# Solved: Help! cannot get rid of auto start virus



## c2phace (Jul 22, 2004)

I have windows 2000 and have many problems on startup.

Windows Installer flashes several times; the event log says this is due to the WinTools IE service failing because it cannot find the specified file. (I recently deleted WinTools.) I have no idea how to resolve this.

Another problem is that McAfee states that a virus has been detected at startup and to run a full system scan, but when I do scan everything it comes up clean. I have tried scanning in safe mode and I have also tried various online scans; all come up clean.

Here is the HijackThis log. (Also, when trying to save the log, McAfee stated there was an exploit and deleted the file. I had to disable it to save the file.)

Logfile of HijackThis v1.98.0 
Scan saved at 4:13:18 PM, on 7/14/2004 
Platform: Windows 2000 SP4 (WinNT 5.00.2195) 
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes: 
C:\WINDOWS\System32\smss.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\system32\spoolsv.exe 
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE 
C:\WINDOWS\System32\svchost.exe 
C:\WINDOWS\System32\nvsvc32.exe 
C:\WINDOWS\system32\regsvc.exe 
C:\WINDOWS\system32\MSTask.exe 
C:\WINDOWS\system32\stisvc.exe 
C:\WINDOWS\System32\WBEM\WinMgmt.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\Explorer.EXE 
C:\WINDOWS\system32\PV92TRAY.EXE 
c:\progra~1\mcafee.com\vso\mcvsescn.exe 
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe 
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe 
C:\Program Files\NetZero\exec.exe 
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe 
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe 
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe 
C:\Program Files\NetZero\exec.exe 
C:\Program Files\Internet Explorer\iexplore.exe 
C:\My Documents\Security\hijack\HijackThis.exe 
C:\Program Files\McAfee.com\Agent\mcagent.exe 
C:\PROGRA~1\McAfee.com\Agent\McDash.exe 
c:\program files\mcafee.com\shared\mghtml.exe 
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com/ 
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com/ 
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.altavista.com/ 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.com/ 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.mamma.com 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mama.com/ 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hmbni.dll/sp.html (obfuscated) 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch 
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hmbni.dll/sp.html (obfuscated) 
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.mamma.com 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://find4u.net/sp.htm 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.mamma.com/index.html?cb=Mama 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.altavista.com/ 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll 
O1 - Hosts: 207.36.196.189 #uto.search.msn.com 
O1 - Hosts: 207.36.196.189 #earch.netscape.com 
O1 - Hosts: 207.36.196.189 #eautosearch 
O2 - BHO: (no name) - {6D18B6B7-3063-4C4E-9A33-7CA4EAB8A6C0} - (no file) 
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx 
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file) 
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file) 
O3 - Toolbar: (no name) - {24F8637F-57A5-42B2-AFBC-2C970C3DD339} - (no file) 
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll 
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll 
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe 
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe 
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon 
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask 
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe 
O4 - HKLM\..\Run: [PV92TRAY] PV92TRAY.EXE 
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot 
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun 
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe" 
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w 
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun 
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe 
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE 
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe 
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe 
O4 - Global Startup: PowerReg Scheduler.exe 
O4 - Global Startup: StartupCleaner.exe 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm 
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm 
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\PROGRAM FILES\WHISTLESOFTWARE\WSELSERVICES\WEBBAND.DLL 
O9 - Extra button: Microsoft® JavaScript® Console - {535E5078-CCF9-449C-96CE-6920E09186FD} - C:\WINDOWS\system32\comdlg32.ocx 
O9 - Extra 'Tools' menuitem: JavaScript Console - {535E5078-CCF9-449C-96CE-6920E09186FD} - C:\WINDOWS\system32\comdlg32.ocx 
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) 
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL 
O9 - Extra button: Microsoft® JavaScript® Console - {535E5078-CCF9-449C-96CE-6920E09186FD} - C:\WINDOWS\system32\comdlg32.ocx (HKCU) 
O9 - Extra 'Tools' menuitem: JavaScript Console - {535E5078-CCF9-449C-96CE-6920E09186FD} - C:\WINDOWS\system32\comdlg32.ocx (HKCU) 
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU) 
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll 
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB 
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe 
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab 
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe 
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share...insctl.cab 
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://mmm.roings.com/crack.cab 
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab 
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab 
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab 
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share...cgdmgr.cab 
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319 
O17 - HKLM\System\CCS\Services\Tcpip\..\{53237E04-85BC-4BC6-AB26-ACF732122158}: NameServer = 64.136.20.121 64.136.20.133 
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdg.dll

If you could please offer up any help or solutions to these problems I would be very grateful. Thank you for your time.


----------



## Flrman1 (Jul 26, 2002)

Hi c2phace

Welcome to TSG! 

You have a CWS browser hijacker among other things. First let's get rid of the hijacker and then we'll get rid of the rest. This will take several steps, so hang in there with me. First, please do this:

Click here to download FindNFix.

Extract it (it should auto-extract to C:\FindnFix when you double-click it).

Go to the C:\FindnFix folder, double-click on *!LOG!.BAT* and let it run. It will generate a log.txt file. Copy and paste log.txt back here in your next reply.


----------
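As an added example (not from the thread, HijackThis or FindNFix), here is a small Python triage pass over the entry classes in the log above that point at the hijacker Flrman1 identifies: the `res://` search pages served from a local DLL, the hosts-file redirects, the `O16` download that is not a plain http .cab, the `O20` AppInit_DLLs entry, and the orphaned `(no file)` CLSIDs. The sample lines are copied from the posted log; the rules and severity labels are the editor's own.

```python
"""Triage pass over HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis or FindNFix.
The rules and severity labels are the editor's own and are tied to the
entry classes visible in the posted log.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section tag, e.g. "O20"
    reason: str
    entry: str      # the entry text after the tag


# One HijackThis entry: "<tag> - <body>"; tags are R0/R1/O1/O16/O20 and so on.
ENTRY = re.compile(r"^(?P<tag>[RO]\d+)\s*-\s*(?P<body>.+)$")
# Orphaned CLSID entries end in "(no file)", sometimes followed by "(HKCU)".
NO_FILE = re.compile(r"\(no file\)(\s*\(HKCU\))?$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: entries copied from the log posted at the top of the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hmbni.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
O1 - Hosts: 207.36.196.189 #uto.search.msn.com
O2 - BHO: (no name) - {6D18B6B7-3063-4C4E-9A33-7CA4EAB8A6C0} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdg.dll
"""


def classify(tag: str, body: str) -> Optional[Finding]:
    """Return a Finding for one entry, or None if the entry looks benign."""
    body = body.strip()
    if tag == "O20" and body.startswith("AppInit_DLLs:"):
        # A non-empty AppInit_DLLs value is loaded into every process that
        # links user32.dll; ordinary software almost never sets it.
        value = body.split(":", 1)[1].strip()
        if value:
            return Finding("high", tag, "AppInit_DLLs set: DLL injected into every GUI process", body)
        return None
    if tag == "O1":
        # hosts-file entries pin search/update hostnames to a fixed address.
        return Finding("medium", tag, "hosts-file override of a search/update hostname", body)
    if tag in ("R0", "R1") and "res://" in body.lower():
        # Start/search page served out of a local DLL resource: the CWS hallmark.
        return Finding("high", tag, "IE search/start page served from a local DLL resource", body)
    if tag == "O16":
        # Downloaded Program Files should be a plain http(s) download of a .cab.
        url = body.rsplit(" - ", 1)[-1].strip().lower()
        if not url.startswith(("http://", "https://")) or not url.endswith(".cab"):
            return Finding("high", tag, "Downloaded Program File is not a plain http(s) .cab", body)
        return None
    if NO_FILE.search(body):
        # Registration left behind after its file vanished; cleanup, not infection.
        return Finding("low", tag, "CLSID registered but its file is missing (orphan)", body)
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse every entry line and return the findings, most severe first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            f = classify(m.group("tag"), m.group("body"))
            if f:
                findings.append(f)
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable sort keeps log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.entry}")
```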



## c2phace (Jul 22, 2004)

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»» 
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s) 
6.0.2800.1106 SP1-Q823353-Q832894
The type of the file system is NTFS.
C: is not dirty.

Sat 24 Jul 04 12:14:41
12:14am up 0 days, 0:23

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»» 
The list will produce a small database of files that will match certain criteria. 
You must know how to ID the file based on the filters provided in 
the scan, as not all the files flagged are bad. 
Ex: read only files, s/h files, last modified date. size, etc. 
The filters provided should help narrow down the list, and hopefully 
pinpoint the culprit. 
Along with that,registry scan logged at the end should match the 
corresponding file(s) listed. 
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
Unless the file match the entire criteria, it should not be pointed to remove 
without attempting to confirm it's nature! 
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)! 
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder 
»»»»»»»»»»»»»»»»»»***LOG!***(*updated 7/24)»»»»»»»»»»»»»»»»

»»»*»»»*Use at your own risk!»»»*»»»*

Scanning for file(s)... 
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»» 
»»»»» (*1*) »»»»» ......... 
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\KBDG.DLL +++ File read error
\\?\C:\WINDOWS\System32\KBDG.DLL +++ File read error

»»»»» (*2*) »»»»»........ 
**File C:\FINDnFIX\LIST.TXT
KBDG.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
kbdg.dll Sun Apr 18 2004 11:38:46p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

»»»»» (*4*) »»»»»......... 
Sniffing.......... 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KBDG.DLL

»»»»»(*5*)»»»»» 
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... KBDG.DLL .....57344 18.04.2004

»»»»»(*6*)»»»»» 
fgrep: can't open input C:\WINDOWS\SYSTEM32\KBDG.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»» 
»»»»»Search by size...

C:\WINDOWS\SYSTEM32\
kbdg.dll Sun Apr 18 2004 11:38:46p A...R 57,344 56.00 K
wnaspint.dll Wed Jul 21 2004 8:25:56p A.... 57,344 56.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 114,688 bytes 112.00 K

C:\WINDOWS\SYSTEM32\
jgmd400.dll Wed Mar 3 2004 3:04:26p A.... 35,840 35.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 35,840 bytes 35.00 K

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KBDG.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WNASPINT.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JGMD400.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»Size of Windows key: 
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 506

»»Dumping Values........ 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	SZ	C:\\WINDOWS\\system32\\kbdg.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout	SZ	15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler	SZ	yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout	SZ	90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota	DWORD	00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = C:\WINDOWS\system32\kbdg.dll
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk = 
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

»»Member of...: (Admin logon required!) 
User is a member of group C2PHACE\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»»»»»Backups created...»»»»»» 
12:16am up 0 days, 0:25
Sat 24 Jul 04 12:16:34

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-24-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 318 07-24-2004 winkey.reg
*Temp backups... 
. 
.. 
keyback2.hi_ 
winkey2.re_

C:\FINDNFIX\
JUNKXXX Sat Jul 24 2004 12:14:40p .D...

1 item found: 0 files, 1 directory.

»»Performing string scan.... 
00001150: ? 
00001190: 8 @ 
000011D0: vk : , AppInit_DLLs4 e C : \ W I N D O W S 
00001210:\ s y s t e m 3 2 \ k b d g . d l l vk h d 
00001250eviceNotSelectedTimeout 1 5 H vk ' 
00001290: 0 GDIProcessHandleQuota 0 vk 0 Spooler 
000012D0: y e s 0 0 vk 0 swapdisk vk 0 
00001310: , TransmissionRetryTimeout 9 0 vk ' 
00001350: 0 USERProcessHandleQuota0 
00001390: 
000013D0: 
00001410: 
00001450: 
00001490: 
000014D0: 
00001510: 
00001550: 
00001590: 
000015D0:

---------- WIN.TXT
AppInit_DLLs4
-------------- 
-------------- 
$011E8: AppInit_DLLs4
$01250: DeviceNotSelectedTimeout
$01298: GDIProcessHandleQuota
$01318: TransmissionRetryTimeout
$01358: USERProcessHandleQuota0
-------------- 
-------------- 
C:\WINDOWS\system32\kbdg.dll
-------------- 
-------------- 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\kbdg.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 58 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\system32\kbdg.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 73 00 79 00 73 00 74 00 65 00 | W.S.\.s.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 6b 00 62 00 64 00 67 00 | m.3.2.\.k.b.d.g.
0030 2e 00 64 00 6c 00 6c 00 00 00 | ..d.l.l...



----------



## Flrman1 (Jul 26, 2002)

Be sure to follow the next set of steps carefully, in the exact order specified.

Get ready to restart:
First double-click on the *FIX.bat* file in the C:\FINDnFIX\*Keys1* folder.
Wait for the popup alert to restart your computer in 15 seconds.

After the computer restarts and you are back in Windows, navigate to the C:\Windows\System32 folder:
Locate and select the *KBDG.DLL* file (as it will be visible),
then use the folder's top menu and go to Edit > Move to Folder...
Select C:\FINDnFIX\junkxxx as the destination and move the *KBDG.DLL* there.
-----------------------------------------------------------------------------------------------------------

Now look in the C:\FINDnFIX folder and locate the *RESTORE.bat* file. Doubleclick it to run it.

Wait for it to run; it will produce a 'log1.txt' file! Copy that log and paste it here!

-----------------------------------------------------------------------------------------------------------

*Note:*
Do not change, move around or tamper with any of the files, folders and paths included in the 'FINDnFIX' folder.


----------



## c2phace (Jul 22, 2004)

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Sat 24 Jul 04 18:20:05
6:20pm up 0 days, 0:05

Microsoft Windows 2000 [Version 5.00.2195]
»»»IE build and last SP(s) 
6.0.2800.1106 SP1-Q823353-Q832894
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!(*updated 7/24)***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or 
the right file was selected...

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»

»»»»»»» (2) »»»»»»» 
**File C:\FINDnFIX\LIST.TXT

»»»»»»» (3) »»»»»»»

No matches found.
Unknown/hidden files...

No matches found.

»»»»»»» (4) »»»»»»» 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»»»(5)»»»»» 
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»»»(*6*)»»»»»

»»»»»»» Search by size...

C:\WINDOWS\SYSTEM32\
wnaspint.dll Wed Jul 21 2004 8:25:56p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

C:\WINDOWS\SYSTEM32\
jgmd400.dll Wed Mar 3 2004 3:04:26p A.... 35,840 35.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 35,840 bytes 35.00 K

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\WNASPINT.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\JGMD400.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

»»»*»»» Scanning for moved file... »»»*»»»

(***Note: If the file is listed as +++ read error it's security restrictions couldn't be stripped! 
RightClick on the file/properties/security 
and check the "Allow Inheritable permissions from parent..." box. 
Do the same for the folder (junkxxx) it's in, otherwise ignore and procceed)

* result\\?\C:\FINDnFIX\junkxxx\KBDG.222

C:\FINDNFIX\JUNKXXX\
kbdg.222 Sun Apr 18 2004 11:38:46p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\KBDG.222

**File C:\FINDNFIX\JUNKXXX\KBDG.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....à.

A----- KBDG .222 0000E000 23:38.46 18/04/2004

--a-- W32i - - - - 57,344 04-18-2004 kbdg.222
A C:\FINDnFIX\junkxxx\kbdg.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
KBDG.222 57344 04-18-104 23:38 c185b36f9969d3a6d2122ba7cbc02249 
File: <C:\FINDnFIX\junkxxx\kbdg.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249

»»Permissions: 
C:\FINDnFIX\junkxxx\kbdg.222 EveryoneOI)(CI)F 
BUILTIN\AdministratorsOI)(CI)F 
BUILTIN\Administrators:F 
BUILTIN\Administrators:F 
 NT AUTHORITY\SYSTEM:F 
Everyone:F

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: C2PHACE\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: C2PHACE\None

File "C:\FINDnFIX\junkxxx\kbdg.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x \Everyone

Owner: BUILTIN\Administrators

Primary Group: C2PHACE\None

C:\FINDnFIX\junkxxx\kbdg.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\kbdg.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\kbdg.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\kbdg.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO_
C:\FINDnFIX\junkxxx\kbdg.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\kbdg.222;Everyone:RrRaRepWwAWaWePXDDcO

»»Size of Windows key: 
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout	SZ	15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler	SZ	yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout	SZ	90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk = 
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

»»Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM

00001150: ? 
00001190: H x 
000011D0: vk d DeviceNotSelectedTimeout 1 5 
00001210:H vk ' 0 GDIProcessHandleQuota 0 vk 
00001250: h 0 Spooler y e s 0 0 vk 0 
00001290:swapdisk vk , TransmissionRetryTimeout 9 0 
000012D0: vk ' 0 USERProcessHandleQuota0 vk 
00001310: S AppInit_DLLsm 3 
00001350: 
00001390: 
000013D0: 
00001410: 
00001450: 
00001490: 
000014D0: 
00001510: 
00001550:

---------- NEWWIN.TXT
AppInit_DLLsm
-------------- 
-------------- 
$011E8: DeviceNotSelectedTimeout
$01230: GDIProcessHandleQuota
$012B0: TransmissionRetryTimeout
$012F0: USERProcessHandleQuota0
$01320: AppInit_DLLsm
-------------- 
-------------- 
No strings found.

d...a 0 Jul 24 18:20 . 
d...a 0 Jul 24 18:20 .. 
....a 57344 Apr 18 23:38 kbdg.222

3 files found occupying 55296 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
KBDG.222 : crc16=3138 crc32=D5C9FB2E

-------- C:\FINDNFIX\JUNKXXX\KBDG.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 5,734,400 cps 
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.01

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. A 07-24-:4 18:20|KBDG 222 57344 A 04-18-:4 23:38
.. A 07-24-:4 18:20| 
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
19478528 bytes available on Drive C: Volume label: HP_PAVILION

...File dump...

DecAddr +4 +8 +12 (c) |ASCII Equiv or .| HexAddr
56880 00000000 4b45524e 454c3332 2e444c4c |....KERNEL32.DLL| 0de30
56896 00004c6f 61644c69 62726172 79410000 |..LoadLibraryA..| 0de40
56912 47657450 726f6341 64647265 73730000 |GetProcAddress..| 0de50
56928 00000000 00000000 00000000 a6f00100 |................| 0de60
56944 01000000 03000000 03000000 88f00100 |................| 0de70
56960 94f00100 a0f00100 05270000 9a230000 |.........'...#..| 0de80
56976 242a0000 a7f00100 bef00100 d3f00100 |$*..............| 0de90
56992 00000100 02000049 6e737461 6c6c5374 |.......InstallSt| 0dea0
57008 7265616d 696e6744 65766963 65005374 |reamingDevice.St| 0deb0
57024 7265616d 696e6744 65766963 65536574 |reamingDeviceSet| 0dec0
57040 75700053 74726561 6d696e67 44657669 |up.StreamingDevi| 0ded0
57056 63655365 74757032 |ceSetup2 | 0dee0

Detecting...

C:\FINDnFIX\junkxxx 
kbdg.222 ACL has 6 ACE(s)
SID = /Everyone S-1-1-0
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Administrators S-1-5-32-544
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 4 is an ACCESS_ALLOWED_ACE_TYPE
ACE 4 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = /Everyone S-1-1-0
ACE 5 is an ACCESS_ALLOWED_ACE_TYPE
ACE 5 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
ACL done...

Finished Detecting... _


----------



## Flrman1 (Jul 26, 2002)

Open the FINDnFIX\*Files2* subfolder:
Run the *ZIPZAP.bat* file.
It will quickly clean the rest, make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions: simply drag and drop the 'junkxxx.zip' file from the folder into the mail message and submit it to the specified addresses! Thanks!

*Note:* If you encounter an error trying to email the file, just skip it and move on.

When done, restart your computer and delete the entire C:\FINDnFIX folder and its subfolders, and be sure the junkxxx folder was deleted (as part of the cleanup process).

Click here to download CWShredder. Close all browser windows, unzip the file, click on cwshredder.exe, then click *"Fix" (not "Scan only")* and let it do its thing.

When it is finished *restart your computer*.

Go here and download Adaware 6 Build 181

Install the program and launch it.

First, in the main window look in the bottom right corner and click on *Check for updates now* and download the latest reference files.

Make sure the following settings are made and on: *ON=GREEN*

From the main window: click *Start* then *Activate in-depth scan (recommended)*

Click *Use custom scanning options* then click *Customize* and have these options selected: Under *Drives and Folders* put a check by *Scan within archives* and below that under *Memory and Registry* put a check by *all* the options there.

Now click on the *Tweak* button in that same window. Under *Scanning engine* select *Unload recognized processes during scanning* and under *Cleaning Engine* select *Let windows remove files in use at next reboot*

Click *proceed* to save your settings.

Now to scan just click the *Next* button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose *select all* from the drop-down menu and click *Next*.)

*Restart your computer*.

Come back here and post another Hijack This log and we'll get rid of what's left.


----------



## c2phace (Jul 22, 2004)

Logfile of HijackThis v1.98.0
Scan saved at 12:45:48 PM, on 7/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\PV92TRAY.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\My Documents\Security\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.mamma.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.mamma.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts: 207.36.196.189 #eautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: (no name) - {24F8637F-57A5-42B2-AFBC-2C970C3DD339} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [PV92TRAY] PV92TRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [System Mechanic Registry Compact Handler] "C:\Program Files\iolo\System Mechanic 4 Professional\SysMech4.exe" /PERSISTREGCOMPACT
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: StartupCleaner.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\PROGRAM FILES\WHISTLESOFTWARE\WSELSERVICES\WEBBAND.DLL
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B1} - http://www.oborot.com/find.htm (file missing)
O9 - Extra button: ENTERTAINMENT - {FE5A1910-F121-11d2-BE9E-01C04A7936B2} - http://www.oborot.com/av.htm (file missing)
O9 - Extra button: PILLS - {FE5A1910-F121-11d2-BE9E-01C04A7936B3} - http://www.oborot.com/med.htm (file missing)
O9 - Extra button: SECURITY - {FE5A1910-F121-11d2-BE9E-01C04A7936B4} - http://www.oborot.com/check.htm (file missing)
O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B5} - http://www.oborot.com (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://mmm.roings.com/crack.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319


----------



## Flrman1 (Jul 26, 2002)

Do you use this?:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.mamma.com

Also do you use and want all that NetZero and AltaVista search stuff?


----------



## c2phace (Jul 22, 2004)

I don't even know what that stuff is and I highly doubt I ever use any of it.
Can I get rid of it through hijack?

Hey I also wanted to thank you for helping me, I really appreciate it.


----------



## Flrman1 (Jul 26, 2002)

Go to Add/Remove programs and uninstall the NetZero toolbar.

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com/

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com/

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.altavista.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.altavista.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.mamma.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.mamma.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.altavista.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll

O1 - Hosts: 207.36.196.189 #eautosearch

O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)

O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)

O3 - Toolbar: (no name) - {24F8637F-57A5-42B2-AFBC-2C970C3DD339} - (no file)

O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - Global Startup: PowerReg Scheduler.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\PROGRAM FILES\WHISTLESOFTWARE\WSELSERVICES\WEBBAND.DLL

O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)

O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B1} - http://www.oborot.com/find.htm (file missing)

O9 - Extra button: ENTERTAINMENT - {FE5A1910-F121-11d2-BE9E-01C04A7936B2} - http://www.oborot.com/av.htm (file missing)

O9 - Extra button: PILLS - {FE5A1910-F121-11d2-BE9E-01C04A7936B3} - http://www.oborot.com/med.htm (file missing)

O9 - Extra button: SECURITY - {FE5A1910-F121-11d2-BE9E-01C04A7936B4} - http://www.oborot.com/check.htm (file missing)

O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B5} - http://www.oborot.com (file missing)

O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://mmm.roings.com/crack.cab*

Restart your computer.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin
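The list above is the product of a few rules of thumb an analyst applies when reading a HijackThis log: R0/R1 search and start-page values pointing at hosts the user never chose (or left blank), an O1 hosts-file redirection, O3 toolbars and O9 buttons whose backing file is gone or that point at a web URL, an O6 policy restriction on Internet Options, and O16 Download Program Files entries whose codebase is not a plain http(s) download from a known vendor (the `ms-its:` and `file://` ones here). The following Python script is an added example that encodes those rules; it is not HijackThis code and not something either poster wrote. The two allowlists, the sample log (assembled from lines in this thread) and the function names are assumptions made for the example; the O4 startup items are deliberately left to manual review because no simple rule separates the entries the helper kept from the one he removed.

```python
"""HijackThis log triage: flag the entry types an analyst would fix first.

Added example for this thread; not part of HijackThis and not code from either
poster.  The allowlists and the sample log below are assumptions.
"""
import re
from urllib.parse import urlsplit

# Hosts a user might legitimately have chosen as search/start page (assumption).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com"}
# Vendors whose ActiveX downloads (O16) are expected on this machine (assumption).
TRUSTED_DPF_HOSTS = {
    "download.mcafee.com", "www.pandasoftware.com", "www.ravantivirus.com",
    "www.pcpitstop.com", "www.ipix.com", "h30043.www3.hp.com",
}
MISSING_MARKERS = ("(no file)", "(file missing)")
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def scheme_of(target: str) -> str:
    """URL scheme in lower case, or '' when the target has none."""
    m = re.match(r"([a-z][a-z0-9+.\-]*):", target.strip(), re.I)
    return m.group(1).lower() if m else ""


def host_of(target: str) -> str:
    """Host of an http(s) URL; a bare 'www.host.tld/path' yields its host."""
    t = target.strip()
    if scheme_of(t) in ("http", "https"):
        return (urlsplit(t).hostname or "").lower()
    return t.split("/", 1)[0].lower()


def triage_line(line: str):
    """Return (flagged, reason) for a single HijackThis log line."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return False, "not a HijackThis entry"
    kind, rest = m.groups()

    if kind in ("R0", "R1"):                      # IE start/search page values
        key, sep, value = rest.partition(" =")
        if not sep:
            return False, "unrecognised R entry"
        setting, value = key.rsplit(",", 1)[-1], value.strip()
        if setting == "ProxyOverride":            # a bypass list, not a URL
            return False, "proxy bypass list, not a URL"
        if not value:
            return True, f"{setting}: blank value, reset the IE setting"
        host = host_of(value)
        if host in TRUSTED_SEARCH_HOSTS:
            return False, f"{setting}: trusted host {host}"
        return True, f"{setting}: points at {host}"
    if kind == "R3":                              # search hook DLL
        return True, "URLSearchHook DLL: verify the publisher or remove"
    if kind == "O1":                              # hosts file entry
        return True, "hosts file redirection"
    if kind in ("O3", "O9"):                      # toolbars and extra buttons
        target = rest.rsplit(" - ", 1)[-1]
        if any(mark in target for mark in MISSING_MARKERS):
            return True, "backing file missing (orphaned entry)"
        if scheme_of(target) in ("http", "https"):
            return True, "button points at a web URL"
        return False, "backing file present"
    if kind == "O6":                              # IE policy restrictions
        return True, "IE policy restriction present"
    if kind == "O16":                             # Downloaded Program Files
        codebase = rest.rsplit(" - ", 1)[-1]
        scheme = scheme_of(codebase)
        if scheme not in ("http", "https"):
            return True, f"DPF codebase uses '{scheme or 'no'}' scheme"
        host = host_of(codebase)
        if host not in TRUSTED_DPF_HOSTS:
            return True, f"DPF codebase from untrusted host {host}"
        return False, f"DPF from trusted host {host}"
    return False, "not assessed by these rules"


def triage_log(text: str):
    """Flagged (line, reason) pairs for a whole log, in log order."""
    return [(ln.rstrip(), r) for ln in text.splitlines()
            for f, r in [triage_line(ln)] if f]


# Constructed sample: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.altavista.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.mamma.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts: 207.36.196.189 #eautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: PILLS - {FE5A1910-F121-11d2-BE9E-01C04A7936B3} - http://www.oborot.com/med.htm (file missing)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} - http://mmm.roings.com/crack.cab
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"FIX  {reason:<50} {line[:70]}")
```

Run it against a pasted log and review the unflagged lines by hand; the allowlists are the part to adapt to the machine being cleaned, since a search page the user actually chose should not be "fixed" just because it is not Google.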


----------



## c2phace (Jul 22, 2004)

Do you have any suggestions about how to stop the wintools service from starting the windows installer on startup?

Also, is there any way to clear the screensaver list? It's full of all the pictures on my system.

Thank you


----------



## Flrman1 (Jul 26, 2002)

Post another Hijack This log.


----------



## c2phace (Jul 22, 2004)

Logfile of HijackThis v1.98.0
Scan saved at 4:10:19 PM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\PV92TRAY.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\NetZero\exec.exe
C:\My Documents\Security\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mama.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [PV92TRAY] PV92TRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [System Mechanic Registry Compact Handler] "C:\Program Files\iolo\System Mechanic 4 Professional\SysMech4.exe" /PERSISTREGCOMPACT
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Global Startup: StartupCleaner.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - c:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319


----------



## Flrman1 (Jul 26, 2002)

I don't see anything there so please do this:

Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete:

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

Empty the Recycle Bin

Now do this:

Open Hijack This. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)" and "Calculate MD5 of files if possible". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.


----------



## c2phace (Jul 22, 2004)

StartupList report, 7/26/2004, 6:51:42 PM
StartupList version: 1.52.2
Started from : C:\My Documents\Security\hijack\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My Documents\Security\hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
StartupCleaner.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
Synchronization Manager = mobsync.exe /logon
VSOCheckTask = "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
VirusScan Online = "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
PV92TRAY = PV92TRAY.EXE
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
C-Media Mixer = Mixer.exe /startup
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
InCD = C:\Program Files\Ahead\InCD\InCD.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

System Mechanic Popup Stopper = "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
uoltray = C:\Program Files\NetZero\exec.exe regrun
spc_w = "C:\Program Files\NZSearch\hcm.exe" -w
System Mechanic Registry Compact Handler = "C:\Program Files\iolo\System Mechanic 4 Professional\SysMech4.exe" /PERSISTREGCOMPACT

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINDOWS\system32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINDOWS\system32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 2200 series#1059330685.job
Maintenance-Disk cleanup.job
McAfee.com Scan for Viruses - My Computer (C2PHACE-Chris Mrozewski).job
McAfee.com Update Check (C2PHACE-Chris Mrozewski).job
Tune-up Application Start.job
WINALIGN.JOB

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = c:\WINDOWS\system32\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab

[mhLabel Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\mhLbl.dll
CODEBASE = http://www.pcpitstop.com/mhLbl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\system32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38075.3175231482

[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ravonline.dll
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\system32\McGDMgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\swflash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[QDiagHUpdateObj Class]
InProcServer32 = C:\WINDOWS\system32\qdiagh.ocx
CODEBASE = http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
C-DillaSrv: C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
InCD Helper: C:\Program Files\Ahead\InCD\InCDsrv.exe (autostart)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
McAfee.com VirusScan Online Realtime Engine: c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding (autostart)
NetBEUI Protocol: System32\DRIVERS\nbf.sys (autostart)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINDOWS\system32\NETSHELL.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 10,653 bytes
Report generated in 0.311 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Flrman1 (Jul 26, 2002)

I don't see anything there either. Have you restarted lately to see if it is still doing it?


----------



## c2phace (Jul 22, 2004)

Yeah, I just restarted. The Windows Installer screen flashes several times, then nothing else happens. In the event viewer it says "The wintools service for IE is unable to start because it cannot find the specified file"

I searched all over and I cannot find any info on wintools for IE, or even what it does.
However, I did come across it in the admin tools\component services menu.

(Wintools for the IE service)
under startup type I have it disabled.

It used to reside in the common files folder as WToolsS.exe
I deleted the program because SpyBot could not remove it.

I cannot delete the service key so I don't know what to do.
Hope the info helps 

thanks


----------



## c2phace (Jul 22, 2004)

I went through and deleted all instances of wtoolsa in my registry. I still get the installer pop up but the error is gone from the event viewer.

I then disabled every startup item that wasn't absolutely necessary and restarted. I got the pop up again but the event viewer told me these two errors occurred:

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date: 7/26/2004
Time: 10:16:06 PM
User: N/A
Computer:	C2PHACE
Description:
The following boot-start or system-start driver(s) failed to load: 
Cdr4_2K 



Event Type:	Error
Event Source:	Server
Event Category:	None
Event ID:	2506
Date: 7/26/2004
Time: 10:16:00 PM
User: N/A
Computer:	C2PHACE
Description:
The value named IRPStackSize in the server's Registry key LanmanServer\Parameters was invalid. The value was ignored, and processing continued. 
Data:
0000: 57 00 00 00 W... 


I have no idea what these errors could be or if they are even important.


----------



## Flrman1 (Jul 26, 2002)

Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Put the following in the search box:

*wintools*

Post or upload the results here.
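The Registry Search Tool writes its hits as a REGEDIT4-style file (a `[key]` header per matching key, then any matching `"name"="value"` pairs under it), as the next reply shows. What those hits reveal in a case like this one is that deleting a service's binary and its `Services\<name>` key leaves the Plug and Play registrations the Service Control Manager created for it, the `Enum\Root\LEGACY_<NAME>` keys, in every control set and hardware profile, which is why the service is still enumerated at boot. The script below is an added example, not the tool's own code and not anything from the thread: it parses such an export, groups the LEGACY entries by service, and reports the ones for which the export contains no `Services\<name>` key. The sample export is constructed from the first results in the following reply, and the inference "no Services key among the hits, so only the legacy PnP entries remain" is only valid when, as here, the search string also matches the service name. Function names are assumptions.

```python
"""Summarise orphaned LEGACY_* PnP entries from a REGEDIT4-style search export.

Added example; not RegSrch.vbs and not code from either poster.  Sample data is
constructed from the export posted in this thread.
"""
import re
from collections import OrderedDict

LEGACY_RE = re.compile(r"\\Enum\\Root\\(LEGACY_[^\\\]]+)", re.I)
CONTROLSET_RE = re.compile(r"\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\", re.I)
PROFILE_RE = re.compile(r"\\Hardware Profiles\\([^\\\]]+)", re.I)
SERVICE_KEY_RE = re.compile(
    r"\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\\\]]+)", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str):
    """Map each [key] to its "name"="value" pairs; repeated keys are merged."""
    keys, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)          # header, comments and blanks skip
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def legacy_entries(keys):
    """Group every Enum\\Root\\LEGACY_<NAME> key by <NAME>."""
    entries = OrderedDict()
    for key, values in keys.items():
        m = LEGACY_RE.search(key)
        if not m:
            continue
        name = m.group(1).upper()
        e = entries.setdefault(name, {
            "legacy_key": name, "service": None, "description": None,
            "control_sets": set(), "hardware_profiles": set(), "keys": []})
        e["keys"].append(key)
        cs = CONTROLSET_RE.search(key)        # leftmost match: the outer control set
        if cs:
            e["control_sets"].add(cs.group(1))
        hp = PROFILE_RE.search(key)
        if hp:
            e["hardware_profiles"].add(hp.group(1))
        e["service"] = values.get("Service", e["service"])
        e["description"] = values.get("DeviceDesc", e["description"])
    return entries


def registered_services(keys):
    """Lower-cased names of services that still have a Services\\<name> key."""
    return {m.group(1).lower() for k in keys for m in [SERVICE_KEY_RE.search(k)] if m}


def orphaned_legacy(text: str):
    """LEGACY entries whose service has no Services key in the export."""
    keys = parse_reg_export(text)
    registered = registered_services(keys)
    report = []
    for e in legacy_entries(keys).values():
        service = e["service"] or e["legacy_key"][len("LEGACY_"):]
        if service.lower() in registered:
            continue
        report.append({
            "legacy_key": e["legacy_key"], "service": service,
            "description": e["description"],
            "control_sets": sorted(e["control_sets"]),
            "hardware_profiles": sorted(e["hardware_profiles"]),
            "key_count": len(e["keys"]),
        })
    return report


# Constructed sample, abbreviated from the export in the next reply.
SAMPLE_EXPORT = r"""REGEDIT4
; Registry search results for string "wintools" (constructed sample)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"DeviceDesc"="WinTools for IE service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"
"DeviceDesc"="WinTools for IE service"
"""

if __name__ == "__main__":
    for r in orphaned_legacy(SAMPLE_EXPORT):
        print(f"{r['legacy_key']}: service {r['service']} ({r['description']}) "
              f"in {', '.join(r['control_sets'])}, {r['key_count']} keys")
```

Seeing the same entry under ControlSet001, ControlSet002 and CurrentControlSet explains why deleting it in one place is not enough: CurrentControlSet is a link to one of the numbered sets, and the other set is the "Last Known Good" copy that comes back at the next boot.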


----------



## c2phace (Jul 22, 2004)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "wintools" 7/27/2004 3:06:12 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"DeviceDesc"="WinTools for IE service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"DeviceDesc"="WinTools for IE service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"Service"="WinToolsSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000]
"DeviceDesc"="WinTools for IE service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WINTOOLSSVC\0000]


----------



## Flrman1 (Jul 26, 2002)

You need to go into regedit and delete all those references to LEGACY_WINTOOLSSVC.


----------



## wnapier (Aug 19, 2004)

What do you do when you hit delete and get the answer (for each of several entries) "Cannot delete . . . error while deleting key" ?


----------



## vss (Aug 22, 2004)

You can use regedt32.exe, select the key, change the security permissions before you delete the key.


----------

