| Thread ID: 82415 | 2007-08-26 16:36:00 | explorer.exe MEM usage Internet browser issues coolwebsearch hidden | CWall0868 (12730) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 584953 | 2007-08-26 16:36:00 | I have noticed over the last few weeks issues with my internet browsers, both Mozilla and IE7. explorer.exe is using 60k+. I have had traces of coolwebsearch with certain scanners but not with others, and I randomly get a shutdown error for a program that is described with a bunch of square boxes with an S in the middle. My ZA firewall and PeerGuardian 2 blacklist were red flagging coolwebsearch IPs. I think that is my main problem but don't know how to take care of it. I also tried to run Rootkit Revealer and could not get it to dump the software folder. I know these are probably multiple issues but any help I can get would be much appreciated.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:58 AM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ie.redirect.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webchart.med-web.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = ie.redirect.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ie.redirect.hp.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - a14.g.akamai.net EL_USA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - h20270.www2.hp.com
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - www.mathxl.com
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - www.mathxl.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - upload.facebook.com
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - www.mathxl.com
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - h20270.www2.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - ipgweb.cce.hp.com
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - h17000.www1.hp.com
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - a248.e.akamai.net
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - ax.emsisoft.com
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - driveragent.com
O16 - DPF: {EB0BEB6C-C5A7-4E4D-B327-E7F079C07F19} (MIEBinFileEditCtl Class) - webchart.med-web.com
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - h30155.www3.hp.com
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DiamondCS ProcessGuard Service v3.410 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FQTFJSU - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\FQTFJSU.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: OUVIO - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\OUVIO.exe (file missing)
O23 - Service: SHKVEV - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SHKVEV.exe (file missing)
O23 - Service: UDPSUCO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UDPSUCO.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZHZIWCJIK - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ZHZIWCJIK.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - http://www.espn.com/

-- End of file - 11999 bytes

I would really appreciate anything that would help me out; it's starting to be pretty annoying. Thanks in advance, Chris |
CWall0868 (12730) | ||
| 584954 | 2007-08-26 17:22:00 | Wait for Sir Speedy... this is nasty looking... | SurferJoe46 (51) | ||
| 584955 | 2007-08-26 22:12:00 | Run HJT again, tick these entries, then tick Fix checked. Close browser/s.

This entry is safe:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

These may be nasty:
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - a14.g.akamai.net EL_USA.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - www.mathxl.com
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - www.mathxl.com
O16 - DPF: {EB0BEB6C-C5A7-4E4D-B327-E7F079C07F19} (MIEBinFileEditCtl Class) - webchart.med-web.com

These look suss. These shouldn't be running from this folder. See if these files exist on the hdd; if they do, delete them. You may have to disable system restore and do it in safe mode.
O23 - Service: FQTFJSU - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\FQTFJSU.exe (file missing)
O23 - Service: OUVIO - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\OUVIO.exe (file missing)
O23 - Service: SHKVEV - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SHKVEV.exe (file missing)
O23 - Service: UDPSUCO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UDPSUCO.exe (file missing)
O23 - Service: ZHZIWCJIK - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ZHZIWCJIK.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - http://www.espn.com/

I would also get ccleaner (http://www.ccleaner.com). Install this (you can untick the toolbar), then close browser/s, then click on Run Cleaner. I would also get RogueRemover and Trojan Remover in my sig. Install both, update both, then click on Scan in both. Then select all options under the Utilities menu in Trojan Remover. |
Speedy Gonzales (78) | ||
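A small triage script for the two kinds of HJT entry Speedy Gonzales singles out above: O23 services whose binary runs from a Temp folder or is no longer on disk, and O16 DPF entries (ActiveX controls IE downloaded) grouped by the host that served them. This is an added example written for this page, not code from HijackThis or from anyone in the thread; the sample log is a constructed subset of the entries posted above.

```python
"""Triage of HijackThis (HJT) log entries of the kind discussed in this thread.

Two checks:
  * O23 services whose binary sits under a Temp directory or is missing on
    disk (the entries called "suss" above).
  * O16 DPF entries (ActiveX controls downloaded by IE), grouped by serving
    host so the reader can decide which sites they trust.
The sample log is a constructed subset of the entries posted in the thread.
"""
import re

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webchart.med-web.com
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - a14.g.akamai.net EL_USA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - www.mathxl.com
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - a248.e.akamai.net
O16 - DPF: {EB0BEB6C-C5A7-4E4D-B327-E7F079C07F19} (MIEBinFileEditCtl Class) - webchart.med-web.com
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DiamondCS ProcessGuard Service v3.410 (DCSPGSRV) - Unknown owner - C:\Program Files\ProcessGuard\dcsuserprot.exe (file missing)
O23 - Service: FQTFJSU - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\FQTFJSU.exe (file missing)
O23 - Service: OUVIO - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\OUVIO.exe (file missing)
O23 - Service: SHKVEV - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SHKVEV.exe (file missing)
O23 - Service: UDPSUCO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UDPSUCO.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZHZIWCJIK - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ZHZIWCJIK.exe (file missing)
"""

# HJT's O23 layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# HJT's O16 layout: "O16 - DPF: {CLSID} [(description)] - <host> ..."
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<host>\S+)"
)


def service_findings(log_text):
    """Return {service name: (severity, reason)} for O23 entries worth a look.

    high   - binary lives under a Temp folder; no legitimate installer
             registers a service from %TEMP%, which is the pattern the thread flags.
    medium - binary is not on disk: an orphan from an uninstalled product, or a
             dropper that has already removed itself. The service entry should go.
    Services with an existing binary outside Temp are not reported.
    """
    findings = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        in_temp = "\\TEMP\\" in m["path"].upper()
        missing = m["missing"] is not None
        if not (in_temp or missing):
            continue
        reasons = []
        if in_temp:
            reasons.append("service binary is in a Temp directory")
        if missing:
            reasons.append("binary not found on disk")
        if m["owner"] == "Unknown owner":
            reasons.append("no publisher recorded")
        findings[m["name"]] = ("high" if in_temp else "medium", "; ".join(reasons))
    return findings


def dpf_controls(log_text):
    """Return {serving host: [(clsid, description), ...]} for O16 DPF entries.

    HJT cannot tell a good control from a bad one, so they are grouped by the
    site that installed them; a control with no description deserves a closer
    look, and any host the reader does not recognise is a candidate to fix.
    """
    by_host = {}
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entry = (m["clsid"], m["desc"] or "(no description)")
            by_host.setdefault(m["host"], []).append(entry)
    return by_host


def report(log_text):
    """Render both checks as one line per item, highest severity first."""
    rank = {"high": 0, "medium": 1}
    lines = []
    for name, (sev, why) in sorted(service_findings(log_text).items(),
                                   key=lambda kv: (rank[kv[1][0]], kv[0])):
        lines.append(f"[{sev.upper():6}] O23 {name}: {why}")
    for host, controls in sorted(dpf_controls(log_text).items()):
        for clsid, desc in controls:
            lines.append(f"[REVIEW] O16 {host}: {desc} {clsid}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```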
| 584956 | 2007-08-27 06:40:00 | Slightly off topic, I'll admit, but you seem to be running a fair amount of random junk on your PC. Is it running a bit slower than, say, 3 - 6 months ago? (I bet it does.) Are you interested in fixing these or just the explorer.exe problem? |
Bozo (8540) | ||
| 584957 | 2007-09-18 04:17:00 | Okay, thanks for the response. I still am having a few problems. I checked everything in HijackThis except for…
O16 - DPF: {EB0BEB6C-C5A7-4E4D-B327-E7F079C07F19} (MIEBinFileEditCtl Class) - webchart.med-web.com
I use this for work I do from home.

NEW HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:26 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ie.redirect.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = webchart.med-web.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = ie.redirect.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ie.redirect.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - h20270.www2.hp.com
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - upload.facebook.com
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - as00.estara.com m.%2Fas%2FOneCCDM.php&template=107051&sessionid=449012954_69.25.47.62_56709&=&req=1189620174421OneCC.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - h20270.www2.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - ipgweb.cce.hp.com
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - h17000.www1.hp.com
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - a248.e.akamai.net
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - ax.emsisoft.com
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - driveragent.com
O16 - DPF: {EB0BEB6C-C5A7-4E4D-B327-E7F079C07F19} (MIEBinFileEditCtl Class) - webchart.med-web.com
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - h30155.www3.hp.com
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

-- End of file - 10704 bytes

Also, something was fixed that uninstalled my Zone Alarm Internet Security Suite, and after reboot it brought up a notification that Zone Alarm Antivirus has expired, please renew now, etc. I installed Rogue Remover Pro with updates and it came back with nothing.

Trojan Remover Log

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.2.2488.
For information, email simplysupsupport@aol.com [Unregistered version] Scan started at: 9/17/2007 11:21:00 PM Using Database v6863 Operating System: Windows XP Media Center Edition Service Pack 2 (Build 2600) Using data directory: C:\Documents and Settings\HP_Administrator\Application Data\Simply Super Software\Trojan Remover\ Logfile directory: C:\Documents and Settings\HP_Administrator\My Documents\Simply Super Software\Trojan Remover Logfiles\ Running with Administrator privileges ************************************************** Checking Registry exefile command for modifications Checking Registry comfile command for modifications Checking Registry piffile command for modifications Checking Registry batfile command for modifications Checking Registry regfile command for modifications Checking Registry cmdfile command for modifications Checking Registry scrfile command for modifications ************************************************** 11:21:00 PM: Scanning ----------WIN.INI----------- WIN.INI found in C:\WINDOWS ************************************************** 11:21:00 PM: Scanning --------SYSTEM.INI--------- SYSTEM.INI found in C:\WINDOWS ************************************************** 11:21:00 PM: ----- SCANNING FOR ROOTKIT SERVICES ----- No hidden Services were detected. 
************************************************** 11:21:00 PM: Scanning -----WINDOWS REGISTRY----- -------------------- Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon This key's "Shell" value calls the following program(s): Explorer.exe - this entry has been left in place ---------- This key's "Userinit" value calls the following program(s): C:\WINDOWS\system32\userinit.exe - this entry has been left in place ---------- This key's "System" value appears to be blank ---------- This key's "UIHost" value calls the following program: logonui.exe - this entry has been left in place ---------- -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -------------------- Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Value Name = load The Data Value for this entry appears to be blank -------------------- -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run This Registry Key attempts to run the following program(s): Value Name = ehTray Value Data = C:\WINDOWS\ehome\ehtray.exe - this command has been left in place -------------------- Value Name = AlwaysReady Power Message APP Value Data = ARPWRMSG.EXE - this command has been left in place -------------------- Value Name = ANIWZCS2Service Value Data = C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe - this command has been left in place -------------------- Value Name = ZoneAlarm Client Value Data = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe - this command has been left in place -------------------- Value Name = SunJavaUpdateSched Value Data = C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe - this command has been left in place -------------------- Value Name = TrojanScanner Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file -------------------- -------------------- 
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once This Registry Key appears to be empty -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services This Registry Key appears to be empty -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OnceEx This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run This Registry Key attempts to run the following program(s): Value Name = ctfmon.exe Value Data = C:\WINDOWS\system32\ctfmon.exe - this command has been left in place -------------------- Value Name = H/PC Connection Agent Value Data = C:\Program Files\Microsoft ActiveSync\wcescomm.exe - this command has been left in place -------------------- -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Services This Registry Key appears to be empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run OnceEx This Registry Key appears to be empty ************************************************** 11:21:01 PM: Scanning -----SHELLEXECUTEHOOKS----- ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972} File: shell32.dll - this file is expected and has been left in place ---------- ************************************************** 11:21:01 PM: Scanning -----HIDDEN REGISTRY ENTRIES----- Taskdir check completed ---------- No Hidden File-loading Registry Entries found ---------- ************************************************** 11:21:01 PM: Scanning -----ACTIVE SCREENSAVER----- ScreenSaver=C:\WINDOWS\system32\ssstars.scr - this command has been left in place -------------------- ************************************************** 11:21:02 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS ----- Checking the StubPath calls in the Active Setup\Installed Components registry keys: 
Key=<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} StubPath=C:\WINDOWS\system32\ieudinit.exe - this reference has been left in place ---------- Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place ---------- Key=>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place ---------- Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place ---------- Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED} StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place ---------- Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C} StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place ---------- Key={7790769C-0471-11d2-AF11-00C04FA35D02} StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place ---------- Key={89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe - this reference has been left in place ---------- Key={89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place ---------- ************************************************** 11:21:03 PM: Scanning ----- SERVICEDLL REGISTRY KEYS ----- Checking DLL files called from the CurrentControlSet\Services Keys: -------------------- Key=Alerter ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place -------------------- Key=AppMgmt ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this reference has been left in place -------------------- Key=AudioSrv ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place -------------------- Key=BITS ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place -------------------- Key=Browser ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place 
--------------------
Key=CryptSvc ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
--------------------
Key=DcomLaunch ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
--------------------
Key=Dhcp ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
--------------------
Key=dmserver ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
--------------------
Key=Dnscache ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
--------------------
Key=ERSvc ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
--------------------
Key=EventSystem ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place
--------------------
Key=FastUserSwitchingCompatibility ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=helpsvc ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
--------------------
Key=HidServ ServiceDLL=%SystemRoot%\System32\hidserv.dll - this reference has been left in place
--------------------
Key=HTTPFilter ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
--------------------
Key=lanmanserver ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
--------------------
Key=lanmanworkstation ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
--------------------
Key=LmHosts ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
--------------------
Key=Messenger ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
--------------------
Key=MHN ServiceDLL=%SystemRoot%\System32\mhn.dll - this reference has been left in place
--------------------
Key=Netman ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place
--------------------
Key=Nla ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
--------------------
Key=NtmsSvc ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has been left in place
--------------------
Key=QWAVE ServiceDLL=%systemroot%\system32\qwave.dll - this reference has been left in place
--------------------
Key=RasAuto ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place
--------------------
Key=RasMan ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place
--------------------
Key=RemoteAccess ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
--------------------
Key=RemoteRegistry ServiceDLL=%SystemRoot%\system32\regsvc.dll - this reference has been left in place
--------------------
Key=RpcSs ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
--------------------
Key=Schedule ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
--------------------
Key=seclogon ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
--------------------
Key=SENS ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
--------------------
Key=SharedAccess ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
--------------------
Key=ShellHWDetection ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=srservice ServiceDLL=C:\WINDOWS\system32\srsvc.dll - this reference has been left in place
--------------------
Key=SSDPSRV ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
--------------------
Key=stisvc ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
--------------------
Key=TapiSrv ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place
--------------------
Key=TermService ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place
--------------------
Key=Themes ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=TrkWks ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place
--------------------
Key=upnphost ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
--------------------
Key=W32Time ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place
--------------------
Key=WebClient ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
--------------------
Key=winmgmt ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
--------------------
Key=WmdmPmSN ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place
--------------------
Key=Wmi ServiceDLL=%SystemRoot%\System32\advapi32.dll - this reference has been left in place
--------------------
Key=wscsvc ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
--------------------
Key=wuauserv ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
--------------------
Key=WudfSvc ServiceDLL=%SystemRoot%\System32\WUDFSvc.dll - this reference has been left in place
--------------------
Key=WZCSVC ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
--------------------
Key=xmlprov ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place
**************************************************
11:21:07 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Checking files called from the CurrentControlSet\Services Keys:
Key=A3AB ImagePath=system32\DRIVERS\A3AB.sys - this reference has been left in place
----------
Key=ACPI ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=aec ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALCXWDM ImagePath=system32\drivers\ALCXWDM.SYS - this reference has been left in place
----------
Key=ALG ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=AmdK8 ImagePath=system32\DRIVERS\AmdK8.sys - this reference has been left in place
----------
Key=ANIO ImagePath=\??\C:\WINDOWS\system32\ANIO.SYS - this reference has been left in place
----------
Key=ANIWZCSdService ImagePath=C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe - this reference has been left in place
----------
Key=AOL ACS ImagePath="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" - this reference has been left in place
----------
Key=AOL TopSpeedMonitor ImagePath=C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe - this reference has been removed [file not found to scan]
----------
Key=Apple Mobile Device ImagePath="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" - this reference has been left in place
----------
Key=aracpi ImagePath=system32\DRIVERS\aracpi.sys - this reference has been left in place
----------
Key=arhidfltr ImagePath=system32\DRIVERS\arhidfltr.sys - this reference has been left in place
----------
Key=arkbcfltr ImagePath=system32\DRIVERS\arkbcfltr.sys - this reference has been left in place
----------
Key=armoucfltr ImagePath=system32\DRIVERS\armoucfltr.sys - this reference has been left in place
----------
Key=Arp1394 ImagePath=system32\DRIVERS\arp1394.sys - this reference has been left in place
----------
Key=ARPolicy ImagePath=system32\DRIVERS\arpolicy.sys - this reference has been left in place
----------
Key=ARSVC ImagePath=C:\WINDOWS\arservice.exe - this reference has been left in place
----------
Key=Aspi32 ImagePath=System32\drivers\aspi32.sys - this reference has been left in place
----------
Key=aspnet_state ImagePath=%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe - this reference has been left in place
----------
Key=Asset Management Daemon ImagePath=C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe - this reference has been left in place
----------
Key=AsyncMac ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Ati HotKey Poller ImagePath=%SystemRoot%\system32\Ati2evxx.exe - this reference has been left in place
----------
Key=ATI Smart ImagePath=C:\WINDOWS\system32\ati2sgag.exe - this reference has been left in place
----------
Key=ati2mtag ImagePath=system32\DRIVERS\ati2mtag.sys - this reference has been left in place
----------
Key=Atmarpc ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=bb-run ImagePath=system32\DRIVERS\bb-run.sys - this reference has been left in place
----------
Key=Bridge ImagePath=system32\DRIVERS\bridge.sys - this reference has been left in place
----------
Key=BridgeMP ImagePath=system32\DRIVERS\bridge.sys - this reference has been left in place
----------
Key=CA Personal Firewall ASEM ImagePath=C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe - this reference has been removed [file not found to scan]
----------
Key=Cdrom ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=clr_optimization_v2.0.50727_32 ImagePath=C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe - this reference has been left in place
----------
Key=COMSysApp ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=DCSPGSRV ImagePath="C:\Program Files\ProcessGuard\dcsuserprot.exe" - this reference has been removed [file not found to scan]
----------
Key=Disk ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=dmio ImagePath=System32\drivers\dmio.sys - this reference has been left in place
----------
Key=dmload ImagePath=System32\drivers\dmload.sys - this reference has been left in place
----------
Key=DMusic ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=dtscsi ImagePath=\SystemRoot\System32\Drivers\dtscsi.sys - this reference has been left in place
----------
Key=DTSRVC ImagePath=C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe - this reference has been left in place
----------
Key=ehRecvr ImagePath=C:\WINDOWS\eHome\ehRecvr.exe - this reference has been left in place
----------
Key=ehSched ImagePath=C:\WINDOWS\eHome\ehSched.exe - this reference has been left in place
----------
Key=Eventlog ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=FLEXnet Licensing Service ImagePath="C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" - this reference has been left in place
----------
Key=FltMgr ImagePath=system32\DRIVERS\fltMgr.sys - this reference has been left in place
----------
Key=FontCache3.0.0.0 ImagePath=C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe - this reference has been left in place
----------
Key=FQTFJSU ImagePath=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\FQTFJSU.exe - this reference has been removed [file not found to scan]
----------
Key=Ftdisk ImagePath=system32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=ftsata2 ImagePath=system32\DRIVERS\ftsata2.sys - this reference has been left in place
----------
Key=GEARAspiWDM ImagePath=System32\Drivers\GEARAspiWDM.sys - this reference has been left in place
----------
Key=Gpc ImagePath=system32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HidIr ImagePath=system32\DRIVERS\hidir.sys - this reference has been left in place
----------
Key=HidUsb ImagePath=system32\DRIVERS\hidusb.sys - this reference has been left in place
----------
Key=HPZid412 ImagePath=system32\DRIVERS\HPZid412.sys - this reference has been left in place
----------
Key=HPZipr12 ImagePath=system32\DRIVERS\HPZipr12.sys - this reference has been left in place
----------
Key=HPZius12 ImagePath=system32\DRIVERS\HPZius12.sys - this reference has been left in place
----------
Key=HSFHWBS2 ImagePath=system32\DRIVERS\HSFHWBS2.sys - this reference has been left in place
----------
Key=HSF_DP ImagePath=system32\DRIVERS\HSF_DP.sys - this reference has been left in place
----------
Key=HTTP ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt ImagePath=system32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=iaStor ImagePath=system32\DRIVERS\iaStor.sys - this reference has been left in place
----------
Key=idsvc ImagePath="C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" - this reference has been left in place
----------
Key=IISADMIN ImagePath=C:\WINDOWS\system32\inetsrv\inetinfo.exe - this reference has been left in place
----------
Key=imagedrv ImagePath=System32\Drivers\imagedrv.sys - this reference has been left in place
----------
Key=imagesrv ImagePath=system32\DRIVERS\imagesrv.sys - this reference has been left in place
----------
Key=Imapi ImagePath=system32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService ImagePath=C:\WINDOWS\system32\imapi.exe - this reference has been left in place
----------
Key=IntelIde ImagePath=system32\DRIVERS\intelide.sys - this reference has been left in place
----------
Key=intelppm ImagePath=system32\DRIVERS\intelppm.sys - this reference has been removed [file not found to scan]
----------
Key=Ip6Fw ImagePath=system32\DRIVERS\Ip6Fw.sys - this reference has been left in place
----------
Key=IpFilterDriver ImagePath=system32\DRIVERS\ipfltdrv.sys - this reference has been left in place
----------
Key=IpInIp ImagePath=system32\DRIVERS\ipinip.sys - this reference has been left in place
----------
Key=IpNat ImagePath=system32\DRIVERS\ipnat.sys - this reference has been left in place
----------
Key=iPod Service ImagePath="C:\Program Files\iPod\bin\iPodService.exe" - this reference has been left in place
----------
Key=IPSec ImagePath=system32\DRIVERS\ipsec.sys - this reference has been left in place
----------
Key=IrBus ImagePath=system32\DRIVERS\IrBus.sys - this reference has been left in place
----------
Key=IRENUM ImagePath=system32\DRIVERS\irenum.sys - this reference has been left in place
----------
Key=isapnp ImagePath=system32\DRIVERS\isapnp.sys - this reference has been left in place
----------
Key=Kbdclass ImagePath=system32\DRIVERS\kbdclass.sys - this reference has been left in place
----------
Key=kbdhid ImagePath=system32\DRIVERS\kbdhid.sys - this reference has been left in place
----------
Key=KLIF ImagePath=\??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS - this reference has been left in place
----------
Key=kmixer ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
----------
Key=LightScribeService ImagePath="C:\Program Files\Common Files\LightScribe\LSSrvc.exe" - this reference has been removed [file not found to scan]
----------
Key=McrdSvc ImagePath=C:\WINDOWS\ehome\McrdSvc.exe - this reference has been left in place
----------
Key=MDM ImagePath="C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" - this reference has been left in place
----------
Key=mdmxsdk ImagePath=system32\DRIVERS\mdmxsdk.sys - this reference has been left in place
----------
Key=MHNDRV ImagePath=system32\DRIVERS\mhndrv.sys - this reference has been left in place
----------
Key=mnmsrvc ImagePath=C:\WINDOWS\system32\mnmsrvc.exe - this reference has been left in place
----------
Key=Mouclass ImagePath=system32\DRIVERS\mouclass.sys - this reference has been left in place
----------
Key=mouhid ImagePath=system32\DRIVERS\mouhid.sys - this reference has been left in place
----------
Key=MRxDAV ImagePath=system32\DRIVERS\mrxdav.sys - this reference has been left in place
----------
Key=MRxSmb ImagePath=system32\DRIVERS\mrxsmb.sys - this reference has been left in place
----------
Key=MSDTC ImagePath=C:\WINDOWS\system32\msdtc.exe - this reference has been left in place
----------
Key=MSFtpsvc ImagePath=%SystemRoot%\system32\inetsrv\inetinfo.exe - this reference has been left in place
----------
Key=MSIServer ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place
----------
Key=MSKSSRV ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place
----------
Key=MSPCLOCK ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place
----------
Key=MSPQM ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place
----------
Key=mssmbios ImagePath=system32\DRIVERS\mssmbios.sys - this reference has been left in place
----------
Key=NdisTapi ImagePath=system32\DRIVERS\ndistapi.sys - this reference has been left in place
----------
Key=Ndisuio ImagePath=system32\DRIVERS\ndisuio.sys - this reference has been left in place
----------
Key=NdisWan ImagePath=system32\DRIVERS\ndiswan.sys - this reference has been left in place
----------
Key=NetBIOS ImagePath=system32\DRIVERS\netbios.sys - this reference has been left in place
----------
Key=NetBT ImagePath=system32\DRIVERS\netbt.sys - this reference has been left in place
----------
Key=NetDDE ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=NetDDEdsdm ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=Netlogon ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=NIC1394 ImagePath=system32\DRIVERS\nic1394.sys - this reference has been left in place
----------
Key=NtLmSsp ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=NuidFltr ImagePath=system32\DRIVERS\NuidFltr.sys - this reference has been left in place
----------
Key=NwlnkFlt ImagePath=system32\DRIVERS\nwlnkflt.sys - this reference has been left in place
----------
Key=NwlnkFwd ImagePath=system32\DRIVERS\nwlnkfwd.sys - this reference has been left in place
----------
Key=ohci1394 ImagePath=system32\DRIVERS\ohci1394.sys - this reference has been left in place
----------
Key=ose ImagePath="C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" - this reference has been left in place
----------
Key=OUVIO ImagePath=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\OUVIO.exe - this reference has been removed [file not found to scan]
----------
Key=P2k ImagePath=system32\DRIVERS\P2k.sys - this reference has been left in place
----------
Key=Parport ImagePath=system32\DRIVERS\parport.sys - this reference has been left in place
----------
Key=PCI ImagePath=system32\DRIVERS\pci.sys - this reference has been left in place
----------
Key=PCIIde ImagePath=system32\DRIVERS\pciide.sys - this reference has been left in place
----------
Key=pdiddcci ImagePath=System32\DRIVERS\pdiddcci.sys - this reference has been left in place
----------
Key=PdiPorts ImagePath=System32\Drivers\PdiPorts.sys - this reference has been left in place
----------
Key=PlugPlay ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=Pml Driver HPZ12 ImagePath=C:\WINDOWS\system32\HPZipm12.exe - this reference has been left in place
----------
Key=Point32 ImagePath=system32\DRIVERS\point32.sys - this reference has been left in place
----------
Key=PolicyAgent ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PptpMiniport ImagePath=system32\DRIVERS\raspptp.sys - this reference has been left in place
----------
Key=Processor ImagePath=system32\DRIVERS\processr.sys - this reference has been left in place
----------
Key=procguard ImagePath=\??\C:\WINDOWS\system32\drivers\procguard.sys - this reference has been left in place
----------
Key=ProtectedStorage ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=Ps2 ImagePath=system32\DRIVERS\PS2.sys - this reference has been left in place
----------
Key=PSched ImagePath=system32\DRIVERS\psched.sys - this reference has been left in place
----------
Key=Ptilink ImagePath=system32\DRIVERS\ptilink.sys - this reference has been left in place
----------
Key=PxHelp20 ImagePath=System32\Drivers\PxHelp20.sys - this reference has been left in place
----------
Key=QWAVEDRV ImagePath=system32\DRIVERS\qwavedrv.sys - this reference has been left in place
----------
Key=RasAcd ImagePath=system32\DRIVERS\rasacd.sys - this reference has been left in place
----------
Key=Rasl2tp ImagePath=system32\DRIVERS\rasl2tp.sys - this reference has been left in place
----------
Key=RasPppoe ImagePath=system32\DRIVERS\raspppoe.sys - this reference has been left in place
----------
Key=Raspti ImagePath=system32\DRIVERS\raspti.sys - this reference has been left in place
----------
Key=Rdbss ImagePath=system32\DRIVERS\rdbss.sys - this reference has been left in place
----------
Key=RDPCDD ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place
----------
Key=rdpdr ImagePath=system32\DRIVERS\rdpdr.sys - this reference has been left in place
----------
Key=RDSessMgr ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place
----------
Key=redbook ImagePath=system32\DRIVERS\redbook.sys - this reference has been left in place
----------
Key=RMSvc ImagePath=C:\WINDOWS\ehome\RMSvc.exe - this reference has been left in place
----------
Key=RpcLocator ImagePath=%SystemRoot%\system32\locator.exe - this reference has been left in place
----------
Key=RSVP ImagePath=%SystemRoot%\system32\rsvp.exe - this reference has been left in place
----------
Key=RTL8023xp ImagePath=system32\DRIVERS\Rtnicxp.sys - this reference has been left in place
----------
Key=rtl8139 ImagePath=system32\DRIVERS\RTL8139.SYS - this reference has been left in place
----------
Key=SamSs ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=SCardSvr ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
----------
Key=Secdrv ImagePath=system32\DRIVERS\secdrv.sys - this reference has been left in place
----------
Key=SHKVEV ImagePath=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\SHKVEV.exe - this reference has been removed [file not found to scan]
----------
Key=SMTPSVC ImagePath=C:\WINDOWS\system32\inetsrv\inetinfo.exe - this reference has been left in place
----------
Key=splitter ImagePath=system32\drivers\splitter.sys - this reference has been left in place
----------
Key=Spooler ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place
----------
Key=sr ImagePath=system32\DRIVERS\sr.sys - this reference has been left in place
----------
Key=srescan ImagePath=system32\ZoneLabs\srescan.sys - this reference has been left in place
----------
Key=Srv ImagePath=system32\DRIVERS\srv.sys - this reference has been left in place
----------
Key=SSFS0BB8 ImagePath=SYSTEM32\Drivers\SSFS0BB8.SYS - this reference has been removed [file not found to scan]
----------
Key=SSHRMD ImagePath=SYSTEM32\Drivers\SSHRMD.SYS - this reference has been removed [file not found to scan]
----------
Key=SSIDRV ImagePath=SYSTEM32\Drivers\SSIDRV.SYS - this reference has been removed [file not found to scan]
----------
Key=swenum ImagePath=system32\DRIVERS\swenum.sys - this reference has been left in place
----------
Key=swmidi ImagePath=system32\drivers\swmidi.sys - this reference has been left in place
----------
Key=SwPrv ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{8DA84759-6C62-4695-9DB6-4789D64FAF43} - this reference has been left in place
----------
Key=sysaudio ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place
----------
Key=SysmonLog ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place
----------
Key=Tcpip ImagePath=system32\DRIVERS\tcpip.sys - this reference has been left in place
----------
Key=TermDD ImagePath=system32\DRIVERS\termdd.sys - this reference has been left in place
----------
Key=TlntSvr ImagePath=C:\WINDOWS\system32\tlntsvr.exe - this reference has been left in place
----------
Key=tmcomm ImagePath=\??\C:\WINDOWS\system32\drivers\tmcomm.sys - this reference has been left in place
----------
Key=TSP ImagePath=\??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS - this reference has been left in place
----------
Key=TVICHW32 ImagePath=\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS - this reference has been left in place
----------
Key=UDPSUCO ImagePath=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UDPSUCO.exe - this reference has been removed [file not found to scan]
----------
Key=Update ImagePath=system32\DRIVERS\update.sys - this reference has been left in place
----------
Key=UPHClean ImagePath=C:\Program Files\UPHClean\uphclean.exe - this reference has been left in place
----------
Key=UPS ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place
----------
Key=usbaudio ImagePath=system32\drivers\usbaudio.sys - this reference has been left in place
----------
Key=usbccgp ImagePath=system32\DRIVERS\usbccgp.sys - this reference has been left in place
----------
Key=usbehci ImagePath=system32\DRIVERS\usbehci.sys - this reference has been left in place
----------
Key=usbhub ImagePath=system32\DRIVERS\usbhub.sys - this reference has been left in place
----------
Key=usbohci ImagePath=system32\DRIVERS\usbohci.sys - this reference has been left in place
----------
Key=usbprint ImagePath=system32\DRIVERS\usbprint.sys - this reference has been left in place
----------
Key=usbscan ImagePath=system32\DRIVERS\usbscan.sys - this reference has been left in place
----------
Key=usbser ImagePath=system32\DRIVERS\usbser.sys - this reference has been left in place
----------
Key=usbstor ImagePath=system32\DRIVERS\USBSTOR.SYS - this reference has been left in place
----------
Key=usbuhci ImagePath=system32\DRIVERS\usbuhci.sys - this reference has been left in place
----------
Key=usb_rndisx ImagePath=system32\DRIVERS\usb8023x.sys - this reference has been left in place
----------
Key=VgaSave ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place
----------
Key=ViaIde ImagePath=system32\DRIVERS\viaide.sys - this reference has been left in place
----------
Key=vsdatant ImagePath=System32\vsdatant.sys - this reference has been left in place
----------
Key=vsmon ImagePath=C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service - this file is globally excluded
----------
Key=VSS ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place
----------
Key=W3SVC ImagePath=%SystemRoot%\system32\inetsrv\inetinfo.exe - this reference has been left in place
----------
Key=Wanarp ImagePath=system32\DRIVERS\wanarp.sys - this reference has been left in place
----------
Key=wanatw ImagePath=system32\DRIVERS\wanatw4.sys - this reference has been left in place
----------
Key=wceusbsh ImagePath=system32\DRIVERS\wceusbsh.sys - this reference has been left in place
----------
Key=Wdf01000 ImagePath=system32\DRIVERS\Wdf01000.sys - this reference has been left in place
----------
Key=wdmaud ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place
----------
Key=winachsf ImagePath=system32\DRIVERS\HSF_CNXT.sys - this reference has been left in place
----------
Key=WmiApSrv ImagePath=C:\WINDOWS\system32\wbem\wmiapsrv.exe - this reference has been left in place
----------
Key=WMPNetworkSvc ImagePath="C:\Program Files\Windows Media Player\WMPNetwk.exe" - this reference has been left in place
----------
Key=WpdUsb ImagePath=system32\DRIVERS\wpdusb.sys - this reference has been left in place
----------
Key=WudfPf ImagePath=system32\DRIVERS\WudfPf.sys - this reference has been left in place
----------
Key=ZHZIWCJIK ImagePath=C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ZHZIWCJIK.exe - this reference has been removed [file not found to scan]
----------
Key=ZuneNetworkSvc ImagePath="C:\Program Files\Zune\ZuneNss.exe" - this reference has been left in place
----------
**************************************************
11:23:27 PM: Scanning -----VXD ENTRIES-----
Checking VMM32 VxD files being loaded
**************************************************
11:23:27 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Checking DLLs called from the Winlogon\Notify key:
Key=AtiExtEvent DLLName=Ati2evxx.dll - this reference has been left in place
----------
Key=crypt32chain DLLName=crypt32.dll - this reference has been left in place
----------
Key=cryptnet DLLName=cryptnet.dll - this reference has been left in place
----------
Key=cscdll DLLName=cscdll.dll - this reference has been left in place
----------
Key=ScCertProp DLLName=wlnotify.dll - this reference has been left in place
----------
Key=Schedule DLLName=wlnotify.dll - this reference has been left in place
----------
Key=sclgntfy DLLName=sclgntfy.dll - this reference has been left in place
----------
Key=SensLogn DLLName=WlNotify.dll - this reference has been left in place
----------
Key=termsrv DLLName=wlnotify.dll - this reference has been left in place
----------
Key=WgaLogon DLLName=WgaLogon.dll - this reference has been left in place
----------
Key=wlballoon DLLName=wlnotify.dll - this reference has been left in place
----------
**************************************************
11:23:28 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key = Adobe.Acrobat.ContextMenu CLSID = {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll - this ContextMenuHandler has been left in place
----------
Key = MagicISO CLSID = {DB85C504-C730-49DD-BEC1-7B39C6103B7A} C:\Program Files\MagicISO\misosh.dll - this ContextMenuHandler has been left in place
----------
Key = Offline Files CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03} %SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place
----------
Key = Open With CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936} %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Open With EncryptionMenu CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46} %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Trojan Remover CLSID = {52B87208-9CCF-42C9-B88E-069281105805} C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
----------
Key = WinRAR CLSID = {B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\rarext.dll - this ContextMenuHandler has been left in place
----------
Key = ZLAVShExt CLSID = {D9872D13-7651-4471-9EEE-F0A00218BEBB} C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll - this ContextMenuHandler has been left in place
----------
Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8} %SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
**************************************************
11:23:29 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F01-7B1C-11d1-838f-0000F80461CF} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F02-7B1C-11d1-838f-0000F80461CF} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {66742402-F9B9-11D1-A202-0000F81FEDEE} %SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {F9DB5320-233E-11D1-9F84-707F02C10627} C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll - this Folder\ColumnHandler has been left in place
----------
**************************************************
11:23:29 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - this Browser Helper Object has been left in place
----------
Key = {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll - this Browser Helper Object has been left in place
----------
Key = {AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll - this Browser Helper Object has been left in place
----------
**************************************************
11:23:29 PM: Scanning ----- SHELLSERVICEOBJECTS -----
Key = PostBootReminder CLSID = {7849596a-48ea-486e-8937-a2a3009f31a9} %SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = CDBurn CLSID = {fbeb8a05-beee-4442-804e-409d6c4515e9} %SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = WebCheck CLSID = {E6FB5E20-DE35-11CF-9C87-00AA005127ED} C:\WINDOWS\system32\webcheck.dll - this ShellServiceObject has been left in place
----------
Key = SysTray CLSID = {35CEC8A3-2BE6-11D2-8773-92E220524153} C:\WINDOWS\system32\stobject.dll - this ShellServiceObject has been left in place
----------
Key = WPDShServiceObj CLSID = {AAA288BA-9A4C-45B0-95D7-94D524869DB5} C:\WINDOWS\system32\WPDShServiceObj.dll - this ShellServiceObject has been left in place
----------
Key = UPnPMonitor CLSID = {e57ce738-33e8-4c51-8354-bb4de9d215d1} C:\WINDOWS\system32\upnpui.dll - this ShellServiceObject has been left in place
----------
**************************************************
11:23:30 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1} Comment = Browseui preloader File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
Value = {8C7461EF-2B13-11d2-BE35-3078302C2030} Comment = Component Categories cache daemon File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
**************************************************
11:23:30 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.
************************************************** 11:23:30 PM: Scanning ----- APPINIT_DLLS ----- The AppInit_DLLs value is blank ************************************************** 11:23:30 PM: Scanning ----- SECURITY PROVIDER DLLS ----- msapsspc.dll - this entry has been left in place ---------- schannel.dll - this entry has been left in place ---------- digest.dll - this entry has been left in place ---------- msnsspc.dll - this entry has been left in place ---------- ************************************************** 11:23:30 PM: Scanning ------ COMMON STARTUP GROUP ------ [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] The Common Startup Group attempts to load the following file(s) at boot time: desktop.ini - this file has been left in place -------------------- ************************************************** 11:23:30 PM: Scanning ------ USER STARTUP GROUPS ------ -------------------- Checking Startup Group for Administrator [C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP] The Startup Group for Administrator attempts to load the following file(s): desktop.ini - this file has been left in place -------------------- Checking Startup Group for HP_Administrator [C:\Documents and Settings\HP_Administrator\START MENU\PROGRAMS\STARTUP] -------------------- Checking Startup Group for MCX1 [C:\Documents and Settings\MCX1\START MENU\PROGRAMS\STARTUP] The Startup Group for MCX1 attempts to load the following file(s): desktop.ini - this file has been left in place Pin.lnk - this links to C:\hp\bin\CLOAKER.EXE and has been left in place -------------------- Checking Startup Group for MCX2 [C:\Documents and Settings\MCX2\START MENU\PROGRAMS\STARTUP] The Startup Group for MCX2 attempts to load the following file(s): desktop.ini - this file has been left in place Pin.lnk - this links to C:\hp\bin\CLOAKER.EXE and has been left in place -------------------- Checking Startup Group for MCX3 [C:\Documents and Settings\MCX3\START 
MENU\PROGRAMS\STARTUP] The Startup Group for MCX3 attempts to load the following file(s): desktop.ini - this file has been left in place Pin.lnk - this links to C:\hp\bin\CLOAKER.EXE and has been left in place ************************************************** 11:23:31 PM: Scanning ----- SCHEDULED TASKS ----- Taskname: AppleSoftwareUpdate.job File: C:\Program Files\Apple Software Update\SoftwareUpdate.exe Parameters: -task Next Run Time: 9/24/2007 3:18:00 PM Status: The task has not yet run Creator: SYSTEM Comments: [blank] C:\Program Files\Apple Software Update\SoftwareUpdate.exe - this entry has been left in place ---------- ************************************************** 11:23:31 PM: ----- ADDITIONAL CHECKS ----- PE386 rootkit checks completed ---------- Winlogon registry rootkit checks completed ---------- Heuristic checks for hidden files/drivers completed ---------- ************************************************** 11:23:32 PM: Scanning ------ DOWNLOADED PROGRAM FILES ------ The following files are located in the DOWNLOADED PROGRAM FILES directory: C:\WINDOWS\Downloaded Program Files\ampAx3.0.84.2.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\arclib.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\asquared.ocx - this file has been left in place C:\WINDOWS\Downloaded Program Files\desktop.ini - this file has been left in place C:\WINDOWS\Downloaded Program Files\driveragent.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\driveragent.ocx - this file has been left in place C:\WINDOWS\Downloaded Program Files\exsmime.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.ocx - this file has been left in place C:\WINDOWS\Downloaded Program Files\HPGetDownloadManager.ocx - this file has been left in place C:\WINDOWS\Downloaded Program 
Files\hpobjinstaller_gmn.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\hpobjinstaller_gmn.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\install.log - this file has been left in place C:\WINDOWS\Downloaded Program Files\iuctl.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\MIEBinFileEdit.ocx - this file has been left in place C:\WINDOWS\Downloaded Program Files\mimectl.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx - this file has been left in place C:\WINDOWS\Downloaded Program Files\msxml4.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\muweb.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\OGAControl.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\OneCC.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\OneCC.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\qdiagh.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\setup.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\swflash.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\SymDlBrg.dll - this file has been left in place C:\WINDOWS\Downloaded Program Files\SymDlBrg.inf - this file has been left in place C:\WINDOWS\Downloaded Program Files\tvichw32.sys - this file has been left in place C:\WINDOWS\Downloaded Program Files\unagiuninst.exe - this file has been left in place C:\WINDOWS\Downloaded Program Files\vet.da1 - this file has been left in place C:\WINDOWS\Downloaded Program Files\vet.dat - this file has been left in place C:\WINDOWS\Downloaded Program Files\vete.dll - this 
file has been left in place C:\WINDOWS\Downloade |
CWall0868 (12730) | ||
| 584958 | 2007-09-18 05:51:00 | Problems like what?? Log looks ok to me, but you can run HJT again, tick these, then tick Fix checked. Close browser/s. These are safe:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
Did you do this?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
If not, tick it.
O24 - Desktop Component 0: (no name) - (no file) |
Speedy Gonzales (78) | ||
| 584959 | 2007-09-18 07:28:00 | No, I will tick the iexplore restriction. I didn't do this; I use Mozilla for everything I can and try to stay away from IE. After all your advice I'm beginning to think it was issues with my Zone Alarm not being uninstalled correctly; I got that taken care of. Would it be possible that the desktop error has to do with iTunes? I have a folder that pops up after an iTunes update from an old importing directory path. Every time iTunes tells me there is an update it pops back up. Also, I noticed your posts were night and day compared to daemon's. Did you notice anything from the first log that would have been an issue like he made it out to be? Thanks again for the help. |
CWall0868 (12730) | ||
| 584960 | 2007-09-18 07:30:00 | Oh, and I tried HJT to fix the desktop error in both a normal boot and in safe mode with no luck... any ideas? | CWall0868 (12730) | ||
| 584961 | 2007-09-18 07:37:00 | If you use Adobe Reader only for PDF files (if it's not the Pro version), you could use this instead (http://www.foxitsoftware.com/). It's a LOT smaller than Adobe Reader, and does the same thing. And if you don't use iTunes for syncing the calendar and contacts, or buy anything in the store, you could use Winamp instead (http://www.winamp.com). It supports iPods natively. |
Speedy Gonzales (78) | ||
| 584962 | 2007-09-18 07:44:00 | I use Adobe for work, and iTunes is just my preference. Thanks again for all the help; I really appreciate it. I think that's it. | CWall0868 (12730) | ||