19 Posts

December 3rd, 2006 02:00

winantivirus or something else?

don't know what's wrong with my computer...

a few days ago i started getting pop-ups to download winantivirus, and then my computer crashed, giving me a message that it had been shut down to prevent damage to my computer because a problem had been detected. the message also told me to check with my hardware vendor for any BIOS updates, and to disable BIOS memory options such as caching or shadowing.

i don't really understand what BIOS memory options are, let alone how to disable them, but i restarted in safe mode with networking to try to check for the updates. when i did so, i started getting the same weird background pop-ups, followed by messages asking me to download winantivirus, which i think i may have inadvertently done, even though i kept clicking "cancel." my computer isn't running slower than usual, but i think i can only run it in safe mode.

here's the hijackthis log, hope someone can help!

thanks in advance....

-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:10:53 PM, on 12/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://adblock.linkz.com/abho/bandsearch.abs
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: C:\WINDOWS\System32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\System32\xpRecovery.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ShowIcon_Memorex_USB Product Driver v2.13r002] C:\Memorex\TravelDrive2B\shwicon.exe -t"Memorex\USB Product Driver v2.13r002"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [port windows] C:\WINDOWS\System32\ogysteo.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Message Edited by ecbronte on 12-02-2006 10:19 PM

10.4K Posts

December 4th, 2006 20:00

ecbronte

Welcome to DCF

That's a nasty infection you have there. If you are only able to get into Safe Mode you can run this tool in Safe Mode.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
bamajim   Graduate of Malware Removal University

 



19 Posts

December 5th, 2006 12:00

here's the log from combofix.... hope this tells you something! how could this have gotten on my computer? all my problems started after i went to this one website, www.global-ers.com, could it be that? anyway, here's the log, thanks for taking the time to help me!

p.s. i got this message when i tried to post my reply, hopefully this hasn't changed the results??

"Your message has been changed because an invalid or malformed HTML tag or attribute was found. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied. The following tags (and attributes) are allowed: p(align), blockquote(dir), b, font(color|size|face), em, i, strong, div(align), a(href|target), ul, strike, img(width|height|border|src|alt), u, center, br, li, hr(width|size), span(class), ol, pre."

here's the combofix log:

---------------------

Administrator - 06-12-05 23:26:42.02 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Administrator"

((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-03 12:26d-------- C:\Program Files\HijackThis
2006-12-02 11:32 90,832 --a------ C:\Documents and Settings\Administrator\Application Data\winantiviruspro2006freeinstall_jp[1].exe
2006-12-01 18:58d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-11-30 20:04 33,792 --a------ C:\WINDOWS\ieuninst.exe
2006-11-29 20:41 53,248 --a------ C:\WINDOWS\SYSTEM32\DellSys.dll
2006-11-29 20:40 17,153 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys
2006-11-29 20:03d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-11-27 18:21d-------- C:\WINDOWS\Minidump
2006-11-27 16:20 15,000 --a------ C:\WINDOWS\SYSTEM32\xNlkop.dll
2006-11-27 16:20 15,000 --a------ C:\WINDOWS\SYSTEM32\ogysteo.exe
2006-11-27 16:20 10,000 --a------ C:\WINDOWS\SYSTEM32\xpRecovery.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 23:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-30 20:04 -------- d--h----- C:\Program Files\Uninstall Information
2006-11-29 20:44 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-29 20:41 -------- d-------- C:\Program Files\Dell
2006-11-06 21:02 -------- d-------- C:\Program Files\Red Chair Software
2006-11-04 12:43 -------- d-------- C:\Program Files\Picasa2
2006-10-14 11:56 -------- d-------- C:\Program Files\AdwareFilter-savelogs
2006-10-09 10:32 -------- d-------- C:\Program Files\JGsoft


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"ShowIcon_Memorex_USB Product Driver v2.13r002"="C:\\Memorex\\TravelDrive2B\\shwicon.exe -t\"Memorex\\USB Product Driver v2.13r002\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"port windows"="C:\\WINDOWS\\System32\\ogysteo.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="OpenGL additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\Utility Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\sistray.exe "
"item"="Utility Tray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyhook"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\keyhook.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: 06-12-05 23:27:50.48
C:\ComboFix.txt ... 06-12-05 23:27

10.4K Posts

December 5th, 2006 14:00

ecbronte

We will review some prevention measures when your PC is clean. And the warning you got when you tried to post the results, don't be alarmed, the board is formatted in HTML so you may get that, just hit submit again. Do this fix in Safe Mode

1. We need to make sure we can see hidden files and folders

To enable the viewing of Hidden and System files follow these steps:
  • Right click on Start and select Explore.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Click Yes to confirm.
  • Press the Apply button and then the OK button.
2. Next, using Windows Explorer
  • (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and delete the following folder
  • C:\Documents and Settings\Administrator\Application Data\winantiviruspro2006freeinstall_jp[1].exe
Locate and delete the following files
  • C:\WINDOWS\SYSTEM32\xNlkop.dll
  • C:\WINDOWS\SYSTEM32\ogysteo.exe
  • C:\WINDOWS\SYSTEM32\xpRecovery.dll
Close Windows Explorer->>Reboot your PC->>Rerun Hijackthis and post a fresh log.

I would like you to see if when you reboot you can do so in Normal Windows Mode, then rerun Hijackthis and post a fresh log
 
bamajim   Graduate of Malware Removal University
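
How the logs posted above tie the three System32 files named in this post to the registry entries that load them, as an added example that is not part of the original thread and not the helper's own method. It groups ComboFix "Files Created" entries written in the same minute, then looks for Run values and CLSIDs (resolved through the HijackThis O2 line) that point at them; the same-minute heuristic and all function names are assumptions, and the log lines are a trimmed excerpt of the logs on this page.

```python
import re
from collections import defaultdict

# Trimmed excerpt of the HijackThis log posted in this thread.
HIJACKTHIS = r"""
O2 - BHO: C:\WINDOWS\System32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\System32\xpRecovery.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""

# Trimmed excerpt of the first ComboFix log posted in this thread.
COMBOFIX = r"""
((((( Files Created from 2006-11-05 to 2006-12-05 )))))

2006-12-03 12:26d-------- C:\Program Files\HijackThis
2006-11-29 20:41 53,248 --a------ C:\WINDOWS\SYSTEM32\DellSys.dll
2006-11-29 20:40 17,153 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys
2006-11-27 16:20 15,000 --a------ C:\WINDOWS\SYSTEM32\xNlkop.dll
2006-11-27 16:20 15,000 --a------ C:\WINDOWS\SYSTEM32\ogysteo.exe
2006-11-27 16:20 10,000 --a------ C:\WINDOWS\SYSTEM32\xpRecovery.dll

((((( Reg Loading Points )))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"port windows"="C:\\WINDOWS\\System32\\ogysteo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="OpenGL additional"
"""

# timestamp, optional size, 9-character attribute field, path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s*([\d,]*)\s*([-a-z]{9})\s+(\S.*)$")
# "name"="data" with .reg-style backslash escapes
REGVAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)", re.I)


def unescape(value):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_created(cf_log):
    """Return {lowercased path: 'YYYY-MM-DD HH:MM'} for created files (no dirs)."""
    created = {}
    for line in cf_log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m and not m.group(3).startswith("d"):
            created[m.group(4).lower()] = m.group(1)
    return created


def parse_loading_points(cf_log):
    """Yield (key, value name, value data) from the Reg Loading Points section."""
    key = None
    for line in cf_log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := REGVAL_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))


def clsid_to_file(hjt_log):
    """Map CLSID -> lowercased file path using HijackThis O2 (BHO) lines."""
    mapping = {}
    for line in hjt_log.splitlines():
        if line.startswith("O2 - BHO:"):
            clsid, path = CLSID_RE.search(line), PATH_RE.search(line)
            if clsid and path:
                mapping[clsid.group(0).upper()] = path.group(0).lower()
    return mapping


def cross_reference(hjt_log, cf_log, min_cluster=2):
    """Return {file: [loading points]} for files created in the same minute."""
    by_minute = defaultdict(list)
    for path, stamp in parse_created(cf_log).items():
        by_minute[stamp].append(path)
    suspects = {}
    for paths in by_minute.values():
        if len(paths) >= min_cluster:      # assumption: same-minute drops belong together
            for path in paths:
                suspects[path] = []
    clsids = clsid_to_file(hjt_log)
    for clsid, path in clsids.items():
        if path in suspects:
            suspects[path].append(f"BHO {clsid}")
    for key, name, data in parse_loading_points(cf_log):
        m = PATH_RE.search(data)
        # Values keyed by CLSID carry no path; resolve them through the BHO map.
        target = m.group(0).lower() if m else clsids.get(name.upper())
        if target in suspects:
            leaf = key.rsplit("\\", 1)[-1]
            suspects[target].append(f"{leaf}: {name}")
    return suspects


if __name__ == "__main__":
    for path, refs in cross_reference(HIJACKTHIS, COMBOFIX).items():
        print(path, "<-", refs or "no loading point in these logs")
```

The later ComboFix log in this thread still lists the "port windows" Run value after ogysteo.exe was deleted, so the registry loading points reported here need checking alongside the files themselves.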

 

10.4K Posts

December 6th, 2006 23:00

ecbronte
 
Try to boot in Safe Mode and see what you get? Then reply and we will work from there
 
bamajim   Graduate of Malware Removal University

 

19 Posts

December 7th, 2006 00:00

well, think i've messed up my computer for good.  would desperately like to hear otherwise, but i'm not particularly optimistic.  here's what happened:

in safe mode, i followed all the instructions given in the previous post, and found the folder and files i was supposed to delete:

C:\Documents and Settings\Administrator\Application Data\winantiviruspro2006freeinstall_jp[1].exe (though, i'm not 100% positive this was a folder as was indicated it was; it looked like a file to me...)
C:\WINDOWS\SYSTEM32\xNlkop.dll
C:\WINDOWS\SYSTEM32\ogysteo.exe
C:\WINDOWS\SYSTEM32\xpRecovery.dll

i deleted the first 3 with no problem, but when i tried to delete the 4th (xpRecovery.dll), i got this message:

"Access is denied.  Make sure the disk is not full or write-protected and that the file is not currently in use."

at this point i didn't know what to do, so i tried to restart the computer in Safe Mode with Networking so that i could post another message in this forum.  but, when i pressed F8 at start-up, it didn't give me the advanced start-up options prompt, and instead booted up normally.  so, i tried to shut down the computer when i got the screen to choose the user.  when i did so, i got a blue screen, sort of a shaded gradient, lighter on the left side than the right side.

at this point i fully panicked and simply closed my laptop and walked away from it before i caused any more damage.  IS THERE HOPE???  i've more or less resigned myself to the permanent loss of my machine and all my files, and realize that i probably caused the damage by restarting after only having deleted 3 of the 4 items i was instructed to delete.

awaiting any response at all.............

10.4K Posts

December 12th, 2006 23:00

ecbronte
 
Are you able to boot into Normal or Safe mode?
 
bamajim   Graduate of MRU

 

19 Posts

December 13th, 2006 00:00

last time i tried, i couldn't boot into safe mode by pressing F8; it went straight into normal mode.  that worried me, so i tried to shut down the computer when i got the screen to choose the user. but when i did that, i got a blue screen, sort of a shaded gradient, lighter on the left side than the right side. at this point i fully panicked and simply closed my laptop and walked away from it before i caused any more damage.
 
so, should i try to start it up again?  if so, should i try safe or normal mode?  sorry for all my hesitancy, but it just really worries me that i couldn't boot into safe mode last time... and i feel like i keep messing up. 

19 Posts

December 13th, 2006 00:00

bamajim,

safe mode works again.  what now?

ec

 

10.4K Posts

December 13th, 2006 00:00

ecbronte
 
Yes we need to see if you are able to get on the PC. Either in Normal or Safe mode. I'll take either or. Just reply with the results. For right now just let me know what mode you are able to boot into
 
bamajim   Graduate of MRU

 

10.4K Posts

December 13th, 2006 01:00

ecbronte
 
Good. In your next reply, let me know if you are able to get into Normal mode also.
 
Then Rerun Combofix again (hopefully in Normal mode, but Safe mode is O.K.) and post a fresh combofix log so I can see where we are at.
 
As we go along, please keep me posted as to where we are. In other words, yes I can get into Normal mode, no I can't get into Normal mode, etc. It will help me know which way to go.
 
Your reply should include
1. If you can get into Normal Mode
2. A fresh Combofix log
 
bamajim   Graduate of MRU

 

19 Posts

December 13th, 2006 01:00

bamajim,

also not sure if it's worth mentioning, but when i booted up, i got 3 dialog boxes, one after the other, that said "The system has recovered from a serious error," and then asked if i wanted to send the error report to microsoft (which i declined to do).

ec

19 Posts

December 13th, 2006 01:00

normal mode works! though i did start to get the winantivirus popups again...

here's the combofix log:



emily - 06-12-13 12:40:41.85 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((( Files Created from 2006-11-13 to 2006-12-13 ))))))))))))))))))))))))))))))))))


2006-12-03 12:26d-------- C:\Program Files\HijackThis
2006-11-30 20:04 33,792 --a------ C:\WINDOWS\ieuninst.exe
2006-11-29 20:41 53,248 --a------ C:\WINDOWS\SYSTEM32\DellSys.dll
2006-11-29 20:40 17,153 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys
2006-11-27 18:21d-------- C:\WINDOWS\Minidump
2006-11-27 16:20 10,000 --a------ C:\WINDOWS\SYSTEM32\xpRecovery.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-13 12:40 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-13 12:38 -------- d-------- C:\Documents and Settings\emily\Application Data\Skype
2006-11-30 20:04 -------- d--h----- C:\Program Files\Uninstall Information
2006-11-29 20:44 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-29 20:41 -------- d-------- C:\Program Files\Dell
2006-11-06 21:02 -------- d-------- C:\Program Files\Red Chair Software
2006-11-04 12:43 -------- d-------- C:\Program Files\Picasa2
2006-10-14 11:56 -------- d-------- C:\Program Files\AdwareFilter-savelogs
2006-09-22 09:12 0 --a------ C:\Documents and Settings\emily\Application Data\sversion.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"port windows"="C:\\WINDOWS\\System32\\ogysteo.exe"
"Avp monitor"="C:\\DOCUME~1\\emily\\LOCALS~1\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"ShowIcon_Memorex_USB Product Driver v2.13r002"="C:\\Memorex\\TravelDrive2B\\shwicon.exe -t\"Memorex\\USB Product Driver v2.13r002\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"port windows"="C:\\WINDOWS\\System32\\ogysteo.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="OpenGL additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\Utility Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\sistray.exe "
"item"="Utility Tray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyhook"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\keyhook.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: 06-12-13 12:42:43.29
C:\ComboFix.txt ... 06-12-13 12:42
C:\ComboFix2.txt ... 06-12-05 23:35

10.4K Posts

December 13th, 2006 12:00

ecbronte

It is o.k. to allow the error reports to Microsoft. You have had a crash or 2. I can tell by the presence of this file
  • C:\WINDOWS\Minidump

1. Using Windows Explorer
  • (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and Delete the following files (making sure you get the right file in the right location)
  • C:\WINDOWS\SYSTEM32\xpRecovery.dll
  • C:\\DOCUME~1\\emily\\LOCALS~1\\Temp\\svchost.exe
    <<-which should translate to C:\Documents and Settings\emily\Local Settings\Temp\svchost.exe->>
Reboot your PC in Normal Windows mode

2. Please download F-Secure Blacklight (blbeta.exe)
  • and Save to your Desktop
  • Double click the file to run it
  • It will create the "fsbl-xxxxxxx.log" on your desktop.
  • The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
Your reply should include your Blacklight log
 
bamajim   Graduate of MRU
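
The delete list in the reply above includes a svchost.exe that sits in the user's Temp folder, written in 8.3 short-name form. The following is an added example, not part of the original posts: a Python sketch that reads `"name"="command"` lines like those in the posted log and flags programs that carry a Windows system process name outside its usual folder or that run from a Temp folder. The sample lines, the value names in them, the short-name map and the list of process names are assumptions made for the illustration.

```python
import ntpath
import re

# Usual folders for process names that appear in the thread's HijackThis log.
SYS32 = r"c:\windows\system32"
SYSTEM_HOMES = dict.fromkeys(
    ["svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"], SYS32)
SYSTEM_HOMES["explorer.exe"] = r"c:\windows"
# Assumed 8.3 short-name expansions; real mappings are assigned per volume.
SHORT_NAMES = {"docume~1": "documents and settings",
               "locals~1": "local settings", "progra~1": "program files"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.exe)(?=\s|$)|(\S+))', re.I)

# Constructed sample lines in the log's "name"="command" form.
SAMPLE = r'''
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"example updater"="C:\\DOCUME~1\\emily\\LOCALS~1\\Temp\\svchost.exe"
"example host"="C:\\WINDOWS\\System32\\svchost.exe -k netsvcs"
'''

def unescape(s):  # undo .reg-style escaping of backslashes and quotes
    return re.sub(r"\\(.)", r"\1", s)

def executable(command):
    # Lower-cased program path of a command line, with short names expanded.
    m = EXE_RE.match(command.strip())
    path = next(g for g in m.groups() if g) if m else ""
    parts = ntpath.normcase(path).split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)

def findings(text):
    # Return (value name, program path, reasons) for entries worth a closer look.
    out = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, exe = unescape(m.group(1)), executable(unescape(m.group(2)))
        folder, base = ntpath.split(exe)
        reasons = []
        if folder and folder != SYSTEM_HOMES.get(base, folder):
            reasons.append("system process name outside its usual folder")
        if "temp" in folder.split("\\"):
            reasons.append("runs from a Temp folder")
        if reasons:
            out.append((name, exe, reasons))
    return out
```

A flagged entry is a prompt for manual review of the file and its location, not a verdict; entries with no folder in the command (a bare file name) are not judged.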

 



