Click here for AnswerPool.com Home page


Google

    AnswerPool.com  Hop To Forum Categories  Computers  Hop To Forums  Security Issues    I have virus that's messing up Internet Explorer.

Moderators: Dwight
Go
Post
Find
Notify
Tools
Reply
  
  Login/Join 
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted
I have a virus on my computer and it's making IE7 useless to me. The virus is making IE7 not load pictures and it tries to go to stupid sites on it's own. I've been using Google Chrome for some time now but I can't use Robo (a form filler) with Chrome. I use Robo to fill out online sweepstakes forms using IE7. I need IE7 to work so I can enter sweepstakes again online. Here's a HijackThis log of what running on my computer. Please help me find the virus and remove it...Thanks!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:51 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\vspc1300.exe
C:\WINDOWS\Fonts\svchost.exe
C:\DOCUME~1\default\LOCALS~1\Temp\winlogin.exe
C:\Documents and Settings\default\winlogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\default\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\default\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presari...0&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario...c00&s=search&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SPC1300] C:\WINDOWS\vspc1300.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\default\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [Windows Logon] C:\Documents and Settings\default\winlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\default\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O15 - Trusted Zone: http://www.gsn.com
O15 - Trusted Zone: http://media.pineconeresearch.com
O16 - DPF: Win32 Classes -
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/F...okPhotoUploader5.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O20 - AppInit_DLLs: jvdwjm.dll psmpqg.dll gsfkcz.dll fpawqd.dll tkvnti.dll poomxg.dll aoxmub.dll laorml.dll sqhnxb.dll qmjelh.dll vbtgga.dll gcshlz.dll grngsz.dll mmytop.dll arfjjc.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe.exe:ext.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 12065 bytes
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
Dwight
Diamond
Enthusiast
Enthusiast
of the Year
Picture of Dwight
Posted Hide Post
You could first try uninstallng Windows Internet Explorer and reverting back to Internet Explorer 6.0. Then reinstall the later version except do not install the Beta versions of Chrome and Windows IE 8.0.

Uninstall Windows IE

Hope this helps!

Dwight
 
Posts: 4425 | Location: Anchorage, AK | Registered: 06-05-02Reply With QuoteEdit or Delete MessageReport This Post
cswchan
Gold Enthusiast
Posted Hide Post
http://www.prevx.com/filenames/X754276530174043231-X1/JKSE73HEDFDGF2EDLL.html

quote:
File Behavior
JKSE73HEDFDGF.DLL has been seen to perform the following behavior:

Enables an In Process Object/Server - Common with DLL Injections
Creation and Registration of a Browser Helper Object in Internet Explorer
Registers a Dynamic Link Libray (DLL) File
The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Adds a Registry Key (EXPLORER) to auto start Programs on system start Boot up
Reads email address and phone book details
JKSE73HEDFDGF.DLL has been the subject of the following behavior:

Creation and Registered as a Browser Helper Object in Internet Explorer
Created as a process on disk
Registered as a Dynamic Link Libray (DLL) File
Enabled as an In Process Object/Server - Common with DLL Injections
Executed as a Process
Registered as a Dynamic Link Library File
The process is hooked into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Deleted as a process from disk
 
Posts: 554 | Location: Mississauga, Ontario, Canada | Registered: 06-03-02Reply With QuoteEdit or Delete MessageReport This Post
cswchan
Gold Enthusiast
Posted Hide Post
quote:
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll


quote:
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe.exe:ext.exe (file missing)


http://www.prevx.com/filenames/X1615331640755027717-0/F...2EEXE3AEXT2EEXE.html
 
Posts: 554 | Location: Mississauga, Ontario, Canada | Registered: 06-03-02Reply With QuoteEdit or Delete MessageReport This Post
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted Hide Post
I deleted some things after I did searches on goggle on them and seen that they where bad. Internet Explorer is working better but just in case I missed something here's an updated HijackThis log below. Let me know if you see anything that I may of missed. Thanks!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:20 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\vspc1300.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Documents and Settings\default\winlogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\default\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\default\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presari...0&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario...c00&s=search&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SPC1300] C:\WINDOWS\vspc1300.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Windows Logon] C:\Documents and Settings\default\winlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O15 - Trusted Zone: http://www.gsn.com
O15 - Trusted Zone: http://media.pineconeresearch.com
O16 - DPF: Win32 Classes -
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/F...okPhotoUploader5.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O20 - AppInit_DLLs: jvdwjm.dll psmpqg.dll gsfkcz.dll fpawqd.dll tkvnti.dll poomxg.dll aoxmub.dll laorml.dll sqhnxb.dll qmjelh.dll vbtgga.dll gcshlz.dll grngsz.dll mmytop.dll arfjjc.dll xkmozk.dll hnkabd.dll ijtkgp.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe.exe:ext.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11673 bytes
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
cswchan
Gold Enthusiast
Posted Hide Post
quote:
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe.exe:ext.exe (file missing)


Still there...

Try using this... may take several hours to scan your system.

http://prerelease.trendmicro-europe.com/hc66/launch/#

Good Luck
 
Posts: 554 | Location: Mississauga, Ontario, Canada | Registered: 06-03-02Reply With QuoteEdit or Delete MessageReport This Post
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted Hide Post
quote:
Originally posted by cswchan:
quote:
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\fci.exe.exe:ext.exe (file missing)


Still there...

Try using this... may take several hours to scan your system.

http://prerelease.trendmicro-europe.com/hc66/launch/#

Good Luck


Deleted that after my last post and Internet Explorer seems to be working better..Thanks!!
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
cswchan
Gold Enthusiast
Posted Hide Post
Post another Hijack This result & we'll have another look.
 
Posts: 554 | Location: Mississauga, Ontario, Canada | Registered: 06-03-02Reply With QuoteEdit or Delete MessageReport This Post
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted Hide Post
I can not get this to delete. I keep getting an HijackThis error and then HijackThis closes.

O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll

Here's an updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:54 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\vspc1300.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Documents and Settings\default\winlogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presari...0&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario...c00&s=search&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SPC1300] C:\WINDOWS\vspc1300.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Windows Logon] C:\Documents and Settings\default\winlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O15 - Trusted Zone: http://www.gsn.com
O15 - Trusted Zone: http://media.pineconeresearch.com
O16 - DPF: Win32 Classes -
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/F...okPhotoUploader5.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O20 - AppInit_DLLs: jvdwjm.dll psmpqg.dll gsfkcz.dll fpawqd.dll tkvnti.dll poomxg.dll aoxmub.dll laorml.dll sqhnxb.dll qmjelh.dll vbtgga.dll gcshlz.dll grngsz.dll mmytop.dll arfjjc.dll xkmozk.dll hnkabd.dll ijtkgp.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11441 bytes
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
cswchan
Gold Enthusiast
Posted Hide Post
quote:
I can not get this to delete. I keep getting an HijackThis error and then HijackThis closes.

O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll


Boot into "Safe Mode" by pressing the "F8" button while your computer is booting up (before you get to the Windows Screen)
Find the file & then delete it.
Reboot.
 
Posts: 554 | Location: Mississauga, Ontario, Canada | Registered: 06-03-02Reply With QuoteEdit or Delete MessageReport This Post
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted Hide Post
quote:
Originally posted by cswchan:
quote:
I can not get this to delete. I keep getting an HijackThis error and then HijackThis closes.

O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll


Ok, did that and it now looks like it's gone. Thanks and here's a updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:23 AM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\vspc1300.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Documents and Settings\default\winlogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presari...0&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario...c00&s=search&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SPC1300] C:\WINDOWS\vspc1300.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Windows Logon] C:\Documents and Settings\default\winlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O15 - Trusted Zone: http://www.gsn.com
O15 - Trusted Zone: http://media.pineconeresearch.com
O16 - DPF: Win32 Classes -
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/F...okPhotoUploader5.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O20 - AppInit_DLLs: jvdwjm.dll psmpqg.dll gsfkcz.dll fpawqd.dll tkvnti.dll poomxg.dll aoxmub.dll laorml.dll sqhnxb.dll qmjelh.dll vbtgga.dll gcshlz.dll grngsz.dll mmytop.dll arfjjc.dll xkmozk.dll hnkabd.dll ijtkgp.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11100 bytes

Boot into "Safe Mode" by pressing the "F8" button while your computer is booting up (before you get to the Windows Screen)
Find the file & then delete it.
Reboot.
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted Hide Post
I noticed I have csrssc on my computer. It's Malware. The Task Manager does not work anymore on my computer when I hit (CTRL+ALT+DEL). I had to download a program called "Autoruns" to see what's running on my computer. It says I have csrssc running on my computer.

Here's a screen shot of it running in Autoruns: autorunslog01


How do I remove csrssc from my computer? I've tried safety mode using Autoruns to try to delete it but it keeps coming back and I think it's blocking my Task Manager and useing my Outlook Express email address to send spam because I get lots of return to sender spam. cswchan thanks again for all your help so far.
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted Hide Post
ignore this post.
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
bedstor
Diamond Enthusiast

Picture of bedstor
Posted Hide Post
Matt
I have been looking through the "Removal" intructions given for csrssc and They all require a Download of a Spyware removal file
(Which I'd give a swerve to)
I did find 1 positive piece of advice on one Site which says it can be removed manually Through the HJT Log Smile

But where is it Hiding? Roll Eyes
Needs more experienced eyes!
My UK site connection has a Busy HJT reader service with Good clearup results
Email me for the site address/link
PS Had a quick scan of their archive and there are NO reports of this Pest yet ,but it has been seen a lot in the Wild Frown
 
Posts: 14540 | Location: 6 miles west of Wigan UK | Registered: 06-05-02Reply With QuoteEdit or Delete MessageReport This Post
bedstor
Diamond Enthusiast

Picture of bedstor
Posted Hide Post
Gotcha! Wink

Delete this first
quote:
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe

then Delete

C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
If, its showing? (same thing)

Then Reset the computer
Restart run another HJT Log

Has it reappeared on the list? NO...Task Manager should Now work Smile
Next Download CCleaner (from www.ccleaner.com) and run it on the Registry Cleaner ...You may lose some Logins this will Pull any Remnants out of the Registry
Do an Update on your Security Programs too
I Do Note on your List your A/V Protection is Avira

Not for Me to criticize Isn't that supposed to stop things like this Happening? Roll Eyes
and how often does it Update?

Try out Avast! (www.avast.com )Its Free Updates Daily And Does keep the Nasties away

And have you got Broadband? A decent Firewall

Such as COMODO Is a Must www.comodo.com

May be Ok to use with Dialup? Opinions anyone (May be overkill?)

www.cyberwalker.com/quicktips/dialup-firewall.html
 
Posts: 14540 | Location: 6 miles west of Wigan UK | Registered: 06-05-02Reply With QuoteEdit or Delete MessageReport This Post
Pace~Ace
Platinum
Enthusiast
Picture of Pace~Ace
Posted Hide Post
Windows is loading better after I deleted
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe
yesterday but I still see csrssc on autoruns this morning. Didn't see C:\DOCUME~1\default\LOCALS~1\Temp\csrssc.exe to delete. Task Manager still wont load. Maybe I'm missing something?

I use dial-up. I already have CCleaner on my computer and used it's Registry Cleaner like you said to. It found nothing to fix. I haven't updated Avira in about three or four months so maybe it's time for an update.


Here's a updated HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:52 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\vspc1300.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Documents and Settings\default\winlogin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presari...0&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario...c00&s=search&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario...&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SPC1300] C:\WINDOWS\vspc1300.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Windows Logon] C:\Documents and Settings\default\winlogin.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\default\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...earch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...vista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario...lfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O15 - Trusted Zone: http://www.gsn.com
O15 - Trusted Zone: http://media.pineconeresearch.com
O16 - DPF: Win32 Classes -
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/F...okPhotoUploader5.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{50CAF7F9-AF62-45F3-A564-7DE32E909760}: NameServer = 65.174.118.5 65.174.118.6
O20 - AppInit_DLLs: jvdwjm.dll psmpqg.dll gsfkcz.dll fpawqd.dll tkvnti.dll poomxg.dll aoxmub.dll laorml.dll sqhnxb.dll qmjelh.dll vbtgga.dll gcshlz.dll grngsz.dll mmytop.dll arfjjc.dll xkmozk.dll hnkabd.dll ijtkgp.dll lnlblu.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 10898 bytes
 
Posts: 1985 | Location: Kentucky, USA | Registered: 06-04-02Reply With QuoteEdit or Delete MessageReport This Post
bedstor
Diamond Enthusiast

Picture of bedstor
Posted Hide Post
Apart from Going into Regedit on the Start Button/Run box,and removing those entries with "csrssc" then Running the Registry cleaner again. Needs a bit of caution.

Try the Registry Cleaner with EasyCleaner it is a Bit harder on Removing "Tail ends" than CCleaner (Don't clash)
http://personal.inet.fi/business/toniarts/ecleane.htm
See if that improves matters?
 
Posts: 14540 | Location: 6 miles west of Wigan UK | Registered: 06-05-02Reply With QuoteEdit or Delete MessageReport This Post
bedstor
Diamond Enthusiast

Picture of bedstor
Posted Hide Post
As regards the Task Manager To Reboot it May mean going into the Registry to alter a setting Frown (1 line)
Here are the Full details for XP http://tinyurl.com/tskmgr-Regchange

Nothing in the Security controls relating to Task Manager
But this looks hopeful Try this First
Open the Control Panel. Locate Administrative Tools
Click Services ...
Click the Extended View Tab(underneath the Box)
Big List scroll Down and Check 2 adjacent items are enabled
I'm listing them in the Order on the List

#1 Windows Management Instrumentation
You see the Status looking to the Right of the listing ..It will say Started & Automatic

If Not , then click on the item (To highlight it) and a Message appears to the Left together

with Links For stopping /starting and rebooting the service
Simply Click what you require (a NO brainer)

#2 Windows Management Instrumentation Driver Extensions
NOTE Is Shown as Manual and Has a Start link only

Bit of Hot News Re: Google Chrome for you.
They say on the Version 2.0 they are going to have an Auto fill Forms facility Smile
The First Developer version came out today. Jan 9th (Is Not a Beta) I'd wait a few weeks before the Proper semi stable Beta Version is seen, before Testing out what's new. Wink
 
Posts: 14540 | Location: 6 miles west of Wigan UK | Registered: 06-05-02Reply With QuoteEdit or Delete MessageReport This Post
  Powered by Eve Community  
 

    AnswerPool.com  Hop To Forum Categories  Computers  Hop To Forums  Security Issues    I have virus that's messing up Internet Explorer.

© 2002-2009 AnswerPool.com
All Rights Reserved
Using This Site Means You Accept Its Terms of Service and Privacy Policy
Close Cover Before Striking
3D Glasses Required for Optimal Viewing
Now in HD and Surround Sound
Offer Void Where Prohibited by Law
There's a Bathroom on the Right
Caution - Objects May Be Closer Than They Appear
Anything You Post May Be Used Against You in the Court of Public Opinion



Visit DiscussionPool.com!