c:\windows\system32\bridge.dll during boot

Discussion in 'adware, spyware & hijack cleaning' started by rescuerick, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. rescuerick

    rescuerick Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    problem with winxp pro. after serious adware,spyware virii,and the like all is good cept this bridge notice during boot. when ok'd it carrys on the boot and all seems ok. i dont think it is. here is my logfile,with which i am seeking some help in interpreting. i know therer are some pros out there. i am anew member and will probably be a freq. visitor.
    p-3 450 Mhz 13gb 384ram. thanx rick
    Logfile of HijackThis v1.97.7
    Scan saved at 4:45:40 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYSTEM~1\autocomp.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\ImapiRox.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\wintsvsu.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    O4 - HKLM\..\Run: [hil] C:\WINDOWS\hil.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [D.exe] C:\documents and settings\loretta may\local settings\temp\D.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [q88f36T] recmeui.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsvsu.exe
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Start your computer in Safe Mode (it may help if you print this out), and delete the following files:

    C:\WINDOWS\hil.exe
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\pc32.exe bg
    C:\WINDOWS\System32\wintsvsu.exe

    One or more of the above may no longer be there.

    Also delete the ENTIRE contents of the C:\documents and settings\loretta may\local settings\temp folder

    NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    Next, still in Safe Mode, run Hijack This, and have it fix these items:

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O4 - HKLM\..\Run: [hil] C:\WINDOWS\hil.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [D.exe] C:\documents and settings\loretta may\local settings\temp\D.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
    O4 - HKLM\..\Run: [q88f36T] recmeui.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsvsu.exe

    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab


    Now start your computer normally, and please post a fresh log.
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Also, would you please locate the "autocomp.exe" file on your computer, rightclick it, choose 'Properties', and tell us whether that will shed any light on its nature.

    While googling I came across the following Win NT service:

    Now that sure looks like the file you have among your running processes, but as I've never heard of that service before, it seems like a good idea to make sure that it actually belongs on your computer.
     
  4. rescuerick

    rescuerick Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    mr. klien and others, using several more removal tools,before reading your post, i have elimuinated the bridge errror mess. on boot up. yea! in fact the thing is running quite well all around. avg, spybot,ad-aware all report clean every time since. i will include a new boot log for your perusal.
    on to this "autocomp.exe" brouhaha,yep it be there in prog. files by that name.a view of proerties shows "system soap pro". with just a prolonged hold over the icon it shows included files of "UNWISE.EXE", "autocomp.exe","setting.dat","syslog.txt".

    Logfile of HijackThis v1.97.7
    Scan saved at 2:49:32 AM, on 7/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYSTEM~1\autocomp.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\ImapiRox.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    O4 - HKLM\..\Run: [hil] C:\WINDOWS\hil.exe
    O4 - HKLM\..\Run: [D.exe] C:\documents and settings\loretta may\local settings\temp\D.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [q88f36T] recmeui.exe
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4370/mcfscan.cab

    appreciate all,and will wonder what to do with this newfound snafu. it has yet to do anything that iknow of so far. never noticed it there, but know i dont think it belongs there. rescue rick@ st. petersburg,fl.
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    A number of the items I asked you have fixed are still there; would you please try again?

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [hil] C:\WINDOWS\hil.exe
    O4 - HKLM\..\Run: [D.exe] C:\documents and settings\loretta may\local settings\temp\D.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
    O4 - HKLM\..\Run: [q88f36T] recmeui.exe


    Also go to Start > Run Services.msc.
    Scroll down to the AutoComplete Service, shut it down, and set its Startup type to 'disabled'.

    Restart your computer, go to the C:\Program Files folder, and delete the subfolder in there containing those "UNWISE.EXE", "autocomp.exe","setting.dat" and "syslog.txt" files.
     
  6. rescuerick

    rescuerick Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    hi again sir, got all your requests done i believe. some things were not there,(unhid files and op system files as well). new log enclosed. in the subfolder "system soap pro" in program files,'autocomp.exe"&'UNWISE.exe" will not go away. no permission or full disk mess.appears. ihave used a prog called "remove on boot" sucessfully in this case before. might i should try it?
    also, there are 3-4 more instances of "unwise.exe" in other subfolders in prog. files. dont know if they should be. also i did find "pc32.exe but not with BG after it. so i left it. thanks, once again so much, rescue rick

    Logfile of HijackThis v1.97.7
    Scan saved at 8:48:07 PM, on 7/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYSTEM~1\autocomp.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\ImapiRox.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4370/mcfscan.cab
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Did you actually shut down that "AutoComplete Service", then reboot before trying to ditch that folder? That's imperative, as otherwise Autocomp.exe will be impossible to remove.

    You could also try Safe Mode.

    Other instances of "unwise.exe" should be left alone!
    And it is indeed "pc32.exe" you want to delete; ignore the 'bg' switch.
     
  8. rescuerick

    rescuerick Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    sorry, must have messed up that reboot . autocomplete now disabled in safe mode and rebootted. deleted "autocomp" and "unwize" in that folder. the "pc32.exe" is also gone. (encl. another log). while your here a ques. please. will the auto complete feature be turned back on or should be perm. disabled. seems to be running quite good. let me know. thanks,rescue

    Logfile of HijackThis v1.97.7
    Scan saved at 12:22:13 PM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\ImapiRox.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Free Surfer\fs20.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WINFAX\WFXSWTCH.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4370/mcfscan.cab
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    This so-called "AutoComplete Service" is no Windows feature, but belongs to the System Soap Pro application I had you remove.

    It bears no relation to the Windows or Internet Explorer Autocomplete feature, and it should remain disabled.

    In fact, if you're at ease editing the Registry, go to Start > Run > Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

    Doubleclick that "Services" subkey in order to expand the branch, locate the the "Autocomplete" subkey, rightclick it, and choose 'delete' from the context menu.

    Good luck,
     
  10. rescuerick

    rescuerick Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    5
    i will do the registry today.l'm a little leery,havent done much of that. time to learn!. one other question i ran across, in the system tray auto hide feature,some(7) of the malware i have removed is still listed in there, of course set to 'always hide". search tells me these progs. are gone,and i'm pretty sure of that. how do i remove them from the "customize" auto-hidehidden icons list? there seems to be no delete option. thanks more,rescue
     
Thread Status:
Not open for further replies.