Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

smitfreud-c ????

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

smitfreud-c ????

Unread postby ReelAquaholic » August 16th, 2006, 12:44 pm

What can i clean with HJT, ewido will not work on windows 98 and ad-aware is locking up somewhere in the cab serch section.



Logfile of HijackThis v1.97.7
Scan saved at 10:30:48 AM, on 8/16/2006
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSCHED.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\COREL\SUITE8\PROGRAMS\DAD8.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP OFFICEJET V SERIES\BIN\HPOANT07.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQGALRY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msn.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [VSchedule] C:\Program Files\Network Associates\McAfee VirusScan\VSCHED.EXE
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [TMDevMon] C:\Program Files\ThrustMaster\Common\TMDEVMON.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [WM_LOGIN] C:\Program Files\McAfee\McAfee Firewall\MSGLOGIN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CPD_EXE] C:\Program Files\McAfee\McAfee Firewall\CPD.EXE AUTOSTART
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: Corel Desktop Application Director 8.LNK = C:\COREL\SUITE8\Programs\DAD8.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/o ... winrep.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... mv9VCM.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
ReelAquaholic
Active Member
 
Posts: 6
Joined: August 16th, 2006, 11:55 am
Advertisement
Register to Remove

Unread postby Bob4 » August 16th, 2006, 5:30 pm

_________________________________
Welcome to the Malware removal forums. I will be more than happy to help you work on your problems.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So lets do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!







It looks like you have been infected by a backdoor trojan.

winmain.exe

http://www.liutilities.com/products/win ... y/winmain/

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

More information on Remote Access Trojans can be found
here

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.


If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.




______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked





O4 - HKLM\..\Run: [winmain] winmain.exe




___________________________________
Reconfigure Windows to show hidden files::

Click My Computer.
Select the Tools menu Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
___________________________________
Search for and remove
Now I want you to search for and delete the following folder and all it's contents if present. If you need help finding them.
Click start /search/ all files and folders/ look for More advanced options. once in there select the first 3 boxes.
Please just remove the files/folders I listed in BOLD

Do an all files search for this.
winmain.exe



______________________

Go to :www.trendmicro.com and click free Free tools on the top. .
Click Scan Now It's Free. Choose your location, then Start Free Scan Now. Select Complete Scan. If it asks about installing an ActiveX control, allow it. It'll take a few minutes to download, especially with a dialup connection, so be patient.
Check to Clean all drives and Scan.
When it completes, copy the full name of any virus, trojan, or spyware that cannot be cleaned or deleted and post them along with your next log.


_________________
Your HijackThis is not the latest version. Please download this self extracting file to your Downloads folder in My Documents or some other place where you will find it easily:
* Now go to the folder you saved "HijackThis_sfx.exe" in. Double click "HijackThis_sfx.exe" and select "Unzip". When done click "OK".
* Close the WinZip self Extractor window.
* To find HijackThis go to C:\Program Files\HijackThis.


Post a new HJT log

and anything that micro trend could not delete.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby ReelAquaholic » August 16th, 2006, 7:18 pm

Bob, I'm having to work the fix from my laptop. i'm still unable to access the internet from the infected computer. i was able to run the updated HJT and removed the "Winmaim.exe". in order to run the trendmico or any other scan it'll need to be site that can be downloadable so i can transfer it.
I do have Ad-Aware, which picked up "CometSystems"
here's the current HJT log

Logfile of HijackThis v1.99.1
Scan saved at 6:04:37 PM, on 8/16/2006
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSCHED.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\COREL\SUITE8\PROGRAMS\DAD8.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP OFFICEJET V SERIES\BIN\HPOANT07.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQGALRY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [VSchedule] C:\Program Files\Network Associates\McAfee VirusScan\VSCHED.EXE
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [TMDevMon] C:\Program Files\ThrustMaster\Common\TMDEVMON.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [WM_LOGIN] C:\Program Files\McAfee\McAfee Firewall\MSGLOGIN.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CPD_EXE] C:\Program Files\McAfee\McAfee Firewall\CPD.EXE AUTOSTART
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: Corel Desktop Application Director 8.LNK = C:\COREL\SUITE8\Programs\DAD8.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/o ... winrep.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
ReelAquaholic
Active Member
 
Posts: 6
Joined: August 16th, 2006, 11:55 am

Unread postby Bob4 » August 16th, 2006, 7:45 pm

Didn't realize we didn't have Internet accsess. ;)

When was the last time you were able to update Macafee ?

Have you checked that your modem/ lan card are functioning correctly ?


________________________
Spybot1.4
Download spybot S&D here.
Be sure and update it .Heres how if you need help.

________________________
Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Put a check in the boxes next to the button ‘generate start up log’
Then press the button itself. It will open a notepad file.
Close HijackThis.
Copy and past the content of that file here in your answer.


_________________________
Open HJT

this time click on
Misc tools section

then:
Open uninstall Manager
click on save list.
Post that for me.


Please download WinPFind2.

  • Extract the files to a folder(eg: C:\WinPFind2).
  • Double click WinPFind2.exe to start the program.
  • Click the Select All button in the File Options box of the Configuration tab(this is the tab the program opens up to by default).
  • Click the Run all Scans button.
  • When its finished scanning you will see Scans Complete! at the bottom left of the program.
  • Click the Export to Text button.
  • Notepad will open with the results of the scan and the log will be saved to the folder that you extracted the program to(C:\WinPFind2\WinPFind2.txt)
  • Post the log in your next reply please. You may need to split the log over a couple posts so that it doesn't get cut off. If so please use the [Start Post #1] and [Start Post #2] deliminators in the log to split the log up.


Please post:
WinPfind log

the start up list from HJT

The uninstall list from HJT
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby ReelAquaholic » August 16th, 2006, 8:58 pm

Ok, here are the .txt files. the winpfind2 would return a "grid index out of range" error when selecting run all scans. but there was a log in the extended report, hope it's what you were looking for.

this is the un install post

225 Best Educational Programs
3Com Modem Manager
3Com Modem User Guide
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Acrobat Reader 3.01
Adobe Flash Player 9 ActiveX
Adobe ImageReady 1.0
Adobe PhotoDeluxe Home Edition 3.0
Adobe Photoshop 5.0
Amazon Trail 3rd Edition
Arthur's Birthday
Arthur's Computer Adventure
Atlantis - Search for the Journal
Attack Throttle
Caere Scan Manager 4.0
Casper Activity Center
Chutes and Ladders
ConnectDirect
Corel WordPerfect Suite 8
Data Access Objects (DAO) 3.0
Delete Windows 98 uninstall information
Delta Force 2
Delta Force Land Warrior
Delta Force Task Force Dagger
Disney's Extremely Goofy Skateboarding Preview
Encarta Encyclopedia 99
Extensis Intellihance Pro 4.0
Extensis PhotoTools 3.0
Eyewitness World Atlas
FlashPath
Google Toolbar for Internet Explorer
Greetings Workshop
Grey Olltwit's Dinosaur Hunt
HijackThis 1.99.1
Home and Business Lawyer Deluxe 2005
Hot Wheels(tm) Velocity X
HP Image Zone 4.2
hp instant support
hp officejet v series
HP Photo Printing Software
HP PrecisionScan LT Software
HP PSC & OfficeJet 4.2
HP Share-to-Web
HP Software Update
Indeo Codec
Internet Explorer Q916281
Iomega Tools for Windows 95
iQfx
JumpStart 1st Grade 2000
JumpStart Kindergarten 98 v2.1
JumpStart Math for First Graders v1.3
JumpStart Parent Resource Center
JumpStart Reading for First Graders v1.2
Kar Racing
Key Resume Designer
Lyra System File Update Utility
Macromedia Dreamweaver 2
Macromedia Shockwave Player
MapSource
Math Blaster Ages 8-9
McAfee Firewall
McAfee VirusScan v3.1.6 (OEM)
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Expedia Streets 98
Microsoft FrontPage 98
Microsoft Greetings
Microsoft Image Composer 1.5
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Money 99
Microsoft Outlook Express 6
Microsoft Picture It! Express 2.0
Microsoft PowerPoint Viewer 97
Microsoft Publisher 98
Microsoft VGX Q833989
Microsoft Visual Basic Professional Step by Step
Microsoft Visual Studio 6.0 Professional Edition
Microsoft Windows Critical Update Notification
Microsoft Windows Media Player 6.4
Microsoft Word 97
Microsoft Works 4.5
Microsoft Works Calendar 1.0
Microsoft Works Setup Launcher
Microsoft XML Parser and SDK
Modem Diagnostic Utility
MouseWare
OLYMPUS CAMEDIA Master 1.1
OmniPage Pro 9.0
OTOY
Outlook Express Q823353
PageKeeper Lite 3.0
Paint Shop Pro 7
Personal Web Server
PhoneTools
Phonics 4 Kids
PhotoRecall Deluxe
ProPilot
Putt-Putt Travels Through Time
Quick View Plus
QuickStitch
QuickTime 3.0
QuickTime for Windows (16-bit)
RD1021/1071 Lyra Personal Audio Player Applications
Ready for Math with Pooh
RealPlayer
RealPlayer 4.0
Science Blaster Junior
Shockwave
Sierra Utilities
Software CineMaster 98
Sports Illustrated Swimsuit'99 Screen Saver
Spybot - Search & Destroy 1.2
SpyHunter
TBS Montego AudioStation 2
TBS Montego Drivers
Theme Park World
Ulead PhotoImpact 3.0
Uninstall Windows 98
USA Explorer
Warbirds 277 R3
WarBirds III FPA
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 KB908519 Update
Windows 98 KB918547 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
Windows Messaging Update 1
WinZip
World Explorer 2.0
Yahtzee
ReelAquaholic
Active Member
 
Posts: 6
Joined: August 16th, 2006, 11:55 am

Unread postby ReelAquaholic » August 16th, 2006, 9:00 pm

and here's the PF2 file.

Logfile created on: 08/16/2006 19:54
WinPFind2 by OldTimer - Version 1.0.3 Folder = C:\WINDOWS\DESKTOP\WINPFIND2\
(Version = )
Internet Explorer (Version - 6.0.2800.1106)


[Start Post #1]


Registry Entries

#Value
##(Version Info)

<<< Internet Explorer Settings >>>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default Search
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#c:\windows\SYSTEM\blank.htm
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page
#http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
##

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page
#C:\WINDOWS\SYSTEM\blank.htm
##

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable
#0
##

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride
#127.0.0.1
##

<<< BHO's >>>

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
#AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
##(( [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Date = 04/16/2001 16:39 | Attr = ])

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
#Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

<<< Internet Explorer Bars, Toolbars and Extensions >>>

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
#Search Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
#Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
#Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1849 (xpsp2.060519-1300) | Size = 1339904 bytes | Date = 05/26/2006 15:40 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
#History Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1849 (xpsp2.060519-1300) | Size = 1339904 bytes | Date = 05/26/2006 15:40 | Attr = ])

HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
#Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1849 (xpsp2.060519-1300) | Size = 1339904 bytes | Date = 05/26/2006 15:40 | Attr = ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
#&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1849 (xpsp2.060519-1300) | Size = 1339904 bytes | Date = 05/26/2006 15:40 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
#&Address = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
#&Links = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
#&Address = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
#&Links = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F}
#&Google = c:\program files\google\googletoolbar1.dll
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{8E718888-423F-11D2-876E-00A0C9082467}
#&Radio = C:\WINDOWS\SYSTEM\MSDXM.OCX
##(Microsoft Corporation [Ver = 6.4.07.1121 | Size = 846096 bytes | Date = 10/06/2003 10:21 | Attr = ])

HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\NextId
#8193
##

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Google Search
#res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Translate English Word
#res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Backward Links
#res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page
#res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages
#res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKCU\Software\Microsoft\Internet Explorer\MenuExt\Translate Page into English
#res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
##(Google Inc. [Ver = 3, 0, 131, 0 | Size = 1158656 bytes | Date = 02/14/2006 14:05 | Attr = R ])

HKLM\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.spop
# = C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
##(Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Date = 08/01/2001 17:05 | Attr = ])

<<< Approved Shell Extensions (Non-Microsoft only) >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7dc69c14-014e-4f08-9f5a-87bdd20ee404}
#RD1021/1071 Lyra Personal Audio Player ApplicationsShell Hook = thmsn21h.dll
##(Thomson Inc. [Ver = 1, 78, 0, 139 | Size = 151552 bytes | Date = 03/26/2003 10:45 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9EF56D61-A50F-11ce-B105-0000C04B2D52}
#VirusScan 95 Shell Extension = C:\Program Files\Network Associates\McAfee VirusScan\S95EXT.DLL
##( [Ver = | Size = 34304 bytes | Date = 03/31/1998 03:16 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C56C4E21-706D-11d0-AFC5-444553540002}
#My Digital Camera = C:\Program Files\PhotoDeluxe HE 3.0\FotoNation Explorer\camview.dll
##(FotoNation Inc. [Ver = 1, 2, 1, 0 | Size = 199680 bytes | Date = 04/09/1998 14:52 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}
#Shell Extensions for RealOne Player = C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL
##(RealNetworks, Inc. [Ver = 1.0.1.1783 | Size = 49198 bytes | Date = 04/12/2004 18:56 | Attr = ])

<<< ContextMenuHandlers (Non-Microsoft only) >>>

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
# = c:\windows\SYSTEM\shellwp.dll
##(Corel Corporation Limited [Ver = 8.0.0.224 | Size = 125952 bytes | Date = 08/08/1997 08:00 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\QuickViewPlusMenu
#{F0F08737-0C36-101B-B086-0020AF07D0F4} = C:\Program Files\Quick View Plus\PROGRAM\QVPSE2.DLL
##(Inso Corporation [Ver = 4.0.0.635 [Sep.26.1996] | Size = 30720 bytes | Date = 02/01/1997 04:01 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\VersionsMenu
#{03170921-4754-11cf-AB9A-00C0F00683EB} = c:\Corel\Suite8\Versions\CVersion.dll
##(Corel Corporation Limited [Ver = 8.0.0.224 | Size = 94208 bytes | Date = 08/08/1997 08:00 | Attr = ])

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinZip
#{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
##( [Ver = | Size = 25088 bytes | Date = 09/07/1997 06:30 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
#{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = C:\COREL\SUITE8\PROGRAMS\PFSE80.DLL
##(Novell, Inc. [Ver = 8.0.0.225 | Size = 79872 bytes | Date = 08/08/1997 08:00 | Attr = ])

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
#{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
##( [Ver = | Size = 25088 bytes | Date = 09/07/1997 06:30 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QuickFinderMenu
#{C0E10002-0028-0001-C0E1-C0E1C0E1C0E1} = C:\COREL\SUITE8\PROGRAMS\PFSE80.DLL
##(Novell, Inc. [Ver = 8.0.0.225 | Size = 79872 bytes | Date = 08/08/1997 08:00 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VersionsMenu
#{03170921-4754-11cf-AB9A-00C0F00683EB} = c:\Corel\Suite8\Versions\CVersion.dll
##(Corel Corporation Limited [Ver = 8.0.0.224 | Size = 94208 bytes | Date = 08/08/1997 08:00 | Attr = ])

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
#{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
##( [Ver = | Size = 25088 bytes | Date = 09/07/1997 06:30 | Attr = ])

<<< ColumnHandlers (Non-Microsoft only) >>>

<<< Registry Run Keys >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CriticalUpdate
#c:\windows\SYSTEM\wucrtupd.exe -startup
##(Microsoft Corporation [Ver = 5.4.3681.0 | Size = 131072 bytes | Date = 09/16/2002 09:21 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Disknag
#C:\DELL\DISKNAG.EXE
##(Dell Computer Corporation [Ver = 1.00 | Size = 30720 bytes | Date = 02/26/1998 14:10 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\EM_EXEC
#c:\mouse\system\em_exec.exe
##(Logitech Inc. [Ver = 8.02A.548 | Size = 35840 bytes | Date = 06/12/1998 08:02 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HP Component Manager
#"C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
##(Hewlett-Packard Company [Ver = 2.1.1.0 | Size = 241664 bytes | Date = 05/12/2004 15:18 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HP Software Update
#"c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
##(Hewlett-Packard Company [Ver = 2, 0, 39, 0 | Size = 49152 bytes | Date = 02/12/2004 13:38 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LoadPowerProfile
#Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
##(Microsoft Corporation [Ver = 4.10.1998 | Size = 24576 bytes | Date = 05/11/1998 19:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Microsoft WebServer
#C:\Program Files\WebSvr\System\svctrl /init
##(Microsoft Corporation [Ver = 4.70.1181 | Size = 7680 bytes | Date = 08/28/1996 16:46 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\OmniPage
#C:\Program Files\Caere\OmniPagePro90\opware32.exe
##(Caere Corporation [Ver = 9.0 | Size = 44032 bytes | Date = 12/08/1998 13:44 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task
#"C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
##(Apple Computer, Inc. [Ver = 6.0.2 | Size = 77824 bytes | Date = 06/30/2003 09:03 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ScanRegistry
#c:\windows\scanregw.exe /autorun
##(Microsoft Corporation [Ver = 4.10.1998 | Size = 86016 bytes | Date = 05/11/1998 19:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Share-to-Web Namespace Daemon
#C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
##(Hewlett-Packard [Ver = 2,4,0,26 | Size = 57344 bytes | Date = 07/03/2001 09:11 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpyHunter
#
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\StillImageMonitor
#C:\WINDOWS\SYSTEM\STIMON.EXE
##(Microsoft Corporation [Ver = 4.10.1998 | Size = 114688 bytes | Date = 05/11/1998 19:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SystemTray
#SysTray.Exe
##(Microsoft Corporation [Ver = 4.10.1998 | Size = 36864 bytes | Date = 05/11/1998 19:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TaskMonitor
#c:\windows\taskmon.exe
##(Microsoft Corporation [Ver = 4.10.1998 | Size = 28672 bytes | Date = 05/11/1998 19:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TkBellExe
#"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
##(RealNetworks, Inc. [Ver = 0.1.0.3018 | Size = 180269 bytes | Date = 04/12/2004 18:56 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TMDevMon
#C:\Program Files\ThrustMaster\Common\TMDEVMON.EXE
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VSchedule
#C:\Program Files\Network Associates\McAfee VirusScan\VSCHED.EXE
##(Network Associates Inc. [Ver = 3.1.6 | Size = 60928 bytes | Date = 03/31/1998 03:16 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\VsecomrEXE
#C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
##( [Ver = | Size = 15872 bytes | Date = 03/31/1998 03:16 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WM_LOGIN
#C:\Program Files\McAfee\McAfee Firewall\MSGLOGIN.EXE
##( [Ver = | Size = 15872 bytes | Date = 07/14/2000 02:10 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\CPD_EXE
#C:\Program Files\McAfee\McAfee Firewall\CPD.EXE AUTOSTART
##(Network Associates Inc. [Ver = 2.12.002.0 | Size = 391168 bytes | Date = 07/14/2000 02:10 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\Encompass_ENCMONTR
#C:\Program Files\Encompass\ENCMONTR.EXE
##(Encompass, Inc. [Ver = 2, 0, 0, 1 | Size = 99840 bytes | Date = 12/04/1998 02:20 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\KB891711
#c:\windows\SYSTEM\KB891711\KB891711.EXE
##(Microsoft Corporation [Ver = 4.10.2223 | Size = 9088 bytes | Date = 03/23/2005 14:54 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\KB918547
#C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
##(Microsoft Corporation [Ver = 4.10.2224 | Size = 8256 bytes | Date = 04/24/2006 02:24 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\LoadPowerProfile
#Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
##(Microsoft Corporation [Ver = 4.10.1998 | Size = 24576 bytes | Date = 05/11/1998 19:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\Machine Debug Manager
#C:\WINDOWS\SYSTEM\MDM.EXE
##(Microsoft Corporation [Ver = 6.00.8149 | Size = 119400 bytes | Date = 05/29/1998 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\Microsoft WebServer
#C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
##(Microsoft Corporation [Ver = 4.70.1181 | Size = 15872 bytes | Date = 08/28/1996 16:46 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\SchedulingAgent
#c:\windows\SYSTEM\mstask.exe
##(Microsoft Corporation [Ver = 4.71.1769.1 | Size = 118784 bytes | Date = 05/11/1998 19:01 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\\winmodem
#WINMODEM.101\wmexe.exe
##(U.S. Robotics, Inc. [Ver = 1.60.007 | Size = 51680 bytes | Date = 04/29/1999 17:48 | Attr = ])

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RealPlayer
#"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
##(RealNetworks, Inc. [Ver = 6.0.12.857 | Size = 1003520 bytes | Date = 05/21/2006 09:56 | Attr = ])

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Reminder
#C:\Program Files\Microsoft Money\System\reminder.exe
##(Microsoft Corporation [Ver = 7.00.0805 | Size = 36352 bytes | Date = 07/25/1998 | Attr = ])


#
##

C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.exe.lnk
#C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
##(Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 114688 bytes | Date = 10/02/1998 18:22 | Attr = ])

C:\WINDOWS\Start Menu\Programs\StartUp\Corel Desktop Application Director 8.LNK
#C:\COREL\SUITE8\Programs\DAD8.EXE
##(Corel Corporation Limited [Ver = 8.0.0.225 | Size = 200192 bytes | Date = 08/08/1997 08:00 | Attr = ])

C:\WINDOWS\Start Menu\Programs\StartUp\HP Digital Imaging Monitor.lnk
#C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
##(Hewlett-Packard Co. [Ver = 43.1.5.000 | Size = 241664 bytes | Date = 05/28/2004 22:31 | Attr = ])

C:\WINDOWS\Start Menu\Programs\StartUp\HP Image Zone Fast Start.lnk
#C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
##(Hewlett-Packard Co. [Ver = 043.001.005.000 | Size = 53248 bytes | Date = 05/28/2004 23:06 | Attr = ])

C:\WINDOWS\Start Menu\Programs\StartUp\HPAiODevice(hp officejet v series) - 1.lnk
#C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
##(Hewlett-Packard Co. [Ver = 2.00 | Size = 487487 bytes | Date = 04/25/2002 18:43 | Attr = ])

C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
#C:\Program Files\Microsoft Office\Office\OSA.EXE
##( [Ver = | Size = 51984 bytes | Date = 08/19/1997 | Attr = ])

<<< Disabled MSConfig Items >>>

<<< User Agent Post Platform >>>

<<< AppInit DLLs >>>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
#Reg Data missing or invalid
##(File not found)

<<< Image File Execution Options >>>

<<< Shell Service Object Delay Load >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck
#{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1106 | Size = 258048 bytes | Date = 10/06/2003 10:20 | Attr = ])

<<< Shell Execute Hooks >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
#URL Exec Hook = shell32.dll
##(Microsoft Corporation [Ver = 4.72.3110.6 | Size = 1400832 bytes | Date = 05/11/1998 19:01 | Attr = ])

<<< Shared Task Scheduler >>>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{438755C2-A8BA-11D1-B96B-00A0C90312E1}
#Browseui preloader = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{8C7461EF-2B13-11d2-BE35-3078302C2030}
#Component Categories cache daemon = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
##(Microsoft Corporation [Ver = 6.00.2800.1692 (xpsp2.050617-2102) | Size = 1017856 bytes | Date = 06/18/2005 00:16 | Attr = ])

<<< Winlogon >>>

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
#Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
#Reg Data missing or invalid
##(File not found)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\System
#Reg Data missing or invalid
##(File not found)

<<< DNS Name Servers >>>

<<< Winsock2 Catalogs (Non-Microsoft only) >>>

<<< Protocol Handlers (Non-Microsoft only) >>>

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\cetihpz
#C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
##(Hewlett-Packard Company [Ver = 2.1.5 | Size = 81920 bytes | Date = 05/12/2004 15:18 | Attr = ])

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\pcn
#C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
##(PointCast Inc. [Ver = 2.1.1997.1105 | Size = 118272 bytes | Date = 04/03/1998 17:48 | Attr = ])

<<< Protocol Filters (Non-Microsoft only) >>>
ReelAquaholic
Active Member
 
Posts: 6
Joined: August 16th, 2006, 11:55 am

Unread postby Bob4 » August 16th, 2006, 10:23 pm

Well nothing in those logs look bad. We seem to have very few if any options at this point. The computer is probably pretty old. Even if you reformat there are no security updates available for windows 98 any longer. Which means you would be very vunerable to attacks.

You didn't mention when was the last time you were able to update MacAfee. I am going to assume it's been a while. The main infection you had has been around for a long while. Possibly an updated Anti virus program may have caught it.

My best idea at this point is for you to try and fix the internet connection on this machine that you/we might do some online scans.

I will ask other helpers to look at this thread and maybe they will have some ideas.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby Bob4 » August 16th, 2006, 10:41 pm

This just in from a good source to try.


____________________________
Restart your computer in Safe Mode.
__________________________

Restart the computer

Press the F8 key until the startup menu appears.

Choose the Command Prompt Only. option then press Enter.



At the C:> type in scanreg /restore. (Note that there is a space between scanreg and /restore) It will prompt you for your choice of registry to restore. Pick a date of a registry that used to work properly. Then you'll be prompted to reboot.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby Bob4 » August 17th, 2006, 6:57 am

Ok looks like theres an older infection here I missed.

______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html


______________________
Download CWS shredder from here. You can copy this from the good machine to the bad machine.
http://www.trendmicro.com/cwshredder/

Open that and click on fix.


___________
NowI would like you to open a command window.

Click Start/run
Type in command
a window will open
type this in exactly.
There is a space between
the g in ping and 8

ping 82.165.180.19

hit enter

Copy and paste the reply you get for me here.
To do this is a bit different. Left click the top left of the command window,
choose select all/ click top left again and choose copy. Now paste it in here.

Post a new HJT log and the results from the command window.
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby ReelAquaholic » August 18th, 2006, 9:34 am

Sorry about the delay. i was out of town yesterday.

The scanreg /restore came back...system restore operation failed.

I did delete the searchv.com entry with HJT

the CWshreader came back clean.

im unable to copy the command prompt screen, but all values were 100% loss these were the three points that were tried.

C:\windows\desktop>
C:\windows>
C:\>

destination host unreachable
for the four packets sent.
ReelAquaholic
Active Member
 
Posts: 6
Joined: August 16th, 2006, 11:55 am

Unread postby Bob4 » August 18th, 2006, 3:01 pm

Copy thisd from the good computer to the infected machine. Place it on the desktop. Do not run it from a floppy disk.

Download w2fix.exe to the desktop from here. (Important: w2fix.exe cannot be run from a floppy disk as the program reboots the computer and a floppy disk would interfere with the boot sequence.)


Double click on the w2fix file on your Desktop and follow the on-screen instructions. You will be prompted to reboot your computer twice before the fix is complete.

You can delete the w2fix.exe file from your computer after the fix is installed.

Let me know if that works.

____________________-

Open HJT

this time click on
Misc tools section

then:
Open uninstall Manager
click on save list.
Post that for me also.

Question:

Was this computer online OK until recently ?
User avatar
Bob4
MRU Master
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby ReelAquaholic » August 20th, 2006, 11:12 am

much thanks folks, i'm going to go will the full wipe and re install. not enough time in a day to get everything done!
ReelAquaholic
Active Member
 
Posts: 6
Joined: August 16th, 2006, 11:55 am

Unread postby 'KotaGuy » August 20th, 2006, 1:18 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware