# sallueleh's hijackthis log for error: Access to specified device, path, or file is...



## sallueleh (Nov 22, 2004)

System Type: Desktop

System Manufacturer: quantex

Operating System: Windows 98se

Processor Type: celeron 400

Amount of RAM: 512 MB

Hard Drive Capacity: 6 GB

Internet Connection Speed: DSL

Monitor Size: 15"

Printer Manufacturer: canon

Printer Type: inkjet

CD-ROM: 52x

notes of interest: Spybot search and destroy is on my PC holding my homepage so it does not switch to something else.

Errors received and hoping to fix, please advise.

Do not have access to any icons in Control Panel. When clicking Add/Remove Programs message comes up: Access to the specified device, path, or file is denied.

When attempting to gain access to Internet Options under Tools in IE message comes up: This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
note: Could this be in effect because of my Spybot S&D option 'Lock homepage from changes' is active? If so I will feel very sheepish and silly.

Here is my HijackThis! log (please forgive me, could not find the attachment icon above). Anyone that knows a more efficient way of how I should do this in the future please advise.

Thanks JSntgRvr for everything so far!

Logfile of HijackThis v1.98.2
Scan saved at 6:46:26 PM, on 11/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://search-all.net/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.cnn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_6.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: InControl Desktop Manager.lnk = ?
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O13 - DefaultPrefix: 
O13 - WWW Prefix: 
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_6.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O18 - Filter: text/plain - {E46A01A2-BFE8-11D8-9AD2-00E0E05E4F3B} - C:\WINDOWS\SYSTEM\JKKMJBB.DLL


----------



## sallueleh (Nov 22, 2004)

From my reading of how the HijackThis! code is broken apart, I would assume that both O6 are my immediate problems.


----------



## mobo (Feb 23, 2003)

Rescan once again and insert a check next to each of the following, close all browser windows and click "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.cnn.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.cnn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.cnn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.cnn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.cnn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.cnn.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://search-all.net/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.cnn.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.cnn.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.cnn.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net

O13 - DefaultPrefix:

O13 - WWW Prefix:

O18 - Filter: text/plain - {E46A01A2-BFE8-11D8-9AD2-00E0E05E4F3B} - C:\WINDOWS\SYSTEM\JKKMJBB.DLL


----------



## JSntgRvr (Jul 1, 2003)

See if this applies to you:

1. Click Start, click Run, and then type regedit in the Open box. 
2. Locate the following key in the registry:
HKEY_CURRENT_USER/SOFTWARE/Policies/Microsoft/Internet Explorer/Restrictions 
3. If a value called NoBrowserOptions exists, delete it. 
4. Restart the computer.


----------



## sallueleh (Nov 22, 2004)

Thanks for all the information. Couple of developments.

After checking and fixing the checked boxes about:blank was my homepage. Internet Options under Tools was still giving same error.

Worked with Spybot S&D and unchecked the box that keeps the changes from occurring in IE. Internet Options became available again.

After making homepage adjusted Spybot S&D again that keeps the changes from occurring in IE. Internet Options still available. This is the weird thing, would it take a bit for those changes to come into effect from fixing those checked from HijackThis! ?

Checked icon accessibility in Control Panel, still denied. Used the regedit and deleted NoBrowserOptions then restarted. Still denied from working icons in Control Panel.

Oh very important note about Control Panel. Before I was able to click Ok when it told me I was denied and that little box would disappear. Now it stays and will not leave. I have to end program from Close Program window in order for it to disappear.

Am I doing something wrong? Some bases I have not covered that I am missing? Suggestions on gaining access to my Control Panel again.

Thanks for all the help, I really appreciate it.

Before I forget. Did another HijackThis! scan and no about:blank file unlike before.


----------



## JSntgRvr (Jul 1, 2003)

Let's make this a little bit more drastic.

Run *Regedit*. Select Registry from the Menu and Export and save a copy of your Registry in your Desktop.

Make sure My Computer is highlighted in the Registry Editor. Select Edit, then Find. Check all boxes (Keys, Value, Data, and Match the whole string). Type *Restrictions*, click on Find Next.

Delete all instances of *Restrictions* in the Registry. Every time an entry is found, hit the Delete key, confirm its deletion and press F3 for the next entry. Continue this process until you have reached the end of the registry.

Upon completion, close the Registry Editor and all windows, and restart the computer.


----------



## sallueleh (Nov 22, 2004)

Worked with removing restrictions from registry and only one was found. Still no access to icons in my control panel. However, when I click ok to Access denied to device, path or file the box goes away.


----------



## JSntgRvr (Jul 1, 2003)

Let's test the computer with minimum programs in the background.

Go to Start->Run, type *Msconfig* and click Ok. Select the Startup tab. Deselect all programs from the list except for Systemtray and Scan Registry. Click Apply, then Ok, restart the computer when prompted. Test if you can access the icon in the Control Panel now.

To reverse this action, run *Msconfig* again and in the General tab select Normal Startup. Click Apply then Ok, restart the computer when prompted.

Let me know the outcome.


----------



## JSntgRvr (Jul 1, 2003)

Sallueleh, your HJT log reflects you are running two antivirus software, McAfee and AVG. You must uninstall one of these programs completely from your Computer. You can't run two applications for the same purpose.


----------



## sallueleh (Nov 22, 2004)

After unchecking all those boxes and restarting access to icons in Control Panel are still denied. A white window named Show.hta appeared. Oh, really quickly scan registry was not checked when I was unchecking boxes. After restarting with only those two checked the box that says access denied will not disappear when clicking OK. Had to close the box through the close window program again.


----------



## JSntgRvr (Jul 1, 2003)

You must have gotten this one recently since it does not appear in the HJT log.

Start the registry editor. Start->Run->, type regedit and click Ok.

Browse to the key:

'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'

In the right pane, delete the value called 'SystemBoot', if it exists.

Exit the registry editor.

Restart your computer.

Search and delete the following files:

Show.hta
Live_Show.hta

By any chance, do you have Spybot running in Advanced Mode and have checked under IE Tweaks the boxes to lock Start Page, Hosts and Control Panel? This Access Denied issue is so strange. I haven't been able to find a reference on this but, you mention in your first post the following:



> notes of interest: Spybot search and destroy is on my PC holding my homepage so it does not switch to something else.


Disable this feature in Spybot if you have enabled them. If you have made any other changes, return Spybot to default settings. These entries are responsible for the following Restriction:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

After disabling these features in Spybot, run regedit and delete the above keys.

Also check if in the key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

There are entries such as the following in the right pane:

"NoDispCPL"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"NoDispSettingsPage"=dword:00000001

If they exist, delete all these entries except for the Default Value.

After all these changes, restart the computer and test the Control panel. Run Hijackthis again and post the latest log.


----------
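A read-only way to see which policy values are set before deleting anything, working from a registry export like the one made with Regedit earlier in the thread. This is an added example, not part of the original posts; the function names are hypothetical and the sample export is constructed, using the key paths quoted above.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
# A value line is either @=... (the key's default value) or "name"=...
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample in the REGEDIT4 text format that Windows 98 exports.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.cnn.com/"
"""


def unescape(text):
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", text)


def decode_data(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return unescape(raw[1:-1])
    return raw  # hex: and other types are left as written


def policy_values(reg_text):
    """List (key, value name, data) for every value stored under a Policies key."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        # Match "Policies" only as a whole path component of the key.
        if "policies" not in key.lower().split("\\"):
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        findings.append((key, name, decode_data(m.group(2))))
    return findings


def active_restrictions(reg_text):
    """Keep only DWORD policy values that are switched on (non-zero)."""
    return [(k, n) for k, n, d in policy_values(reg_text)
            if isinstance(d, int) and d != 0]


if __name__ == "__main__":
    for key, name in active_restrictions(SAMPLE_REG):
        print(f"{name} is set under {key}")
```

Running it against a real export (read with `open(path, encoding="cp1252").read()`) lists the policy values still in force without changing the registry.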



## sallueleh (Nov 22, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 12:19:11 AM, on 11/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\MK9805.EXE
C:\PROGRAM FILES\NETZIP\NZFPROP.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\ICQ\NDETECT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSMAIN.EXE
C:\WINDOWS\SYSTEM\MSCONFIG.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.ce1.attbb.net
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_6.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [NetZIPFolders] C:\Program Files\Netzip\nzfprop.exe /startup
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\MSXMIDI.EXE
O4 - HKCU\..\Run: [Service Manager] C:\windows\dxsound.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [UWDSATLKXSLX] C:\WINDOWS\PXTBOPUKTPK.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: InControl Desktop Manager.lnk = ?
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_6.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

OK, a few things to note (prepares to get yelled at). When I posted my first HijackThis! Almost half of the things in my msconfig were not checked. Here they are in their entirety. The Show.hta has been on my system and I was able to disable it from appearing at start up so that is why it was not a part of the log.

Still no access to Control Panel icons. Used find files and folders to search for Show.hta and Live_Show.hta and found nothing, should that have happened? If not where should I look for them? Made corrections to my spybot and put it back on default and still no access to control panel icons. Also there were no files with the name NoDisp... to be deleted.

Thanks a ton for all the help.


----------
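Comparing the second HijackThis log with the first one shows what changed between the scans. The following is an added example, not part of the original posts: `parse_log`, `diff_logs` and `added_autoruns` are hypothetical names, and the two sample logs are short excerpts constructed from the logs posted in this thread.

```python
import re

# HijackThis entry lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O2x.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s*-\s*(\S.*)$")
# Registry autoruns look like: O4 - HKCU\..\Run: [name] command
RUN_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")

# Constructed excerpts of the first and second logs from the thread.
FIRST_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

SECOND_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MK9805.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\MSXMIDI.EXE
O4 - HKCU\..\Run: [UWDSATLKXSLX] C:\WINDOWS\PXTBOPUKTPK.exe
"""


def parse_log(text):
    """Map (section, normalized entry) -> display line for one log."""
    entries = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            section, body = m.groups()
        elif in_processes:
            section, body = "PROC", line
        else:
            continue  # header lines: version, timestamp, platform
        # Paths and names are case-insensitive on Windows, so compare
        # on a lower-cased, whitespace-collapsed form of the entry.
        key = (section, " ".join(body.lower().split()))
        entries.setdefault(key, f"{section} - {body}")
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed) display lines between two logs."""
    old, new = parse_log(old_text), parse_log(new_text)
    added = sorted(new[k] for k in new.keys() - old.keys())
    removed = sorted(old[k] for k in old.keys() - new.keys())
    return added, removed


def added_autoruns(old_text, new_text):
    """New registry autoruns as (location, value name, command) tuples."""
    added, _ = diff_logs(old_text, new_text)
    return [m.groups() for m in map(RUN_RE.match, added) if m]


if __name__ == "__main__":
    added, removed = diff_logs(FIRST_LOG, SECOND_LOG)
    print("Added since first scan:")
    for line in added:
        print("  " + line)
    print("Gone since first scan:")
    for line in removed:
        print("  " + line)
```

A new entry is only something to look up, not a verdict; here part of the difference comes from startup items that were unchecked in msconfig during the first scan.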



## JSntgRvr (Jul 1, 2003)

There's a worm in your computer, the I-Worm.Magistr.a :

http://www.2-spyware.com/remove-i-worm-magistr-a.html

In addition you will need to remove McAfee entirely as well as the Weather bug.

Go to Start->Run, type *Control Appwiz.cpl*, and click Ok. See if the Application Wizard engages and remove these programs.

If you are having problems reaching the Application Wizard in this way, click on Start->Settings->Folder Options. Click on FileTypes tab and scroll down to "Control Panel Extension" and click on it to highlight it. The File Association for CPL files is Rundll32.exe. If this has changed, edit the association to use C:\Windows\Rundll32.exe as the program to open these files.


----------



## sallueleh (Nov 22, 2004)

When I tried to use the application wizard it gave me a message saying it may be damaged.

I did not find rundll32.exe in folder options. Am I missing something here?

About this worm would norton antivirus 05 or pc-cillin 05 get rid of it?

Thanks again.


----------



## JSntgRvr (Jul 1, 2003)

Extract *Rundll32.exe* and *Appwiz.cpl* from your cabs folders. Follow these steps:

Search for the following files in your computer's C: drive or in your Windows 98 Installation CD and note their location:

Win98_28.cab 
Win98_46.cab

Run the System File Checker (Start->Run, type SFC and click Ok). Select "Extract one file from the Installation disk".

Type as the name of the file to be extracted *Appwiz.cpl* and click Start.

Use the location of the Win98_28.cab as the Restore From. For example, if the Win98_28.cab file is located in the C:\Windows\Options\Cabs folder, the Restore from should read C:\Windows\Options\Cabs\Win98_28.cab.

As Save File in, type or browse to C:\Windows\System. Click on OK.

To extract the Rundll32.exe file use the same procedure.

Run the System File Checker (Start->Run, type SFC and click Ok). Select "Extract one file from the Installation disk".

Type as the name of the file to be extracted *Rundll32.exe* and click Start.

Use the location of the Win98_46.cab as the Restore From. For example, if the Win98_46.cab file is located in the C:\Windows\Options\Cabs folder, the Restore from should read C:\Windows\Options\Cabs\Win98_46.cab.

As Save File in, type or browse to C:\Windows. Click on Ok.

Once these files have been extracted, go to the Control Panel->Add/Remove Programs and remove McAfee and the Weather Bug.

After completing this process, run HJT again and perform a new Scan. Save this log and post its contents in a reply.


----------



## sallueleh (Nov 22, 2004)

Is this why I do not have access to my control panel icons? Is because these two files are missing from my folder options? If so how would they have been deleted?


----------



## JSntgRvr (Jul 1, 2003)

We will know after you have performed this action. Both files are targets for Ad and Spyware, as well as viruses. They could be even modified by these worms and get corrupted.


----------



## sallueleh (Nov 22, 2004)

Ok what am I doing wrong? When I choose where to extract the information from and where to save it to there is a message,

The file was not found. Verify that you have selected the correct 'Restore from' location and try again.

the restore from was, E:\Win98\Win98_28.cab
the save file in was, C:\Windows\System

When I click ok, there is a prompt asking me if I want to make a backup and I click ok, then next time I clicked skip.

What am I doing wrong? Do I have to save those two files elsewhere and then do this save. I put them in My Documents and even tried pulling them from there and still the same error.


----------



## JSntgRvr (Jul 1, 2003)

JSntgRvr said:


> Extract *Rundll32.exe* and *Appwiz.cpl* from your cabs folders. Follow these steps:
> 
> Search for the following files in your computer's C: drive or in your Windows 98 Installation CD and note their location:
> 
> ...


First of all, I believe I made a booboo when advising you about the location of the appwiz.cpl. Sorry for this.

If you are using Windows 98 SE, you should not have a problem. If you are using Windows 98 First Edition, then the location of these files will be different.

On Windows 98 SE these are the locations:

Rundll32.exe [Win98_46.cab] Target= C:\Windows
Appwiz.cpl [Win98_25.cab] Target=C:\Windows\System

You can't switch the location. For example, the Rundll32.exe will not appear in the Win98_25.cab file folder.

Also, if you are not using the Windows 98 SE CD, but rather the Windows First Edition CD, the location will change.

You have not provided me with information if you have searched the CD and have been able to find these .cab folders.

Rundll32.exe [Win98_42.cab] Target=C:\Windows
Appwiz.cpl [Win98_28] Target=C:\Windows\System

See if now you are able to extract these files. Sorry for the confusion.


----------



## sallueleh (Nov 22, 2004)

Ok, clearly I am doing something wrong.

I do have the 98SE disc and have been attempting to restore from the disc.

I have found the location of the file on my PC.

C:\WINDOWS\OPTIONS\CABS

I have found the location of the file on my 98SE disc

E:\win98\WIN98_25.CAB

The following is filled out in Extract File window

Restore from is E:\win98\WIN98_25.CAB
Save file in is C:\WINDOWS\OPTIONS\CABS

And this is for Appwiz.cpl

So when I click start a System File Checker (same one as last night) comes up.

The file was not found. Verify that you have selected the correct 'Restore from' location and try again.

This makes me believe I am not putting the correct information in Restore from.

I am pretty good at following directions and extrapolating from the directions I do get into what they actually mean and how to "fill in the blanks" if there are some when doing something. But this is bothering me. What am I doing wrong?

JSntgRvr, can you break this down so that a 5th grader can do this in his sleep?

This is seriously bothering me. As far as I know I am doing everything right. Making sure that the current position on my drive is the area where it is going to save, taking the same name from the address in the Win98_25.cab from the disc showing its location and putting it in the Restore from but it is not working. There has to be something simple or SO blatantly obvious that I am over seeing because I'm thinking about it too hard.

Could you please label out steps exactly where I should type what when and where I can find the next thing. Such as directions for a toaster, step 1) put bread into vertical slots on top of the device, step 2) depress button in the front of the device. I have this strange feeling that is exactly what I am missing. It is something simple that is escaping me.

So I am guessing;

Step 1) Start>Find>files/folders (named Win98_25.cab) (Look in C
Step 2) click start>Run>Open SFC>choose extract one file from installation disk (Appwiz.cpl) click start (Restore from E:\Win98\WIN98_25.CAB) (Save file in C:\WINDOWS\OPTIONS\CABS) click start

This confuses me and probably because I do not know what it means it is hindering me from completing this simple task. What do you mean "Target=C:\Windows"? Is that a place I should be saving the files. I just do not understand that.


----------



## sallueleh (Nov 22, 2004)

Can you please tell me exactly what to do and when to do it. I have the disc and will be extracting the files from there. Could you please make those steps like I thought so that I can not over think the directions. I am beginning to believe that there is something wrong with how I am doing this, there has to be I'm the only one working on the PC. I have the 2nd ed disc and will be working with that. Sorry for not putting that important piece of information on the post.

Thanks a ton.


----------



## JSntgRvr (Jul 1, 2003)

While in Windows, insert the Installation CD. Go to Start, then Find, select Files and folders. In the box labeled "Named", type Win98_25.cab. Look in E: and click the box labeled "Include subfolders". Click on Find now.

The computer will search the installation CD for the Win98_25.cab file. Once found, it will allow you to see its location in the CD. That will be your Extract from path.

Once you have located this file, go to Start, then Run, type SFC and click Ok. Select Extract one file from the installation disk. Type Appwiz.cpl, click on Start.

The Extract from will be [location of the Win98_25.cab]\Win98_25.cab. For example, if the file was found in the E:\Win98 folder, then the Extract from should read E:\Win98\Win98_25.cab. If the file was found in the E:\Win98\CABS folder, then the Extract from should read E:\Win98\CABS\Win98_25.cab.

The Save in for the Appwiz.cpl file should read C:\Windows\System.

Perform the same process and search for the Win98_46.cab. This time you will be extracting the Rundll32.exe file. It is the same process, except that the Save in, for the Rundll32.exe, should read C:\Windows.

Always check your spelling and do not leave spaces in between when typing the paths and file names.


----------



## sallueleh (Nov 22, 2004)

Ok a couple of developments.

In attempting to restore from Win98_25.cab it still comes up with the same error.

In attempting to restore from Win98_46.cab the Restore from field was filled out with C:\WINDOWS\OPTIONS\CAB I clicked start and backup file came up asking me if I want to make a back up, I clicked ok and then it made the restore and asked me if I wanted to restart my PC. I clicked no and when I attempt to do the same thing it gives me the message below.

In attempting to restore from Win98_46 I entered the extract location E:\win98\Win98_46.cab and it gave me a window named backup file with a red X, System File Checker could not make a backup copy of the file you selected. Click Retry to try again, or click Cancel. When I click Retry it continues to give me the same message.

Going to restart my machine and see if control panel has been fixed.

Thanks.


----------



## JSntgRvr (Jul 1, 2003)

Let's try this through a command prompt. Insert the Windows 98 SE CD in the CD-ROM drive. Go to Start, then Run, type Command, click Ok. A command prompt window will appear. At the prompt type the following and press Enter:

cd..
Extract /Y /A E:\Win98\Win98_46.cab Rundll32.exe
cd System
Extract /Y /A E:\Win98\Win98_25.cab Appwiz.cpl
Exit

Make sure you use the exact syntax. Just to make sure you leave one space between the switches and parameters, these commands will appear as follows:

Extract[space]/Y[space]/A[space]E:\Win98\Win98_46.cab[space]Rundll32.exe
Extract[space]/Y[space]/A[space]E:\Win98\Win98_25.cab[space]Appwiz.cpl

Let me know how it goes.


----------



## sallueleh (Nov 22, 2004)

Great news! After restarting my PC last night I once again have access to my control panel. THANKS a ton JSntgRvr!!! I went to register my broadband modem last night, which did not happen last night but will tonight, and that is why I did not post the results til now.

Again thanks. I will be removing McAfee tonight and cannot find weatherbug to remove. Any idea where that might be? Will also try your method to restore Appwiz.cpl.

Again thanks, JSntgRvr you have been instrumental in getting my real internet connection possible again.


----------



## JSntgRvr (Jul 1, 2003)

Have you been able to restore the Add/Remove Programs in the Control Panel?

Post a new HJT log.


----------



## sallueleh (Nov 22, 2004)

I do have access to add/remove programs on my control panel. So I believe that would be a yes, I have restored my accessibility. Currently using the PC at work and will post my HJT log after I re-establish my broadband internet connection tonight. Once again I have a selected startup process, but will change that to everything starting up and post the complete log. Most likely will not have removed McAfee yet, because of its firewall capabilities. Know a good firewall I can download so that I do not have AVG and McAfee doing the same job?

Thanks again.


----------



## JSntgRvr (Jul 1, 2003)

Then the Appwiz.cpl is working. Try Sygate. It is quite popular in the Forum:

http://www.tucows.com/preview/213160.html


----------



## sallueleh (Nov 22, 2004)

That is weird that Appwiz.cpl is working.

When I tried to restore the win98_25 for Appwiz.cpl it gave me the error. It was only when I did the restore win98_46 for rundll32.exe and the restore from field c:\windows\options\cabs was filled that made a change to my PC. Making me believe that 98_46 was the thing that needed to be changed on my PC.

I will check that site out after I get my broadband online, post full HJT, remove mcafee from my system.

Thanks again, you've been great!


----------



## sallueleh (Nov 22, 2004)

Ok, I have run HJT. Couple of things to note. I have not deleted McAfee or Weatherbug yet, but I believe I have a good idea where it is located and will remove it soon. My internet options under tools is still inaccessible but this is because Spybot is in advanced mode.

Logfile of HijackThis v1.98.2
Scan saved at 12:29:17 AM, on 12/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\MK9805.EXE
C:\PROGRAM FILES\NETZIP\NZFPROP.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\ICQ\NDETECT.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.34.242.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 24.34.242.8;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_6.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [NetZIPFolders] C:\Program Files\Netzip\nzfprop.exe /startup
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\MSXMIDI.EXE
O4 - HKCU\..\Run: [Service Manager] C:\windows\dxsound.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [UWDSATLKXSLX] C:\WINDOWS\PXTBOPUKTPK.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: InControl Desktop Manager.lnk = ?
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_6.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

Thanks for all the help, it feels great to have my broadband back!


----------



## JSntgRvr (Jul 1, 2003)

There is some malware in the log. First thing you need to do is to uninstall McAfee and the Weatherbug. These programs must appear in the Add/Remove Programs list. If they are not present in the list, provide me with the McAfee Version so as to obtain the right removal instructions. In regard to the Weatherbug, if the program does not appear in the list, have Hijackthis fix the following:

O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

Start the computer in Safe Mode and, using Windows Explorer, delete the folder AWS under C:\Program Files. Restart the computer.

You will need to download the following Programs if you haven't done it:

CWShredder

http://www.majorgeeks.com/download4086.html

Adaware (Update this program's definitions prior to a scan)

http://www.lavasoftusa.com/support/download/

Spybot Search and Destroy (Update this program's definitions prior to a scan)

http://spybot.eon.net.au/en/download/index.html

I would suggest you run these programs in Safe Mode and delete all malware found.

After removing McAfee and replacing its position with AVG, run a Full Virus-Scan in Safe mode.

Once done, post a new HJT log for review.

Best wishes!
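
An added example, not part of any post in this thread: a small Python triage script for the HijackThis log format shown above. It lists the O4 registry autoruns, notes whether a same-named process appears under "Running processes", and lists the O6 policy keys. The function names and the name-only matching heuristic are assumptions of this example, not HijackThis features.

```python
import re

# Constructed sample: a subset of lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                   # "O4 - <body>"
RUN_KEY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")  # hive, key, name, command
EXE = re.compile(r'([^\\/" ]+\.exe)', re.I)                      # first .exe name in a command

def parse_hjt(text):  # -> (running process paths, [(code, body), ...])
    procs, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append(m.groups())
        elif line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
    return procs, entries

def autoruns(procs, entries):  # O4 registry autoruns, with a name-only "running" flag
    running = {p.rsplit("\\", 1)[-1].lower() for p in procs}
    out = []
    for code, body in entries:
        m = RUN_KEY.match(body) if code == "O4" else None
        if m:  # 'O4 - Startup:' folder items have no registry key and are skipped
            hive, key, name, cmd = m.groups()
            img = EXE.search(cmd)     # None when the command names no .exe
            image = img.group(1).lower() if img else None
            out.append({"hive": hive, "key": key, "name": name,
                        "command": cmd, "running": image in running})
    return out

def policy_keys(entries):  # O6 lines: policy keys HijackThis reports as present
    return [b[:-len(" present")] for c, b in entries
            if c == "O6" and b.endswith(" present")]
```

A "running" value of False only means no process with that file name was listed at scan time; it says nothing about whether the entry is wanted or unwanted.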


----------



## sallueleh (Nov 22, 2004)

What is malware?


----------



## JSntgRvr (Jul 1, 2003)

Malware is Spyware and Adware. It also includes Trojans and Hijackers. These programs may interfere with the Normal Operations of your computer. The Weatherbug is associated with Adware.


----------

