Antivirus Protection
 
  #1  
Old April 10th, 2007, 03:13 AM
tsnaji tsnaji is offline
HELP! Strange file/virus, Looks like Chinese/Asian Characters

Hello All,

I have a most unusual problematic file that I can't identify because it has no name that I'm familiar with, and it uses strange characters (some of which look like Chinese script).

Actually, I can't find any physical files, it's something that appeared in my MSCONFIG window, in my list of startup programs. In my startup program list, it appears as a strange symbol - a cross with a round top (similar to the symbol Prince used instead of his name, back in the 90's). Anyway, I don't know what the symbol is called so I'm posting a screen capture of my MSCONFIG window so you can get an idea of what it looks like.
[IMG](URL address blocked: See forum rules)[/IMG]

If the image doesn't appear above, you can see a copy of my screenshot here.

And if neither of those images work, MS WORD has the symbol: Here it is -- ♀

My MSCONFIG says this file is linked to the following registry key:
hkcu\software\microsoft\windows nt\currentversion\windows:run

UPDATE: I just tried to remove this file from my startup list, and MSCONFIG told me I couldn't, that access was denied, and that I needed to logon as an administrator. I restarted my computer and the cross-symbol now turned into two Chinese script characters. Here's another screenshot:
[IMG](URL address blocked: See forum rules)[/IMG]

If the above photo doesn't load, you can see the pic here:

Also note, now when I restart my computer, it tries to look for these files, but it can't find their location. I still can't unselect them from my startup.

I don't know what this is, or what to do to remove it, so any help is greatly appreciated. Your forum seems to really know its stuff, so hopefully one of you can help me.

My OS is Windows XP SP2 (WinNT 5.01.2600)
I ran HijackThis and the scan file is below:

Logfile of HijackThis v1.99.1
Scan saved at 8:16:24 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Stan\registry cleaner\RegClean.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (URL address blocked: See forum rules)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (URL address blocked: See forum rules)=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (URL address blocked: See forum rules)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (URL address blocked: See forum rules)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = (URL address blocked: See forum rules)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - (URL address blocked: See forum rules)=ZNxdm006YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - (URL address blocked: See forum rules)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - (URL address blocked: See forum rules)
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - (URL address blocked: See forum rules)
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - (URL address blocked: See forum rules)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - (URL address blocked: See forum rules)
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - (URL address blocked: See forum rules)
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - (URL address blocked: See forum rules)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - (URL address blocked: See forum rules)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



Thanks,
Stan

  #2  
Old April 10th, 2007, 05:15 AM
tsnaji tsnaji is offline
Possible Update

I haven't received any replies yet, but I might have an update. I found two patch.exe files in the following folders:
C:\Windows
C:\Documents and Settings\Sue\.housecalls

I remember back in college that a patch.exe file meant the netbus trojan, but I haven't yet been able to find it in my registry keys: I checked HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run and didn't find patch.exe
I also checked the "Mysterious File" location given in MSCONFIG, that extension being HKCU\SOFTWARE\Microsoft\Windows NT\Current Version\Windows, and again I didn't see it there.

I also found a sysedit.exe file in the following locations:
C:\i386
C:\WINDOWS\system32

I scanned these files (both the patch.exe and sysedit.exe) with McAfee, and both came up as clean.

Could these be viruses? Are these the programs causing the weird files in my startup list?

Please help.
Stan

  #3  
Old April 10th, 2007, 12:34 PM
aitken325i aitken325i is offline
Hi tsnaji and welcome to Dev Shed.

I've had a look over your log and there are a couple of items in there that can be removed, but before we do so, can you firstly download, update the definitions and run Spybot S & D, Ad-Aware, AVG Anti-Spyware and Trojan Hunter. After you have run all these programs, run a thorough Anti-Virus scan. I see you are running McAfee but have a look at running an online scan at Kaspersky Online Scan or Trend Micro Housecall or by downloading and installing AVG Free.

Once you have run these programs, please post a fresh HijackThis log for us to look at.
Comments on this post
bigSeth agrees: 5 of the best free security and privacy programs EVER!
  #4  
Old April 11th, 2007, 01:32 AM
tsnaji tsnaji is offline
Hello aitken325i,

Thank you for the reply. I love "Married W/Children" by the way. Your little icon took me back, years ago, to the time when I saw that 'No MA'AM' episode. Ah, those were the days.

Anyway, I did everything you asked, and the weird object is still there in my MSCONFIG window; however, I have some other updates for you. I'd like to go over, briefly, first, the other things I've done with my system prior to your instructions, maybe they can give a better picture of what's going on with my machine:

Let me go back a little further and tell you something about MSCONFIG first. It seems that I get an error when I try to make changes to any portion of MSCONFIG, but it's a false error because the changes I make take effect. For example, when I uncheck any 'startup' item - like 'ehtray' for example - I get the message "ACCESS DENIED ERROR WAS RETURNED WHILE ATTEMPTING TO CHANGE SERVICE. YOU MAY NEED TO LOG ON USING AN ADMINISTRATOR ACCOUNT TO MAKE CHANGES." Problem is, I am logged on as the administrator - silly computer. However, when I restart, I see that my changes did take effect, so why the error? There is one exception to this rule. When I try to click on and uncheck this unknown object/virus in my startup list, I get the error message, but the object's status never changes - when I reboot it remains unchecked.

Now here's what I've learned about the unknown object: I don't know its name, but I do know it's written sometimes in Korean letters and sometimes in Chinese characters. It changes characters frequently on reboot and seemingly without cause.

I discovered that this object was connected to the following registry path: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, into which it established a string value entitled "run". This value had no data or file location associated with it. And, when the unknown object in MSCONFIG was de-selected (so it wouldn't run in startup), the registry value had no data associated with it at all.

I deleted this registry string value and rebooted, without any problems with my startup. However, now when I go to MSCONFIG, I CANNOT, under any circumstances, change the status of the unknown object - it remains unchecked and seemingly deactivated - which I guess is a good thing. But I cannot DELETE it from MSCONFIG either - which I guess is a bad thing. It doesn't recreate the registry value either - which I guess is a good thing. Bottom line, however, I want it removed from MSCONFIG and I want to eliminate the administrator-error message.

As a side note, I have a second registry editing program - called regclean.exe - which also allows me to remove items from my startup (it also generates a list of startup items). However, this program does not recognize or register this unknown object as being part of my startup. It doesn't exist for this program.

Sorry for writing so much. I hope you're still with me.

Now, per your instructions, I updated and ran all of the programs you suggested. I did a thorough system scan as well with AVG. The programs found many cookies, but nothing seemingly lethal. The Trojan finder deleted the following file:
adware.MyWebSearch.108 filename f3PSSavr.scr located in the folder c:\windows\system32\f3PSSavr.scr and deleted it.

Below you will find my latest HiJackThis log.

I hope this long post was not in vain. I hope it helped identify my problem.

Do you think MSCONFIG is corrupt and that the virus has been removed? Should I reinstall MSCONFIG? Your expert guidance will be greatly appreciated.

Thank you so much for your help.
-Stan

Logfile of HijackThis v1.99.1
Scan saved at 10:23:34 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\DJGPP\bin\Ransom\Bmt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (URL address blocked: See forum rules)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (URL address blocked: See forum rules)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (URL address blocked: See forum rules)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = (URL address blocked: See forum rules)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - (URL address blocked: See forum rules)=ZNxdm006YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - (URL address blocked: See forum rules)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - (URL address blocked: See forum rules)
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - (URL address blocked: See forum rules)
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - (URL address blocked: See forum rules)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - (URL address blocked: See forum rules)
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - (URL address blocked: See forum rules)
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - (URL address blocked: See forum rules)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - (URL address blocked: See forum rules)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

  #5  
Old April 11th, 2007, 10:32 AM
aitken325i
Providing fuel for space ships
Join Date: Mar 2004
Location: nr Edinburgh, Scotland
Posts: 14,273
Yeah, I'm still with you buddy.

When you say these items are appearing in MSCONFIG, do you mean the 'Services' or the 'Startup' tab?

Anyway, can you run HJT again, select the following item and then select 'Fix':

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Also, navigate to the following file and delete it. If it won't allow you to delete it, use Delete Doctor to remove the bugger:

C:\DJGPP\bin\Ransom\Bmt.exe


Next, reboot your machine and then can you post a fresh HJT log for me to look at. In addition, when you open up HJT, can you click on the 'Misc Tools' button and then click on the button marked 'Generate Startup List Log' and then post that log on here for us to look at too.

  #6  
Old April 11th, 2007, 02:51 PM
tsnaji
Registered User
Join Date: Apr 2007
Posts: 12
Hello Hello,

I followed your instructions. Below you'll find my HijackThis Log and 2 startup lists (The first one is the standard startup list, the second is a complete startup list - supposedly containing empty paths, whatever that means???).

To answer your question, these unknown objects appear only in the 'Startup' tab of MSCONFIG. The 'Service' tab appears to be normal, though I'm not familiar enough with my services to know exactly what is 'normal' and 'safe'.

Oh, and to let you know, the file you told me to delete, c:\DJGPP\bin\Ransom\Bmt.exe was actually HijackThis. I moved it into a random folder and renamed it. I read somewhere that viruses sometimes hide from HijackThis, and that moving it and renaming it might help.

I have a few questions: While rummaging through these forums, I came across a program that allows me to delete objects from my MSCONFIG 'Startup' tab. Do you think I should run this program and try to delete this unknown object that way? And why is my MSCONFIG in c:\windows\pchealth\helpctr\binaries? Shouldn't it be in a c:\windows\system folder?

If you would like to take a look at this object, I posted three JPG screen captures on photobucket.

This link shows the current state of this unknown object - unchecked and seemingly idle in my MSCONFIG, after having deleted the object's registry values:
i32.photobucket.com/albums/d43/ariesdaddy/MSCONFIG3.jpg

These two links show the unknown object in two of its previous states - one with Korean letters, another with Chinese Characters. These images show what it looked like when its registry keys were active:
i32.photobucket.com/albums/d43/ariesdaddy/MsConfig2.jpg

and

i32.photobucket.com/albums/d43/ariesdaddy/MSConfigScreenshot.jpg

I know this forum blocks web links for new users like me; that's why I didn't include the http:// in front of the above links (none of these links contain www).

What are your thoughts?

Logfile of HijackThis v1.99.1
Scan saved at 12:03:46 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJack This\Bmt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (URL address blocked: See forum rules)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (URL address blocked: See forum rules)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = (URL address blocked: See forum rules)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = (URL address blocked: See forum rules)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - (URL address blocked: See forum rules)=ZNxdm006YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - (URL address blocked: See forum rules)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - (URL address blocked: See forum rules)
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - (URL address blocked: See forum rules)
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - (URL address blocked: See forum rules)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - (URL address blocked: See forum rules)
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - (URL address blocked: See forum rules)
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - (URL address blocked: See forum rules)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - (URL address blocked: See forum rules)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe




StartupList report, 4/11/2007, 12:05:42 PM
StartupList version: 1.52.2
Started from : C:\HiJack This\Bmt.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\HiJack This\Bmt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Digital Line Detect.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
SigmatelSysTrayApp = stsystra.exe
MskAgentexe = C:\Program Files\McAfee\MSK\MskAgent.exe
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
THGuard = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
ehTray = C:\WINDOWS\ehome\ehtray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ModemOnHold = C:\Program Files\NetWaiting\netWaiting.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
scriptproxy - c:\program files\mcafee\virusscan\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - c:\program files\google\googletoolbar4.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = (URL address blocked: See forum rules)

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = (URL address blocked: See forum rules)

[WebIQ Technology Client]
InProcServer32 = C:\Program Files\WebIQ\WebIQClientLib.dll
CODEBASE = (URL address blocked: See forum rules)

[ParallelGraphics Cortona Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cortona_control.dll
CODEBASE = (URL address blocked: See forum rules)

[Shutterfly Picture Upload Plugin]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sfuploadplugin.ocx
CODEBASE = (URL address blocked: See forum rules)

[Aurigma Image Uploader 3.5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = (URL address blocked: See forum rules)

[{A662DA7E-CCB7-4743-B71A-D817F6D575DF}]
CODEBASE = (URL address blocked: See forum rules)

[Get_ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HPGETD~1.OCX
CODEBASE = (URL address blocked: See forum rules)

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = (URL address blocked: See forum rules)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 8,485 bytes
Report generated in 0.391 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only






StartupList report, 4/11/2007, 12:05:56 PM
StartupList version: 1.52.2
Started from : C:\HiJack This\Bmt.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\HiJack This\Bmt.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Digital Line Detect.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
SigmatelSysTrayApp = stsystra.exe
MskAgentexe = C:\Program Files\McAfee\MSK\MskAgent.exe
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
IntelWireless = C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
THGuard = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
ehTray = C:\WINDOWS\ehome\ehtray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ModemOnHold = C:\Program Files\NetWaiting\netWaiting.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
scriptproxy - c:\program files\mcafee\virusscan\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - c:\program files\google\googletoolbar4.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = (URL address blocked: See forum rules)

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = (URL address blocked: See forum rules)

[WebIQ Technology Client]
InProcServer32 = C:\Program Files\WebIQ\WebIQClientLib.dll
CODEBASE = (URL address blocked: See forum rules)

[ParallelGraphics Cortona Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cortona_control.dll
CODEBASE = (URL address blocked: See forum rules)

[Shutterfly Picture Upload Plugin]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sfuploadplugin.ocx
CODEBASE = (URL address blocked: See forum rules)

[Aurigma Image Uploader 3.5 Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
CODEBASE = (URL address blocked: See forum rules)

[{A662DA7E-CCB7-4743-B71A-D817F6D575DF}]
CODEBASE = (URL address blocked: See forum rules)

[Get_ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HPGETD~1.OCX
CODEBASE = (URL address blocked: See forum rules)

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9.ocx
CODEBASE = (URL address blocked: See forum rules)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 8,485 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

  #7  
Old April 12th, 2007, 02:13 PM
aitken325i
Providing fuel for space ships
Join Date: Mar 2004
Location: nr Edinburgh, Scotland
Posts: 14,273
Ah, the 'bmt.exe' had me wondering, as it's a keylogger! You couldn't have picked a worse name to rename HJT to!

And you are right about MSCONFIG - according to the original HJT log, it is in the wrong place, but I would suspect that it is in its correct folder, otherwise you would be having other problems.

On looking at your HJT log and your Startup log, nothing really appears in them that is causing me to worry, which, with an item like this, is very strange. It sounds to me like you have been infected with a Trojan, but for none of the scanners to pick it up makes me think otherwise. Can you go to the registry editor, navigate to the following keys and see if it appears:
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
I suspect that nothing will look out of the ordinary, but if you see anything you suspect, let us know about it.

Next, can you download and run Rootkit Revealer and post its log on here for us to look at.

Reply With Quote
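Editor's note on the two keys named in the post above. Only three values that can live under them actually make code run at logon: Load and Run (legacy win.ini [windows] entries that Windows NT still honours from the HKCU key) and AppInit_DLLs (the HKLM list of DLLs mapped into every process that loads user32.dll; from Vista onward it is only honoured while LoadAppInit_DLLs is 1). Everything else normally found there (Device, Documents, Programs, Spooler, the GDI quotas, the timeouts) is printer and file-association configuration, so a blank Documents value is not a launch point. The script below is an added example, not code from anyone in this thread or from Microsoft: it encodes that rule, reads the keys live with the standard-library winreg module when run on Windows, and otherwise works on values typed in from regedit. The POSTED_* dictionaries are the tables from the reply that follows; the CONSTRUCTED_* ones are hypothetical, with made-up paths, to show what a hit looks like.

```python
"""Triage the two Windows NT\\CurrentVersion\\Windows keys for logon persistence.

Added example for this thread, not code posted in it. Of the values under
these keys only Load, Run (HKCU; legacy win.ini [windows] entries run at
logon) and AppInit_DLLs (HKLM; DLLs injored into every user32.dll process,
gated by LoadAppInit_DLLs on Vista and later) execute anything.
"""
import sys

# Value names under these keys that execute code. Registry names are
# case-insensitive, so every comparison below is lower-cased.
LAUNCH_VALUES = {"load", "run", "appinit_dlls"}

HKCU_PATH = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
HKLM_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def _get_ci(values, wanted, default=None):
    """Case-insensitive lookup of a value name."""
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return data
    return default


def triage(values):
    """Return one finding string per value that would run code at logon.

    `values` maps value name -> data as read from one of the two keys.
    Blank launch values are not findings: AppInit_DLLs is present but empty
    on a clean install, exactly as in the HKLM table posted in this thread.
    """
    findings = []
    for name, data in values.items():
        if name.lower() not in LAUNCH_VALUES or data in (None, "", 0, b""):
            continue
        if name.lower() == "appinit_dlls":
            # LoadAppInit_DLLs does not exist on XP: the list is always honoured there.
            enabled = _get_ci(values, "LoadAppInit_DLLs", 1)
            state = "active" if enabled else "disabled by LoadAppInit_DLLs=0"
            findings.append(f"AppInit_DLLs ({state}): {data}")
        else:
            findings.append(f"{name} runs at logon: {data}")
    return findings


def read_live(hive_name, path):
    """Read every value under a key on this machine (Windows only).

    Uses the standard-library winreg module; elsewhere it raises so the
    caller falls back to values exported or typed in from regedit.
    """
    if sys.platform != "win32":
        raise OSError("live registry access needs Windows; run triage() on exported values")
    import winreg  # only importable on Windows

    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]
    values = {}
    with winreg.OpenKey(hive, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # EnumValue raises when the index runs past the last value
                break
            values[name] = data
            index += 1
    return values


# The two tables as posted in this thread (Documents is a blank list of
# document extensions migrated from win.ini; it is not a launch point).
POSTED_HKCU = {
    "DebugOptions": 2048,
    "Device": "HP Photosmart C3100 series",
    "Documents": "",
    "DosPrint": "no",
    "NetMessage": "no",
    "NullPort": "None",
    "Programs": "com exe bat pif cmd",
}
POSTED_HKLM = {
    "AppInit_DLLs": "",
    "DeviceNotSelectedTimeout": "15",
    "GDIProcessHandleQuota": 10000,
    "Spooler": "yes",
    "swapdisk": "",
    "TransmissionRetryTimeout": "90",
    "USERProcessHandleQuota": 10000,
}
# Constructed samples with hypothetical paths, showing what a hit looks like.
CONSTRUCTED_HKCU = dict(POSTED_HKCU, Load=r"C:\Temp\example.exe")
CONSTRUCTED_HKLM = dict(POSTED_HKLM, AppInit_DLLs=r"C:\Temp\example.dll")


if __name__ == "__main__":
    samples = [("HKCU as posted", POSTED_HKCU), ("HKLM as posted", POSTED_HKLM),
               ("HKCU constructed", CONSTRUCTED_HKCU), ("HKLM constructed", CONSTRUCTED_HKLM)]
    if sys.platform == "win32":
        samples += [("HKCU live", read_live("HKCU", HKCU_PATH)),
                    ("HKLM live", read_live("HKLM", HKLM_PATH))]
    for label, data in samples:
        print(f"{label}: {triage(data) or 'nothing executes from this key'}")
```

Run it as-is to see the posted tables come back clean and the constructed ones flagged; on a Windows box it also reads the two live keys. The check is deliberately narrow: it says nothing about the other autostart locations HJT and StartupList already cover, only whether these two keys hold anything that executes.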
  #8  
Old April 12th, 2007, 04:34 PM
tsnaji tsnaji is offline
Registered User
Dev Shed Newbie (0 - 499 posts)
 
Join Date: Apr 2007
Posts: 12 tsnaji User rank is Just a Lowly Private (1 - 20 Reputation Level) 
Time spent in forums: 5 h 29 m 42 sec
Reputation Power: 0
aitken325i

That's hilarious, I had no idea bmt.exe was a keylogger!

Again, I'm really thankful for your advice and insight. It's really great of you to give me your time!

I looked at the registry entries you suggested, and didn't find the unknown object. Just for the heck of it, here is a list of the values in those registry folders, in case you notice something that would escape me (the "Documents" entry below looks suspicious to me, only because its data is blank):

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

NAME                        DATA
DebugOptions                2048
Device                      HP Photosmart C3100 series
Documents                   (BLANK: NOTHING HERE)
DosPrint                    no
NetMessage                  no
NullPort                    None
Programs                    com exe bat pif cmd



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

NAME                        DATA
AppInit_DLLs                (BLANK: NOTHING HERE)
DeviceNotSelectedTimeout    15
GDIProcessHandleQuota       0x00002710 (10000)
Spooler                     yes
swapdisk                    (BLANK: NOTHING HERE)
TransmissionRetryTimeout    90
USERProcessHandleQuota      0x00002710 (10000)



Oh, and here's something I found that's a little unusual: I found entries in my registry for the program NetBuster. I never installed NetBuster, so I don't know where they came from. They're located in this registry key:

HKEY_USERS\S-1-5-21-2889383146-4068158514-1716667310-1005\Software\Eclipse\NetBuster



Here's what RootkitRevealer had to say about my registry:
HKLM\S-1-5-21-2889383146-4068158514-1716667310-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{161B2731-C96B-21AE-23F1-1C96485C0BEF}*
- 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{161B2731-C96B-21AE-23F1-1C96485C0BEF}\InProcServer32*
- 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol
- 13 bytes Data mismatch between Windows API and raw hive data.


Your thoughts?

Thanks again,
Stan

Reply With Quote
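Editor's note on reading the RootkitRevealer output above. The Win32 registry API takes key names as NUL-terminated strings, so a key whose name contains an embedded NUL cannot be opened, listed or deleted by regedit or any API-based tool; RootkitRevealer finds it by comparing the API view with the raw hive and marks the name with an asterisk, and Sysinternals ships RegDelNull to remove such keys. Two of the three entries above are of that kind and carry the same CLSID, one under Shell Extensions\Approved in the user hive and one as that CLSID's InProcServer32 under HKLM, which is one shell-extension registration seen from two places, not two unrelated oddities. The third entry, a 13-byte data mismatch on the webcal URL Protocol value, is a different class of discrepancy: the API read and the raw-hive read disagreed, which a value rewritten during the scan also produces, so it should be re-scanned before being read as hiding. The script below is an added example, not code from this thread or from Sysinternals: it parses the two-line paste format shown above, attaches that meaning to each entry, and groups entries that share a GUID. The sample report is the three entries exactly as posted.

```python
"""Classify discrepancies from a pasted RootkitRevealer report.

Added example for this thread, not code from the original posts or from
Sysinternals. Reads the two-line paste format used in the thread (a
registry path, then "- <n> bytes <description>") and groups entries that
name the same CLSID so related keys are reviewed as one object.
"""
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DETAIL_RE = re.compile(r"^-\s*(\d+)\s+bytes\s+(.+)$")

# Lower-cased fragment of the RootkitRevealer description -> (severity, meaning).
MEANINGS = {
    "embedded nulls": ("high",
        "key unreachable via the Win32 API (regedit cannot open or delete it); "
        "inspect and remove with a native-API tool such as Sysinternals RegDelNull"),
    "hidden from windows api": ("high",
        "present in the raw hive or on disk but not returned by the API"),
    "data mismatch between windows api and raw hive data": ("medium",
        "API and raw-hive reads disagree; a value that changed mid-scan gives the "
        "same result, so re-scan before treating it as hiding"),
}


def classify(description):
    """Map a discrepancy description to (severity, explanation)."""
    text = description.lower()
    for marker, verdict in MEANINGS.items():
        if marker in text:
            return verdict
    return ("low", "unrecognised description; check the RootkitRevealer documentation")


def parse_report(text):
    """Parse pasted two-line RootkitRevealer entries into finding dicts."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    findings = []
    i = 0
    while i < len(lines):
        detail = DETAIL_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if detail is None:  # not a path/detail pair; skip the stray line
            i += 1
            continue
        description = detail.group(2).rstrip(".")
        severity, note = classify(description)
        findings.append({
            "path": lines[i],
            "size": int(detail.group(1)),
            "description": description,
            "severity": severity,
            "note": note,
        })
        i += 2
    return findings


def group_by_guid(findings):
    """Collect the paths that share a CLSID/GUID.

    A shell extension approved in a user hive plus its InProcServer32 under
    HKLM is one registration; both appearing with embedded nulls is the
    pattern to investigate as a unit.
    """
    groups = defaultdict(list)
    for finding in findings:
        for guid in set(GUID_RE.findall(finding["path"])):
            groups[guid.upper()].append(finding["path"])
    return dict(groups)


# The three entries exactly as pasted in the post above.
POSTED_REPORT = r"""
HKLM\S-1-5-21-2889383146-4068158514-1716667310-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{161B2731-C96B-21AE-23F1-1C96485C0BEF}*
- 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{161B2731-C96B-21AE-23F1-1C96485C0BEF}\InProcServer32*
- 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol
- 13 bytes Data mismatch between Windows API and raw hive data.
"""

if __name__ == "__main__":
    results = parse_report(POSTED_REPORT)
    for f in results:
        print(f"[{f['severity']}] {f['path']}\n    {f['description']}: {f['note']}")
    for guid, paths in group_by_guid(results).items():
        print(f"\n{len(paths)} findings share {guid}:")
        for p in paths:
            print("   ", p)
```

The grouping is the part worth keeping: RootkitRevealer lists each key on its own, and the question to answer next is what object the embedded-null CLSID belongs to, which means reading the InProcServer32 default value with a tool that can open the key.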
  #9  
Old April 14th, 2007, 03:04 AM
aitken325i aitken325i is offline
Providing fuel for space ships
Dev Shed God 19th Plane (14000 - 14499 posts)
 
Join Date: Mar 2004
Location: nr Edinburgh, Scotland
Posts: 14,273  User rank is General 41st Grade (Above 100000 Reputation Level)  Folding Points: 10110 Folding Title: Novice Folder
Time spent in forums: 5 Months 4 Weeks 1 Day 23 h 12 m 14 sec
Reputation Power: 3714
Are you running any registry cleaners ?

Do you have your XP install cd ?

Reply With Quote
  #10  
Old June 7th, 2007, 11:14 AM
eprincess eprincess is offline
Registered User
Dev Shed Newbie (0 - 499 posts)
 
Join Date: Jun 2007
Posts: 1 eprincess User rank is Just a Lowly Private (1 - 20 Reputation Level) 
Time spent in forums: 3 m 6 sec
Reputation Power: 0
Asian Characters and Acer

Hello,

I had the exact same thing on my computer. I've been told by a friend that has the same thing that it's a program specific to Acer and that it's ok.

Reply With Quote
  #11  
Old June 7th, 2007, 12:22 PM
aitken325i aitken325i is offline
Providing fuel for space ships
Dev Shed God 19th Plane (14000 - 14499 posts)
 
Join Date: Mar 2004
Location: nr Edinburgh, Scotland
Posts: 14,273  User rank is General 41st Grade (Above 100000 Reputation Level)  Folding Points: 10110 Folding Title: Novice Folder
Time spent in forums: 5 Months 4 Weeks 1 Day 23 h 12 m 14 sec
Reputation Power: 3714
What is the program that it is meant to be specific to?

Reply With Quote
  #12  
Old August 7th, 2007, 11:14 AM
cleo2394 cleo2394 is offline
Registered User
Dev Shed Newbie (0 - 499 posts)
 
Join Date: Aug 2007
Posts: 1 cleo2394 User rank is Just a Lowly Private (1 - 20 Reputation Level) 
Time spent in forums: 29 m 39 sec
Reputation Power: 0
Acer and Asian characters file

Quote:
Originally Posted by aitken325i
What is the program that it is meant to be specific to?


I have the same exact issue with my Vista Acer. I was able to de-select it from startup. I noticed the file one time when a window popped up unintended with the "button" in Chinese. The window was "Erecoveryagent", ERAgent version 1.0, copyright 2006. The window had a symbol of a hard drive and an optical disc. This led me to search for it. I found that file in an ACER backup/recovery utility. The file was at c:\acer\Empowerment Technology\eRecovery\eRAgent
The Asian file is still nowhere to be found. I also would like to know more about this and to get rid of it.

Reply With Quote
  #13  
Old August 7th, 2007, 11:29 PM
Porthos Porthos is offline
Malware Warrior /AV forum Mod
Dev Shed Regular (2000 - 2499 posts)
 
Join Date: Nov 2006
Location: San Antonio Tx
Posts: 2,325  User rank is General 2nd Grade (Above 100000 Reputation Level)
Time spent in forums: 2 Weeks 5 Days 6 h 6 m 23 sec
Reputation Power: 1138
Quote:
I have the same exact issue with my Vista Acer. I was able to de-select it from startup. I noticed the file one time when a window popped up unintended with the "button" in Chinese. The window was "Erecoveryagent", ERAgent version 1.0, copyright 2006. The window had a symbol of a hard drive and an optical disc. This led me to search for it. I found that file in an ACER backup/recovery utility. The file was at c:\acer\Empowerment Technology\eRecovery\eRAgent
The Asian file is still nowhere to be found. I also would like to know more about this and to get rid of it.



You tacked on to an old topic.

Start a new TOPIC and

Click Here to download HJTinstall.exe
• Save HJTinstall.exe to your desktop.
• Double-click the HJTinstall.exe icon on your desktop.
• Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
• Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
• Paste this into your new thread.

• DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Please note: due to forum restrictions you will have to edit out the URLs before posting.

Reply With Quote
Powered by: vBulletin Version 3.0.5
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.

© 2003-2012 by Developer Shed. All rights reserved. DS Cluster 6 - Follow our Sitemap