Desktop Note Pad...

12 replies to this topic

#1 mistressbluz

Posted 24 July 2006 - 08:40 PM

Hi everyone, I haven't been here for quite a while. You guys are truly awesome, and most of the time when I run everything that you've taught me, I don't seem to run into any problems. Lately, though, every time someone starts up the system, even under different users, the first thing to pop up is a blank desktop notepad square. I've tried to look up some information about this without success. Here is a copy of my HijackThis log; any ideas or suggestions would be most appreciated. It's not interfering with anything, it's more annoying than anything, and I can't seem to figure out how to get it to stop..... God Bless.... Tam

Logfile of HijackThis v1.99.1
Scan saved at 9:32:21 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mycablespeed.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Branden Plummer\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141959034171
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://dell.kodakgallery.com/downloads/BUM..._1/axofupld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"What doesn't kill you, Makes you stronger"

#2 mistressbluz

Posted 26 July 2006 - 02:45 PM

I KNOW YOU GUYS ARE EXTREMELY BUSY!! BUT, Does ANYONE KNOW WHAT IS GOING ON AND WHAT I NEED TO FIX?? PLEASE LET ME KNOW!! Huggles :thumbsup:

#3 Grinler (Lawrence Abrams, Admin)

Posted 03 August 2006 - 12:10 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A HijackThis Log

#4 mistressbluz

Posted 03 August 2006 - 03:51 PM

Thank you for replying, Grinler.. here's a new HijackThis log, I hope it helps.. and I have read the instructions and have all of those Ad-Aware and spyware etc..... but it seems like every time one of us gets on the system, the first thing that pops up is a blank, empty desktop notepad.. I've even opened it fully to see what it entails and nothing is there at all.... Any help you can give me would be greatly appreciated..... Huggles... Tam

Logfile of HijackThis v1.99.1
Scan saved at 4:47:35 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mycablespeed.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\gui1.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Branden Plummer\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141959034171
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://dell.kodakgallery.com/downloads/BUM..._1/axofupld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

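A triage helper for the two HijackThis logs above, added here as an example and not part of the thread, of HijackThis or of BleepingComputer: it parses the `Oxx -` / `Rx -` entry lines, diffs the 24 July and 3 August scans to show what changed between them, and flags the entries a helper usually checks first (`(file missing)`, `Unknown owner`, unresolved `= ?` shortcuts, user-writable paths). The sample lines are excerpts copied from the thread's own logs; the flag heuristics are this example's, not HijackThis output.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example, not code from the thread, from HijackThis or from BleepingComputer.
It parses the 'Oxx - ' and 'Rx - ' entry lines, diffs two scans of the same
machine so a helper can see what changed between the first log and the "brand
new" one, and flags entries worth a first look. The flag heuristics are this
example's own; the sample lines are excerpts copied from the thread's two logs.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section name path raw")

# Every HijackThis entry line starts with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# First Windows path in the entry (quoted or bare), up to a known extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|lnk|htm|cab))\b', re.I)
# Locations a startup entry normally has no business running from.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


def _name_of(rest):
    """Pull the human-readable entry name out of the section-specific layout."""
    m = re.match(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[([^\]]+)\]", rest)
    if m:                       # O4 - HKLM\..\Run: [Name] path
        return m.group(1)
    if ": " in rest:            # O2/O3/O9/O20/O23: "Kind: Name - ... - path"
        after = rest.split(": ", 1)[1]
        return after.split(" - ")[0].split(" = ")[0].strip()
    return rest.split(" = ")[0].strip()   # R0/R1: "Key,Value = data"


def parse_hjt(text):
    """Return the entry lines of a HijackThis log as Entry records, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                # header lines, "Running processes:", etc.
        code, rest = m.groups()
        found = PATH_RE.search(rest)
        entries.append(Entry(code, _name_of(rest),
                             found.group(1) if found else None, line.strip()))
    return entries


def _key(entry):
    return (entry.section, entry.name.lower(), (entry.path or "").lower())


def diff_logs(old_text, new_text):
    """Entries that appeared and disappeared between two scans of one machine."""
    old = {_key(e): e for e in parse_hjt(old_text)}
    new = {_key(e): e for e in parse_hjt(new_text)}
    added = [e for k, e in new.items() if k not in old]
    removed = [e for k, e in old.items() if k not in new]
    return added, removed


def triage(entry):
    """Reasons a helper would look at this entry first; empty list if none."""
    reasons = []
    low = entry.raw.lower()
    if "(file missing)" in low:
        reasons.append("file missing: orphaned entry, or a file the scan could not see")
    if "unknown owner" in low:
        reasons.append("service with no recognised publisher")
    if entry.section == "O4" and entry.raw.endswith("= ?"):
        reasons.append("startup shortcut whose target could not be resolved")
    if entry.path and any(tag in entry.path.lower() for tag in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    return reasons


def triage_report(text):
    """Map each flagged entry's raw line to its list of reasons."""
    return {e.raw: triage(e) for e in parse_hjt(text) if triage(e)}


# Excerpts copied from the thread's 24 July log (first post) ...
LOG_JULY = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.mycablespeed.com/index.php
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe
O4 - HKCU\\..\\Run: [DellSupport] "C:\\Program Files\\Dell Support\\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: MSMPSVC - Unknown owner - C:\\Program Files\\Microsoft Windows OneCare Live\\Antivirus\\MSMPSVC.exe" -n 4 (file missing)
"""
# ... plus the one entry the 3 August log (post #4) added on top of them.
LOG_AUGUST = LOG_JULY + "O4 - Startup: IMVU.lnk = C:\\Program Files\\IMVU\\gui1.exe\n"

if __name__ == "__main__":
    for entry in diff_logs(LOG_JULY, LOG_AUGUST)[0]:
        print("new since the first scan: " + entry.raw)
    for raw, reasons in triage_report(LOG_AUGUST).items():
        print(raw + "\n   -> " + "\n   -> ".join(reasons))
```

Run on the full logs, the diff shows only the IMVU startup entry as new, and the `(file missing)` OneCare service and the unresolved Digital Line Detect shortcut are the entries flagged for a closer look.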
#5 Grinler (Lawrence Abrams, Admin)


Posted 03 August 2006 - 04:01 PM

Download Silentrunners.zip from:

http://www.silentrunners.org/

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run. When it asks if you want to skip the supplemental search tests, press the No button.

When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

#6 mistressbluz


Posted 04 August 2006 - 12:53 AM

Okies Mr. Grinler, here's what you asked me for.. Hope it helps me, because that may not seem like a lot to some people, but whenever we open something and that blank desktop comes up, it's rather annoying.. Hugs to you and thanks.. Tam! :thumbsup:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"MimBoot" = "C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" ["Musicmatch, Inc."]
"MMTray" = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"" ["Musicmatch, Inc."]
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"OneCareUI" = ""C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Creative WebCam Tray" = "C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" ["Creative Technology Ltd"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"
-> {HKLM...CLSID} = "Portable Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]
"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"
-> {HKLM...CLSID} = "Portable Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
fkkqxtxk\(Default) = "{53b0e92b-a60b-4fbe-a883-d033da780791}"
-> {HKLM...CLSID} = "ejjirurj.class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\fkklw.dll" [file not found]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]


Startup items in "" & "All Users" startup folders:
----------------------------------------------------------------

C:\Documents and Settings\\Start Menu\Programs\Startup
"IMVU" -> shortcut to: "C:\Program Files\IMVU\gui1.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Run Full System Scan - " -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
"{C4069E3A-68F1-403E-B40E-20066696354B}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{D9288080-1BAA-4BC4-9CF8-A92D743DB949}\
"ButtonText" = "Run IMVU"
"Exec" = "C:\Documents and Settings\Branden Plummer\Start Menu\Programs\IMVU\Run IMVU.lnk" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "*b" (unwritable string)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Microsoft Protection Service, msfwsvc, ""C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"" [MS]
MSMPSVC, MSMPSVC, ""C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Norton Protection Center Service, NSCService, ""C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows Live OneCare, winss, "C:\Program Files\Microsoft Windows OneCare Live\winss.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 41 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 8 seconds.
---------- (total run time: 75 seconds)
"What doesn't kill you, Makes you stronger"

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 04 August 2006 - 09:17 AM

Did you install Windows One Care on your computer?

Also download the attached reg file and save it to your desktop. Once saved, double-click on it and allow it to merge the data.

We are probably going to have to disable your startup items in msconfig one at a time until we find the culprit. I don't think this is malware but rather a buggy startup program.

Let's just check for one thing before we try that step:


* Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.

Attached Files



#8 mistressbluz

mistressbluz
  • Topic Starter

  • Members
  • 90 posts
  • Location:Maryland

Posted 04 August 2006 - 12:54 PM

Yes Sir I did download Windows OneCare, please don't tell me that was a no no...I was concerned about that myself because a lot of times when it's running, my Spybot and Norton can't obtain upgrades, if it's bad please let me know, I'll delete it ASAP, I have the most faith in you all n what you do here...Anyway, here's a copy of what you asked for, hope I did it correctly...Hugs to you...Tam!

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-04 13:51:12
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 821C11F8 ZwConnectPort
SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwCreateProcessEx
SSDT SSI.SYS ZwDeleteKey
SSDT SSI.SYS ZwDeleteValueKey
SSDT SSI.SYS ZwRenameKey
SSDT SSI.SYS ZwSetInformationKey
SSDT SSI.SYS ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [F830A20C] SSI.SYS
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1642008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F897D661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN [F897D661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F897D661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN [F897D661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN [F897D661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SHUTDOWN [F897D661] prosync1.sys
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E158CCE8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [F830A20C] SSI.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [A9B69D30] tfsnifs.sys

---- Files - GMER 1.0.10 ----

File C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat
File C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov
File C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\prov.xml
File C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\Service.xml
File C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\service.xml.bak
File C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\user.xml
File C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\user.xml.bak
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}

---- EOF - GMER 1.0.10 ----
"What doesn't kill you, Makes you stronger"
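A small triage script for the two logs pasted in this thread, added here as an example; it is not part of the original posts and is not code from the Silent Runners or GMER tools. It pulls out the Silent Runners launch points whose file is missing (the `[file not found]` entries in the earlier log) and groups GMER's SSDT and device IRP hooks by the module that owns them, so a helper can see which hooks belong to a named driver and which GMER could attribute only to an address. The sample lines are copied from the thread; the line shapes the parser expects are the ones shown here, which is an assumption for other versions of either tool.

```python
import re
from collections import defaultdict

# Constructed samples: lines copied (and trimmed) from the Silent Runners
# listing and the GMER "Rootkit" output pasted in this thread.
SILENT_RUNNERS_SAMPLE = r"""
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
fkkqxtxk\(Default) = "{53b0e92b-a60b-4fbe-a883-d033da780791}"
-> {HKLM...CLSID} = "ejjirurj.class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\fkklw.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"""

GMER_SAMPLE = r"""
---- System - GMER 1.0.10 ----

SSDT 821C11F8 ZwConnectPort
SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F830A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F830A20C] SSI.SYS
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1642008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F897D661] prosync1.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [A9B69D30] tfsnifs.sys
"""

# Line shapes as they appear in the thread (an assumption for other tool versions).
KEY_RE = re.compile(r"^HK[A-Z]+\\.*\\$")                    # registry key header line
MISSING_RE = re.compile(r'"([^"]*)"\s*\[file not found\]')  # quoted value whose file is gone
HEX_RE = re.compile(r"^[0-9A-F]{8}$")                       # bare 32-bit address
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)$")
DEVICE_RE = re.compile(
    r"^Device\s+\\\S+\s+(?P<device>\\\S+)\s+IRP_MJ_\S+\s+"
    r"(?:\[[0-9A-F]{8}\]\s+(?P<module>\S+)|[0-9A-F]{8})$"
)
UNKNOWN = "(address only, no module name)"

def silent_runners_missing_files(text):
    """Return (registry key, value) pairs whose referenced file is absent.
    Silent Runners tags every entry at some launch points "INFECTION WARNING!",
    hostile or not, so that tag alone is noise; a launch point whose target
    file no longer exists is the thing worth a second look."""
    current_key, missing = None, []
    for line in text.splitlines():
        if KEY_RE.match(line):
            current_key = line
            continue
        for value in MISSING_RE.findall(line):
            missing.append((current_key, value))
    return missing

def gmer_hooks_by_module(text):
    """Group GMER SSDT and device-IRP hooks by owning module:
    {module: {"ssdt": [function, ...], "devices": {device: hook_count}}}.
    Hooks GMER could attribute only to an address land under UNKNOWN."""
    hooks = defaultdict(lambda: {"ssdt": [], "devices": defaultdict(int)})
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            owner, function = m.groups()
            hooks[UNKNOWN if HEX_RE.match(owner) else owner]["ssdt"].append(function)
            continue
        m = DEVICE_RE.match(line)
        if m:
            hooks[m.group("module") or UNKNOWN]["devices"][m.group("device")] += 1
    return {mod: {"ssdt": v["ssdt"], "devices": dict(v["devices"])}
            for mod, v in hooks.items()}

def triage(silent_runners_text, gmer_text):
    """The short summary a helper would read before the full logs."""
    lines = [f"missing file at launch point: {value}  (under {key})"
             for key, value in silent_runners_missing_files(silent_runners_text)]
    for module, h in sorted(gmer_hooks_by_module(gmer_text).items()):
        lines.append(f"{module}: {len(h['ssdt'])} SSDT hooks, "
                     f"{sum(h['devices'].values())} IRP hooks on {len(h['devices'])} devices")
    return lines
```

Run `print("\n".join(triage(SILENT_RUNNERS_SAMPLE, GMER_SAMPLE)))` to get the two missing-file launch points and one summary line per hooking module; which product a named driver belongs to is still a separate lookup against the installed software shown in the rest of the Silent Runners log.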

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 04 August 2006 - 02:06 PM

Hi Tam..no, one care is ok to have. Just wanted to make sure it was not malware trying to disguise itself.

I want you to click on Start, then Run, and type msconfig and then press the OK button. When msconfig opens, click on the Startup tab. Then click on the Disable All button and then Apply and OK. If it asks to reboot, allow it to do so. When the computer reboots now that everything is disabled, does Notepad still open?

#10 mistressbluz

mistressbluz
  • Topic Starter

  • Members
  • 90 posts
  • Location:Maryland

Posted 04 August 2006 - 10:41 PM

Yes sir Mr. Grinler, when I Disabled All, Notepad did not come up at startup of the computer at all..Now my next question is this, you're getting sick of me right?? LOL, Because we did that, I need to enable Norton and all other applications manually, correct? Let me know please and TY TY TY sooo much, I can't tell you how bothersome that notepad coming up all the time was, I thought it was some type of virus or something, and also TY for letting me know that Windows OneCare is fine...Hugs to you..Tam!
"What doesn't kill you, Makes you stronger"

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 04 August 2006 - 10:47 PM

No you are not bothering me even one bit :thumbsup: That's why we are here!

Ok here comes the tedious part. Go back into msconfig, click on the Startup tab, and enable the first item. Press Apply and then OK and reboot when it says.

Now, I need you to do this process over and over with each startup entry in msconfig until you enable one, reboot, and then Notepad opens. At that point we will know that the entry that you started previously is the one causing the problem.

Once you determine that, let me know the msconfig entry that is opening the notepad.

Does this make sense?

#12 mistressbluz

mistressbluz
  • Topic Starter

  • Members
  • 90 posts
  • Location:Maryland

Posted 06 August 2006 - 02:13 PM

Yes Sweetie that makes a lot of sense, because I don't know what happened but everything is coming back up again, so I'm gonna try this again..Urghhh....I'm glad I'm not bothering you, but this is just soo very frustrating..Hugs to you!! Tam!
"What doesn't kill you, Makes you stronger"

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 06 August 2006 - 07:30 PM

Let me know how it goes. One of these entries in the Startup tab is starting the Notepad. Just gotta figure out which one.



