• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
cephas47

Another dose of spyware, another HJT log...gah

9 posts in this topic

I say another, and it's my first. Let me qualify:

I'm pretty sure I picked up the same junk as MacGuffin (who came through recently), as it was probably from the same site (I know of him on said site.).

 

I found a bunch of stuff last night that I didn't put there, and proceeded to delete them straight up. Already cleared the Recycle Bin, and I don't remember what the specific names were. All I remember was something about a "May 17 launcher.exe", and that I don't remember that WhenUsearch bar being installed.... :oops:

 

Already uninstalled that, and MemoryWatcher. Lycos still pops up on the occasional Google search, however.

 

Also, I've noticed that I've got some addresses in my History folder at least 4 weeks back to an IP: 65.75.141.210. WhoIs was non-descript enough for me to have no idea what I was pointing at, but I haven't visited any IP domains for, um, well, since I was in college, at least 4 years ago.

 

The obligiatory HiJackThis log.....

 

Logfile of HijackThis v1.98.0

Scan saved at 8:41:12 PM, on 6/30/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\mcafee.com\VSO\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ICQLite\ICQLite.exe

C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\UOAM\uoam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Documents and Settings\Owner\My Documents\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [LObCYTS] c:\documents and settings\owner\local settings\temp\LObCYTS.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot

O4 - HKCU\..\RunOnce: [eZstub] C:\ezstub.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://cob.uakron.edu

O15 - Trusted Zone: http://viper.uakron.edu

O15 - Trusted Zone: http://webmail.uakron.edu

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab

O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15be4596badbf90ef902/...ip/RdxIE601.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA961CD-1040-447A-944B-686294CF30B2}: NameServer = 12.102.244.1 204.127.129.1

 

 

Quick asides (stuff I think would elicit a question if I didn't answer right away):

uoam.exe: Ultima Online AutoMap....http://www.uoam.net/ I leave it open because my custom marks resets each time I start the program.

Yes, my domain is through AT&T, yes, I have AOL 8.0 installed; I'm in the process of closing the AOL account and still picking up email addresses to forward/update.

 

Please help me, before I wrest the CPU from its tethers and send it through the window. :techsupport: Thanks in advance.

 

Byron W. Foret, E.I.

II Cor. 4:7

 

EDIT: Yes, I had already run Ad-Aware and Spybot Search & Destroy. They both culled out some garbage, but the Lycos pop up remains.

 

And in a hopefully unrelated note, McAfee has not been able to update reliably for about a year now, since my last full (back to "fresh from the HP factory") System Restore, and their tech support has been less helpful than what I've seen here.

 

SECOND EDIT (you'd think I'd remember all of this at one time): After browsing around other threads, I remember that Windows Media Player 9 has goofed up recently: the multicolored play button in the Quick Launch bar and the Start Menu has changed to what looks like a "typical" installation program icon. I checked the shortcut in the toolbar and it "looked" okay, and changed the icon back to the play button. The progam didn't load, however, on testing.

 

And also of note, my computer has not been restarted since running Ad-Aware et al.; I leave it on & powered down during the day, but not connected to the internet. Still, please help!

Edited by cephas47

Share this post


Link to post
Share on other sites

*surreptitious bump* :whistle:

 

Not because I've gotten no response thus far (18½ hours and no help arriving, but yes, I am a patient man. :) ), but because I have been watching this, my post today, and have seen that the only views it had received since my two edits...*points up*....have been my own.

In other words, to call attention to whomever might be helping me that my post has changed. Or, if research hasn't been started, to make sure info they have is current.

 

I did read through and attempt to follow the "Analyze your own HiJackThis log" guide, but admittedly I just got lost in it somewhere, and would sorely appreciate some directed advice in finishing the job.

 

Byron W. Foret, E.I.

II Cor. 4:7

Share this post


Link to post
Share on other sites

Hi,cephas47

 

First do not remove any of these without a Pro having a look at them

you may also have some items that need to be removed from Safe Mode

& Show Hidden and System files so hold for the Pros here

 

 

Check the following items in HIjackThis - close ALL windows\browsers except Hijackthis and click "Fix checked":

 

These here if you are not using them

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

 

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

 

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

 

This one is up to you

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

O4 - HKLM\..\Run: [LObCYTS] c:\documents and settings\owner\local settings\temp\LObCYTS.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

 

Not sure about this one guy's

O4 - HKCU\..\RunOnce: [eZstub] C:\ezstub.exe

 

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

 

only if you did not add them

O15 - Trusted Zone: http://cob.uakron.edu

O15 - Trusted Zone: http://viper.uakron.edu

O15 - Trusted Zone: http://webmail.uakron.edu

 

Gday

 

 

 

:wave:

Share this post


Link to post
Share on other sites

The O15's yes, I did add those, although I may end up removing them soon, as it's been a year since I've been there (grad school email).

 

In any case, not gonna do anyting until someone with reputation (Helper, etc.) makes a visit.

 

Byron W. Foret, E.I.

II Cor. 4:7

Share this post


Link to post
Share on other sites

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

 

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

 

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

 

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [LObCYTS] c:\documents and settings\owner\local settings\temp\LObCYTS.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKCU\..\RunOnce: [eZstub] C:\ezstub.exe

 

O15 - Trusted Zone: http://cob.uakron.edu

O15 - Trusted Zone: http://viper.uakron.edu

O15 - Trusted Zone: http://webmail.uakron.edu

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15be4596badbf90ef902/...ip/RdxIE601.cab

Reboot and delete

 

files

All files in the c:\documents and settings\owner\local settings\temp folder

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\dp-him.exe

C:\ezstub.exe

 

folders

C:\Program Files\SEP

C:\Program Files\WildTangent

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

Share this post


Link to post
Share on other sites

First, the homework.... Said HJT line items were fixed.

files

All files in the c:\documents and settings\owner\local settings\temp folder 1179 of 1181 deleted, the two remaining were currently in use...look kinda like legitimate temp files. What about the plethora of folders?

C:\WINDOWS\System32\IEHost.exe Found and smitten

C:\WINDOWS\System32\dp-him.exe Could not find this one.

C:\ezstub.exe I seem to have already killed that one when I deleted strange stuff I saw in the Task Manager.

 

folders

C:\Program Files\SEP Found and deleted.

C:\Program Files\WildTangent Found and...heh, Ad-Aware got to it first on a startup scan. It's gone :)

And then, the new log. *crosses fingers*

Logfile of HijackThis v1.98.0

Scan saved at 7:35:05 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\mcafee.com\VSO\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\ICQLite\ICQLite.exe

C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

C:\Program Files\CallWave\IAM.exe

C:\WINDOWS\system32\NOTEPAD.EXE

c:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Owner\My Documents\lojackthat\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab

O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA961CD-1040-447A-944B-686294CF30B2}: NameServer = 204.127.129.2 12.102.244.2

Well, it seems a little lighter on its feet.

Am I clean?

 

EDIT: I guess I'm not.....Windows Media Player is not loading. Lycos does seem to be gone, though, which is good.

Edited by cephas47

Share this post


Link to post
Share on other sites

And a new twist enters the fray.....

 

Monday, being the observed holiday that it was, I happened to be home all day, and played witness to an, um, unsettling event:

 

Yesterday at roughly 8:30 AM, my computer started opening the default connection (dialup AT&T) without my prompting, or doing anything at the keyboard, trackball, heck the monitor was off. Were it not for the sound of the modem connecting, I wouldn't have had a clue it was happening.

 

This is unsettling because I typically leave for work at 6:30 AM/sleep in on Saturday/church at 8:15 AM Sunday, so I'm never around when it has been/would be doing this.

 

Needless to say, the modem cord is unplugged while I'm at work now. And again, the log has not changed (although I did remove the R0 - hpwis.com references in the previous clean, don't know how they ended up back there, nor am I all that enthused about it), and Windows Media Player 9 still will not load. Help is appreciated; I hate the thought of someone using/orchestrating my computer remotely and without my knowledge.

 

Byron W. Foret, E.I.

II Cor. 4:7

Share this post


Link to post
Share on other sites

Your log looks clean.

 

What error message do you get when opening Window Madis player?

Tis is a popular place for malware, and the correct file may have been deleted. Try reinstalling.the file from CD.

 

The diallup attempt. Hm...... Could it have been your Antivirus program looking for an update? These settings can change for no apparent reason!

Share this post


Link to post
Share on other sites

There is no error message. There is no message period.

I hit the shortcut and nothing happens. Well, something may be happening, but not Media Player loading. I don't look forward to uninstall/redownload from WindowsUpdate. And I'm still suspicious of the icon changing.

 

As far as updating, I haven't been able to get McAfee to download new virus definitions in, well......

....since I did a full System Restore about 13 months ago (deleted a file I shouldn't have on incomplete advice from HP tech support). Every time since then, I've gotten these log in errors or 500-100 errors when trying to actually get something from their site. Frustrating to no end. If it did dialup to get new definitions, why wouldn't it go ahead and get them when I'm already online? *mutters*

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0