Hijack This Log


Post by ChrisRLG » June 5th, 2005, 4:50 pm

Client in chatroom.

Advised to get reglite - for possible registry fix.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by theglobal » June 5th, 2005, 5:52 pm

Chris... here is info from regscan ---- each item is separated by dashes ------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"S3TRAY2"="S3tray2.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HPHmon03"="C:\\WINDOWS\\System32\\hphmon03.exe"
"CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"checktime"="c:\\program files\\HPSelect\\Frontend\\ct.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
" gSafeOnload[gSafeOnload.length] "=hex(2):63,3a,5c,57,49,4e,44,4f,57,53,5c,\
53,79,73,74,65,6d,33,32,5c,09,09,67,53,61,66,65,4f,6e,6c,6f,61,64,5b,67,53,\
61,66,65,4f,6e,6c,6f,61,64,2e,6c,65,6e,67,74,68,5d,20,3d,20,66,3b,00
" gSafeOnload[i"=hex(2):63,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,\
32,5c,09,09,67,53,61,66,65,4f,6e,6c,6f,61,64,5b,69,5d,28,29,3b,00
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"sunasDTServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasDTServ.exe"
@=""
"sunasServ"="C:\\Program Files\\Sunbelt Software\\CounterSpy Client\\sunasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

------------------------------

REGEDIT4

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="gSafeOnload"

-----------------------------

REGEDIT4

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe"
"Extreme Messenger for AIM"="C:\\Program Files\\Extreme Messenger\\ExtremeMessenger.exe nosplash"
"NoAds"="\"C:\\Program Files\\NoAds\\NoAds.exe\""
"MoneyAgent"="\"c:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
" gSafeOnload[gSafeOnload.length] "=hex(2):63,3a,5c,57,49,4e,44,4f,57,53,5c,\
53,79,73,74,65,6d,33,32,5c,09,09,67,53,61,66,65,4f,6e,6c,6f,61,64,5b,67,53,\
61,66,65,4f,6e,6c,6f,61,64,2e,6c,65,6e,67,74,68,5d,20,3d,20,66,3b,00
" gSafeOnload[i"=hex(2):63,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,\
32,5c,09,09,67,53,61,66,65,4f,6e,6c,6f,61,64,5b,69,5d,28,29,3b,00
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AOLCC"="\"C:\\Program Files\\AOL Computer Check-Up\\ACCAgnt.exe\" /startup"
"Adaware Bootup"="C:\\Documents and Settings\\Owner\\Desktop\\Patrick's Utilities\\Lavasoft Ad-Aware\\Ad-aware.exe /Auto /Log \"C:\\Documents and Settings\\Owner\\Desktop\\Patrick's Utilities\\Lavasoft Ad-Aware\\\""

theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Post by ChrisRLG » June 5th, 2005, 7:42 pm

OK

a regfix to try.

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" gSafeOnload[gSafeOnload.length] "=-
" gSafeOnload[i"=-

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Windows\CurrentVersion\Run]
" gSafeOnload[gSafeOnload.length] "=-
" gSafeOnload[i"=-


Copy that to notepad, save as cjwd.reg (type all files) to the desktop.

Then double click that new icon to merge it into the registry.

Then reboot and post a fresh HJT log.

I am going to bed now 12:45 my time - so will check tomorrow.

Perculator

Sorry for jumping in with this; if it has worked you can continue with the fix, which should now be easier.

Edit: fixed your /code tag Chris... you never closed it. 'KG
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by theglobal » June 5th, 2005, 8:08 pm

I copied the info into cjwd.reg... as follows:

[code]REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" gSafeOnload[gSafeOnload.length] "=-
" gSafeOnload[i"=-

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Windows\CurrentVersion\Run]
" gSafeOnload[gSafeOnload.length] "=-
" gSafeOnload[i"=-
[/code

I received the following error:

Cannot import C:\documents~\owner\desktop\cjwd.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

I saved the file as instructed. Let me know if I need to do anything differently.

Thanks
theglobal
Regular Member
 
Posts: 85
Joined: March 1st, 2005, 3:55 am

Post by 'KotaGuy » June 5th, 2005, 8:45 pm

Sorry to jump in on this... recopy the code box in ChrisRLG's previous post... don't copy Code. Just the text inside the white box.

Chris was tired when he posted and his sleepy mind forgot to close the /code tag. I fixed it as he stated he was heading to bed... wasn't quick enough I guess. Recopy it, and resave it like you did the last time. It should work now.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by Perculator » June 6th, 2005, 3:30 am

The text you have to copy is in the box, good luck.

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" gSafeOnload[gSafeOnload.length] "=-
" gSafeOnload[i"=-

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-

[HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Windows\CurrentVersion\Run]
" gSafeOnload[gSafeOnload.length] "=-
" gSafeOnload[i"=-



Copy that to notepad, save as cjwd.reg (type all files) to the desktop.

Then double click that new icon to merge it into the registry.

Then reboot and post a fresh HJT log.

Did you do it?



And I do appreciate you guys dropping in, I have only 24 hours a day to do things :-)
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

Post by theglobal » June 6th, 2005, 6:36 pm

It looks like the regedit did not work... :cry:

Here is the post of the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:45 AM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKLM\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ gSafeOnload[gSafeOnload.length] ] c:\WINDOWS\System32\ gSafeOnload[gSafeOnload.length] = f;
O4 - HKCU\..\Run: [ gSafeOnload[i] c:\WINDOWS\System32\ gSafeOnload[i]();
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7392481625
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Unread postby ChrisRLG » June 7th, 2005, 8:35 am

Well we will have to get you to try to do it manually with reglite.

The reason it failed was the use of '[' and spaces within the key. We were doubtful whether it would work because of them.

We prefer to use a reg merge file as it is less prone to user errors; some of our users would have less knowledge than yourself.

Start reglite. It would be a good idea to take a backup of the registry at this point.

Copy this into the address bar of reglite, then hit the 'go' button:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then find the first value in the right hand section of the window.
" gSafeOnload[gSafeOnload.length] "

Right click and try to delete.
If it tells you that you do not have permission, right click the Run key itself (left pane), choose 'properties' and 'take ownership' of the key. Then retry deleting that value.

Then repeat for the value :-
" gSafeOnload[i"

Then for the key :-
HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Search Assistant\ACMru\5603
with the value:-
"000"

Then lastly for the key :-
HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Windows\CurrentVersion\Run
With the values:-
" gSafeOnload[gSafeOnload.length] "
and
" gSafeOnload[i"

Then exit, reboot and post back with a new HJT log.

Unread postby Perculator » June 7th, 2005, 8:53 am

I am investigating this safeonload problem... will post soon.

Oh, I see Chris jumped in; we'll be looking forward to seeing your log again....

Unread postby theglobal » June 7th, 2005, 4:11 pm

Here's the new log.

Logfile of HijackThis v1.99.1
Scan saved at 2:05:10 PM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Adaware Bootup] C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Documents and Settings\Owner\Desktop\Patrick's Utilities\Lavasoft Ad-Aware\"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Basic\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engin ... core_1.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7392481625
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b28578.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://E:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28578.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Unread postby theglobal » June 7th, 2005, 4:15 pm

Oops, I forgot to mention that the following key (as noted in Chris' instructions) was not available to delete...

Then for the key :-
HKEY_USERS\S-1-5-21-2974146706-4179051517-1175015063-1003\Software\Microsoft\Search Assistant\ACMru\5603
with the value:-
"000"


When I got to the key the following values were noted:

Name: ab (Default)

Type: REG_SZ

Data: (value not set)

---------------------------

So, I did nothing with that entry.

Unread postby admin1 » June 7th, 2005, 4:47 pm

Great.

Sorry using my admin account as I am away from my normal machines.

The registry keys, I believe, were not malware on their own, but were probably left behind by some previous badly written software, which may have been a previously removed malware.

Those lines were not actually doing anything; they just looked damn funny.

Because of the codes used, HJT and regfixes etc. would not work, but a manual removal would.

Perculator

You can finish off.

:)
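Chris's note above that '[' and spaces in the value name broke the reg merge, and admin1's point that HJT and regfixes could not touch those entries, are easier to see with the export in front of you. The following is an editor-added example, not code posted in this thread and not part of HijackThis or reglite: a small parser for a REGEDIT4 export that joins the backslash continuation lines, decodes hex(2) (REG_EXPAND_SZ) payloads, and flags Run-key values whose name carries leading/trailing whitespace or bracket characters, or whose data does not name an executable. The .reg text is a constructed sample modelled on the thread's Run key; the Recguard and ccApp entries are ordinary, and the odd value's hex data is made up so that it decodes to a script-like fragment rather than a program path. The cp1252 decoding is an assumption (REGEDIT4-format exports on an English system); the newer "Windows Registry Editor Version 5.00" format stores hex(2) as UTF-16LE instead.

```python
"""Parse a REGEDIT4 export and flag Run-key value names that a .reg merge
or a HijackThis fix cannot address cleanly (spaces and '[' in the name).
Editor-added example; not code from the thread, reglite or HijackThis."""
import re
from typing import Dict, List, Tuple

# Constructed sample .reg text modelled on the thread's Run key. The first two
# values are ordinary; the third has the awkward name discussed in the thread
# and hex(2) data that decodes to a script fragment rather than a program path.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
" gSafeOnload[gSafeOnload.length] "=hex(2):63,3a,5c,57,49,4e,44,4f,57,53,5c,\
  53,79,73,74,65,6d,33,32,5c,09,09,67,53,61,66,65,4f,6e,6c,6f,61,64,5b,69,5d,\
  20,3d,20,66,3b,00
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')
_EXE_RE = re.compile(r'\.(exe|com|bat|cmd|scr|dll)\b', re.I)


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _join_continuations(text: str) -> List[str]:
    """Join lines that end in a backslash (long hex payloads) into one line."""
    out: List[str] = []
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip() if buf is not None else raw
        if line.endswith("\\"):
            buf = (buf or "") + line[:-1]
            continue
        out.append((buf or "") + line)
        buf = None
    if buf is not None:
        out.append(buf)
    return out


def decode_data(raw: str) -> Tuple[str, str]:
    """Return (registry type, decoded data) for one REGEDIT4 value payload."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", str(int(raw[6:], 16))
    m = _HEX_RE.match(raw)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(
            m.group(1), "hex(%s)" % m.group(1))
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):
            # Assumption: REGEDIT4 (not the 5.00 format) writes string types in
            # the ANSI code page, NUL-terminated; cp1252 assumed (English system).
            return kind, data.decode("cp1252", "replace").rstrip("\x00")
        return kind, data.hex()
    return "UNKNOWN", raw


def parse_reg(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each [key] to a list of (value name, type, decoded data)."""
    keys: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for line in _join_continuations(text):
        line = line.rstrip()
        if not line or line.startswith("REGEDIT4") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            kind, data = decode_data(m.group(2))
            keys[current].append((_unescape(m.group(1)), kind, data))
    return keys


def suspicious_names(keys: Dict[str, List[Tuple[str, str, str]]]) -> List[Tuple[str, List[str]]]:
    """Flag Run-key values whose name or data does not look like a normal autostart."""
    findings: List[Tuple[str, List[str]]] = []
    for key, values in keys.items():
        for name, kind, data in values:
            reasons = []
            if name != name.strip():
                reasons.append("leading/trailing whitespace in value name")
            if "[" in name or "]" in name:
                reasons.append("bracket characters in value name")
            if any(ord(c) < 32 for c in data):
                reasons.append("control characters (e.g. tabs) in data")
            if kind in ("REG_SZ", "REG_EXPAND_SZ") and not _EXE_RE.search(data):
                reasons.append("data does not name an executable")
            if reasons:
                findings.append((key + "\\" + name, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_names(parse_reg(SAMPLE_REG)):
        print(repr(path))  # repr() makes the surrounding spaces visible
        for r in reasons:
            print("   -", r)
```

Printing the flagged name with repr() is deliberate: the leading and trailing spaces that defeated the merge are invisible in a plain listing, which is exactly why the entry was hard to spot and hard to address with a .reg file.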

Unread postby Perculator » June 7th, 2005, 4:56 pm

Great fixing, this sure is one for our library.


OK global, I'll come back tomorrow with some actions you need to do, and also I will give you some advice for your brother-in-law on how to protect his computer, and of course I'll take a look at your log again to see I didn't forget anything...

It was a pleasure helping you; see you tomorrow.

Unread postby theglobal » June 7th, 2005, 4:58 pm

I'm not sure what you mean by "You can finish off."

In your instructions you asked me to list programs that are not known or seem to be malicious...they are as follows:

Display Utility
AOL Coach Version
Kazoo Studio
Movie Shop
P/c-Doctor for windows
PS2
S3 Gamma
Tcl 8.0.5 for Windows
USB
Windows AFA
Internet Enhancement

These are on my brother-in-law's machine, so he's not sure what they do.

Also, we still cannot turn on Automatic Updates from within Control Panel, as the selection is grayed out.

Please let me know if I need to do anything else...

theglobal

Unread postby Perculator » June 7th, 2005, 5:04 pm

Don't worry, I'll come back tomorrow and sort out the last things.

Finishing off in this case means we have got the biggest problem behind us.....

Be happy :lol:
