Smitfraud Still Has My Computer! NOOOOO!


17 replies to this topic

#1 fathersdayfan

Posted 15 June 2005 - 10:37 PM

Hello!

I followed the "How to remove the Smitfraud" instructions on your other page, but I still have...

Blue screen
No IE
No access to Windows Explorer...I can't backup files onto CD...not good!

Here is my hJT log...can you help me?!?!?!?!?!?!?!?!?! It's almost father's day and I would really love to get my husband's computer back and working!!!

THANKS for your time, knowledge, experience, guidance, understanding!!!!



Logfile of HijackThis v1.99.1
Scan saved at 11:30:02 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\SBCSEL~1\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\SBC Self Support Tool\bin\mad.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.capella.edu/DEFAULT.ASPX"); (C:\Documents and Settings\Ted A. Jones\Application Data\Mozilla\Profiles\default\xbhvusj9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ted A. Jones\Application Data\Mozilla\Profiles\default\xbhvusj9.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {729087AF-F985-6D35-58ED-1A52E73988DF} - C:\WINDOWS\iptn.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect Home\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D04425A3-43FC-4C17-9873-87FD791D998A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D04425A3-43FC-4C17-9873-87FD791D998A} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F9B50E-2BEB-4D3F-ABB8-A829021F4F7C}: NameServer = 67.36.13.26 66.73.20.40
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE



Let me know what I can do...I'm at your mercy!!!

Talk with you later!

Mrs. My Husband is not Too Happy!


#2 OldTimer

    Malware Expert


Posted 16 June 2005 - 03:21 AM

Hello fathersdayfan and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {729087AF-F985-6D35-58ED-1A52E73988DF} - C:\WINDOWS\iptn.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D04425A3-43FC-4C17-9873-87FD791D998A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D04425A3-43FC-4C17-9873-87FD791D998A} - (no file) (HKCU)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\iptn.dll
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode just stay in Safe Mode until I tell you to reboot normally.

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

Reboot normally and run at least 2 of the following on-line virus scans:
Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean".

Step #6

AdAware SE v1.06

Download, install, update, configure and run a scan with Ad-aware SE v1.06:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
      • Under Definitions:
        • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include additional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window.
  • Right-click on the list and choose Select All
  • Click the Next button to finish removing the items that were found
  • When finished, REBOOT to complete the removal of what Ad-Aware SE found

Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 fathersdayfan

Posted 16 June 2005 - 11:04 AM

Good morning, OT:

Thanks for the info. I was able to complete some, but not all steps. Here's the "story:"

Step 1: Completed

Step 2: Completed

Step 3: Could not complete, because I cannot open Windows Explorer or My Computer. I do not have a "Start" menu and have been working through Windows Task Manager for everything that I have been doing. I did "browse" through Task Manager and did not find the file (c:\windows\iptn.dll), but I know that I may not be "seeing" everything.

Step 4: Completed (in Safe Mode)

Step 5: Could not complete, because I cannot open Internet Explorer. When I try to open IE via c:\programfiles\internetexplorer\iexplorer.exe, I get the "Windows cannot find.." warning message. All four of the sites you listed require IE to execute.

Step 6: Complete

Step 7: Here you go for the most current HJT



Logfile of HijackThis v1.99.1
Scan saved at 11:51:29 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SBCSEL~1\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\SBC Self Support Tool\bin\mad.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.capella.edu/DEFAULT.ASPX"); (C:\Documents and Settings\Ted A. Jones\Application Data\Mozilla\Profiles\default\xbhvusj9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ted A. Jones\Application Data\Mozilla\Profiles\default\xbhvusj9.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect Home\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F9B50E-2BEB-4D3F-ABB8-A829021F4F7C}: NameServer = 67.36.13.26 66.73.20.40
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE



Thanks again for your time and help! I am starting to have HOPE that we will get this back and going!!!

Also, will my donation go directly to you?!?
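
Added example (not part of the original thread, and not a participant's code): a small Python parser that diffs two HijackThis logs, flags entries whose target file is gone, and lists the running processes. It runs on lines copied from the 15 June and 16 June logs above; the function names are illustrative and the embedded logs are excerpts.

```python
import re

# Lines copied from the two HijackThis logs in this thread (excerpts, not the
# full logs). LOG_BEFORE: 15 June scan. LOG_AFTER: 16 June scan, after Step #2.
LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {729087AF-F985-6D35-58ED-1A52E73988DF} - C:\WINDOWS\iptn.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D04425A3-43FC-4C17-9873-87FD791D998A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D04425A3-43FC-4C17-9873-87FD791D998A} - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F9B50E-2BEB-4D3F-ABB8-A829021F4F7C}: NameServer = 67.36.13.26 66.73.20.40
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\EPOAgent\naimas32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SBCSEL~1\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\SBC Self Support Tool\bin\mad.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F9B50E-2BEB-4D3F-ABB8-A829021F4F7C}: NameServer = 67.36.13.26 66.73.20.40
"""

# An entry line is a section code (R0, N3, O2, O23 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# HijackThis marks entries whose target file is absent on disk.
DANGLING_RE = re.compile(r"\((?:file missing|no file)\)")


def parse_entries(log_text):
    """Return the scan entries of a log as a list of (code, body) tuples."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entries between two scans, in log order."""
    old, new = parse_entries(before), parse_entries(after)
    removed = [entry for entry in old if entry not in new]
    added = [entry for entry in new if entry not in old]
    return removed, added


def dangling(entries):
    """Entries that point at a file HijackThis could not find."""
    return [entry for entry in entries if DANGLING_RE.search(entry[1])]


def running_processes(log_text):
    """Lower-cased image names from the 'Running processes:' section."""
    names, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:          # a blank line ends the section
                break
            names.append(line.rsplit("\\", 1)[-1].lower())
    return names


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, body in removed:
        print("removed:", code, "-", body)
    for code, body in added:
        print("added:  ", code, "-", body)
    print("dangling before:", len(dangling(parse_entries(LOG_BEFORE))))
    print("explorer.exe running:", "explorer.exe" in running_processes(LOG_AFTER))
```
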

#4 OldTimer

Posted 16 June 2005 - 07:42 PM

Hi fathersdayfan. Your log is now clean so let's see if we can get your desktop and taskbar back. You might have to create the file below on a different computer and then put it on a floppy disk to run on the affected computer.

Open Notepad and copy/paste the text in the quotebox below into the new document:

Set WSHShell = WScript.CreateObject("WScript.Shell")

Message = "To work correctly, the script will close" & vbCR
Message = Message & "and restart the Windows Explorer shell." & vbCR
Message = Message & "This will not harm your system." & vbCR & vbCR
Message = Message & "Continue?"

X = MsgBox(Message, vbYesNo, "Notice")

If X = 6 Then

On Error Resume Next

WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2\"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop\"

WshShell.RegDelete "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\BarSize"

P1 = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"

WshShell.RegWrite p1 & "NoBandCustomize", 0, "REG_DWORD"
WshShell.RegWrite p1 & "NoMovingBands", 0, "REG_DWORD"
WshShell.RegWrite p1 & "NoCloseDragDropBands", 0, "REG_DWORD"
WshShell.RegWrite p1 & "NoSetTaskbar", 0, "REG_DWORD"
WshShell.RegWrite p1 & "NoToolbarsOnTaskbar", 0, "REG_DWORD"
WshShell.RegWrite p1 & "NoSaveSettings",0,"REG_DWORD"
WshShell.RegWrite p1 & "NoToolbarsOnTaskbar", 0, "REG_DWORD"
WshShell.RegWrite p1 & "NoSetTaskbar",0,"REG_DWORD"
WshShell.RegWrite p1 & "NoActiveDesktop",0,"REG_DWORD"
WshShell.RegWrite p1 & "ClassicShell",0,"REG_DWORD"

p1 = "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"

WshShell.RegWrite p1 & "NoCloseDragDropBands", 0, "REG_DWORD"
WshShell.RegDelete p1 & "NoMovingBands"

p1 = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"

WshShell.RegWrite p1, "explorer.exe", "REG_SZ"

p1 = "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\"
WshShell.RegDelete p1 & "BarSize"
WshShell.RegWrite p1, "Media Band", "REG_SZ"

On Error Goto 0

For Each Process in GetObject("winmgmts:"). _
ExecQuery ("select * from Win32_Process where name='explorer.exe'")
  Process.terminate(0)
Next

MsgBox "Finished." & vbcr & vbcr & "Done"

Else

MsgBox "No changes were made to your system." & vbcr & vbcr & "User Cancelled"

End If


Save the document to your desktop as fixdesktop.vbs and close Notepad. Locate the fixdesktop.vbs file on your desktop and double-click on it to run it.

Reboot your machine and see if your taskbar and desktop return.

Cheers.

OT

#5 fathersdayfan

Posted 16 June 2005 - 09:23 PM

Good evening, OT:

GREAT on having a clean log (that just doesn't sound right!!!).

I was not successful with this other one.

I was able to copy / paste the entire content of the Quote into a fixdesktop.vbs file, double click on that file that opened a small "Notice" window telling me, "To work correctly, the script will close and restart the Windows Explorer shell. This will not harm your system. Continue?" I said yes and got the "Finished. Done" message. After a reboot, I still have the all-blue screen, no start menu, no IE, no Windows Explorer.

What's next!?!?!?!

BTW...are we having fun yet!!?!!

Thank you, again, though, for all your help! You are keeping me focused on a positive outcome!

Mrs. Optimism!

#6 OldTimer

Posted 17 June 2005 - 12:31 AM

Hey fathersdayfan. We are always having fun!

Ok, let's try this:

Open Notepad and copy/paste the text in the quotebox below into the new document:

'Enable or Disable Desktop Icons

Message = "To work correctly, the script will close" & vbCR
Message = Message & "and restart the Windows Explorer shell." & vbCR
Message = Message & "This will not harm your system." & vbCR & vbCR
Message = Message & "Continue?"

X = MsgBox(Message, vbYesNo, "Notice")

If X = 6 Then

On Error Resume Next

Dim WSHShell, n, MyBox, p, t, errnum, vers
Dim itemtype
Dim enab, disab, jobfunc

Set WSHShell = WScript.CreateObject("WScript.Shell")
p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop"

itemtype = "REG_DWORD"

enab = "ENABLED"
disab = "DISABLED"
jobfunc = "Desktop Icons are now "

t = "Confirmation"
Err.Clear
n = WSHShell.RegRead (p)
errnum = Err.Number

if errnum <> 0 then

WSHShell.RegWrite p, 0, itemtype
End If


If n = 0 Then
n = 1
WSHShell.RegWrite p, n, itemtype
Mybox = MsgBox(jobfunc & disab & vbCR, 4096, t)
ElseIf n = 1 then
n = 0
WSHShell.RegWrite p, n, itemtype
Mybox = MsgBox(jobfunc & enab & vbCR, 4096, t)
End If


Set WshShell = Nothing

On Error GoTo 0

For Each Process in GetObject("winmgmts:"). _
ExecQuery ("select * from Win32_Process where name='explorer.exe'")
  Process.terminate(0)
Next

MsgBox "Finished." & vbcr & vbcr , 4096, "Done"

Else

MsgBox "No changes were made to your system." & vbcr & vbcr, 4096, "User Cancelled"

End If


Save the document to your desktop as desktop2.vbs and close Notepad. Locate the desktop.vbs file on your desktop and double-click on it to run it. Answer Yes to any prompts to enable the desktop.

Reboot your computer when the script finishes running and see if the desktop is back.

Cheers.

OT

#7 fathersdayfan

Posted 17 June 2005 - 08:22 AM

Good morning, OT:

I did not have any luck with getting my Desktop back, again.

I was wondering, when I Save the file in Notepad, there is an Encoding option (i.e., ANSI, Unicode, Unicode big endian, and UTF-8). I have just been using the first one listed; ANSI. Is this correct or should I save the file using one of the other Encoding options?

Otherwise, let me know my next steps!

I patiently await your continued wisdom and knowledge!!!

Mrs. Still Smiling

#8 OldTimer

Posted 17 June 2005 - 01:06 PM

Hi fathersdayfan. Ok, let's get a little information here. In your first post when you said you followed the directions on another page, what page was that and what exactly did you do at that time? Give me as much detail as possible such as files run, files deleted and settings changed. Since there are no signs of any infections at the moment there must be a problem with missing files or changes made that are preventing the desktop from appearing.

Cheers.

OT

#9 fathersdayfan

Posted 17 June 2005 - 06:47 PM

Good afternoon, OT:

The first sign of the infection was when I had the warning message "Security Warning. A fatal error in IE has occurred..."

I ran AdAware, but with the "normal" default settings (I had never gone in and changed any of the settings).

Then, when I rebooted my computer, I still had the "Security Warning, A fatal error in IE has occurred..." but this time I had lost access to my start menu, IE, and Windows Explorer.

I then found your web site and followed the instructions from the following page, which has a picture of the exact same "Security Warning. A fatal error in IE has occurred..." at the beginning of that thread:

http://www.bleepingcomputer.com/forums/How...sFY-t17258.html

Since then, I have used your instructions.

I know enough to get myself in trouble, but I also know to keep myself out of trouble (when I can). So I have not done anything otherwise (removing files, etc) to this computer.

Is there a way for me to "search" for another way to open Windows Explorer? I am afraid that there might be something "hidden" that I have not removed. But, I can't unhide "stuff" without having access to Explorer. Not really the most fun, if you know what I mean!

Looking forward to your next recommendation!

Mrs. Still Working With You!!!

Edited by fathersdayfan, 17 June 2005 - 06:48 PM.


#10 OldTimer

Posted 17 June 2005 - 09:06 PM

Hi fathersdayfan. When you go into the Task Manager and click on the Processes tab, is the Explorer.exe process running or missing from the list? (You can click on the Image Name column heading to sort the running processes by alphabetical name to make it easier.)

Also, let's get a different file manager for you to use until we can get Windows Explorer back up and running.

Download xplorer2 Lite and install it. This will give you a dual pane explorer so that you can at least view your drives files/folders.

Also, what happens when you boot to Safe Mode? Do you see your desktop there or is it a blank screen with no taskbar there also?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#11 fathersdayfan


Posted 17 June 2005 - 10:23 PM

Hi OT:

Thanks for the alternative Explorer! I quickly checked for any hidden files from the previous list and did not find them!

Safe Mode is the blank (black) screen with Safe Mode in the corners...no taskbar there either.

In Task Manager, Explorer.exe is missing from the list. Here is a copy (recreated) of what appears in the Processes tab of Task Manager:


ALG.EXE
CSRSS.EXE
ewidoctrl.exe
FIREFOX.EXE
FramworkService.exe
KodakCCS.exe
LSASS.EXE
mad.exe
MCSHIELD.EXE
MOTIVE~1.EXE
MotiveSB.exe
NAIMAS32.EXE
naPrdMgr.exe
SERVICES.EXE
SMSS.EXE
SPOOLSV.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
System
System Idle Process
TASKMGR.EXE
VSTSKMGR.EXE
WDFMGR.EXE
WINLOGON.EXE
WINWORD.EXE


Talk with you in a bit!

FDF

#12 OldTimer


Posted 17 June 2005 - 10:40 PM

Hi fathersdayfan. Ok, now we know what the problem is. Explorer.exe is the process that runs everything else. Use xplorer2 and navigate to c:\windows and see if explorer.exe is there. If it is not then we will need to get a copy out of the cache or somewhere else to put in there. If it is there then we will need to dig into the registry and find out what is blocking it from running.

All of the processes that show in the process list appear to be ok. The only one I have a question about is the mad.exe one. That can be a legit file but it can also be an infection.

Hmm. Just thought of something else while I was typing this. Let's try this too while we are at it:

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer.

Let me know what happens.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
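
As an added illustration (not code from this thread or from any tool named in it): when an Image File Execution Options subkey for a program carries a Debugger value, Windows launches that command instead of the program, which is why deleting the subkeys with regfix.reg can let explorer.exe start again. This Python sketch scans a registry export for such values; the function names and the sample export are constructed for the example.

```python
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

# Constructed sample export (REGEDIT4 format); values are placeholders, not from the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\placeholder\\missing.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe]
"debugger"="\"C:\\placeholder dir\\x.exe\" /q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from REGEDIT4-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # "[-KEY]" deletes a key (the regfix.reg form); it carries no values.
            current = None if path.startswith("-") else keys.setdefault(path, {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def find_ifeo_debuggers(text):
    """List (image_name, debugger_command) for IFEO subkeys that set Debugger."""
    prefix = IFEO.lower() + "\\"
    hits = []
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(prefix):
            continue
        for name, raw in values.items():
            if name.lower() == "debugger" and raw.startswith('"'):
                # Strip the quotes and undo the .reg escaping of \ and ".
                cmd = re.sub(r"\\(.)", r"\1", raw[1:-1])
                hits.append((path[len(prefix):], cmd))
    return hits

if __name__ == "__main__":
    for image, cmd in find_ifeo_debuggers(SAMPLE_EXPORT):
        print(f"{image}: launches {cmd!r} instead")
```

A subkey that only sets other values, such as the notepad.exe entry in the sample, is not reported.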


#13 fathersdayfan


Posted 17 June 2005 - 11:29 PM

Hello, OT:

IT WORKED AND I HAVE THE MAJORITY OF MY DESKTOP BACK! I have the Start Menu, quick launch menu, clock, but I cannot view any of the items that should appear on the desktop (i.e., My Computer, trash can, files saved to the desktop). Ultimately, though, I'm trying to hold back the excitement!!!

I was also able to open Windows Explorer and even copy / paste some files onto a CD! So, that appears to be working, also!

The only thing, though, is that I cannot get Internet Explorer to open. I have found the iexplorer.exe file in C:\program files\iexplorer.exe. However, when I double click directly on that file (the file via the Start menu did not work), I get a message that reads:

Windows cannot find 'C:\Program Files\Internet Explorer\iexplore.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Finally, I have no idea what MAD.EXE might be for. I have looked through the various programs on my computer and nothing comes close. Hold on...I just did a quick search on the Internet and found that this is some file for a Microsoft Exchange Server. This makes sense based on launching one of Microsoft's programs while connected to my office.

We're really close!!!

Mrs. So Very Happy!

Edited by fathersdayfan, 17 June 2005 - 11:50 PM.


#14 OldTimer


Posted 18 June 2005 - 11:36 AM

Hi fathersdayfan. Ok, to show the desktop icons check this. Right-click on the desktop and choose Arrange Icons By item. If there is not a checkmark next to Show Desktop Icons then click on it.

Next let's work on Internet Explorer.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now open Windows Explorer (or xplorer2) and navigate to c:\windows\inf. Locate the ie.inf and right-click on it. Choose Install from the popup menu and let it reinstall. When it is finished go to the Windows Update site and install all Critical Updates that are available.

Post back with your results, a new HijackThis log and any further problems you are having.

Cheers.

OT

Edited by OldTimer, 18 June 2005 - 11:36 AM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#15 fathersdayfan


Posted 18 June 2005 - 09:37 PM

Good evening, OT:

Well, it's almost Father's Day and you almost have this computer back and running like it was!!!

Here's the latest that I have determined:

Desktop: I cannot right click or anything else on the desktop to open a menu. I can, though, still open files that were saved on the desktop via Explorer.

Internet Explorer: I do not have a specific folder or file that I can use to open IE, but I have figured out that if I open the Windows Update menu item it automatically launches IE. So, I know that it is working on this computer, but I do not know where to create a menu or short-cut to open it any other way.

Finally, here is my most recent copy of my HJT log:



Logfile of HijackThis v1.99.1
Scan saved at 10:30:21 PM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\iPass\iPassConnect Home\downloader\ipccheck.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\EPOAgent\naimas32.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\SBC Self Support Tool\bin\mad.exe
C:\PROGRA~1\SBCSEL~1\ASSTCO~1\MOTIVE~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://online.franklin.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Franklin University
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.capella.edu/DEFAULT.ASPX"); (C:\Documents and Settings\Ted A. Jones\Application Data\Mozilla\Profiles\default\xbhvusj9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ted A. Jones\Application Data\Mozilla\Profiles\default\xbhvusj9.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [iPCCheck] "C:\Program Files\iPass\iPassConnect Home\downloader\ipccheck.exe" /startup
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://online.franklin.edu
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F9B50E-2BEB-4D3F-ABB8-A829021F4F7C}: NameServer = 67.36.13.26 66.73.20.40
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NAI ePolicy Orchestrator Agent (NAIMAGENT32) - Network Associates, Inc. - C:\EPOAgent\naimas32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE



Otherwise, I hope that you enjoy your father's day tomorrow, whether it be that you are a father, with your father, or anyone else that has earned the right to have his day be tomorrow!

Talk with you later!

Mrs. Happy Dance!



