Jump to content


Photo

Pop-ups and more pop-ups


  • Please log in to reply
10 replies to this topic

#1 delgioconda

delgioconda

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 11 June 2004 - 08:20 PM

Hello,

I have tried removing some of the addware but some are still there. Run spybot, CWShredder and XoftSpy yet something else is still there. Finally I run Hijackthis and some strange apps are loaded along with registry keys. Please help me make sense of what is good or bad and how to remove them.

Here is the log file:

Logfile of HijackThis v1.97.7
Scan saved at 8:41:38 AM, on 6/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Wintab32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\cabs\7511568\USB\Win Me - XP\Preload.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\Acecad\Wtxpload.exe
C:\WINNT\System32\ZPOINT32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\documents and settings\david\local settings\temp\4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\RFA\rfagent.exe
C:\WINNT\System32\dp-him.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\Acecad\xpoint32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINNT\System32\XpggP.exe
C:\WINNT\System32\YygFz.exe
D:\CNHS_Disc4.EXE
C:\WINNT\cdac14ba.exe
C:\Documents and Settings\Mona-Lisa.DAVE_MONA\My Documents\My Download FIles\HijackThis.exe
C:\WINNT\System32\toolhelp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium....h.php?dst=DIST1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] c:\cabs\7511568\USB\Win Me - XP\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINNT\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [ZPOINT32] C:\WINNT\System32\ZPOINT32.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [4] C:\documents and settings\david\local settings\temp\4.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\May17_loader.exe" /HideUninstall /PC="AM.WILD" /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Unpu.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\David\Local Settings\Temp\msD146.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [toolhelp] C:\WINNT\System32\toolhelp.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [cdac14ba] C:\WINNT\cdac14ba.exe
O4 - Startup: Webshots.lnk = C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {475E5A2B-6EAC-4EA3-880A-55207CB012B5} (CMA_X Class) - http://wucma.wyldfyre.com/bin/CMAX.dll
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37700.959224537
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx

Many thanks in advance, as I have run out of ideas... :scratchhead:
Cleaners - Ad-aware, Spy-bot S&D

#2 delgioconda

delgioconda

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 11 June 2004 - 11:40 PM

please help!
Cleaners - Ad-aware, Spy-bot S&D

#3 delgioconda

delgioconda

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 11 June 2004 - 11:41 PM

please help!
Cleaners - Ad-aware, Spy-bot S&D

#4 delgioconda

delgioconda

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 12 June 2004 - 11:34 AM

would someone please help???
Cleaners - Ad-aware, Spy-bot S&D

#5 BartInPC

BartInPC

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 12 June 2004 - 12:55 PM

First, right click the taskbar, and cancel this processes...

C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe

Then start up HJT, and have HJT get rid of these...

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Program Files\Common files\WinTools\WSup.exe

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)

Reboot, then let me know the result with a new log...

Bart

#6 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 12 June 2004 - 01:07 PM

BartInPC and delgioconda, Please see http://www.spywarein...p?showtopic=148

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#7 delgioconda

delgioconda

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 12 June 2004 - 01:23 PM

Thank you cnm. I will await further instructions from an expert or the like.
Cleaners - Ad-aware, Spy-bot S&D

#8 BartInPC

BartInPC

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 12 June 2004 - 01:24 PM

I looked around for a sort of "recognition" for helpers, and missed it. I've signed up and hope to knock it out quickly. Thanks.

#9 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 12 June 2004 - 02:28 PM

BartInPC's directions are not harmful and can be followed. They may not succeed in removing the malware, though.

You appear to have several different infections.
You have a CoolWebSearch infection.
Download and run http://www.spywarein.../CWShredder.exe
from its own folder.
Click Fix and then Next, let it fix everything it asks about.
Run it again just in case.

You are infected with the peper trojan.
Download Peper Fix from here - http://downloads.sub...rg/PeperFix.exe
Then Run this fixer (you must be online for the uninstall to be successful, make sure you allow it access through any firewall you have).
Run it twice with a reboot in between, just to make sure.

Next:

Start | Run (type) Services.msc

Scroll down to the WinTools for IE service
Highlight, right-click and select: Properties
Select "Service Status" option to "Stop"
Select: "Startup type" set it to "Disabled", click Apply, OK
Close the Services Editor


In HijackThis,
Tick the boxes next to all these (some may be gone), then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium....h.php?dst=DIST1

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/roing.cab



Reboot in Safe Mode (hit the F8 key several times while booting until you get a menu).
Delete this whole folder:
C:\Program Files\Common files\WinTools\

Then post a fresh log and fill us in on the situation now.
There will be other things to fix.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#10 delgioconda

delgioconda

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 12 June 2004 - 06:18 PM

Hello cmd,

Thank you for all the advice. I followed it to the letter. However the WinTools was a bitch to remove. They seem to be gone now. Thanks for the Peper trojan remover, tried the HijackThis and it kept coming back! I do think this time I got them all, however there are one or two entries that are still questionable. Please see the updated log file below.

Logfile of HijackThis v1.97.7
Scan saved at 4:05:28 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Wintab32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\cabs\7511568\USB\Win Me - XP\Preload.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\Acecad\Wtxpload.exe
C:\WINNT\System32\ZPOINT32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\RFA\rfagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\Acecad\xpoint32.exe
C:\Program Files\Spyware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\twain_32.exe
C:\WINNT\cdac14ba.exe
C:\WINNT\System32\toolhelp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Computer Security\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Keyboard Preload Check] c:\cabs\7511568\USB\Win Me - XP\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINNT\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [ZPOINT32] C:\WINNT\System32\ZPOINT32.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RFAgent] C:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [toolhelp] C:\WINNT\System32\toolhelp.exe
O4 - HKCU\..\Run: [cdac14ba] C:\WINNT\cdac14ba.exe
O4 - HKCU\..\Run: [twain_32] C:\WINNT\twain_32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Webshots.lnk = C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {475E5A2B-6EAC-4EA3-880A-55207CB012B5} (CMA_X Class) - http://wucma.wyldfyre.com/bin/CMAX.dll
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37700.959224537
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CF6885C-DB2B-49FB-B86C-70873B98B36C}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CF6885C-DB2B-49FB-B86C-70873B98B36C}: NameServer = 207.69.188.187 207.69.188.186

Please let me know if things have imporved.
Once again thank you.
:cool:
Cleaners - Ad-aware, Spy-bot S&D

#11 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 12 June 2004 - 07:12 PM

I would tick and fix this one, it shouldn't be running from the Recycle Bin.
O4 - Startup: Webshots.lnk = C:\RECYCLER\S-1-5-21-233640192-1525524193-1984605266-1003\Dc160\WebshotsTray.exe

Your log looks basically clean to me now. Good work! :)

You do have a lot of Startups (the O4s).
Go here: http://www.pacs-port...hp#THE_PROGRAMS
Download the .EXE - it will give you a searchable list. The ones marked N are not needed as startups.

Some are unknown to me -
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
You can try fixing - this will not affect the file itself.

Is your Spybot SD updated? You should have the new rev 1.3, as 1.2 is not maintained any more. http://www.safer-net...hp?page=mirrors

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button