
Hijack This Logfile: Please Help Diagnose


16 replies to this topic

#1 barbtrd

barbtrd

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 06 February 2005 - 11:26 AM

Hello. I have the infected computer running in safe mode. It was the only way to get it started, otherwise it kept getting hung up with warnings about low virtual memory and attempts to get me to download spyware fixes in Internet Explorer windows. The last time the PC was turned on, a family member must have stumbled onto spyware because there were about 15 windows all open at once, all were sales pitches. I've been in this forum in the past with my own PC and fortunately have all of the recommended spyware software fixes here so was able to transfer them to the infected one and run Adware and Spybot. As you will see from Hijackthis logfile there is much more to be removed.

Logfile of HijackThis v1.97.3
Scan saved at 11:03:18 AM, on 2/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TrojanHunter 3.7\THGuard.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hphms.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.ebay.com/
O2 - BHO: (no name) - {10ABDCE8-0FE1-1F00-353B-C722D83B9139} - C:\WINDOWS\system32\netib32.dll
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cris.exe] C:\WINDOWS\system32\cris.exe
O4 - HKLM\..\Run: [4A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [4C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [4A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe 2 10001
O4 - HKLM\..\Run: [4C.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [jvummh] c:\windows\system32\jvummh.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvntu32.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [372R3mS] paqayx.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kfcpdoma] C:\WINDOWS\System32\kfcpdoma.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.hta
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx


Thank you.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,536 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:09 AM

Posted 06 February 2005 - 09:43 PM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site


Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when it's done, even if it crashes.

When it's done, run hijackthis again and post a new log.

#3 barbtrd


Posted 07 February 2005 - 07:25 AM

Did CWShredder first, here's new logfile. Thanks.

Logfile of HijackThis v1.99.0
Scan saved at 7:18:55 AM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hphms.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.royalsearch.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cris.exe] C:\WINDOWS\system32\cris.exe
O4 - HKLM\..\Run: [4A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [4C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [4A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe 2 10001
O4 - HKLM\..\Run: [4C.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [jvummh] c:\windows\system32\jvummh.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvntu32.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [372R3mS] paqayx.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kfcpdoma] C:\WINDOWS\System32\kfcpdoma.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.hta
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: mnhriyqohjor - Unknown - C:\WINDOWS\System32\zulytqbx5.exe

#4 Grinler


Posted 07 February 2005 - 10:55 AM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\WINDOWS\System32\zulytqbx5.exe

To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php, fill in the required fields, and browse to the file. Then click on the Send File button.


Now please Download LSPFix from:

LSP-Fix

Disconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing" Button and place all listings of c:\windows\system32\aklsp.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the finish button.

Then Reboot.

To see a tutorial on how to use this program click the link below:

Using LSP-Fix to remove LSP Spyware & Hijackers

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hphms.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.royalsearch.net/search.php?qq=%s
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [cris.exe] C:\WINDOWS\system32\cris.exe
O4 - HKLM\..\Run: [4A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [4C.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKLM\..\Run: [4A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe 2 10001
O4 - HKLM\..\Run: [4C.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [jvummh] c:\windows\system32\jvummh.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvntu32.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\cxtpls_loader.exe" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [372R3mS] paqayx.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [kfcpdoma] C:\WINDOWS\System32\kfcpdoma.exe
O4 - Global Startup: Microsoft Office.hta
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: mnhriyqohjor - Unknown - C:\WINDOWS\System32\zulytqbx5.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


C:\WINDOWS\system32\cris.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe
C:\WINDOWS\System32\tibs3.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe
C:\WINDOWS\System32\sm.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\4C.tmp.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
c:\windows\system32\jvummh.exe
C:\windows\system32\kalvntu32.exe
C:\WINDOWS\cxtpls_loader.exe
c:\windows\system32\paqayx.exe
C:\Program Files\AutoUpdate\
c:\windows\system32\wnim.dll
C:\WINDOWS\System32\kfcpdoma.exe
C:\WINDOWS\System32\zulytqbx5.exe

Reboot your computer to go back to normal mode and post a new log.

#5 barbtrd


Posted 07 February 2005 - 02:02 PM

The barbtrd.zip file is uploaded and I am now on the last phase of your original instructions. I am not yet connected back to the Internet on the infected PC - I'm sending this from another PC. Thanks again.

#6 barbtrd


Posted 07 February 2005 - 02:39 PM

I haven't connected that PC to the Internet yet. After I rebooted it in normal mode I can see 5 icons on the desktop that weren't there previously. They are the plain style icons and are named paco, c4t, eerre, preotect, wines. I can also see by this logfile that some things I deleted are back and it even looks like some new ones. Thank you for your help. This one is a huge puzzle to me.

Newest Logfile:

Logfile of HijackThis v1.99.0
Scan saved at 2:30:12 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\soft.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = mail.adelphia.net
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKCU\..\Run: [Iwt5RgeFl] osute.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

#7 Grinler


Posted 08 February 2005 - 03:47 PM

Fix these with hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hphms.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.royalsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hphms.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKCU\..\Run: [Iwt5RgeFl] osute.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

Reboot into safe mode and delete:

C:\WINDOWS\System32\soft.exe
C:\Program Files\Web_Rebates\
c:\windows\system32\osute.exe

Reboot and post a new log. You can delete those icons off of your desktop

#8 barbtrd


Posted 08 February 2005 - 08:12 PM

I followed your instructions and did all except that I couldn't find osute.exe to be able to delete it. As you can see there is still one 015 trusted zone line here but I've tried several times to delete it - both in safe mode and in regular and it just keeps coming back.

I'll keep the PC turned on but out of use until your next directive. Thanks. :thumbsup:

Logfile of HijackThis v1.99.0
Scan saved at 8:03:42 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = mail.adelphia.net
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

#9 Grinler


Posted 08 February 2005 - 10:54 PM

Download the attached zip file and unzip it to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz


Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\sm.exe


Reboot your computer to go back to normal mode and post a new log.

#10 barbtrd


Posted 09 February 2005 - 09:00 AM

I followed your instructions and booted into safe mode but when I opened hijackthis again the 015 line was missing. The three BHO files keep coming back, I tried to fix them twice but they are still present.

I could not find sm.exe in system32 folder but it was in the C directory so I deleted it from there.

I don't know if it's important but there are three other files on the C drive that were all created at the same time as the sm.exe and most of the other "problem" files we've been fixing. They are hcwckunx.exe, 4c55338e.exe and an html application named ntdetect.

Here's the latest hijackthis logfile:
Logfile of HijackThis v1.99.0
Scan saved at 8:52:42 AM, on 2/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = mail.adelphia.net
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

Thank you for helping.

#11 Grinler


Posted 09 February 2005 - 03:25 PM

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{631E335A-CBB2-BC4B-B039-E316B39F2731}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E6A802FF-0370-480C-9B66-398DB374FE07}]


Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.
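
The triage done by hand across the posts above, as an added example that is not part of the original thread: it parses HijackThis entry lines, reports which entries from a fix list are still present in the next log, builds the key-deletion .reg text for BHO entries whose file is missing, and flags Run entries that start from a Temp directory or carry no path. The log lines are excerpts from the logs posted in this thread; the function names and the two Run-entry heuristics are assumptions of this example, and the generated file spells out the full HKEY_LOCAL_MACHINE root-key name.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# "O4 - ..." style lines; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
BHO_RE = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.+?)\] (.+)$")
# .reg files are written here with the full root-key name.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# Excerpt of the O4 section of an early log in this thread.
EARLY_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\4A.tmp.exe 1 10001
O4 - HKLM\..\Run: [372R3mS] paqayx.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
"""

# Entries the helper asked to be fixed (post #9).
FIX_LIST = r"""
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\sm.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
"""

# Excerpt of the log posted after that fix (post #10).
LATER_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
"""


def parse_log(text):
    """Return the section-tagged entries of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def survivors(fixed, later):
    """Entries that were on the fix list but still show up in the later log."""
    later_set = set(later)
    return [e for e in fixed if e in later_set]


def orphaned_bhos(entries):
    """CLSIDs of O2 entries whose DLL is reported as '(no file)'."""
    out = []
    for e in entries:
        m = BHO_RE.match(e.text) if e.section == "O2" else None
        if m and m.group(2) == "(no file)":
            out.append(m.group(1).upper())
    return out


def build_reg(clsids):
    """REGEDIT4 text that deletes the BHO key of each CLSID."""
    lines = ["REGEDIT4", ""]
    lines += ["[-%s\\%s]" % (BHO_KEY, c) for c in clsids]
    return "\r\n".join(lines) + "\r\n"


def suspicious_run_entries(entries):
    """Heuristic only: Run values launched from Temp or given without a path."""
    hits = []
    for e in entries:
        m = RUN_RE.match(e.text) if e.section == "O4" else None
        if not m:
            continue
        name, command = m.group(1), m.group(2)
        if "\\temp\\" in command.lower():
            hits.append((name, "temp-dir"))
        elif "\\" not in command.split()[0]:
            hits.append((name, "bare-name"))
    return hits


if __name__ == "__main__":
    still_there = survivors(parse_log(FIX_LIST), parse_log(LATER_LOG))
    print(build_reg(orphaned_bhos(still_there)))
    print(suspicious_run_entries(parse_log(EARLY_LOG)))
```

The path heuristics miss entries such as tibs3, which sits in System32 with a full path, so they narrow a review rather than replace it.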

#12 barbtrd


Posted 09 February 2005 - 04:10 PM

Okay that's done. Here's a new hijack this log. I didn't reboot before I ran this log since you didn't say I should.

Logfile of HijackThis v1.99.0
Scan saved at 4:07:09 PM, on 2/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = mail.adelphia.net
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

#13 Grinler

Posted 09 February 2005 - 09:11 PM

Hi. Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

And press enter. You will now be presented with new information in the right section of the screen. Right click and delete the keys on the right side that are:

{631E335A-CBB2-BC4B-B039-E316B39F2731}
{9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE}
{E6A802FF-0370-480C-9B66-398DB374FE07}

Reboot and post a new log

#14 barbtrd

Posted 10 February 2005 - 08:11 AM

I foolishly attempted to connect to the Internet to download that file directly to the infected PC and the second I connected an "about blank" address appeared in the homepage window so I closed out immediately. I was then left with a new desktop appearance that was a spyware warning advertisement. I went back to plan A and downloaded the file to my own PC and transferred it to the infected one via disc. The fix apparently worked because the hijack this log showed that the BHO files were gone.

I then "viewed source" on the desktop and found a file called desktop.html so I deleted that from windows and deleted desktop.ini with it. I rebooted and now have a white desktop background that won't allow a windows desktop background pic to appear. The view source command shows the file called C_WINDOWS_desktop[1].html

The new hijack this log appears below and I have also copied the C_WINDOWS_desktop[1].html file. If you can help me get rid of this problem then it looks like I'll be all clear. Thank you for your help. This is my son's PC and he has been deployed overseas for the past year and another family member used it. I'd like to have it fixed before my son comes home in a few weeks.

Hijack this log:
Logfile of HijackThis v1.99.0
Scan saved at 7:58:32 AM, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = mail.adelphia.net
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
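
One way to check the removal discussed in this thread, as an added example that is not part of the original posts: a Python script that parses two HijackThis logs, lists O2 BHO entries marked "(no file)", and diffs all entries between the logs. The log excerpts are trimmed from the logs in posts #12 and #14, and the function names are hypothetical.

```python
import re

# Constructed excerpts, trimmed from the HijackThis logs in posts #12 and #14.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = mail.adelphia.net
O2 - BHO: (no name) - {631E335A-CBB2-BC4B-B039-E316B39F2731} - (no file)
O2 - BHO: (no name) - {9F2C6F1E-BD5A-5EB5-F5CB-FAB3F6ECE7CE} - (no file)
O2 - BHO: (no name) - {E6A802FF-0370-480C-9B66-398DB374FE07} - (no file)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = mail.adelphia.net
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Entry lines start with a section code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entries(log_text):
    """Return the set of (code, body) pairs; header and process lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return {(m.group("code"), m.group("body")) for m in matches if m}

def orphaned_bhos(log_text):
    """CLSIDs of O2 entries whose DLL no longer exists on disk ('(no file)')."""
    found = set()
    for code, body in parse_entries(log_text):
        clsid = CLSID_RE.search(body)
        if code == "O2" and body.endswith("(no file)") and clsid:
            found.add(clsid.group(0).upper())
    return found

def diff_logs(before, after):
    """Entries that disappeared from, or newly appeared in, the later log."""
    old, new = parse_entries(before), parse_entries(after)
    return {"removed": sorted(old - new), "added": sorted(new - old)}

if __name__ == "__main__":
    print("orphaned BHOs before:", sorted(orphaned_bhos(LOG_BEFORE)))
    print("orphaned BHOs after: ", sorted(orphaned_bhos(LOG_AFTER)))
    for kind, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for code, body in items:
            print(kind, code, body)
```

The diff also surfaces the new R0 Start Page entry, which is why the whole log is compared and not only the O2 lines.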

#15 Grinler

Posted 10 February 2005 - 09:53 AM

Good job! To fix your desktop simply right click on an empty portion of your desktop and click on properties to enter the display properties.

Then click on the Desktop tab, click Advanced, then click on Web. Remove the item listed in the Web section.



