSSDK.exe madExcept HookedTThreadExecute 0044bfec WRSSSDK.exe Classes ThreadProc 00404b58 WRSSSDK.exe System ThreadWrapper 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $1d0 at: 0048953b WRSSSDK.exe SvcMgr TServiceThread.Create thread $be4: 7c90eb94 ntdll.dll KiFastSystemCallRet 77d491ec user32.dll GetMessageW 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $b04 at: 7750cc4a ole32.dll thread $8288: 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90d85a ntdll.dll NtDelayExecution 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $b20c at: 77e8760d RPCRT4.dll thread $ab4c: 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90d85a ntdll.dll NtDelayExecution 7c8023e7 kernel32.dll SleepEx 7c80244c kernel32.dll Sleep 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $8288 at: 7750cc4a ole32.dll thread $b160: >> stack not accessible thread $b08c: 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e397 ntdll.dll NtReplyWaitReceivePortEx 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $b03c at: 77e8760d RPCRT4.dll thread $ad50: 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e397 ntdll.dll NtReplyWaitReceivePortEx 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $b08c at: 77e8760d RPCRT4.dll thread $b238: >> stack not accessible thread $b144 (TDirectoryWatcher): 7c90eb94 ntdll.dll KiFastSystemCallRet 7c90e9a9 ntdll.dll NtWaitForMultipleObjects 7c8094ec kernel32.dll WaitForMultipleObjectsEx 7c809c81 kernel32.dll WaitForMultipleObjects 00514356 WRSSSDK.exe Watcher 141 TCustomWatcher.WaitForEvent 005143eb WRSSSDK.exe Watcher 164 TCustomWatcher.Execute 0042c59e WRSSSDK.exe madExcept HookedTThreadExecute 0044bfec WRSSSDK.exe Classes ThreadProc 00404b58 WRSSSDK.exe System ThreadWrapper 0042c533 WRSSSDK.exe madExcept ThreadExceptFrame >> created by thread $b03c at: 00514160 WRSSSDK.exe Watcher 72 TCustomWatcher.Create modules: 00400000 WRSSSDK.exe 2.0.9.509 C:\Program Files\Webroot\Spy Sweeper 20000000 xpsp2res.dll 5.1.2600.2180 C:\WINDOWS\system32 5ad60000 vdmdbg.dll 5.1.2600.2180 C:\WINDOWS\system32 5ad70000 uxtheme.dll 6.0.2900.2180 C:\WINDOWS\system32 5b860000 NETAPI32.dll 5.1.2600.2180 C:\WINDOWS\system32 5d090000 comctl32.dll 5.82.2900.2180 C:\WINDOWS\system32 5edd0000 olepro32.dll 5.1.2600.2180 C:\WINDOWS\system32 629c0000 LPK.DLL 5.1.2600.2180 C:\WINDOWS\system32 71aa0000 WS2HELP.dll 5.1.2600.2180 C:\WINDOWS\system32 71ab0000 WS2_32.dll 5.1.2600.2180 C:\WINDOWS\system32 71ad0000 wsock32.dll 5.1.2600.2180 C:\WINDOWS\system32 71b20000 mpr.dll 5.1.2600.2180 C:\WINDOWS\system32 71bf0000 SAMLIB.dll 5.1.2600.2180 C:\WINDOWS\System32 71c10000 ntlanman.dll 5.1.2600.2180 C:\WINDOWS\System32 71c80000 NETRAP.dll 5.1.2600.2180 C:\WINDOWS\System32 71c90000 NETUI1.dll 5.1.2600.2180 C:\WINDOWS\System32 71cd0000 NETUI0.dll 5.1.2600.2180 C:\WINDOWS\System32 745e0000 msi.dll 3.1.4000.2435 C:\WINDOWS\system32 74d90000 USP10.dll 1.420.2600.2180 C:\WINDOWS\system32 754d0000 CRYPTUI.dll 5.131.2600.2180 C:\WINDOWS\system32 75e90000 SXS.DLL 5.1.2600.2180 C:\WINDOWS\system32 75f60000 drprov.dll 5.1.2600.2180 C:\WINDOWS\System32 75f70000 davclnt.dll 5.1.2600.2180 C:\WINDOWS\System32 76390000 IMM32.DLL 5.1.2600.2180 C:\WINDOWS\system32 763b0000 comdlg32.dll 6.0.2900.2180 C:\WINDOWS\system32 769c0000 USERENV.dll 5.1.2600.2180 C:\WINDOWS\system32 76bf0000 PSAPI.dll 5.1.2600.2180 C:\WINDOWS\system32 76c30000 WINTRUST.dll 5.131.2600.2180 C:\WINDOWS\system32 76c90000 IMAGEHLP.DLL 5.1.2600.2180 C:\WINDOWS\system32 76d60000 iphlpapi.dll 5.1.2600.2180 C:\WINDOWS\system32 76f20000 dnsapi.dll 5.1.2600.2180 C:\WINDOWS\system32 76f60000 WLDAP32.dll 5.1.2600.2180 C:\WINDOWS\system32 76fd0000 CLBCATQ.DLL 2001.12.4414.308 C:\WINDOWS\system32 77050000 COMRes.dll 2001.12.4414.258 C:\WINDOWS\system32 77120000 oleaut32.dll 5.1.2600.2180 C:\WINDOWS\system32 771b0000 wininet.dll 6.0.2900.2781 C:\WINDOWS\system32 773d0000 comctl32.dll 6.0.2900.2180 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9 774e0000 ole32.dll 5.1.2600.2726 C:\WINDOWS\system32 77760000 shdocvw.dll 6.0.2900.2805 C:\WINDOWS\system32 77920000 SETUPAPI.dll 5.1.2600.2180 C:\WINDOWS\system32 77a80000 CRYPT32.dll 5.131.2600.2180 C:\WINDOWS\system32 77b20000 MSASN1.dll 5.1.2600.2180 C:\WINDOWS\system32 77c00000 version.dll 5.1.2600.2180 C:\WINDOWS\system32 77c10000 msvcrt.dll 7.0.2600.2180 C:\WINDOWS\system32 77d40000 user32.dll 5.1.2600.2622 C:\WINDOWS\system32 77dd0000 advapi32.dll 5.1.2600.2180 C:\WINDOWS\system32 77e70000 RPCRT4.dll 5.1.2600.2180 C:\WINDOWS\system32 77f10000 GDI32.dll 5.1.2600.2818 C:\WINDOWS\system32 77f60000 SHLWAPI.dll 6.0.2900.2781 C:\WINDOWS\system32 77fe0000 Secur32.dll 5.1.2600.2180 C:\WINDOWS\system32 7c800000 kernel32.dll 5.1.2600.2180 C:\WINDOWS\system32 7c900000 ntdll.dll 5.1.2600.2180 C:\WINDOWS\system32 7c9c0000 shell32.dll 6.0.2900.2763 C:\WINDOWS\system32 hardware: + Computer - ACPI Uniprocessor PC + Disk drives - MAXTOR 6L040J2 - WDC WD1200JB-75CRA0 + Display adapters - LogMeIn Mirror Driver (driver 6.0.436.0) - RADEON 9500 PRO / 9700 Family (Microsoft Corporation) (driver 6.14.10.6462) - RADEON 9500 PRO / 9700 SEC Family (Microsoft Corporation) (driver 6.14.10.6462) + DVD/CD-ROM drives - SAMSUNG CD-R/RW SW-248F - SAMSUNG DVD-ROM SD-616T + Floppy disk controllers - Standard floppy disk controller + Floppy disk drives - Floppy disk drive + Human Interface Devices - Logitech Cordless USB Mouse (driver 9.42.0.0) + IDE ATA/ATAPI controllers - Intel(r) 82801BA Bus Master IDE Controller - Primary IDE Channel - Secondary IDE Channel + Imaging devices - EPSON Perfection2400 #4 (driver 5.6.0.0) + Keyboards - Easy Internet Keyboard (driver 1.80.0.0) + Mice and other pointing devices - HID-compliant Cordless Mouse (driver 9.42.0.0) + Modems - Conexant SmartHSFi V92 56K Speakerphone PCI Modem (driver 5.3.29.1) + Monitors - Plug and Play Monitor + Network adapters - Intel(R) PRO/100 M Network Connection (driver 6.1.3.10) + Ports (COM

03-15-2006, 08:04 PM	#17 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,952 OS: WinXP and Vista	Hi galefly, I'll have a better idea of where we are with this after you carry out my previous instructions and get back to me. Have you tried Start>Run> and copy/paste sfc /scannow to check for system errors yet? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

03-16-2006, 08:40 AM	#18 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	Ried, 1. I could find no sign of TV Media (including folder) 2. Re0ran sfc /scannow to be double sure... nothing to report 3. Did the regedit task with no trouble 4. Problems still existed so i ran fixie.bat 5. I checked for problems and things seem to be fixed. I will continue to check 6. I have some short questions about what happened here and how were they detected; and about the "Academy". Are these questions more appropriate as a private email? Report from Hijackthis follows.. Ad-Aware SE Personal Adobe Acrobat 5.0 Adobe Download Manager (Remove Only) Adobe Photoshop Elements Adobe SVG Viewer America Online ATI Control Panel ATI Display Driver Autodesk MapGuide(R) Viewer ActiveX Control Release 6 AVG Free Edition Bejeweled 2 Deluxe 1.0 Belarc Advisor 7.0 ccCommon Classic PhoneTools CleanUp! Conexant SmartHSFi V92 56K DF PCI Modem DeepSight Extractor Dell Digital Jukebox Driver Dell Picture Studio - Dell Image Expert Dell ResourceCD Dell Solution Center Dell Support 5.0.0 (766) Digital Line Detect DVDSentry Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present Easy CD Creator 5 Basic EPSON Copy Utility EPSON Photo Print EPSON Scanner Reference Guide EPSON Smart Panel EPSON TWAIN 5 ewido anti-malware Google Earth HijackThis 1.99.1 HP Color LaserJet 3550 hp LaserJet 4200 Uninstaller Intel(R) PRO Ethernet Adapter and Software Intel(R) PROSet II iTunes J2SE Runtime Environment 5.0 Update 6 Karen's Replicator Lavasoft VX2 Cleaner LiveReg (Symantec Corporation) LiveUpdate 2.0 (Symantec Corporation) Logitech iTouch Software LogMeIn Lookout LSIAmortization Microsoft .NET Framework (English) Microsoft .NET Framework (English) v1.0.3705 Microsoft .NET Framework 1.1 Microsoft Bookshelf 1998 (Remove ONLY) Microsoft Data Access Components KB870669 Microsoft Expedia Streets 98 Microsoft Interactive Training Microsoft Money 2002 Microsoft Money 2002 System Pack Microsoft Office XP Media Content Microsoft Office XP Professional Microsoft Publisher 2002 Modem Helper MouseWare 9.41 .3 Mozilla Firefox (1.5.0.1) MUSICMATCH® Jukebox Norton AntiVirus 2006 (Symantec Corporation) Norton AntiVirus SYMLT MSI Norton Ghost Paint Shop Pro 7 Pdf995 PdfEdit995 Photo Finale PowerDVD PowerQuest Drive Image 2002 PowerQuest PartitionMagic 8.0 QuickBooks Basic Edition 2003 Quicken 2003 Basic QuickTime Radio@Netscape Plus RealPlayer Basic ScanToWeb Security Update for Step By Step Interactive Training (KB898458) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 9 (KB911565) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893066) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901190) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Spy Sweeper Spybot - Search & Destroy 1.4 Symantec Symantec pcAnywhere System Agent Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB910437) USB MassStorage CardReader Volo View Express Weight Commander 8.0 Windows Installer 3.1 (KB893803) Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885884 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893086 Windows XP Service Pack 2 WinZip Word Slinger Full HiJackThis follows... Logfile of HijackThis v1.99.1 Scan saved at 10:32:29 AM, on 3/16/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Symantec\pcAnywhere\awhost32.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE C:\Program Files\LogMeIn\RaMaint.exe C:\Program Files\LogMeIn\LogMeIn.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\wanmpsvc.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe C:\SysAgent\SysAgent.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\LogMeIn\LogMeInSystray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe O4 - HKLM\..\Run: [SysAgent] C:\SysAgent\SysAgent.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...liate=MEDIAGEN O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab? O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5FF9D3-30BC-4810-B49E-9402D3E77489}: NameServer = 205.152.191.252,205.152.144.235 O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: DeepSight Extractor CC Service (ccExtractorService) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing) O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

03-16-2006, 05:33 PM	#20 (permalink)
galefly Registered User Join Date: Mar 2006 Posts: 19 OS: XP	1. Found the following instances of TV Media, found none for tvmedia REGEDIT4 ; RegSrch.vbs © Bill James ; Registry search results for string "TV Media" 3/16/2006 6:17:34 PM ; NOTE: This file will be deleted when you close WordPad. ; You must manually save this file to a new location if you want to refer to it again later. ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TV Media] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TV Media] "command"="C:\\Program Files\\TV Media\\Tvm.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ap p Management\ARPCache\TV Media] 2. Panda scan results... REGEDIT4 ; RegSrch.vbs © Bill James ; Registry search results for string "TV Media" 3/16/2006 6:17:34 PM ; NOTE: This file will be deleted when you close WordPad. ; You must manually save this file to a new location if you want to refer to it again later. ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TV Media] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TV Media] "command"="C:\\Program Files\\TV Media\\Tvm.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ap p Management\ARPCache\TV Media] 3. Ried, I had no intention asking for of an extended dialog or lesson on the solution recap of this problem. I can appreciate why that would be inappropriate. I was looking for a short paragraph. But i see that that is also an imposition. Thanks, gsf