I was asked to update this post. As stated, when the AT&T guy was here, he discovered the file "1" and the "regedit" in the System Configuration Utility -> Start Up; it was he that unchecked the boxes for those items, as well as several others. Those boxes have only been unchecked for a few days, but my computer is still having all of the same slowing and stalling problems as before. Apparently, because those boxes are unchecked, there is nothing in the HijackThis report for those items and that is why I was asked to update this post. Sorry for any confusion. Another weirdo thing happening is that several of my file and document names have "turned blue." Here is a screen shot of my directory tree if you want to see what I mean, http://chicagolandwedding.com/images/snapshot-directorytree.jpg. Don't know if this is part of whatever infection I may have or if this is altogether unassociated, but just happened one day in, I believe, the same timeframe as everything else.
Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see
the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in as your usual login or you won't find
the programs you put on the desktop
and some of the entries we want to remove will not appear in HijackThis.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
Hi Ron. Thanks a bunch for the help. I've done exactly what you said. Before running HijackThis again to give you a new log file, I surfed around a bit. For the most part, it was much, much better. When hardlined to my Linksys router, I didn't stall until, ironically enough, I logged in to reply to this post. Running wireless, however, was another story. I started out okay when I went wireless to the router, but within just a couple minutes, I was experiencing the same slow down and stalled page loads. Could be my adapter, but the timing would be quite a quinky-dink. Anyway, I did "reset" a couple of things prior to running the new log. I installed Macromedia's Flash Reader so my daughter can play on cartoonnetwork.com; that installed the Yahoo! toolbar, which I promptly removed. I also reset my home page to web-stat.com, which is the site I use for my website's stats tracking. And yesterday, I installed the Firefox browser to see if I was having the same problems on another browser...thinking IE might have been at the root of the problem. And yes, we did install Party Poker on our computer (hubby thinks he's Phil Helmuth).
Here's the new HijackThis log...and thanks again. Let me know what else may need fixing please. I see at the bottom there's a "file missing" reported for my Linksys wireless adapter (WMP54Gv4 is the model number of my adapter). Is that just because I tested my computer wireless and then went back to hardlining it to the router before I ran HijackThis again?
Logfile of HijackThis v1.99.1
Scan saved at 9:00:08 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Log looks better but since you have removed the yahoo toolbar you might want to get rid of these too. They should go away if you close Internet Explorer and run Hijackthis (scan only) and check them then Fix Checked.
Wasn't sure about the home page - just didn't look like one most people would use. Sorry about killing it off.
Your log looks much better. The file missing is probably a problem with Hijackthis. If you look up at the top of the log you will see both files it mentions are running
so I don't think it's really missing. The format of the entry is a bit odd which may be why HijackThis is confused. Normally you don't call two files on the same line.
Reboot your router to make sure it is in a known state. (Just unplug it and count to 10 then plug it back up)
You can verify that the service actually started:
Start, Run,
cmd,
OK to bring up a black cmd screen. Type (with an Enter after each bold line)
net start
(this should give a list of active services. See if you see
WMP54Gv4SVC in the list.)
(While in cmd let's run some other checks:)
ipconfig /all
(this should show you the configuration of your network. Note the IP address of the default gateway - usually something like 192.168.0.1 or 192.168.1.1 - and that of your DNS server - usually the same. In the following commands I assume the address is 192.168.0.1; if not, change it to the one you get from ipconfig.)
ping -n 100 192.168.0.1
(You should get back 100 replies with no timeouts when hardwired. Do you? Do you also get 100 replies when wireless? )
ping -n 100 -l 1500 192.168.0.1
(This is the same test but with much larger packets being sent. May take a bit longer.)
sigverif
(When the new program comes up press Start and wait for it to finish. Do you see wininet.dll? Sort the list by date by clicking on the Modified column header. Look for new files (since the problem started.) What do you find?)
cls
(just clears the screen of the previous commands)
netstat -as
(close all browsers and any other program you may have open. Let it sit for over 10 minutes then do)
netstat -an
netstat -as
nslookup dell.com
(highlight the results from all four (You can also right click on the blue stripe at the top of the cmd window and select Edit then Select All ) and press Enter to copy the text. Then open Internet Explorer and go to the forum and make a reply then Edit, Paste the text into the reply. This will show me if anything else is using your PC to talk to the net and how well the DNS is working. Go ahead and Submit then close your Internet Explorer. )
ipconfig
(Check Normal Startup, OK but don't let it reboot yet. We are going to reboot into Safe Mode so it should be safe enough to turn them back on. O4 entries do not load in Safe Mode unless they have a * in the name. We will remove them before we come out of Safe Mode.)
Run HijackThis and check everything that shows up then Add to Ignore List. Do a second Scan and Add to Ignore List anything that shows up. Your Scan should now be clean.
Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see
the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in as your usual login or you won't find
the programs you put on the desktop.
Run Hijackthis and create a log and save it where you can find it again then do a second Scan and check ALL of the entries then Fix Checked.
Run ccleaner.exe,
Select Options then Advanced and uncheck the box in front of:
Only Delete file in Windows Temp folders older than 48 hours.
Now select Cleaner
Under Cleaner Settings, Windows
uncheck everything on the first page
except:
under Internet Explorer
- Temporary Internet Files
under System
- Empty Recycle Bin
- Temporary Files
Under Cleaner Settings, Applications uncheck everything
except:
Under Internet
- Sun Java
Run Cleaner.
This should clean out all of the temp files including those of your java program
(where recently we are finding a lot of garbage. You really should be running
the latest version of java and uninstall all old versions). The reason I have
you uncheck most of the options is that I have had problems with it deleting
too much so I want to limit it to things where I think malware might be hiding.
Reboot into regular mode.
Toggle System Restore Off and then back On.
Following site has very clear instructions for turning it off. To turn it back on you just repeat the instructions but uncheck the box where it says to Turn Off System Restore on all Drives.
The last two will also find a lot of tracking cookies which you can remove or not. They usually aren't anything to worry about.
download and run blacklight
F-Secure Blacklight:
http://www.f-secure.com/blacklight/try.shtml leave scan through windows explorer checked,
click > scan then > next,
If any items show, have Blacklight rename them except for "wbemtest.exe".
Do not rename "wbemtest.exe"; it's a Windows file.
The tool will ask if you want to reboot (restart) choose yes.
Then report back in a reply if the tools found anything interesting and if it's running any better. Also post the hijackthis log you made in Safe Mode. I want to see what we got rid of. It may tell us something about the infection. I may also have you restore some of the things if they are of use.
Hmm... I'm a tiny bit confused. I went off to do the rest after I posted the results. The next command you gave was ipconfig. I typed it in the command window, hit [Enter], and it replied with the results:
Media State . . . . . . . . . . . : Media disconnected
Then you said to "Check Normal Startup, OK, but don't reboot etc....) But there is nothing for me to "check" and no OK button... just the reply with the above results. What did I miss?
Okay... pasted below are the replies from the netstat and nslookup commands. With regard to the other checks I did prior to this... 1) after running net start, I did find WMP54Gv4SVC in the list which, if you recall, is my Linksys wireless adapter; 2) after running ipconfig /all, my Default Gateway showed an IP of 192.168.2.1, but the DNS was 192.168.0.1; 3) the first ping (I pinged 192.168.2.1 because that is what the Default Gateway IP was...hope that's right) resulted in 0% loss (100 sent & 100 received) when hardlined, but a 23% loss (100 sent & 77 received) when wireless; 4) the second ping test for larger packets (again, I pinged 192.168.2.1) resulted in 100 LOSS both wireless and hardlined; 5) and finally... ran sigverif and did not see wininet.dll in the results... also nothing new since last October and there really isn't much in the list... took a screen shot and uploaded it (http://chicagolandwedding.com/images/snapshot-sigverif.jpg). Was that wininet.dll supposed to be there or was that something malicious you were thinking you might see? Again, thanks! I'm off to do the other stuff.... Kim.
C:\Documents and Settings\Kim>netstat -as
IPv4 Statistics
Packets Received = 91378
Received Header Errors = 0
Received Address Errors = 51
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 1
Received Packets Delivered = 91369
Output Requests = 66387
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 200
Datagrams Failing Fragmentation = 0
Fragments Created = 400
Active Opens = 1525
Passive Opens = 35
Failed Connection Attempts = 33
Reset Connections = 418
Current Connections = 0
Segments Received = 78132
Segments Sent = 53971
Segments Retransmitted = 131
UDP Statistics for IPv4
Datagrams Received = 12813
No Ports = 572
Receive Errors = 17
Datagrams Sent = 11740
C:\Documents and Settings\Kim>nslookup dell.com
*** Can't find server name for address 192.168.0.1: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 192.168.0.1
Hi Ron. Okay... I did the rest. I had some trouble downloading the Panda software...kept getting javascript errors when I clicked the image to download and was never able to get any further. I ran the Trend, Ad Aware, and Spybot (which I already use) and came up with only two new things (apart from more Alexa stuff)...Cytron and Coulomb Dialer, which I dumped. I also, when in safe mode, re-ran HijackThis and tried to create a new log for you, but it said "no suspicious items were found" which is good. Since then, I've had to install the latest Java and today I received the replacement wireless adapter, so I installed that too.
Here's the latest HijackThis log file. Please let me know if anything needs fixing. Also, are we leaving the items we checked on the Ignore List? Thanks again Ron!
Logfile of HijackThis v1.99.1
Scan saved at 3:41:05 PM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Misunderstood. Once you did the msconfig normal boot and booted into Safe Mode and ran HJT, it should have picked up the entries for 1 and his friend. At least I thought it would.
We can leave the things in the Ignore list and even add the last 3 to it.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
Makes it easier to see if something pops up.
I guess now we are back to the problem of the wireless not working. I suspect we have a bad driver.
Also... We did the msconfig -> normal start up, which re-checked all of the items on the start up menu; therefore, the file named "1" and the "regedit" file as well as a bunch of other "Common" files are again checked. Are we leaving them checked? Apparently nothing we've done has gotten rid of the file named "1" and/or helped us to identify what it is.
Hi Ron... Well, after all is said and done, it appears that the problem may be fixed. Linksys sent me a replacement adapter, which I received today and installed. It was a mess to install, too. They sent me the wrong one (a v2 when I was using a v4), so I had to completely uninstall the v4. Then the v2 disk they sent wouldn't run; a blue screen would flash and disappear and then nothing...just wouldn't stay started. I finally had a brainstorm and used the v4 disk just long enough to get the start-up screen to stay up, then switched to the v2 disk, installed the software, shut down and installed the card (adapter), rebooted, then (because the v2 disk wouldn't finish installing the driver), went through the Control Panel -> System -> Hardware -> Device Manager -> etc... to do an "update driver" on the adapter driver. I've read the thread about the Linksys wireless problems you posted for me and it would appear that I'm not alone...lots of similar problems with the v4 and v2 adapters, possibly due to some new Windows update. Did I do that Windows update a few weeks back?... don't recall... it's possible. Regardless, everything seems to be running just fine now, in fact, even faster than before, I think. I'll attribute that to you for the many, many "clean ups" and fixes. Thanks again so much Ron. One last item... do we "uncheck" any of the items that are checked in the (msconfig) System Configuration Utility - Start Up menu ("1," "regedit," etc...) or just leave everything checked and continue with the "Normal" start-ups?
Does anything show up in HijackThis? Go to Config then Ignore List and Delete All (Don't worry it only deletes them from the ignore list). Then run a new log and post it as a reply.
Here's the new log. I'm not seeing anything about this "1" file. Is there a way to get it, and the "regedit" file out of the start menu? Do I need to bother?
Logfile of HijackThis v1.99.1
Scan saved at 2:25:07 PM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
kissels
21 Posts
0
April 16th, 2006 12:00
Thanks,
Kim
kissels
21 Posts
0
April 16th, 2006 12:00
RKinner
2 Intern
•
5.9K Posts
0
April 18th, 2006 00:00
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web-stat.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\system32\jkhhi.dll (file missing)
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINDOWS\system32\SHDOCVW.DLL
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ??? \WkDetect.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: (no name) - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra 'Tools' menuitem: Search the Internet - {307D80B7-6553-42FB-9C99-19841353B4F0} - http://www.searchalot.com (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll (file missing)
kissels
21 Posts
0
April 18th, 2006 01:00
Logfile of HijackThis v1.99.1
Scan saved at 9:00:08 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web-stat.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
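The "(file missing)" flag on the last O23 line above can be cross-checked against the "Running processes" list at the top of the same log, which is the check discussed in this thread. The following Python is an added example, not part of the original posts and not HijackThis's own logic; the function names and verdict labels are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web-stat.com/
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
"""

# A log entry starts with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Executable or DLL base names inside an entry. Names containing spaces are
# not handled; that is a limitation of this example.
FILE_RE = re.compile(r'[^\\/"\s:,]+\.(?:exe|dll)\b', re.IGNORECASE)


def parse_log(text):
    """Return (set of running process base names, list of (code, detail))."""
    running, entries = set(), []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            running.add(ntpath.basename(line).lower())
    return running, entries


def triage_missing(text):
    """Classify every '(file missing)' entry.

    'running'     : every file named in the entry is in the process list, so
                    the flag is probably caused by an oddly formatted entry.
    'unconfirmed' : a named file is not in the process list (always the case
                    for DLLs); verify on disk before drawing a conclusion.
    'no-file'     : the entry names no .exe or .dll to compare.
    """
    running, entries = parse_log(text)
    results = []
    for code, detail in entries:
        if "(file missing)" not in detail:
            continue
        names = [name.lower() for name in FILE_RE.findall(detail)]
        if not names:
            verdict = "no-file"
        elif all(name in running for name in names):
            verdict = "running"
        else:
            verdict = "unconfirmed"
        results.append((code, names, verdict))
    return results


if __name__ == "__main__":
    for code, names, verdict in triage_missing(SAMPLE_LOG):
        print(code, names, verdict)
```
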
RKinner
2 Intern
•
5.9K Posts
0
April 18th, 2006 14:00
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
from http://www.ccleaner.com.
(the actual download is at: http://www.filehippo.com/download_ccleaner/
click on Download Latest Version)
Install it. Don't let it clean anything yet.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
Also try Spybot S&D.
http://www.safer-networking.org/en/download/index.html
kissels
21 Posts
0
April 18th, 2006 22:00
Kim
kissels
21 Posts
0
April 18th, 2006 22:00
C:\Documents and Settings\Kim>netstat -as
Received Header Errors = 0
Received Address Errors = 51
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 1
Received Packets Delivered = 91369
Output Requests = 66387
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 200
Datagrams Failing Fragmentation = 0
Fragments Created = 400
Messages 245 515
Errors 0 0
Destination Unreachable 16 7
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echos 0 508
Echo Replies 229 0
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
Passive Opens = 35
Failed Connection Attempts = 33
Reset Connections = 418
Current Connections = 0
Segments Received = 78132
Segments Sent = 53971
Segments Retransmitted = 131
No Ports = 563
Receive Errors = 17
Datagrams Sent = 11738
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1037 0.0.0.0:0 LISTENING
TCP 192.168.2.100:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1030 *:*
UDP 0.0.0.0:1128 *:*
UDP 0.0.0.0:1926 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.2.100:123 *:*
UDP 192.168.2.100:137 *:*
UDP 192.168.2.100:138 *:*
UDP 192.168.2.100:1900 *:*
Received Header Errors = 0
Received Address Errors = 51
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 1
Received Packets Delivered = 91381
Output Requests = 66396
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 200
Datagrams Failing Fragmentation = 0
Fragments Created = 400
Messages 248 522
Errors 0 0
Destination Unreachable 16 7
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echos 0 515
Echo Replies 232 0
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
Passive Opens = 35
Failed Connection Attempts = 33
Reset Connections = 418
Current Connections = 0
Segments Received = 78132
Segments Sent = 53971
Segments Retransmitted = 131
No Ports = 572
Receive Errors = 17
Datagrams Sent = 11740
*** Can't find server name for address 192.168.0.1: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 192.168.0.1
Name: dell.com
Addresses: 143.166.224.178, 143.166.83.230
C:\Documents and Settings\Kim>
RKinner
April 18th, 2006 23:00
My mistake. Should have been msconfig.
Ron
kissels
April 19th, 2006 19:00
Hi Ron. Okay... I did the rest. I had some trouble downloading the Panda software...kept getting javascript errors when I clicked the image to download and was never able to get any further. I ran the Trend, Ad Aware, and Spybot (which I already use) and came up with only two new things (apart from more Alexa stuff)...Cytron and Coulomb Dialer, which I dumped. I also, when in safe mode, re-ran HijackThis and tried to create a new log for you, but it said "no suspicious items were found" which is good. Since then, I've had to install the latest Java and today I received the replacement wireless adapter, so I installed that too.
Here's the latest HijackThis log file. Please let me know if anything needs fixing. Also, are we leaving the items we checked on the Ignore List? Thanks again Ron!
Logfile of HijackThis v1.99.1
Scan saved at 3:41:05 PM, on 4/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
RKinner
April 19th, 2006 19:00
Misunderstood. Once you did the msconfig normal boot and booted into Safe mode and ran HJT, it should have picked up the entries for 1 and his friend. At least I thought it would.
We can leave the things in the Ignore list and even add the last 3 to it.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
Makes it easier to see if something pops up.
I guess now we are back to the problem of the wireless not working. I suspect we have a bad driver.
I found this:
http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&p=35429
Try the procedure given by Fred89
Ron
Message Edited by RKinner on 04-19-2006 04:03 PM
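Ron's point about the Ignore list (known entries are hidden so that anything new stands out) can be reproduced offline on saved logs. The sketch below is an added example, not part of the original posts or of HijackThis itself; the function names and the "looks like a program path" rule are assumptions of this example, and the sample lines are copied from the logs posted in this thread.

```python
import re

# Sample lines copied from the logs posted in this thread.
IGNORE = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
"""
SCAN = IGNORE + r"""
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [regedit] C:\WINDOWS\System32\regedit.exe
"""

# Log entries look like "O4 - HKCU\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\Run: \[(.+?)\] (.*)$")
# Assumption of this example: a Run command normally starts with a drive
# path (optionally quoted) or a bare *.exe name found via the search path.
PATHLIKE_RE = re.compile(r'^(?:"?[A-Za-z]:\\|[\w.~-]+\.exe\b)', re.IGNORECASE)

def parse_entries(log_text):
    """Return (section, detail) pairs; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def new_entries(log_text, ignore_text):
    """Entries in the scan that are not on the ignore list, sorted."""
    return sorted(parse_entries(log_text) - parse_entries(ignore_text))

def odd_run_values(entries):
    """O4 Run entries whose command does not look like a program path."""
    odd = []
    for section, detail in entries:
        m = RUN_RE.match(detail) if section == "O4" else None
        if m and not PATHLIKE_RE.match(m.group(3)):
            odd.append((m.group(1), m.group(2), m.group(3)))
    return odd

if __name__ == "__main__":
    fresh = new_entries(SCAN, IGNORE)
    for section, detail in fresh:
        print("NEW", section, detail)
    for hive, name, command in odd_run_values(fresh):
        print("ODD", hive, name, repr(command))
```

A hit from `odd_run_values` only means the value is not a recognisable command line; it is a prompt to look at the entry by hand, not a verdict on what it is.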
kissels
April 19th, 2006 19:00
Also... We did the msconfig -> normal start up, which re-checked all of the items on the start up menu; therefore, the file named "1" and the "regedit" file as well as a bunch of other "Common" files are again checked. Are we leaving them checked? Apparently nothing we've done has gotten rid of the file named "1" and/or helped us to identify what it is.
Kim
kissels
April 20th, 2006 03:00
RKinner
April 20th, 2006 12:00
kissels
April 20th, 2006 18:00
Oh... hold the boat... just spotted them.
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [regedit] C:\WINDOWS\System32\regedit.exe
Should I check & fix them or do you want to do something else first?
Kim
kissels
April 20th, 2006 18:00
Here's the new log. I'm not seeing anything about this "1" file. Is there a way to get it, and the "regedit" file out of the start menu? Do I need to bother?
Logfile of HijackThis v1.99.1
Scan saved at 2:25:07 PM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\Program Files\Visioneer\OneTouch 4.0\OtMonEx.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web-stat.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [regedit] C:\WINDOWS\System32\regedit.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} (XWord Control) - http://mirror.worldwinner.com/games/v40/xword/xword.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe