
Winfixer [HijackThis log]

Discussion in 'Malware and Virus Removal Archive' started by autismmommy, 2005/09/18.

  1. 2005/10/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    For some reason the last runs.bat I uploaded didn't save the changes right and it was the same as one I had you run already. I've fixed that. Please download and run again. Did you delete the runs.txt file from your desktop before re-running the new runs.bat? It's important that you do.
     
  2. 2005/10/03
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    Yes, I deleted it. Here's the log.


    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    DebugOptions REG_SZ 2048
    Documents REG_SZ
    DosPrint REG_SZ no
    NetMessage REG_SZ no
    NullPort REG_SZ None
    Programs REG_SZ com exe bat pif cmd
     


  4. 2005/10/03
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    Here's my HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:13:46 PM, on 10/3/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
     
  5. 2005/10/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Shari,

    Log looks good. Fix the following.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Are those odd entries still on the startup tab of msconfig?
     
  6. 2005/10/03
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    I ran HJT and that entry was not there. I restarted my comp in between those times, so maybe it fixed itself... and yes, those square things are still in msconfig... Here's the log.

    Thanks Shari

    Logfile of HijackThis v1.99.1
    Scan saved at 9:59:57 PM, on 10/3/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
     
  7. 2005/10/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've uploaded another runs.bat to look at more keys (and re-visit others). Please download, run and post its log.
     
  8. 2005/10/03
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs REG_SZ
    DeviceNotSelectedTimeout REG_SZ 15
    GDIProcessHandleQuota REG_DWORD 0x2710
    Spooler REG_SZ yes
    swapdisk REG_SZ
    TransmissionRetryTimeout REG_SZ 90
    USERProcessHandleQuota REG_DWORD 0x2710

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DebugOptions REG_SZ 2048
    Documents REG_SZ
    DosPrint REG_SZ no
    NetMessage REG_SZ no
    NullPort REG_SZ None
    Programs REG_SZ com exe bat pif cmd

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PopUpStopperFreeEdition REG_SZ "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    avast! REG_SZ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
    RemoteControl REG_SZ "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    SunJavaUpdateSched REG_SZ C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
    SunKistEM REG_SZ C:\Program Files\Digital Media Reader\shwiconem.exe

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
     
  9. 2005/10/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Everything appears to be in order. :confused:

    Please open msconfig, startup tab, make sure those two entries are visible and press Alt+PrntScrn (print screen). Now open Paint, click Edit>Paste. Save it and email me a copy please.
     
  10. 2005/10/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's try this. Open msconfig and check those entries, then apply. If they stay checked, do NOT allow restart. Run the runs.bat again and post the log.
     
  11. 2005/10/04
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    They stayed checked, but the runs.bat link is not working... it goes to geeks.com and it says it's not available... Shari
     
  12. 2005/10/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Oops....I took it down. If you still have the last one, just run it. If not, I uploaded again. ;)
     
  13. 2005/10/04
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    I sent you an email. My comp went cuckoo a minute ago, but here's the runs log... Shari



    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs REG_SZ
    DeviceNotSelectedTimeout REG_SZ 15
    GDIProcessHandleQuota REG_DWORD 0x2710
    Spooler REG_SZ yes
    swapdisk REG_SZ
    TransmissionRetryTimeout REG_SZ 90
    USERProcessHandleQuota REG_DWORD 0x2710

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DebugOptions REG_SZ 2048
    Documents REG_SZ
    DosPrint REG_SZ no
    NetMessage REG_SZ no
    NullPort REG_SZ None
    Programs REG_SZ com exe bat pif cmd

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PopUpStopperFreeEdition REG_SZ "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    avast! REG_SZ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
    RemoteControl REG_SZ "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    SunJavaUpdateSched REG_SZ C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe
    SunKistEM REG_SZ C:\Program Files\Digital Media Reader\shwiconem.exe

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
     
  14. 2005/10/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Still not showing up. :mad:

    Please download Startup Control Panel (the stand-alone is fine). Run it and see if those entries show up and can be deleted by right clicking the entry.
     
  15. 2005/10/04
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    Nope I don't see them

    startup (user) limewire
    startup common big fix and adobe
    hklm/run avast quicktime remote control sunjava and sunkist
    hkcu/run popup stopper
    run once (empty)
    deleted (empty)

    That's what I got... Shari
     
  16. 2005/10/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download msconfig.bat to your desktop and run. Post the contents of the log it creates.
     
  17. 2005/10/04
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "=" "
    "hkey "= "HKLM "
    "command "=" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]
    "key "= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows "
    "item "= "Ỹ ﭬ粐ﭱ粐ư
    粐粐⻸ ཆ粑 "
    "hkey "= "HKCU "
    "command "= "Ỹ ﭬ粐ﭱ粐ư
    粐粐⻸ ཆ粑 "
    "inimapping "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run]
    "key "= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows "
    "item "= "Ỹ ﭬ粐ﭱ粐ư
    粐粐⻸ ཆ粑 "
    "hkey "= "HKCU "
    "command "= "Ỹ ﭬ粐ﭱ粐ư
    粐粐⻸ ཆ粑 "
    "inimapping "= "1 "
     
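The export above is msconfig's own cache of what it shows on the Startup tab: each subkey under `startupreg` is one cached item, and the `Load` and `Run` subkeys hold string data that is plainly garbage (letters from several scripts, and a raw line break inside the value). The Python below is an added example, not code from the thread and not noahdfear's msconfig.bat or msconfig.reg, whose contents are not on the page. It parses a regedit export (using the canonical `"name"="value"` spacing regedit writes, so the stray spaces in the pasted copy would have to be removed first), splices a string value back together when its data spans lines, flags entries whose item or command text mixes scripts or contains control characters, and builds a .reg that deletes only the flagged cache subkeys, the same kind of cleanup the next post applies. The sample export is constructed for the example; its mixed-script text is modelled on the posted entries, and the script-mixing check is a heuristic.

```python
import re
import unicodedata

# msconfig caches its Startup-tab list here; each subkey mirrors one startup item.
STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
_NAME_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=<rest of line>
_CLOSED_STR = re.compile(r'((?:[^"\\]|\\.)*)"')            # string body + closing quote


def parse_reg_export(text):
    """{key_path: {name: data}} for REG_SZ values in a regedit .reg export. A string
    whose data holds a raw newline (as the garbled entries did) is joined back together."""
    keys, current, pending, buf = {}, None, None, []
    for line in text.splitlines():
        if pending is not None:                       # unclosed string continues here
            buf.append(line)
            m = _CLOSED_STR.fullmatch("\n".join(buf))
            if m:
                keys[current][pending] = re.sub(r"\\(.)", r"\1", m.group(1))
                pending, buf = None, []
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _NAME_VALUE.match(line)
        if m and current is not None and m.group(2).startswith('"'):  # dword:/hex: skipped
            name, body = m.group(1), m.group(2)[1:]
            closed = _CLOSED_STR.fullmatch(body)
            if closed:
                keys[current][name] = re.sub(r"\\(.)", r"\1", closed.group(1))
            else:
                pending, buf = name, [body]
    return keys


def looks_garbled(s):
    """Heuristic: control/private-use/unassigned code points, or letters from more
    than one script. A single non-Latin script passes, so localized names are fine."""
    if any(unicodedata.category(c) in ("Cc", "Co", "Cn") for c in s):
        return True
    scripts = {unicodedata.name(c, "?").split()[0] for c in s
               if unicodedata.category(c).startswith("L")}
    return len(scripts) > 1


def audit_startupreg(reg_export_text):
    """(subkey, item, command) for every startupreg entry with garbled text."""
    prefix, findings = STARTUPREG.lower() + "\\", []
    for path, vals in parse_reg_export(reg_export_text).items():
        if not path.lower().startswith(prefix):       # parent key or unrelated key
            continue
        item, cmd = vals.get("item", ""), vals.get("command", "")
        if looks_garbled(item) or looks_garbled(cmd):
            findings.append((path[len(prefix):], item, cmd))
    return findings


def removal_reg(findings):
    """A .reg that deletes only the flagged cache subkeys ([-key] removes a key);
    the real Run keys that msconfig mirrors are never touched."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for sub, _, _ in findings:
        lines += ["[-" + STARTUPREG + "\\" + sub + "]", ""]
    return "\r\n".join(lines)


# Constructed sample modelled on the export in the thread (canonical regedit spacing).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="Ỹ ﭬ粐ﭱ粐ư
粐粐⻸ ཆ粑"
"hkey"="HKCU"
"command"="Ỹ ﭬ粐ﭱ粐ư"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
'''

if __name__ == "__main__":
    flagged = audit_startupreg(SAMPLE_EXPORT)
    for sub, item, _ in flagged:
        print("flag:", sub, repr(item))
    print(removal_reg(flagged))
```

Run it as-is and it prints the one flagged subkey (`Load`) and a two-line deletion .reg for it; point `audit_startupreg` at a real export of the `startupreg` key and review the findings before merging anything, since the heuristic only looks at the text of the cached entry, not at whether the program it names is wanted.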
  18. 2005/10/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download msconfig.reg to your desktop. Double click and allow it to merge with the registry. Reboot and see if those entries are gone.
     
  19. 2005/10/04
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    Yep, they are gone :) :) :) :) Thanks so much. I emailed you the print screen pic also... Thanks again... Shari
     
  20. 2005/10/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's great! :)

    I would like to check one more log to make sure nothing is hiding.

    Please download SilentRunners.vbs
    • Save it to the desktop.
    • Double click to run.
    • You will receive a prompt:
      • Do you want to skip supplementary searches?
      • Click NO
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
     
  21. 2005/10/05
    autismmommy

    autismmommy Inactive Thread Starter

    Joined:
    2005/09/18
    Messages:
    43
    Likes Received:
    0
    I think I did it right... Here's the log... Shari

    "Silent Runners.vbs ", revision 40.1, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "PopUpStopperFreeEdition" = " "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" " [ "Panicware, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
    "QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
    "RemoteControl" = " "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" " [ "Cyberlink Corp."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe" [null data]
    "SunKistEM" = "C:\Program Files\Digital Media Reader\shwiconem.exe" [ "Alcor Micro, Corp."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" [ "Yahoo!"]
    {65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" [ "Yahoo! Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" [ "Yahoo! Inc."]
    "{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu "
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" [null data]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast "
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    "AppInit_DLLs" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" [ "Intel Corporation"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499} "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" [ "Yahoo! Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000} "
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [ "WinZip Computing, Inc."]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "


    Startup items in "Owner" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup
    "LimeWire On Startup" -> shortcut to: "C:\Program Files\LimeWire\LimeWire.exe -startup" [ "Lime Wire, LLC"]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
    "BigFix" -> shortcut to: "C:\Program Files\BigFix\BigFix.exe /atstartup" [ "BigFix Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" [ "Yahoo! Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll" [ "Yahoo! Inc."]

    Explorer Bars

    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [ "Yahoo! Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [ "Yahoo! Inc."]

    {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]


    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings ")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=http://www.emachines.com

    Missing lines (compared with English-language version):
    [Strings]: 1 line


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    avast! Antivirus, avast! Antivirus, " "C:\Program Files\Alwil Software\Avast4\ashServ.exe" " [null data]
    avast! iAVS4 Control Service, aswUpdSv, " "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" " [null data]
    avast! Mail Scanner, avast! Mail Scanner, " "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" [ "ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, " "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" [ "ALWIL Software"]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 49 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 13 seconds.
    ---------- (total run time: 94 seconds)
     
