No response since 7/8?

Discussion in 'adware, spyware & hijack cleaning' started by LBD, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    :oops: I need help. I posted a thread last Thursday early in the morning and replied to myself 3 times, but no one else seems to be responding. Is there anyone who can look at my HJT log file below and at least get me started on solving my major PC problems?

    Thanks in advance,
    Lisa

    OS = Microsoft XP Home Edition
    Ran updated Ad-Aware program and fixed all problems.
    Ran updated Spybot S&D program and fixed all problems.

    Biggest problem is accessing the Internet in normal mode. Designated homepage (www.comcast.net/comcast.html) does not come up, Google doesn't come up, etc. - just get a blank white screen. If I boot up in safe mode, homepage still doesn't come up, but I can get to other websites by typing in the URLs. Other notable problems - something has changed extensions on several files like Notepad, NoAdware (the .exe has been changed to another extension); SpywareGuard and Spyware Blaster have been corrupted?; really can't easily download anything in my current problem state. Last night, worked on trying to eradicate www.look2me.com and about:blank. Still have to check on http://69.20.62.53 problem.

    Complete log file below.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:04:40 AM, on 7/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.comcast.net/comcast.html
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [Hot Video] C:\WINDOWS\System32\ShellExt\cnhost.EXE -n
    O4 - HKLM\..\Run: [DivX Updater] C:\WINDOWS\System32\DivX.Exe
    O4 - HKLM\..\Run: [tG] C:\documents and settings\charles\local settings\temp\tG.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD0.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/23a3e30523dad1...ip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US.cab
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    With all browser windows closed, have Hijack This fix the following items:

    O4 - HKLM\..\Run: [Hot Video] C:\WINDOWS\System32\ShellExt\cnhost.EXE -n
    O4 - HKLM\..\Run: [DivX Updater] C:\WINDOWS\System32\DivX.Exe
    O4 - HKLM\..\Run: [tG] C:\documents and settings\charles\local settings\temp\tG.exe
    O4 - HKLM\..\Run: [iehh.exe] C:\WINDOWS\system32\iehh.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/23a3e30523dad1...ip/RdxIE601.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin_US.cab

    Restart your computer, and delete the entire contents of your C:\documents and settings\charles\local settings\temp folder.

    Although this needs to be done, it may not in itself fix your problems...

    Go to Control Panel > Internet > Temp. Internet Files Section, and hit 'delete files'.

    If no joy, you may be dealing with a corrupted index.dat file; log in as Administrator, and delete the Docs and Settings\UserName\Local Settings\History and Temporary Internet Files folders.

    Windows will automatically create new ones on reboot.

    Or read this:

    How to safely delete the History and Temporary Internet Files folders

    Alternatively, download and install System Security Suite. It will easily delete those pesky index.dat files for you.

    Also do a search for a file called Hosts. It has no extension.
    You'll find it at c:\windows\system32\drivers\etc\hosts

    Open it up in Notepad, and delete all entries in there, or at least those referring to the page you can't visit.
    Save in File, close Hosts file, reboot (even if you probably won't need to) and try again.

    The extension on Notepad.exe and so on having been changed sounds slightly odd... What extension does it have at present?

    Go to Start > Run > enter "Notepad" (no quotation marks!) and press enter; does Notepad launch? Are other files OK? Can you launch applications by doubleclicking their executables?
     
    Last edited: Jul 13, 2004
  3. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Tony,
    Thanks so much for your suggestions! I'm at work right now, but as soon as I get home, I'll work my way through your procedures and see what happens. About the Notepad extension, somehow during this whole hijacking/spyware mess, I noticed that the filename was changed from notepad.exe to notepad.exe.bak. I went ahead and naively re-named it back to notepad.exe, but that didn't do a darn thing. So at this point, I don't have Notepad to do part of what you suggested ...

    Lisa
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Lisa,

    you do have several copies of Notepad... The one you've been grappling with has probably been replaced by malware; do this:

    Find the Notepad.exe file in your C:\Windows folder, and copy (NOT move) it to the C:\Windows\System32 folder. Allow it to overwrite the one in there.
    That should fix that.

    Keep us posted on how that goes


    Cheers,
     
  5. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Good morning, Tony,
    I let Hijack This fix everything that you indicated. I restarted by PC and deleted the contents of C:\documents and settings\charles\local settings\temp folder. I went to Control Panel and deleted the Temp. Internet Files, also deleted the history and temp internet file folders for specific usernames.
    About the hosts file - I found it, opened it in Notepad and here's what I got:

    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

    #9.20.16.183 #uto.search.msn.com
    #9.20.16.183 #earch.netscape.com
    127.0.0.1 www.igetnet.com
    127.0.0.1 ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 r1.clrsch.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com

    I deleted everything and tried saving it and got a msg. that I couldn't do that. I persisted and it saved it as hosts.txt, but the original hosts file still exists, too. Dumb question: how do you save the new hosts file without an extension and where do I save it?
    About Notepad, I did what you suggested (finding it in C:\Windows and copying it to C:\Windows\System32 and now, it's working just fine.
    I can launch applications by doubleclicking their executables with the exception of the Internet. When I doubleclick on that, it looks like it's going to work and then, I just get a blank white screen homepage instead of the Comcast homepage (set to default page) and in the lower right task bar, it says Unknown Zone.
    On some of my applications and during my work last night, I occasionally had a dialog box pop up saying "Cannot find shell.dll."
    Where do I go from here? I know I have to get the hosts file stuff worked out with you, but then what?

    Appreciatively,
    Lisa
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    The 'original' Hosts file has no extension. Delete Host.txt, and open the original Hosts file in Notepad.

    Delete everything in it, then go to File > Save (NOT "Save AS"). That's it.

    As for the "Cannot find shell.dll." issue, I remember having seen that, and it could be related to a recent CoolWebSearch parasite variant;
    As I've been out of the loop for a while, I'd prefer asking a friend to drop by and have a look.

    Hold on, and I'm sure we'll get you fixed up! :)
     
  7. Mosaic1

    Mosaic1 Guest

    hi,

    Tony asked me to look in. You need to place a copy of shell.dll in the system32 folder.

    To do that, find shell.dll in system32\dllcache
    Right click on it and choose copy from the menu.
    Go back to the System32 folder. Right click on an empty space in the window and choose Paste from the menu.

    Mo
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Thanks Mo,

    I just found the topic you posted at CC about this issue myself...

    Thanks for helping out!
     
  9. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Thanks, Tony and Mo,
    I will do the hosts file stuff first this evening and then the shell.dll copy/paste. Will that completely take care of the CoolWebSearch parasite variant problem?

    Lisa
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    As it's uncertain what exactly you already did yesterday while trying to get rid of L2M and about:blank, that remains to be seen, but we're getting there!
     
  11. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Another day ... trying to fix a hijacked PC. I deleted the entries in the "hosts" file and saved it - that worked fine. Now, about the "shell.dll" issue; I went system32 and had NO dllcache folder o_O Looked to see if shell.dll was there in system32 anyway - no such luck. Did find it however in my C:\System, so I copied it and pasted it in the system32 folder. Re-booted and had exactly the same problem(s) as before. What do I do to get my dllcache folder back?

    Couple things noted, which may have nothing to do with anything, but yesterday evening, esp. when I was re-starting, I would get some dialog boxes popping up saying "SDII MFC Application has encountered a problem and needs to close; Windows Logon UI has encountered a problem and needs to close; Virus Scan System Scan has encountered a problem and needs to close." I didn't always get all of those at once, but I don't remember it happening regularly before last night.

    On my desktop, when I hover my mouse over my ISP icon (Comcast) and right-click, the menu has two choices not showing, word-wise ... you don't see the first one "Open" and the third one, which I'm not sure what that one is. Funny thing though when you double-click on the empty space where the word "Open" usually is, it does execute and try to go out to the Internet. Then I get my predictable blank white screen.

    I'm very grateful for all of your help and tips, and while we're making progress, we're obviously not there yet. Help, please!

    Lisa
     
  12. Mosaic1

    Mosaic1 Guest

    May we see another Hijackthis log ?

    HijackThis has been updated. Please go to this page and get the newer version.

    http://www.computercops.biz/downloads-cat-14.html

    See if you can find the dllcache folder after redoing these settings:
    Because XP will not always show you hidden files and folders by default.
    Reset your search settings first.

    Open Folder Options>view and check your settings:
    Select
    Show hidden files and folders
    Display the contents of system folders
    Uncheck: Hide protected operating system files
    Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
    Be sure the first three boxes are selected:
    Search System folders
    Search Hidden Files and folders
    Search SubFolders


    Also, go into System32 and find msgina.dll and rename it as oldmsgina.dll

    DO NOT REBOOT! Close system32 and wait about 10 seconds. Reopen system32 and look to see if there has been a new copy of msgina.dll added. If there has, restart the computer and see if the error is gone. If there hasn't then close and reopne system32 again. If still no msgina.dll then rename oldmsgina.dll back to msgina.dll

    If the replacing of the msgina does the trick then I would say you may have some file corruption and trying to replace certain files or reinstalling others may help.

    We'll have to see how your log looks and what else develops.



    We will look more closely at this after seeing the new log.
     
  13. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Mo and Tony,
    Let me give you a quick update. I discovered the "protected OS folder/file" thing last night and did find the dllcache folder and the shell.dll file. I copied it and pasted it in \system32 folder. I'm at work right now and will have to wait 'til this evening to try Mo's suggestion(s) about msgina.dll and to download the new version of HijackThis and give you a new log file.
    I was able once last night to bring up my default homepage, but then I went back to the blank white screen. I ran Spybot (only found DSO Exploit), Ad-aware (2 new objects), SpywareBlaster, and did a Pest Scan. The Pest Scan reported a total of 24 pests in 5 different adware, hijacker programs, which surprised me 'cuz they didn't show up in the other programs: EUniverse - Hijacker; SandBoxer - Adware; Ebates-MoneyMaker - Adware; CWS - Hijacker; and Bingo Fun Games - Adware. I don't have the pay version of Pest Patrol to clean up this stuff and even though I have the location/registry list of where Pest Scan says this stuff is on my PC, I clicked on one of the pests and it brought up additional pages on the adware, hijacker, etc. and I was surprised at the much more elaborate removal procedures. I naively thought I fix this registry key and that's it. Nope. Haven't done anything with these five baddies - should I follow the manual removal processes indicated on the Pest Scan website or what?
    In any case, I will provide you with an updated HJT log file as soon as possible.

    Thanks,
    Lisa
     
  14. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Fri. morning: I went into \system32, found msgina.dll, renamed it oldmsgina.dll, closed \system32, waited, and discovered that a new copy of msgina.dll had been added when I reopened \system32. Restarted the computer and the error is NOT gone.

    Got the newer version of HijackThis and here's the most recent log file:

    Logfile of HijackThis v1.98.0
    Scan saved at 5:49:48 AM, on 7/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    C:\Program Files\SWG\sgmain.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\SWG\sgbhp.exe
    C:\Documents and Settings\System Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
    C:\WINDOWS\System32\taskmgr.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {1E62ABE5-B3F6-4C97-94D3-DEA011F942BC} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {277FF29F-D738-4FF0-9D59-8505264F5DB3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Filter: text/html - {1D120488-D965-468F-8482-6708E02A2284} - C:\WINDOWS\System32\kcpjba.dll
    O18 - Filter: text/plain - {1D120488-D965-468F-8482-6708E02A2284} - C:\WINDOWS\System32\kcpjba.dll
    O20 - AppInit_DLLs: C:\WINDOWS\System32\sisbkup1028k.dll

    What to do now?

    Lisa
     
  15. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    "bump"
     
  16. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    "bump"
     
  17. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    "bump"
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    OK, would you please do this for me:


    Copy the contents of the quote box to Notepad.

    Name the file Appinit.bat and save on your Desktop as type 'All Files'.

    Double click on Appinit.bat

    This will create a file on the desktop named windows.txt

    Upload windows.txt in your next reply. To do that do not use quick reply.
    Instead press the Reply button. When you do you will be able to attach a file to your reply. Attach Windows.txt
     
  19. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Tony,
    I created the Appinit.bat file, saved it to the desktop, doubleclicked on it, and guess what, no windows.txt file was saved to the desktop. Went back, doublechecked my work, and the same results, so I have nothing to attach here. It does look like it ran, but I haven't a clue why windows.txt doesn't appear?
    Couple quick updates: Installed Bazooka and it found IEAccess and MS Media Player Guid on 7/19. Still don't know what to do with the PestScan finds of BingoFun Games, Ebates MoneyMaker, CWS, EUniverse, and Sandboxer. I did run an updated CW Shredder and also did the special variant removal (which did not find that I had that).
    I saw the message from yesterday about this sub-forum not doing any new HJT threads. I really hope something can still be done for those of us with pre-existing threads and ongoing problems. The last HijackThis log file I ran was on the 19th and is pasted below:

    Logfile of HijackThis v1.98.0
    Scan saved at 11:12:59 PM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [DelayShred] "C:\Program Files\McAfee\McAfee Shared Components\Shredder\SHRED32.EXE" /q C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.SH!
    O4 - HKCU\..\RunOnce: [RealPlayer0] "C:\Program Files\Real\RealPlayer\realplay.exe" "/firstrun C:\Program Files\Real\RealPlayer\firstrun.smi"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Filter: text/plain - (no CLSID) - (no file)
    O20 - AppInit_DLLs: C:\WINDOWS\System32\sisbkup1028k.dll

    Thanks for taking a look and your advice, please,
    Lisa
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, we need the name of the hidden installer file (at least I do think there will be one). Please do the following:

    Click here to download FindnFix.exe (2K/XP only!) by Freeatlast.

    Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program will take a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
     
  21. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Hey Tony,
    Here's the log.txt file:


    »»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
    »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

    Microsoft Windows XP [Version 5.1.2600]
    »»»IE build and last SP(s)
    6.0.2800.1106 SP1-Q818529-Q330994-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
    The type of the file system is FAT32.
    C: is not dirty.

    Wed 21 Jul 04 18:20:51
    6:20pm up 0 days, 0:03

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    You must know how to ID the file based on the filters provided in
    the scan, as not all the files flagged are bad.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided should help narrow down the list, and hopefully
    pinpoint the culprit.
    Along with that,registry scan logged at the end should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder
    »»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/21)»»»»»»»»»»»»»»»»

    »»»*»»»*Use at your own risk!»»»*»»»*

    Scanning for file(s)...
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»» (*1*) »»»»» .........
    »»Locked or 'Suspect' file(s) found...


    »»»»» (*2*) »»»»»........
    **File C:\FINDnFIX\LIST.TXT

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»»»»(*5*)»»»»»
    **File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

    »»»»»(*6*)»»»»»

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...


    No matches found.

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 522

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\sisbkup1028k.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = C:\WINDOWS\System32\sisbkup1028k.dll

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    »»Member of...: (Admin logon required!)
    User is a member of group PAVILION\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.


    »»»»»»Backups created...»»»»»»
    6:25pm up 0 days, 0:07
    Wed 21 Jul 04 18:25:18

    A C:\FINDnFIX\keyback.hiv
    --a-- - - - - - 8,192 07-21-2004 keyback.hiv
    A C:\FINDnFIX\keys1\winkey.reg
    --a-- - - - - - 326 07-21-2004 winkey.reg
    *Temp backups...
    .
    ..
    keyback2.hi_
    winkey2.re_


    C:\FINDNFIX\
    JUNKXXX Wed Jul 21 2004 6:20:50p .D... <Dir>

    1 item found: 0 files, 1 directory.

    »»Performing string scan....
    00001150: vk UDeviceNotSelecte
    00001190:dTimeout 1 5 ( h vk ' zGDIProce
    000011D0:ssHandleQuota" 9 0 =t vk Spooler2
    00001210: y e s _ vk 5swapdisk h
    00001250: X vk . TransmissionRetryTimeout vk
    00001290: ' s USERProcessHandleQuotal h X
    000012D0: vk J AppInit_DLLs C : \ W I N
    00001310:D O W S \ S y s t e m 3 2 \ s i s b k u p 1 0 2 8 k . d l l
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    AppInit_DLLsÿÿÿÿ°ÿÿÿC
    --------------
    --------------
    $0117F: UDeviceNotSelectedTimeout
    $011C7: zGDIProcessHandleQuota
    $01270: TransmissionRetryTimeout
    $012A0: USERProcessHandleQuotal
    $012F0: AppInit_DLLs
    --------------
    --------------
    C:\WINDOWS\System32\sisbkup1028k.dll
    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "AppInit_DLLs"="C:\\WINDOWS\\System32\\sisbkup1028k.dll"

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 74 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINDOWS\System32\sisbkup1028k.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
    0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
    0020 6d 00 33 00 32 00 5c 00 73 00 69 00 73 00 62 00 | m.3.2.\.s.i.s.b.
    0030 6b 00 75 00 70 00 31 00 30 00 32 00 38 00 6b 00 | k.u.p.1.0.2.8.k.
    0040 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...
    

    Lisa
     
  22. Mosaic1

    Mosaic1 Guest

    This could have something to do with your startup error too. What exactly did you do?

    I am thinking that you might just restore to a previous date and then start fresh so we can see what shpae you are really in.

    But before you do, that, please post the answer and then do this:

    Download VX2 finder from this link:
    http://download.broadbandmedic.com/VX2Finder(126).exe
    Press the Click to Find VX2 Betterinternet Button at the bottom.

    Click the Make Log Button.
    Copy and paste the contents of the log which will open into your next reply here.
     
  23. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Tony and Mo,
    Don't know if either of you have seen the FindNFix log file above - should I be doing something with the file "sisbkup1028k.dll"? HJT found that file also, see O20.
    As far as what I did to eradicate Look2Me, I worked through the manual removal instructions posted by Kephyr.com at http://www.kephyr.com/spywarescanner/library/look2me/index.phtml. After doing that, I did not have any more occurrences of look2me when I tried connecting to the Internet, so I thought that was a positive.
    About the VX2- download: In my current problem state, I can't successfully download on my PC unless I can save it to a disk. I'll go to that website today at work, download the .exe, run it tonight and then post the log. When I went to the broadbandmedic site and tried going through their download page though, it gives a URL with a cgi-bin path, and comes back with a message that the file cannot be found on their site. So, I'm hoping that the URL supplied by Mo is an active, working site for grabbing hold of that file.
    In the meantime, do I have HJT this fix the O20 line with the "sisbkup1028k.dll"?

    Lisa
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Your FnF log indicates there's no hidden installer. I sugggest you Start your computer in Safe Mode, and delete C:\WINDOWS\System32\sisbkup1028k.dll.

    Next, still in Safe Mode, run Hijack This, and have it fix these two lines:

    O18 - Filter: text/plain - (no CLSID) - (no file)
    O20 - AppInit_DLLs: C:\WINDOWS\System32\sisbkup1028k.dll

    Now start your computer normally, and post a fresh log.

    Also download VX2 finder, and post the log as Mo suggested.
     
  25. LBD

    LBD Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    30
    Tony and Mo,
    In safe mode, I deleted the sisbkup1028k.dll file, ran HijackThis and had it fix the O18 and O20 problems. Then after a reboot, and in normal mode, I ran HijackThis again and did the VX2Finder routine. Both logs are below. What do you think?

    Lisa

    Log for VX2.BetterInternet File Finder (msg126)

    Files Found---

    Additional Files---

    Keys Under Notify---
    crypt32chain
    cryptnet
    cscdll
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    wlballoon


    Guardian Key--- is called:

    User Agent String---
    {9E93FD73-70C0-477D-AD2E-3C1B777BF9F3}

    Logfile of HijackThis v1.98.0
    Scan saved at 11:57:30 PM, on 7/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    C:\Program Files\SWG\sgmain.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\System32\HPHipm09.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\SWG\sgbhp.exe
    C:\Program Files\newhjt\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/comcast.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - Default URLSearchHook is missing
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SWG\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SWG\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\Twain_32\ScanWiz5\SDII.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: ComcastHSI - {08B54801-872C-48B6-A6E1-C82654633165} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Support - {1E62ABE5-B3F6-4C97-94D3-DEA011F942BC} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: Help - {277FF29F-D738-4FF0-9D59-8505264F5DB3} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
     
Thread Status:
Not open for further replies.