# W32 virus



## jcnagoins881 (Apr 14, 2006)

According to the free McAfee virus scan, I found that I have a form of the W32 virus. My Word documents weren't saving, and my computer is slow. I ran HJT, and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:01:22 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\TMI VPN\cvpnd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\TrendMicro\ntrtscan.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\ProPatches\Scheduler\stAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrendMicro\tmlisten.exe
C:\Program Files\TrendMicro\OfcPfwSvc.exe
C:\WINDOWS\TEMP\TOE863.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\TrendMicro\pccntmon.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\ioSoftware\Logitech.Pen.TrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\TrendMicro\pccntupd.exe
c:\program files\logitech\iosoftware\Logitech.Pen.LplsHost.exe
C:\Program Files\Logitech\ioSoftware\Logitech.FileSystem.AccessManager.Server.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\TrendMicro\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech.Pen.TrayIcon] C:\Program Files\Logitech\ioSoftware\Logitech.Pen.TrayIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Microsoft Service] msupdate.exe
O4 - HKLM\..\Run: [Cleanup] MCRG
O4 - HKLM\..\RunServices: [Microsoft Service] msupdate.exe
O4 - HKCU\..\Run: [Microsoft Service] msupdate.exe
O4 - Startup: Wireless Connection Manager Update.lnk = C:\Program Files\Novatel Wireless\WirelessConnectionManager\WiseUpdt.exe
O8 - Extra context menu item: &File to FileBound - C:\Program Files\FileBound\Integration Kit\AutoFile.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {C5619E9F-21CC-4adf-AB12-74B0692FCEAC} - C:\WINDOWS\System32\FBConfigure.exe
O9 - Extra 'Tools' menuitem: FileBound Settings - {C5619E9F-21CC-4adf-AB12-74B0692FCEAC} - C:\WINDOWS\System32\FBConfigure.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {0C34F1FD-B5EE-41F6-9D1D-BB19BBE402E7} (FBViewerCtrl.FBViewer) - https://mroy.acsimagesafe.com/includes/FBViewerCtrl.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.trippak.com/tpol/smsx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.2.150/lib/quicksilver.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {7E267608-79E3-4AC2-905B-5019EC9F314E} (SnapWebConference Class) - http://snapconferencing.com/snapConference.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4739/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\TMI VPN\cvpnd.exe
O23 - Service: TMI Export (ExportSvc) - TMI - C:\tmi\Services\Export.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\TrendMicro\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\TrendMicro\OfcPfwSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: Shavlik Remote Agent Service (stAgent) - Unknown owner - C:\WINDOWS\ProPatches\Scheduler\stAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\TrendMicro\tmlisten.exe


----------



## MFDnNC (Sep 7, 2004)

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the *Free Trial link* under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions; click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep, please put a check next to the following:
  * Sweep Memory
  * Sweep Registry
  * Sweep Cookies
  * Sweep All User Accounts
  * Enable Direct Disk Sweeping
  * Sweep Contents of Compressed Files
  * Sweep for Rootkits
  * Please UNCHECK "Do not Sweep System Restore Folder".
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new HijackThis log.


----------



## jcnagoins881 (Apr 14, 2006)

********
4:19 PM: | Start of Session, Friday, April 14, 2006 |
4:19 PM: Spy Sweeper started
4:19 PM: Sweep initiated using definitions version 658
4:19 PM: Starting Memory Sweep
4:25 PM: Memory Sweep Complete, Elapsed Time: 00:05:40
4:25 PM: Starting Registry Sweep
4:25 PM: Registry Sweep Complete, Elapsed Time:00:00:22
4:25 PM: Starting Cookie Sweep
4:25 PM: Found Spy Cookie: 2o7.net cookie
4:25 PM: [email protected][2].txt (ID = 1957)
4:25 PM: Found Spy Cookie: yieldmanager cookie
4:25 PM: [email protected][2].txt (ID = 3751)
4:25 PM: Found Spy Cookie: nextag cookie
4:25 PM: [email protected][1].txt (ID = 5015)
4:25 PM: Found Spy Cookie: advertising cookie
4:25 PM: [email protected][1].txt (ID = 2175)
4:25 PM: Found Spy Cookie: atlas dmt cookie
4:25 PM: [email protected][1].txt (ID = 2253)
4:25 PM: [email protected][1].txt (ID = 5014)
4:25 PM: Found Spy Cookie: statcounter cookie
4:25 PM: [email protected][1].txt (ID = 3447)
4:25 PM: Found Spy Cookie: tacoda cookie
4:25 PM: [email protected][2].txt (ID = 6444)
4:25 PM: [email protected][2].txt (ID = 2253)
4:25 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
4:26 PM: Starting File Sweep
4:44 PM: Found Adware: apropos
4:44 PM: exec.exe (ID = 50118)
5:00 PM: File Sweep Complete, Elapsed Time: 00:34:25
5:00 PM: Full Sweep has completed. Elapsed time 00:40:41
5:00 PM: Traces Found: 10
6:28 PM: Removal process initiated
6:28 PM: Quarantining All Traces: apropos
6:28 PM: Quarantining All Traces: 2o7.net cookie
6:28 PM: Quarantining All Traces: advertising cookie
6:28 PM: Quarantining All Traces: atlas dmt cookie
6:28 PM: Quarantining All Traces: nextag cookie
6:28 PM: Quarantining All Traces: statcounter cookie
6:28 PM: Quarantining All Traces: tacoda cookie
6:28 PM: Quarantining All Traces: yieldmanager cookie
6:28 PM: Removal process completed. Elapsed time 00:00:03
********
4:18 PM: | Start of Session, Friday, April 14, 2006 |
4:18 PM: Spy Sweeper started
4:18 PM: Your spyware definitions have been updated.
4:19 PM: | End of Session, Friday, April 14, 2006 |


----------



## jcnagoins881 (Apr 14, 2006)

You had posted for me to post a new hijack this log. I don't know what that means. Sorry!


----------



## jcnagoins881 (Apr 14, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 6:38:52 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\TMI VPN\cvpnd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\TrendMicro\ntrtscan.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\ProPatches\Scheduler\stAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrendMicro\tmlisten.exe
C:\Program Files\TrendMicro\OfcPfwSvc.exe
C:\WINDOWS\TEMP\TOE863.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\TrendMicro\pccntmon.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\ioSoftware\Logitech.Pen.TrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\TrendMicro\pccntupd.exe
c:\program files\logitech\iosoftware\Logitech.Pen.LplsHost.exe
C:\Program Files\Logitech\ioSoftware\Logitech.FileSystem.AccessManager.Server.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\TrendMicro\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech.Pen.TrayIcon] C:\Program Files\Logitech\ioSoftware\Logitech.Pen.TrayIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Microsoft Service] msupdate.exe
O4 - HKLM\..\Run: [Cleanup] MCRG
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [Microsoft Service] msupdate.exe
O4 - HKCU\..\Run: [Microsoft Service] msupdate.exe
O4 - Startup: Wireless Connection Manager Update.lnk = C:\Program Files\Novatel Wireless\WirelessConnectionManager\WiseUpdt.exe
O8 - Extra context menu item: &File to FileBound - C:\Program Files\FileBound\Integration Kit\AutoFile.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {C5619E9F-21CC-4adf-AB12-74B0692FCEAC} - C:\WINDOWS\System32\FBConfigure.exe
O9 - Extra 'Tools' menuitem: FileBound Settings - {C5619E9F-21CC-4adf-AB12-74B0692FCEAC} - C:\WINDOWS\System32\FBConfigure.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {0C34F1FD-B5EE-41F6-9D1D-BB19BBE402E7} (FBViewerCtrl.FBViewer) - https://mroy.acsimagesafe.com/includes/FBViewerCtrl.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.trippak.com/tpol/smsx.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.2.150/lib/quicksilver.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {7E267608-79E3-4AC2-905B-5019EC9F314E} (SnapWebConference Class) - http://snapconferencing.com/snapConference.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4739/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\TMI VPN\cvpnd.exe
O23 - Service: TMI Export (ExportSvc) - TMI - C:\tmi\Services\Export.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\TrendMicro\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\TrendMicro\OfcPfwSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: Shavlik Remote Agent Service (stAgent) - Unknown owner - C:\WINDOWS\ProPatches\Scheduler\stAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\TrendMicro\tmlisten.exe


----------



## MFDnNC (Sep 7, 2004)

Please click here http://www.java.com/en/download/manual.jsp to download the latest version of JAVA 1.5.0.6. Install the application, then go to the Add/Remove Programs options in the Control Panel and *Remove ALL previous versions of JAVA*.

Run HijackThis, scan only.
Click the box to the left of these entries, close IE, click Fix checked:

O4 - HKLM\..\Run: [Microsoft Service] msupdate.exe

O4 - HKLM\..\Run: [Cleanup] MCRG

O4 - HKLM\..\RunServices: [Microsoft Service] msupdate.exe

O4 - HKCU\..\Run: [Microsoft Service] msupdate.exe

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\msupdate.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START > RUN > type in %temp% > OK - Edit > Select all > File > Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

*Please give feedback on what worked/didn't work and the current status of your system*
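One way to triage O4 lines like the ones singled out above, as an added example that is not part of this thread or of HijackThis (the signals, weights and threshold are this example's own heuristic, and the sample lines are a constructed subset of the log posted earlier):

```python
"""Triage the O4 (autostart) entries of a HijackThis log (added example for
this thread; not part of HijackThis or of the posts above)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\TrendMicro\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Microsoft Service] msupdate.exe
O4 - HKLM\..\Run: [Cleanup] MCRG
O4 - HKLM\..\RunServices: [Microsoft Service] msupdate.exe
O4 - HKCU\..\Run: [Microsoft Service] msupdate.exe
O4 - Startup: Wireless Connection Manager Update.lnk = C:\Program Files\Novatel Wireless\WirelessConnectionManager\WiseUpdt.exe
"""

# Registry-backed O4 lines look like:  O4 - HKLM\..\Run: [Name] command args
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): '
                   r'\[(?P<name>[^\]]*)\] (?P<command>.*)$')
SUSPICIOUS_THRESHOLD = 2   # heuristic cut-off chosen for this example


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def executable(self) -> str:
        """First token of the command; a quoted path is kept whole."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split(' ', 1)[0]


def parse_o4(log_text: str) -> list:
    """Registry-backed O4 entries only; Startup-folder lines are skipped."""
    matches = (O4_RE.match(line.strip()) for line in log_text.splitlines())
    return [Autostart(**m.groupdict()) for m in matches if m]


def triage(log_text: str) -> list:
    """Score every O4 entry. The weights are a triage heuristic, not a verdict."""
    entries = parse_o4(log_text)
    seen = Counter(e.executable.lower() for e in entries)
    for e in entries:
        exe = e.executable
        bare = '\\' not in exe and '/' not in exe   # no path: found by PATH search
        checks = [
            (2, bare and '.' not in exe, 'command has neither a path nor an extension'),
            (1, bare and '.' in exe, 'command has no path (located by PATH search)'),
            (2, e.key.lower().startswith('runservices'), 'Win9x-era RunServices key'),
            (2, bare and 'microsoft' in e.name.lower(), 'Microsoft-branded name on a pathless command'),
            (1, seen[exe.lower()] > 1, f'same executable registered {seen[exe.lower()]} times'),
        ]
        for points, hit, why in checks:
            if hit:
                e.score += points
                e.reasons.append(why)
    return entries


def suspicious(log_text: str) -> list:
    """Executables whose entries reach the threshold, deduplicated, in log order."""
    hits = []
    for e in triage(log_text):
        if e.score >= SUSPICIOUS_THRESHOLD and e.executable not in hits:
            hits.append(e.executable)
    return hits
```

Run against the sample, `suspicious(SAMPLE_LOG)` returns the two executables the helper told the poster to fix, while the equally pathless but unique Ati2mdxx.exe and pctspk.exe stay below the threshold.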


----------



## jarydk311 (Apr 20, 2007)

Your problem probably isn't virus or spyware related.

verclsid.exe is part of a recent Windows security update. Of course, it doesn't work very well, and it is known to have conflicts with hpgs2wnd.exe, from HP Share-to-Web. Since you have both processes running, it looks like that is probably your problem.

Microsoft addresses the problem on their website:
http://support.microsoft.com/kb/918165

Hope that helps.


----------

