# Solved: How to remove System Alert icon



## smart_guy (Mar 7, 2007)

I have a System Alert icon in the bottom right-hand corner of my laptop. I am using Windows XP Home Edition SP-2. This icon frequently generates messages telling me that the System has detected many spyware applications running that may impact the performance of my computer. I have used McAfee Virus Scan and Windows Defender to remove this icon. But this icon does not go away. Can you please tell me how to remove this System Alert icon?

Thanks,

Smart_Guy


----------



## MFDnNC (Sep 7, 2004)

Click here to download HJTsetup.exe:

http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5

*Scroll down to the download section where the download button is*

Save HJTsetup.exe to your desktop.

- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
- Click Save to save the log file and then the log will open in Notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## smart_guy (Mar 7, 2007)

I downloaded HJTsetup.exe. I scanned my laptop. Here is the log file. Please let me know what to keep and what to delete.

Logfile of HijackThis v1.99.1
Scan saved at 3:06:01 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SiteAdvisor\4144\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin.../storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r*.attbi.com;localhost
R3 - URLSearchHook: (no name) - {341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video Access ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {33DA3B9A-A391-432E-B74C-FACB7DA6CCE6} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) - 
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50029/QDow.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://shaileshmishraji.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157038199006
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://59.160.81.51/Media/visitorchat/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - (no file)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## MFDnNC (Sep 7, 2004)

Download Superantispyware (SAS)

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.

- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others unchecked.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntispyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- Please paste that information here for me *with a new HijackThis log*.


----------



## smart_guy (Mar 7, 2007)

Following is the Super Anti Spyware scan log:

SUPERAntiSpyware Scan Log
Generated 03/07/2007 at 05:50 PM

Application Version : 3.6.1000

Core Rules Database Version : 3195
Trace Rules Database Version: 1205

Scan type : Complete Scan
Total Scan Time : 01:02:11

Memory items scanned : 461
Memory threats detected : 0
Registry items scanned : 5801
Registry threats detected : 96
File items scanned : 44120
File threats detected : 125

Trojan.Media-Codec
HKLM\Software\Classes\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\Implemented Categories
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\InprocServer32
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\IESPLUGIN.DLL
HKLM\Software\Classes\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISADD.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{84938242-5C5B-4A55-B6B9-A1507543B418}
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}
HKU\S-1-5-21-2974146706-2942328611-1021817841-1006\Software\Internet Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#Publisher
C:\Program Files\Video Access ActiveX Object\iesuninst.exe
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\ot.ico
C:\Program Files\Video Access ActiveX Object\pmunst.exe
C:\Program Files\Video Access ActiveX Object\ts.ico
C:\Program Files\Video Access ActiveX Object\uninst.exe
C:\Program Files\Video Access ActiveX Object
C:\WINDOWS\Prefetch\ISAMNTR.EXE-0F22D124.pf

Adware.Tracking Cookie

Adware.IST/ISTBar (Slotch Bar)
HKU\S-1-5-21-2974146706-2942328611-1021817841-1006\Software\IST

Adware.WebNexus
HKU\S-1-5-21-2974146706-2942328611-1021817841-1006\Software\intexp

Adware.Ezula
HKCR\EZulaBootExe.InstallCtrl
HKCR\EZulaBootExe.InstallCtrl\CLSID
HKCR\EZulaBootExe.InstallCtrl\CurVer
HKCR\EZulaBootExe.InstallCtrl.1
HKCR\EZulaBootExe.InstallCtrl.1\CLSID
HKCR\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}
HKCR\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0
HKCR\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\0
HKCR\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\0\win32
HKCR\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\FLAGS
HKCR\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}\1.0\HELPDIR
HKCR\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}
HKCR\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\ProxyStubClsid
HKCR\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\ProxyStubClsid32
HKCR\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\TypeLib
HKCR\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}\TypeLib#Version
HKCR\AppId\eZulaBootExe.EXE
HKCR\AppId\eZulaBootExe.EXE#AppID
HKCR\AppId\{C0335198-6755-11D4-8A73-0050DA2EE1BE}

Adware.IEPlugin
HKCR\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}
HKCR\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}\ProxyStubClsid
HKCR\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}\ProxyStubClsid32
HKCR\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}\TypeLib
HKCR\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}\TypeLib#Version
HKCR\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}
HKCR\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}\ProxyStubClsid
HKCR\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}\ProxyStubClsid32
HKCR\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}\TypeLib
HKCR\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}\TypeLib#Version
HKCR\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}
HKCR\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}\ProxyStubClsid
HKCR\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}\ProxyStubClsid32
HKCR\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}\TypeLib
HKCR\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}\TypeLib#Version
HKCR\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}
HKCR\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}\ProxyStubClsid
HKCR\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}\ProxyStubClsid32
HKCR\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}\TypeLib
HKCR\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}\TypeLib#Version
HKCR\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}
HKCR\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}\ProxyStubClsid
HKCR\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}\ProxyStubClsid32
HKCR\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}\TypeLib
HKCR\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}\TypeLib#Version
HKCR\Remove
C:\WINDOWS\lu.dat

Adware.Spyware Labs/Virtual Bouncer
C:\Program Files\VBouncer

Adware.ClearSearch
HKCR\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
HKCR\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0
HKCR\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\0
HKCR\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\0\win32
HKCR\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\FLAGS
HKCR\TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}\1.0\HELPDIR
C:\WINDOWS\SYSTEM32\C17B6S.DLL

Malware.SpyDawn
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\edaxFhwTHzxan
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32#ThreadingModel
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\mczoqBmuQb
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\Mtrl
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\ProgID
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\qtzyUuvoi
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\txvmk
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\uthqe
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\VersionIndependentProgID
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\YJdaGJiUrx

Adware.Spyware Labs
C:\WINDOWS\SYSTEM32\BO2802040113.DLL

Adware.MyWay
C:\WINDOWS\SYSTEM32\XCITE.DLL

Trace.Known Threat Sources
C:\Documents and Settings\shailesh mishra\Local Settings\Temporary Internet Files\Content.IE5\C12ZKHMV\news_top1[1].jpg


----------



## smart_guy (Mar 7, 2007)

System Alert icon is still there. Please let me know what to do next.

Following is the Hijack This scan log:

Logfile of HijackThis v1.99.1
Scan saved at 6:35:23 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\4144\SiteAdv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin.../storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r*.attbi.com;localhost
R3 - URLSearchHook: (no name) - {341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {33DA3B9A-A391-432E-B74C-FACB7DA6CCE6} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) - 
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50029/QDow.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://shaileshmishraji.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157038199006
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://59.160.81.51/Media/visitorchat/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - (no file)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## MFDnNC (Sep 7, 2004)

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a *folder* named *SmitfraudFix*) to your Desktop.

Next, please reboot your computer in *Safe Mode* by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non infected computer will remove your Desktop background.
==============================

Download EasyCleaner: http://www.majorgeeks.com/download414.html

Use the clear files and Unnecessary files buttons. *I do not recommend using the Duplicates files button*, as many dupes are there on purpose.

Not all files will delete; that is normal.

In the unnecessary button I check the top 4 entries.


----------



## smart_guy (Mar 7, 2007)

I am not able to start Windows in safe mode. I press F8 and I get the option to start Windows in safe mode. When I select the option, after a few seconds, I get the message that Windows cannot be started in safe mode, and then Windows starts in normal mode. Can I run the smitfraudfix commands in normal mode? Is there any other option?


----------



## MFDnNC (Sep 7, 2004)

Yes do it in normal


----------



## smart_guy (Mar 7, 2007)

I do not see the System Alert icon now. Do I also need to download Easy Cleaner? Do I need to do anything else?

Following is the output from smitfraudfix scan log:

SmitFraudFix v2.148

Scan done at 19:11:52.54, Wed 03/07/2007
Run from C:\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{634be415-da12-496b-b89e-329b73c4807f}"="cam"

[HKEY_CLASSES_ROOT\CLSID\{634be415-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\WINDOWS\system32\tvomnc.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{634be415-da12-496b-b89e-329b73c4807f}\InProcServer32]
@="C:\WINDOWS\system32\tvomnc.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\tvomnc.dll Deleted
C:\DOCUME~1\SHAILE~1\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Following is the output from hijack this scan log:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:46 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\4144\SiteAdv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r*.attbi.com;localhost
R3 - URLSearchHook: (no name) - {341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {33DA3B9A-A391-432E-B74C-FACB7DA6CCE6} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) - 
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50029/QDow.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON19106/flash.cab
O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501031120/BundleOuter2501031120.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://shaileshmishraji.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157038199006
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://59.160.81.51/Media/visitorchat/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - (no file)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## MFDnNC (Sep 7, 2004)

Yes run easy cleaner

Fix these with HiJackThis: mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - {341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe

O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) 

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50029/QDow.cab

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/...9106/flash.cab

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistI...2501031120.EXE

O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexi...eInstaller.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://59.160.81.51/Media/visitorchat/TLIEFlash.CAB

START - RUN - type in %temp% - OK - Edit - Select all - File - Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

*Please give feedback on what worked/didn't work and the current status of your system*


----------
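The triage step in the reply above (picking entries out of a HijackThis log) and the before/after comparison of two logs, as an added Python example that is not part of the thread and not the helper's own method. The log excerpts are taken from the logs posted in this thread; the allowlist `TRUSTED_SUFFIXES` and all function names are assumptions made for the illustration, and the output is a list of candidates for a closer look, not a verdict.

```python
import re
from urllib.parse import urlparse

# A HijackThis entry looks like "<section> - <body>", e.g. "O16 - DPF: {...} - http://..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Assumption: publishers this analyst expects ActiveX (DPF) downloads from.
TRUSTED_SUFFIXES = ("microsoft.com", "mcafee.com", "live.com")

# Excerpt of the log posted before the SmitfraudFix run.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - URLSearchHook: (no name) - {341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50029/QDow.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://59.160.81.51/Media/visitorchat/TLIEFlash.CAB
"""

# Same excerpt from the log posted after the SmitfraudFix run:
# the HKLM search-redirect entry is no longer present.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) -
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50029/QDow.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://59.160.81.51/Media/visitorchat/TLIEFlash.CAB
"""


def parse_entries(log_text):
    """Return (section, body) tuples; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body").rstrip()))
    return entries


def triage(entry):
    """Return the reasons (possibly none) an entry deserves a closer look."""
    section, body = entry
    reasons = []
    # The registry still points at a component whose file is gone.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        reasons.append("dangling reference")
    # O16 = downloaded program files (ActiveX); check where they came from.
    if section == "O16":
        m = URL_RE.search(body)
        if not m:
            reasons.append("no codebase URL")
        else:
            host = (urlparse(m.group()).hostname or "").lower()
            if IPV4_RE.match(host):
                reasons.append("codebase is a raw IP address")
            elif not any(host == s or host.endswith("." + s)
                         for s in TRUSTED_SUFFIXES):
                reasons.append("codebase host not on allowlist: " + host)
    return reasons


def report(log_text):
    """Return (section, body, reasons) for every entry with at least one reason."""
    flagged = []
    for entry in parse_entries(log_text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry[0], entry[1], reasons))
    return flagged


def removed_between(before_text, after_text):
    """Entries present in the earlier log but absent from the later one."""
    after = set(parse_entries(after_text))
    return [e for e in parse_entries(before_text) if e not in after]


if __name__ == "__main__":
    for section, body, reasons in report(AFTER_LOG):
        print(section, "|", "; ".join(reasons), "|", body)
    for section, body in removed_between(BEFORE_LOG, AFTER_LOG):
        print("removed by cleanup:", section, "-", body)
```
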



## smart_guy (Mar 7, 2007)

I have done the following. My system appears to be working normally. Do I need to do anything else?

- Ran easy cleaner

- Fixed the following with HiJackThis

R3 - URLSearchHook: (no name) - {341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe

O16 - DPF: {1d2a8890-3083-11d6-b649-00c04faedb18} (Oracle JInitiator 1.1.8.18) 

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50029/QDow.cab

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/...9106/flash.cab

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistI...2501031120.EXE

O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexi...eInstaller.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://59.160.81.51/Media/visitorchat/TLIEFlash.CAB

- START - RUN - type in %temp% - OK - Edit - Select all - File - Delete

- Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

- Empty the recycle bin

- Booted and did a scan using Hijack This from normal NOT safe mode

Following is the scan log from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:23:51 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r*.attbi.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {33DA3B9A-A391-432E-B74C-FACB7DA6CCE6} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://shaileshmishraji.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157038199006
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - (no file)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## MFDnNC (Sep 7, 2004)

Clean

If you feel it is fixed, mark it solved via Thread Tools above.

Turn off restore points, boot, turn them back on. Here's how:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


----------



## smart_guy (Mar 7, 2007)

Thanks a lot for your help. You are a Genius.


----------

