delgioconda

Pop-ups and more pop-ups

11 posts in this topic

Hello,

 

I have tried removing some of the adware but some are still there. I ran Spybot, CWShredder and XoftSpy, yet something else is still there. Finally I ran HijackThis and some strange apps are loaded along with registry keys. Please help me make sense of what is good or bad and how to remove them.

 

Here is the log file:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:41:38 AM, on 6/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\Wintab32.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\SK9910DM.EXE

C:\cabs\7511568\USB\Win Me - XP\Preload.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\GWMDMMSG.exe

C:\WINNT\Acecad\Wtxpload.exe

C:\WINNT\System32\ZPOINT32.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Sunbelt Software\iHateSpam\siService.exe

C:\documents and settings\david\local settings\temp\4.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINNT\System32\qttask.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\RFA\rfagent.exe

C:\WINNT\System32\dp-him.exe

C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe

C:\WINNT\System32\ctfmon.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINNT\Acecad\xpoint32.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\WinPoET Broadband Connection\WrOS.EXE

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\HPZipm12.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\WINNT\System32\taskmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

C:\WINNT\System32\XpggP.exe

C:\WINNT\System32\YygFz.exe

D:\CNHS_Disc4.EXE

C:\WINNT\cdac14ba.exe

C:\Documents and Settings\Mona-Lisa.DAVE_MONA\My Documents\My Download FIles\HijackThis.exe

C:\WINNT\System32\toolhelp.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Keyboard Preload Check] c:\cabs\7511568\USB\Win Me - XP\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINNT\Acecad\Wtxpload.exe Acecad

O4 - HKLM\..\Run: [ZPOINT32] C:\WINNT\System32\ZPOINT32.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe

O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"

O4 - HKLM\..\Run: [4] C:\documents and settings\david\local settings\temp\4.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe

O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\May17_loader.exe" /HideUninstall /PC="AM.WILD" /ShowLegalNote=nonbranded

O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe

O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Unpu.exe

O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\David\Local Settings\Temp\msD146.tmp"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q

O4 - HKCU\..\Run: [toolhelp] C:\WINNT\System32\toolhelp.exe

O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

O4 - HKCU\..\Run: [cdac14ba] C:\WINNT\cdac14ba.exe

O4 - Startup: Webshots.lnk = C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O9 - Extra button: Research (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {475E5A2B-6EAC-4EA3-880A-55207CB012B5} (CMA_X Class) - http://wucma.wyldfyre.com/bin/CMAX.dll

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37700.959224537

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

 

Many thanks in advance, as I have run out of ideas... :scratchhead:


First, right-click the taskbar, and cancel these processes...

 

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Program Files\Common files\WinTools\WSup.exe

 

Then start up HJT, and have HJT get rid of these...

 

C:\Program Files\Common files\WinTools\WToolsA.exe

 

C:\Program Files\Common files\WinTools\WToolsS.exe

 

C:\Program Files\Common files\WinTools\WSup.exe

 

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

 

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

 

O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)

 

Reboot, then let me know the result with a new log...

 

Bart


I looked around for a sort of "recognition" for helpers, and missed it. I've signed up and hope to knock it out quickly. Thanks.


BartInPC's directions are not harmful and can be followed. They may not succeed in removing the malware, though.

 

You appear to have several different infections.

You have a CoolWebSearch infection.

Download and run http://www.spywareinfo.com/~merijn/files/CWShredder.exe

from its own folder.

Click Fix and then Next, let it fix everything it asks about.

Run it again just in case.

 

You are infected with the Peper trojan.

Download Peper Fix from here - http://downloads.subratam.org/PeperFix.exe

Then Run this fixer (you must be online for the uninstall to be successful, make sure you allow it access through any firewall you have).

Run it twice with a reboot in between, just to make sure.

 

Next:

 

Start | Run (type) Services.msc

 

Scroll down to the WinTools for IE service

Highlight, right-click and select: Properties

Select "Service Status" option to "Stop"

Select: "Startup type" set it to "Disabled", click Apply, OK

Close the Services Editor

 

 

In HijackThis,

Tick the boxes next to all these (some may be gone), then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1

 

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

 

O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)

 

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe

O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

 

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab

 

 

Reboot in Safe Mode (hit the F8 key several times while booting until you get a menu).

Delete this whole folder:

C:\Program Files\Common files\WinTools\

 

Then post a fresh log and fill us in on the situation now.

There will be other things to fix.


Hello cmd,

 

Thank you for all the advice. I followed it to the letter. However the WinTools was a bitch to remove. They seem to be gone now. Thanks for the Peper trojan remover, tried the HijackThis and it kept coming back! I do think this time I got them all, however there are one or two entries that are still questionable. Please see the updated log file below.

 

Logfile of HijackThis v1.97.7

Scan saved at 4:05:28 PM, on 6/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\Wintab32.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\SK9910DM.EXE

C:\cabs\7511568\USB\Win Me - XP\Preload.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINNT\GWMDMMSG.exe

C:\WINNT\Acecad\Wtxpload.exe

C:\WINNT\System32\ZPOINT32.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\Sunbelt Software\iHateSpam\siService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINNT\System32\qttask.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\RFA\rfagent.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe

C:\WINNT\System32\ctfmon.exe

C:\WINNT\Acecad\xpoint32.exe

C:\Program Files\Spyware\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINNT\System32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\WinPoET Broadband Connection\WrOS.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\HPZipm12.exe

C:\WINNT\twain_32.exe

C:\WINNT\cdac14ba.exe

C:\WINNT\System32\toolhelp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Computer Security\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Keyboard Preload Check] c:\cabs\7511568\USB\Win Me - XP\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINNT\Acecad\Wtxpload.exe Acecad

O4 - HKLM\..\Run: [ZPOINT32] C:\WINNT\System32\ZPOINT32.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe

O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [toolhelp] C:\WINNT\System32\toolhelp.exe

O4 - HKCU\..\Run: [cdac14ba] C:\WINNT\cdac14ba.exe

O4 - HKCU\..\Run: [twain_32] C:\WINNT\twain_32.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spyware\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

O4 - Startup: Webshots.lnk = C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: officejet 6100.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {475E5A2B-6EAC-4EA3-880A-55207CB012B5} (CMA_X Class) - http://wucma.wyldfyre.com/bin/CMAX.dll

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37700.959224537

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{3CF6885C-DB2B-49FB-B86C-70873B98B36C}: NameServer = 207.69.188.187 207.69.188.186

O17 - HKLM\System\CS1\Services\Tcpip\..\{3CF6885C-DB2B-49FB-B86C-70873B98B36C}: NameServer = 207.69.188.187 207.69.188.186

 

Please let me know if things have improved.

Once again thank you.

:cool:


I would tick and fix this one, it shouldn't be running from the Recycle Bin.

O4 - Startup: Webshots.lnk = C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe

 

Your log looks basically clean to me now. Good work! :)

 

You do have a lot of Startups (the O4s).

Go here: http://www.pacs-portal.co.uk/startup_conte...hp#THE_PROGRAMS

Download the .EXE - it will give you a searchable list. The ones marked N are not needed as startups.

 

Some are unknown to me -

O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe

You can try fixing - this will not affect the file itself.

 

Is your Spybot SD updated? You should have the new rev 1.3, as 1.2 is not maintained any more. http://www.safer-networking.org/index.php?page=mirrors
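
The location check used in the reply above (a startup entry "shouldn't be running from the Recycle Bin") can be applied mechanically to the O4 lines of a HijackThis log. This is an added example, not part of the original thread or of HijackThis; the function names and the extra Temp-directory rule are assumptions introduced here, and the sample lines are copied from the first log in this topic.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Autorun(NamedTuple):
    source: str   # registry Run key or Startup folder
    name: str     # value name or shortcut name
    command: str  # command line or shortcut target as logged


# Registry autoruns:  O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(
    r"^O4 - (?P<src>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup folders:    O4 - Startup: name.lnk = target
LNK_RE = re.compile(
    r"^O4 - (?P<src>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")


def parse_o4(line: str) -> Optional[Autorun]:
    """Return the autorun described by one O4 log line, or None."""
    line = line.strip()
    m = RUN_RE.match(line) or LNK_RE.match(line)
    return Autorun(m["src"], m["name"], m["cmd"]) if m else None


def location_findings(entry: Autorun) -> List[str]:
    """Reasons an autorun's location deserves a manual look (heuristic)."""
    cmd = entry.command.lower()
    findings = []
    if "\\recycler\\" in cmd:   # rule stated in the reply above
        findings.append("runs from the Recycle Bin")
    if "\\temp\\" in cmd:       # added rule (assumption of this example)
        findings.append("runs from a Temp directory")
    return findings


def flag_autoruns(log_text: str) -> List[Tuple[str, List[str]]]:
    """Scan a whole log and return (entry name, findings) for flagged O4s."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:       # not an O4 line (R1, O2, O16, blank, ...)
            continue
        findings = location_findings(entry)
        if findings:
            flagged.append((entry.name, findings))
    return flagged


# Sample input: lines copied from the first log posted in this topic.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [4] C:\documents and settings\david\local settings\temp\4.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\David\Local Settings\Temp\msD146.tmp"
O4 - Startup: Webshots.lnk = C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe
O4 - Global Startup: officejet 6100.lnk = ?
"""

if __name__ == "__main__":
    for name, findings in flag_autoruns(SAMPLE_LOG):
        print(f"{name}: {', '.join(findings)}")
```

A flagged entry is a prompt for manual review, not a verdict; an entry in a normal location can still be unwanted, as the WinTools entries in this thread were.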
