# Solved: MRI_DISABLED and ctfmon



## fourspdtom (Oct 10, 2007)

hi,, i run windows xp sp2,, trendmicro anti-virus/spyware, and webroot spysweeper, and the xp firewall. after trying the cox internet scurity suite and a geeksquad trip, both of those are now current and updated. im now trying to learn to fix/clean things on my own to save another trip to g.s. the mri-disabled and ctfmon entries on the hjt log i cant seem to get rid of. i did "fix" a startup mri-disabled and global startup mri-disabled but the desktop one keeps coming back on startup. i thought i had the multi language thing checked in the contriol panel, but it might have been put back on a restore point fix. can you tell me what the mri thing is and if i need to even worry about ctfmon ??
thanx

this is my latest hjt log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:21 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/f...rk-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485507101
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component MRI_DISABLED: (no name) - (no file)

--
End of file - 5466 bytes


----------



## fourspdtom (Oct 10, 2007)

any help please???

ive fixed a few things and found most of my answers reading other threads, [thanx btw].

O24 - Desktop Component MRI_DISABLED: (no name) - (no file),,, this one i cant "fix", it just comes back,, dont know what it is??? i did "fix" [thru hjt of course] a startup and global startup mri-disabled line from reading another post,, but cant find anything on this particular one. can someone clue me in to what it is or means??

O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe ,,, this one i believe is connected to cox security suite which i no longer use,, can i just go ahead and "fix" that one too??

thanx once again

btw if im asking or posting these ?'s improperly, please let me know


----------



## fourspdtom (Oct 10, 2007)

through some more reading i think ive gotten most of my issues "fixed" but this one persists. ive seen similar "mri-disabled" entries in other posts but cant find out what it is/means. is it something to worry about or not? i dont know if its the same thing but desktop viewing/hijacking is one of the concerns of my earlier posts.

i fixed [thru hjt] an 04-startup and 04-global startup mri-disabled, but the 024-desktop mri-disabled comes back on restart. i did see 024-desktop components mri-disabled in a post that said to run smitfraudfix [and since smitfraudfix has to do with desktop hijacking], do i need to run it on mine?? i have downloaded it and ran the search function of it.

please any help or direction is appreciated

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:18 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/f...rk-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485507101
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component MRI_DISABLED: (no name) - (no file)

--
End of file - 5402 bytes

SmitFraudFix v2.240

Scan done at 23:33:48.91, Fri 10/12/2007
Run from C:\Documents and Settings\Owner\My Documents\toms\security downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,47,6f,6f,67,6c,65,5c,\

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.11
DNS Server Search Order: 68.105.29.11
DNS Server Search Order: 68.105.28.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A0A1753F-8ADC-4512-A705-D3F83CB1DBD4}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A0A1753F-8ADC-4512-A705-D3F83CB1DBD4}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A0A1753F-8ADC-4512-A705-D3F83CB1DBD4}: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.11 68.105.29.11 68.105.28.12

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## EAFiedler (Apr 25, 2000)

Hi *fourspdtom*

I have merged a few of your threads with other threads you have created.
As for learning how to clean your system using HijackThis, you will need to contact Cookiegal and she can point you in the right direction for Boot Camp.

Unfortunately, we do not train for that here.
As for posting in the Malware forum, it is best not to add any replies to your thread as the Security Experts look for threads with Zero replies first.
Threads with replies appear to be receiving help.


----------



## fourspdtom (Oct 10, 2007)

ummmm bump,,, could still use some info on the "024-desktop component mri disabled" entry

thanx again


----------



## cybertech (Apr 16, 2002)

O24 entries are related to Active Desktop

Try turning off Active Desktop. http://support.microsoft.com/kb/190228

You also wanted to know about ctfmon.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/
http://www.bleepingcomputer.com/startups/ctfmon.exe-1121.html


----------



## fourspdtom (Oct 10, 2007)

thank you very much,, 

i tried turning off active desktop,, cannot find it. right click desktop, doesnt show it,, display in control panel doesnt show it. 

we do have webshots desktop, which is alternating pictures for the background. would it be why active desktop doesnt show?? does mri-disabled mean active desktop is already turned off? i never did find what mri-disabled actually means or refers to. 

the ctfmon entry i think is resolved, turned off the multi language thing, the remaining entries in the hjt log were "fixed" and are gone now. 

thanx again
tom


----------



## fourspdtom (Oct 10, 2007)

just another quick note on subject,,

i just ran another hjt scan [havent run one in couple weeks],,, the 024 entry now says -24-desktop component 0: (no name) - (no file). it stayed whether i had webshots desktop on or off. should i try to "fix" it again? it always came back on startup when it said "mri-disabled".

once again i thank you


----------



## fourspdtom (Oct 10, 2007)

i was just looking for where the webshots store the picture archives and ran across a geek squad file in "documents and settings/all users/application data", the folder in "geeksquad" was titled "MRI". is it possible the "024-desktop component MRI disabled" had something to do with leftovers from the geeksquad repair trip?? they left a few files behind, remote desktop left on, etc. if so,, what to do??

reason i was looking was to see large the picture archive was becoming , and to see possibly how webshots and active desktop are connected. still havent found anything named active desktop or how to turn it back on. this is a gateway pc with nvidia display. the 024 listing in the hjt log stays whether webshots is on or off.


----------



## Cookiegal (Aug 27, 2003)

It likely is a leftover from the Geek Squad.

Go to *start *- *Control Panel* - Display Properties - *Desktop *- *Customize Desktop *and click on the Web tab.

Select everything listed there (except for "My current home page") and click on *Delete*. This will also delete the Webshots page so if you want to keep it don't select that one.

Click OK and on the next screen click *Apply*.


----------



## Cookiegal (Aug 27, 2003)

Here are the instructions for enabling/disabling active desktop in XP:

http://www.computerhope.com/issues/ch000593.htm


----------



## fourspdtom (Oct 10, 2007)

thanx cookiegal

when i went to the web content, the only thing listed was "my home page" and its unchecked.

the MRI thing is now showing "desktop component - no name no file" in hjt, but still come back on startup when "fixed". if its connected to geeksquad [or not] does it really matter if its there, other than its bugging me. i now , obsessive, lol. i dont seem to have any real problems other than trying to clean eveything up.

thanx once again


----------



## Cookiegal (Aug 27, 2003)

I'm attaching a LookDesktop.zip file to this post. Save it to your desktop and double click the LookDesktop.bat file and allow it to run. It will open up a report automatically in Notepad. Copy and paste the contents here please. This will look at the key in the registry where the desktop components are located.


----------



## fourspdtom (Oct 10, 2007)

tried to save the file,, winzip says the trial version has expired ?? i dont use it very much, didnt know it was a trial deal. can you send the file unzipped maybe??


----------



## Cookiegal (Aug 27, 2003)

We'll do it a different way then.

Copy and paste the text in the quote box to Notepad and save it to your desktop as LookDesktop.bat (you will need to change the "Save as type" to "All Files"). Double click the LookDesktop.bat file and allow it to run. It will open up a report in Notepad. Copy and paste that report here please.



> regedit /e C:\desktop_key.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop"
> Start notepad.exe C:\desktop_key.txt
> exit


----------



## fourspdtom (Oct 10, 2007)

thanx ,

appreciate your help and patience, the following is the report you asked for

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,ce,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,ce,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,ce,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"BackupWallpaper"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,\
5c,00,57,00,65,00,62,00,73,00,68,00,6f,00,74,00,73,00,5c,00,54,00,68,00,65,\
00,20,00,57,00,65,00,62,00,73,00,68,00,6f,00,74,00,73,00,20,00,44,00,65,00,\
73,00,6b,00,74,00,6f,00,70,00,5c,00,57,00,65,00,62,00,73,00,68,00,6f,00,74,\
00,73,00,20,00,57,00,61,00,6c,00,6c,00,70,00,61,00,70,00,65,00,72,00,2e,00,\
62,00,6d,00,70,00,00,00
"WallpaperFileTime"=hex:20,7d,25,77,7e,34,c8,01
"WallpaperLocalFileTime"=hex:20,0d,8b,2c,4c,34,c8,01
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,\
57,00,65,00,62,00,73,00,68,00,6f,00,74,00,73,00,5c,00,54,00,68,00,65,00,20,\
00,57,00,65,00,62,00,73,00,68,00,6f,00,74,00,73,00,20,00,44,00,65,00,73,00,\
6b,00,74,00,6f,00,70,00,5c,00,57,00,65,00,62,00,73,00,68,00,6f,00,74,00,73,\
00,20,00,57,00,61,00,6c,00,6c,00,70,00,61,00,70,00,65,00,72,00,2e,00,62,00,\
6d,00,70,00,00,00
"ComponentsPositioned"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas]
"NoOfOldWorkAreas"=dword:00000001
"OldWorkAreaRects"=hex:00,00,00,00,00,00,00,00,00,04,00,00,ce,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,53,00,61,00,66,00,65,00,4d,00,6f,\
00,64,00,65,00,2e,00,68,00,74,00,74,00,00,00
"VisitGallery"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Scheme]
"Edit"=""
"Display"=""


----------



## Cookiegal (Aug 27, 2003)

According to this you still have Webshots as your wallpaper. Is that the case?


----------



## fourspdtom (Oct 10, 2007)

yes it is still being used for the wall paper and screen saver,, wife has webshots desktop installed, loves it, says she wants it kept


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind3U.exe* to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program.

In the *Processes * group click *ALL* 
In the *Win32 Services * group click *ALL* 
In the *Driver Services * group click *ALL* 
In the *Registry * group click *ALL* 
In the *Files Created Within* group click *60 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *Files Modified Within* group select *30 days* Make sure Non-Microsoft only is *UNCHECKED*
In the *File String Search* group click *SELECT ALL*
in the *Additional Scans* sections please press select *ALL* and make sure Non-Microsoft only is *UNCHECKED*.
Now click the *Run Scan* button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Please post the resulting log here as an attachment.


----------



## fourspdtom (Oct 10, 2007)

here is the log file from WinPFind3,, will have to post in 2 parts,, site say its too large


----------



## fourspdtom (Oct 10, 2007)

haveing trouble posting that log file,, site says 30000 character long max, file is 295 kb large. how do i post it ??

i really appreciate you patiently carrying me through, 

thanx


----------



## Cookiegal (Aug 27, 2003)

Please upload it as an attachment. Under the reply dialog box click on "manage attachments" and then "browse" to locate the file on your computer then click on "open" and "upload" it then submit your reply.


----------



## fourspdtom (Oct 10, 2007)

ok got it now here goes


----------



## Cookiegal (Aug 27, 2003)

I'm signing off for the night so I'll check that log tomorrow.


----------



## fourspdtom (Oct 10, 2007)

no problem gal

get to it when ya can,, nothing urgent


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


```
[Kill Explorer]
[Files/Folders - Created Within 60 days]
NY -> thxcfg.ini -> %System32%\thxcfg.ini
[Files/Folders - Modified Within 30 days]
NY -> @Alternate Data Stream - 100 bytes -> %AllUsersAppData%\TEMP:05BF1B63
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersAppData%\TEMP:090FB735
NY -> @Alternate Data Stream - 130 bytes -> %AllUsersAppData%\TEMP:0ED4AC2F
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersAppData%\TEMP:114BD271
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersAppData%\TEMP:13AA281B
NY -> @Alternate Data Stream - 100 bytes -> %AllUsersAppData%\TEMP:19F494DE
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersAppData%\TEMP:1F67CD26
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersAppData%\TEMP:22313216
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersAppData%\TEMP:260575F1
NY -> @Alternate Data Stream - 109 bytes -> %AllUsersAppData%\TEMP:331B76C7
NY -> @Alternate Data Stream - 118 bytes -> %AllUsersAppData%\TEMP:3327BC4F
NY -> @Alternate Data Stream - 124 bytes -> %AllUsersAppData%\TEMP:38B32B54
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersAppData%\TEMP:38E2864F
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersAppData%\TEMP:3B812EE0
NY -> @Alternate Data Stream - 98 bytes -> %AllUsersAppData%\TEMP:3BE7E50E
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersAppData%\TEMP:404390E0
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersAppData%\TEMP:409A775B
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersAppData%\TEMP:43301D1D
NY -> @Alternate Data Stream - 126 bytes -> %AllUsersAppData%\TEMP:43D34EF3
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersAppData%\TEMP:4673E9EA
NY -> @Alternate Data Stream - 125 bytes -> %AllUsersAppData%\TEMP:4DAE29C6
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersAppData%\TEMP:5433DBEF
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersAppData%\TEMP:548AE60C
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersAppData%\TEMP:55E3C0E0
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersAppData%\TEMP:55F44B88
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersAppData%\TEMP:567FC9C2
NY -> @Alternate Data Stream - 135 bytes -> %AllUsersAppData%\TEMP:5A823589
NY -> @Alternate Data Stream - 127 bytes -> %AllUsersAppData%\TEMP:5BC73C48
NY -> @Alternate Data Stream - 100 bytes -> %AllUsersAppData%\TEMP:62672BC8
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:63CFD724
NY -> @Alternate Data Stream - 119 bytes -> %AllUsersAppData%\TEMP:6641B59F
NY -> @Alternate Data Stream - 95 bytes -> %AllUsersAppData%\TEMP:6E97B83A
NY -> @Alternate Data Stream - 116 bytes -> %AllUsersAppData%\TEMP:70B3C619
NY -> @Alternate Data Stream - 122 bytes -> %AllUsersAppData%\TEMP:70E897B5
NY -> @Alternate Data Stream - 103 bytes -> %AllUsersAppData%\TEMP:726D640A
NY -> @Alternate Data Stream - 113 bytes -> %AllUsersAppData%\TEMP:7776B809
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:78E0DF72
NY -> @Alternate Data Stream - 112 bytes -> %AllUsersAppData%\TEMP:7972CF54
NY -> @Alternate Data Stream - 104 bytes -> %AllUsersAppData%\TEMP:7C412B92
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersAppData%\TEMP:7C4DF735
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:7CA7BED1
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:7DC6E295
NY -> @Alternate Data Stream - 100 bytes -> %AllUsersAppData%\TEMP:8E7F155B
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersAppData%\TEMP:938EC881
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersAppData%\TEMP:94F67F32
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersAppData%\TEMP:9547F1DB
NY -> @Alternate Data Stream - 102 bytes -> %AllUsersAppData%\TEMP:98DFF516
NY -> @Alternate Data Stream - 101 bytes -> %AllUsersAppData%\TEMP:A56D6987
NY -> @Alternate Data Stream - 108 bytes -> %AllUsersAppData%\TEMP:B5988350
NY -> @Alternate Data Stream - 98 bytes -> %AllUsersAppData%\TEMP:B63300D1
NY -> @Alternate Data Stream - 110 bytes -> %AllUsersAppData%\TEMP:BDCD8531
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersAppData%\TEMP:BEB6D0B2
NY -> @Alternate Data Stream - 121 bytes -> %AllUsersAppData%\TEMP:C20426BD
NY -> @Alternate Data Stream - 106 bytes -> %AllUsersAppData%\TEMP:C7A3B688
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersAppData%\TEMP:CB0EB1DE
NY -> @Alternate Data Stream - 114 bytes -> %AllUsersAppData%\TEMP:CF31AEF5
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersAppData%\TEMP:D2C57161
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersAppData%\TEMP:D31BE97C
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersAppData%\TEMP:D507B5A8
NY -> @Alternate Data Stream - 105 bytes -> %AllUsersAppData%\TEMP:E32966C0
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:EB42AC3C
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersAppData%\TEMP:F42B5B0E
NY -> @Alternate Data Stream - 107 bytes -> %AllUsersAppData%\TEMP:F8342E7B
NY -> @Alternate Data Stream - 128 bytes -> %AllUsersAppData%\TEMP:FBFC061F
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersAppData%\TEMP:FD717D14
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```


----------



## fourspdtom (Oct 10, 2007)

done as advised,, new hjt log and the log from the winpfind3u fix. 

do you want me to run the full winpfind3u scan and post new log or just that fix log

btw the 024 entry is gone


----------



## Cookiegal (Aug 27, 2003)

Pasting the log here for easier viewing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:22 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/f...rk-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485507101
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5390 bytes


----------



## Cookiegal (Aug 27, 2003)

That's good.  

Your WinpFind3u log showed that you have the Google and Webshots toolbars but they are not showing in your HijackThis log. Do you know why?


----------



## fourspdtom (Oct 10, 2007)

no idea on why those dont show in hjt

i dont use either toolbar in i.e.,, maybe they are installed and disabled?? although in the search window on the address bar, yahoo is the default, but google is listed twice in the choices. in hjt uninstall mgr "google toolbar for internet explorer" has two entries ,, webshots toolbar has one. they both show in add remove programs once each.

may i ask what the alt data stream entries we fixed were from or doing? it did seem to lose the 024 desktop component entry.


----------



## fourspdtom (Oct 10, 2007)

googled the definition,, yikes,,

still any way to know what they are doing etc. , without getting too far off on a tangent?

much appreciate the help cookiegal


----------



## Cookiegal (Aug 27, 2003)

It's impossible to know what the ADS were without obtaining and analyzing them but this is a way for malware to hide executable and other types of files.

Open HijackThis and click on "Config" and then on the "Misc Tools" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## fourspdtom (Oct 10, 2007)

thanx for the info, was just curious to possible cause, from what, etc.

heres the uninstall manager list [looks like son or wife installed another game or two today, lol].

btw the candyland game im haveing trouble removing, has a folder in program files, shows in add-remove and start porgram list, but wont uninstall ,, says install something file not found,,, another tangent away from the original question, sorry

3D Groove Playback Engine
ABBYY FineReader 5.0 Sprint
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
ArcSoft PhotoStudio 5.5
ArcSoft Software Suite
Big Fish Games Client
BigFix
Blast! Software Spanish Tutor
Candy Land - Dora the Explorer Edition
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint
Cartoon Cove
Diego`s Safari Adventure (remove only)
Digital Media Reader
Doyles Room Poker
Drug Lord 2
DX-Ball 2
Family Tree Maker
FaxTools
Full Tilt Poker
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
IHRA Drag Racing
iTunes
Java(TM) 6 Update 2
Journey to the Center of the Earth
Lexmark X1100 Series
Match-Up!
MegaCam
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Multimedia Keyboard Driver
Napster Burn Engine
Nero BurnRights
Nero OEM
Nikon Message Center
NVIDIA Drivers
OmniPage SE 2.0
PartyPokerNet
PhoTags Express 
PictureProject
Poker Tracker Version 2.16.03d
PokerStars
PokerStars.net
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody Player Engine
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
Spy Sweeper
Spybot - Search & Destroy
Super DX-Ball v1.00
Supercow (remove only)
Trend Micro AntiVirus
UltimateBet
UltimateBuddy
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update Rollup 2 for Windows XP Media Center Edition 2005
Virtools 3D Life Player
Webshots Desktop
Webshots Toolbar
Windows Backup Utility
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Media Center Edition 2005 KB925766
WinZip 11.1
World Class Poker


----------



## Cookiegal (Aug 27, 2003)

You should uninstall these if you're not using them:
*
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Webshots Toolbar*

Is everything fine now?


----------



## fourspdtom (Oct 10, 2007)

uninstalled webshots toolbar and google toolbar. all seems ok.

ran an hjt log and winpfind3u scan [non-microsoft only in the settings]. i did notice in the winpfind3u three more of those ads's, were those new or meant to be left?? otherwise, the original problem, the 024-desktop component entry is gone and staying gone.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:50 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/f...rk-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485507101
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5374 bytes


----------



## Cookiegal (Aug 27, 2003)

Disconnect from the Internet and disable your anti-virus and firewall programs. *Be sure to remember to re-start them before going on-line again.*

Open the WinPFind3u folder and double-click on *WinPFind3U.exe* to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.



> [Kill Explorer]
> [Registry - Non-Microsoft Only]
> < Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
> YN -> MRI_DISABLED [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
> ...


----------



## fourspdtom (Oct 10, 2007)

did as advised ,, ran fix,, after fix winpfind3u stalled, white screen in winpfind3u window, task mgr said not responding. reconnected [to copy/paste again], followed instructions again ,same result.

hjt log and reran winpfind3u scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:05 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/f...rk-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485507101
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5372 bytes


----------



## Cookiegal (Aug 27, 2003)

It's not the same result as their are no longer and ADS attached to the TEMP folder.

Fix these with HijackThis:

*O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present*

How are things now?


----------



## fourspdtom (Oct 10, 2007)

i meant same result, i.e. winpfind3u stalled and went white at same point, apparantly after completing the fix.

ran hjt fix on -06 entries, one remained, rebooted tried again,still stayed.

all seems ok at the moment

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:50 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/f...rk-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485507101
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5296 bytes


----------



## Cookiegal (Aug 27, 2003)

Try fixing this one with HijackThis in safe mode please.

*O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present*


----------



## fourspdtom (Oct 10, 2007)

done as advised, in safe mode, hjt scan after reboot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:06 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\WgaTray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus" 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/f...rk-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143485507101
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5248 bytes


----------



## Cookiegal (Aug 27, 2003)

Everything looks fine. 

Here are some final instructions for you.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start*  *All Programs*  *Accessories*  *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.


----------



## fourspdtom (Oct 10, 2007)

sorry i havent gotten back to you sooner cookiegal, we live in oklahoma and the ice storm took out our electricity early monday morning [dec 10]. we didnt get it back on until monday [dec 17]. this is the first chance ive had too see how things are running [the kids were on pc withdrawal too, lol].

late sunday night [dec 9] i had removed the scan programs you had me install and cleared and created new restore point. everything looks and seems fine. i havent checked out spyblaster or run cleanmgr yet. will get those done and am planning to thoroughly read the tighten security page sometime by the weekend.

appreciate the help very much
tom


----------



## Cookiegal (Aug 27, 2003)

I'm sorry to hear that but glad you got through it fine.

Thanks for posting back and letting me know how things are.


----------

