0

Hello All,

I am not certain what has happened but all of a sudden, IE will not open anymore. I click on the icon and the window flashes; i.e. opens and closes very fast.

I do run Webroot Spy Sweeper and each time I attempt to open IE it pops and tells me that another application is attempting to change my home page to about:blank.

What else can I do to find out what is going on?

Thank you in advance!

Bob

0

You can try to repair Internet Explorer, but the methods for doing so depend on the particular versions of Windows and IE that you have. Useful information and suggestions can be found in the links returned by this Google search:

http://www.google.com/search?hl=en&q=%22internet+explorer%22+repair&btnG=Google+Search


As far as the possible about:blank hijack:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:

1. Create a new separate folder on your drive for HijackThis, move the program into this folder, and run it from there. (Don't run HJT from within any Temp or Temporary Internet folder, and don't run it directly from your desktop.)

2. Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser(s)! HijackThis cannot fully perform its fixes while browsers are running.

3. Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

If you have no way of downloading to the machine with the "broken" IE, download HijackThis on another computer and transfer it via floppy or CD.

0

DMR,

Thank you for your help! Here is the log file generated by HijackThis.

========================================
Logfile of HijackThis v1.99.0
Scan saved at 5:37:10 PM, on 2/1/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmBulkMailService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmDeletionService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmWorkflowService.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmSecurityService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\mshelp32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\palmOne\HOTSYNC.EXE
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\BOB~1.MIX\LOCALS~1\Temp\ins1F.tmp
D:\PROGRA~1\Netscape\Netscape\Netscp.exe
D:\Software\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Sauce Reader - {a8f0736c-0b1a-4995-b239-843cd7f5f442} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Paessler Site Inspector Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - d:\Program Files\Paessler Site Inspector\psibar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WebPageToOneNote - res:///204
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: PSI: Copy Image as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-tag.ieb
O8 - Extra context menu item: PSI: Copy Image URL - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-src.ieb
O8 - Extra context menu item: PSI: Copy Link as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-a-tag.ieb
O8 - Extra context menu item: PSI: Copy Meister - res://d:\Program Files\Paessler Site Inspector\psi.dll/copymeister.ieb
O8 - Extra context menu item: PSI: Open Frame In New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: PSI: Open Frame In This Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-this-window.ieb
O8 - Extra context menu item: PSI: Open Selected Text as URL in New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-selection.ieb
O8 - Extra context menu item: PSI: Show All Forms - res://d:\Program Files\Paessler Site Inspector\psi.dll/FormsModule.ieb
O8 - Extra context menu item: PSI: Show All Images - res://d:\Program Files\Paessler Site Inspector\psi.dll/ImagesModule.ieb
O8 - Extra context menu item: PSI: Show All Links - res://d:\Program Files\Paessler Site Inspector\psi.dll/LinksModule.ieb
O8 - Extra context menu item: PSI: Show All Scripts - res://d:\Program Files\Paessler Site Inspector\psi.dll/ScriptsModule.ieb
O8 - Extra context menu item: PSI: Show All Stylesheets - res://d:\Program Files\Paessler Site Inspector\psi.dll/StylesheetsModule.ieb
O8 - Extra context menu item: PSI: Show Complete Page Analysis - res://d:\Program Files\Paessler Site Inspector\psi.dll/element.ieb
O8 - Extra context menu item: PSI: Show Element Hilighter - res://d:\Program Files\Paessler Site Inspector\psi.dll/hilighter.ieb
O8 - Extra context menu item: PSI: Show HTTP Header - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModule.ieb
O8 - Extra context menu item: PSI: Show HTTP Header of Target - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModuleForAnchor.ieb
O8 - Extra context menu item: PSI: Show Source based on DOM - res://d:\Program Files\Paessler Site Inspector\psi.dll/DomDocumentModule.ieb
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PSI Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra 'Tools' menuitem: Paessler Site Inspector Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - D:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WebPageToOneNote - {C20822F3-54CF-4da1-87B7-174090D62D36} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNote.dll (HKCU)
O9 - Extra button: (no name) - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O9 - Extra 'Tools' menuitem: WebPageToOneNote Options - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.6.246/lib/quicksilver.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://localhost:8000/projectserver/objects/pjclient.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://localhost:8000/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sp.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = vixcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F121EC02-46EF-4D02-812B-6AD58C4EE80B}: NameServer = 127.0.0.1,66.75.160.41,66.75.160.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vixcorp.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crystal Cache Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
O23 - Service: Crystal APS - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\CrystalAPS.exe
O23 - Service: Crystal Event Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
O23 - Service: Crystal Input File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
O23 - Service: Crystal Output File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
O23 - Service: Crystal Report Job Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Crystal Page Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
O23 - Service: Project Server Connector Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\CNCTSVC.EXE
O23 - Service: Project Server Scheduled Process Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Crystal Web Component Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
=============================================


Bob

0

run adaware and winsock fix in my signature

To add to/expand on that advice, please do the following:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below)

1. Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

2. Close ALL windows except Ad-Aware SE

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include additional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose: 'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found


* Run SpyBot.

When you first run SpyBot, it will walk you through a Wizard which will perform a few critical functions (making a registry backup, getting the latest updates, etc.).

1. Perform all of the Wizard's tasks.
2. Run the program. Once it completes, have it fix everything it finds.
3. Reboot.


C) Boot into Safe Mode (do this by hitting the F8 key as the computer is booting) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete everything inside the following folders (don't delete the folders themselves though):

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

(If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.)

- Empty your Recycle Bin.

- Reboot normally.


D) Run HijackThis again and post a fresh log.
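
Comparing the scan taken before cleanup with the fresh log requested in step D, as an added example that is not part of the original post: a small Python parser for the HijackThis log layout shown in this thread. It lists what disappeared between two scans and which entries HijackThis itself marked "(no file)" or "(file missing)". The sample input is a short excerpt constructed from the two logs on this page, and the function names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code detail")

# Section lines look like "O4 - HKLM\..\Run: [name] path":
# a letter, a number, " - ", then the detail text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Markers HijackThis appends when the referenced file is absent
# (both occur in the logs posted in this thread).
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed sample: a few lines taken from the 2/1/2005 log on this page.
BEFORE = r"""
========================================
Logfile of HijackThis v1.99.0
Scan saved at 5:37:10 PM, on 2/1/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\BOB~1.MIX\LOCALS~1\Temp\ins1F.tmp
D:\Software\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Sauce Reader - {a8f0736c-0b1a-4995-b239-843cd7f5f442} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
"""

# Constructed sample: the matching lines from the 2/4/2005 log on this page.
AFTER = r"""
Logfile of HijackThis v1.99.0
Scan saved at 9:36:44 AM, on 2/4/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
D:\Software\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Sauce Reader - {a8f0736c-0b1a-4995-b239-843cd7f5f442} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""


def parse_log(text):
    """Split a pasted HijackThis log into header fields, processes and entries."""
    log = {"header": {}, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if set(line) == {"="}:
            continue                  # "=====" rulers added when pasting
        match = ENTRY_RE.match(line)
        if match:
            log["entries"].append(Entry(*match.groups()))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log["processes"].append(line)
        elif line.startswith("Scan saved at "):
            log["header"]["scan_saved"] = line[len("Scan saved at "):]
        elif ": " in line:
            key, _, value = line.partition(": ")
            log["header"][key] = value
    return log


def _norm(item):
    # Windows paths are case-insensitive: the two scans list
    # "explorer.exe" and "Explorer.EXE" for the same process.
    text = item if isinstance(item, str) else f"{item.code} - {item.detail}"
    return text.casefold()


def diff_logs(before, after):
    """Return processes/entries present in only one of two parsed logs.
    Repeated lines (e.g. several svchost.exe) are compared once."""
    result = {}
    for field in ("processes", "entries"):
        old = {_norm(i): i for i in before[field]}
        new = {_norm(i): i for i in after[field]}
        result[field] = {
            "removed": [old[k] for k in old if k not in new],
            "added": [new[k] for k in new if k not in old],
        }
    return result


def orphaned(log):
    """Entries whose target file HijackThis reported as absent."""
    return [e for e in log["entries"] if e.detail.endswith(ORPHAN_MARKERS)]


if __name__ == "__main__":
    first, second = parse_log(BEFORE), parse_log(AFTER)
    for field, change in diff_logs(first, second).items():
        print(field, "removed:", change["removed"], "added:", change["added"])
    print("still orphaned:", orphaned(second))
```

A difference between scans only shows what changed; whether a remaining entry is wanted still has to be judged line by line.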

0

Okay, I have done exactly as the directions posted. Here is the new copy of the HijackThis Log File. Thank you again for all of your help! :)

Does this log file show you anything?


Logfile of HijackThis v1.99.0
Scan saved at 9:36:44 AM, on 2/4/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmBulkMailService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmDeletionService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmWorkflowService.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\mshelp32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Netscape\Netscape\Netscp.exe
D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\palmOne\HOTSYNC.EXE
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cmd.exe
D:\Software\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Sauce Reader - {a8f0736c-0b1a-4995-b239-843cd7f5f442} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Paessler Site Inspector Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - d:\Program Files\Paessler Site Inspector\psibar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WebPageToOneNote - res:///204
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: PSI: Copy Image as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-tag.ieb
O8 - Extra context menu item: PSI: Copy Image URL - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-src.ieb
O8 - Extra context menu item: PSI: Copy Link as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-a-tag.ieb
O8 - Extra context menu item: PSI: Copy Meister - res://d:\Program Files\Paessler Site Inspector\psi.dll/copymeister.ieb
O8 - Extra context menu item: PSI: Open Frame In New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: PSI: Open Frame In This Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-this-window.ieb
O8 - Extra context menu item: PSI: Open Selected Text as URL in New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-selection.ieb
O8 - Extra context menu item: PSI: Show All Forms - res://d:\Program Files\Paessler Site Inspector\psi.dll/FormsModule.ieb
O8 - Extra context menu item: PSI: Show All Images - res://d:\Program Files\Paessler Site Inspector\psi.dll/ImagesModule.ieb
O8 - Extra context menu item: PSI: Show All Links - res://d:\Program Files\Paessler Site Inspector\psi.dll/LinksModule.ieb
O8 - Extra context menu item: PSI: Show All Scripts - res://d:\Program Files\Paessler Site Inspector\psi.dll/ScriptsModule.ieb
O8 - Extra context menu item: PSI: Show All Stylesheets - res://d:\Program Files\Paessler Site Inspector\psi.dll/StylesheetsModule.ieb
O8 - Extra context menu item: PSI: Show Complete Page Analysis - res://d:\Program Files\Paessler Site Inspector\psi.dll/element.ieb
O8 - Extra context menu item: PSI: Show Element Hilighter - res://d:\Program Files\Paessler Site Inspector\psi.dll/hilighter.ieb
O8 - Extra context menu item: PSI: Show HTTP Header - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModule.ieb
O8 - Extra context menu item: PSI: Show HTTP Header of Target - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModuleForAnchor.ieb
O8 - Extra context menu item: PSI: Show Source based on DOM - res://d:\Program Files\Paessler Site Inspector\psi.dll/DomDocumentModule.ieb
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PSI Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra 'Tools' menuitem: Paessler Site Inspector Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - D:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WebPageToOneNote - {C20822F3-54CF-4da1-87B7-174090D62D36} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNote.dll (HKCU)
O9 - Extra button: (no name) - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O9 - Extra 'Tools' menuitem: WebPageToOneNote Options - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.6.246/lib/quicksilver.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://localhost:8000/projectserver/objects/pjclient.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://localhost:8000/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sp.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = vixcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F121EC02-46EF-4D02-812B-6AD58C4EE80B}: NameServer = 127.0.0.1,66.75.160.41,66.75.160.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vixcorp.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crystal Cache Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
O23 - Service: Crystal APS - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\CrystalAPS.exe
O23 - Service: Crystal Event Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
O23 - Service: Crystal Input File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
O23 - Service: Crystal Output File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
O23 - Service: Crystal Report Job Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Crystal Page Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
O23 - Service: Project Server Connector Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\CNCTSVC.EXE
O23 - Service: Project Server Scheduled Process Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Crystal Web Component Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe

0

1. Make sure all instances of your web browser(s) are closed before having HJT fix anything! This log entry indicates that you had Netscape running when you did your last scan:

" D:\Program Files\Netscape\Netscape\Netscp.exe"


2. Run HJT and have it fix:

O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe


3. Reboot into safe mode. Find and delete:

C:\WINDOWS\system32\javafix3.dll <-- HJT may have already deleted this one
C:\WINDOWS\system32\mshelp32.exe
c:\windows\jjfixer.exe


4. Empty your recycle bin and reboot normally.


5. Post a fresh log, and tell us if you are still experiencing symptoms of infection.

0

I did have Netscape shut down. I believe it may have been running in the system tray. This time I made sure it was completely shut down. I did as you directed and IE still opens and closes right away. I really do appreciate all of your help on this! :)

Here is the latest log file:


Logfile of HijackThis v1.99.0
Scan saved at 3:25:49 PM, on 2/4/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmBulkMailService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmDeletionService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmWorkflowService.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
C:\WINDOWS\System32\svchost.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\mshelp32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\palmOne\HOTSYNC.EXE
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cmd.exe
D:\Software\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Sauce Reader - {a8f0736c-0b1a-4995-b239-843cd7f5f442} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Paessler Site Inspector Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - d:\Program Files\Paessler Site Inspector\psibar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WebPageToOneNote - res:///204
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: PSI: Copy Image as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-tag.ieb
O8 - Extra context menu item: PSI: Copy Image URL - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-src.ieb
O8 - Extra context menu item: PSI: Copy Link as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-a-tag.ieb
O8 - Extra context menu item: PSI: Copy Meister - res://d:\Program Files\Paessler Site Inspector\psi.dll/copymeister.ieb
O8 - Extra context menu item: PSI: Open Frame In New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: PSI: Open Frame In This Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-this-window.ieb
O8 - Extra context menu item: PSI: Open Selected Text as URL in New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-selection.ieb
O8 - Extra context menu item: PSI: Show All Forms - res://d:\Program Files\Paessler Site Inspector\psi.dll/FormsModule.ieb
O8 - Extra context menu item: PSI: Show All Images - res://d:\Program Files\Paessler Site Inspector\psi.dll/ImagesModule.ieb
O8 - Extra context menu item: PSI: Show All Links - res://d:\Program Files\Paessler Site Inspector\psi.dll/LinksModule.ieb
O8 - Extra context menu item: PSI: Show All Scripts - res://d:\Program Files\Paessler Site Inspector\psi.dll/ScriptsModule.ieb
O8 - Extra context menu item: PSI: Show All Stylesheets - res://d:\Program Files\Paessler Site Inspector\psi.dll/StylesheetsModule.ieb
O8 - Extra context menu item: PSI: Show Complete Page Analysis - res://d:\Program Files\Paessler Site Inspector\psi.dll/element.ieb
O8 - Extra context menu item: PSI: Show Element Hilighter - res://d:\Program Files\Paessler Site Inspector\psi.dll/hilighter.ieb
O8 - Extra context menu item: PSI: Show HTTP Header - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModule.ieb
O8 - Extra context menu item: PSI: Show HTTP Header of Target - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModuleForAnchor.ieb
O8 - Extra context menu item: PSI: Show Source based on DOM - res://d:\Program Files\Paessler Site Inspector\psi.dll/DomDocumentModule.ieb
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PSI Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra 'Tools' menuitem: Paessler Site Inspector Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WebPageToOneNote - {C20822F3-54CF-4da1-87B7-174090D62D36} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNote.dll (HKCU)
O9 - Extra button: (no name) - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O9 - Extra 'Tools' menuitem: WebPageToOneNote Options - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.6.246/lib/quicksilver.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://localhost:8000/projectserver/objects/pjclient.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://localhost:8000/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sp.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = vixcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F121EC02-46EF-4D02-812B-6AD58C4EE80B}: NameServer = 127.0.0.1,66.75.160.41,66.75.160.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vixcorp.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crystal Cache Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
O23 - Service: Crystal APS - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\CrystalAPS.exe
O23 - Service: Crystal Event Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
O23 - Service: Crystal Input File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
O23 - Service: Crystal Output File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
O23 - Service: Crystal Report Job Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Crystal Page Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
O23 - Service: Project Server Connector Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\CNCTSVC.EXE
O23 - Service: Project Server Scheduled Process Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Crystal Web Component Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe

0

These entries are still present in your latest log:

O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe

Did you fully follow my previous instructions for deleting them? If not, please do that now. If you did do that, and the files appeared to be deleted but reappeared in your HJT log after doing so, please tell us if that was the case.
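
The check made in the reply above (are the entries that were marked for fixing still in the fresh log?) can be scripted. The following is an added example, not part of the original thread and not HijackThis code: the function names are hypothetical, and the two log excerpts are constructed from lines of the 2/4 and 2/5 logs posted on this page. It also reports any targeted file that is still in the "Running processes" list.

```python
import re

# HijackThis entry lines start with a section code such as O2, O4, N3 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# First drive-letter path ending in .exe or .dll inside an entry's detail text.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)


def normalize(text):
    """Windows paths and value names are case-insensitive; collapse whitespace too."""
    return " ".join(text.lower().split())


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def persisting(fix_list, fresh_log):
    """Return (entries still listed, targeted files still running) for a fresh log."""
    processes, entries = parse_log(fresh_log)
    present = {(code, normalize(detail)) for code, detail in entries}
    running = {normalize(p) for p in processes}
    still_listed, still_running = [], []
    for item in fix_list:
        match = ENTRY_RE.match(item.strip())
        if not match:
            continue  # not a HijackThis entry line
        code, detail = match.groups()
        if (code, normalize(detail)) in present:
            still_listed.append(item.strip())
        path = PATH_RE.search(detail)
        if path and normalize(path.group(0)) in running:
            still_running.append(path.group(0))
    return still_listed, still_running


# The three entries the helper asked to have fixed (copied from the thread).
FIX_LIST = [
    r"O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll",
    r"O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe",
    r"O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe",
]

# Constructed excerpt of the 2/4/2005 log (most lines omitted).
LOG_FEB4 = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mshelp32.exe
D:\Software\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
"""

# Constructed excerpt of the 2/5/2005 log (most lines omitted).
LOG_FEB5 = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Software\HijackThis\HijackThis.exe

O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for label, log in (("2/4", LOG_FEB4), ("2/5", LOG_FEB5)):
        listed, running = persisting(FIX_LIST, log)
        print(label, "still listed:", len(listed), "still running:", running)
```
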

0

DMR,

I see where you are going with this now, HijackThis is a very cool utility. I did follow your previous instructions exactly and the files listed seem to be gone from the log now; I have posted a fresh copy below! Unfortunately, I still have the same problems. Meaning, Explorer opens and closes very fast. And, when SpySweeper is running, it detects another application attempting to change the home page to about:blank.

Is this a trial and error process where we continue to work our way through startup programs and processes to eventually locate the threat?


=============================================
Logfile of HijackThis v1.99.0
Scan saved at 7:50:14 AM, on 2/5/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmBulkMailService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmDeletionService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmWorkflowService.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\palmOne\HOTSYNC.EXE
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\cmd.exe
D:\Software\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Sauce Reader - {a8f0736c-0b1a-4995-b239-843cd7f5f442} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Paessler Site Inspector Toolbar - {38D2A281-0444-433C-9ED6-A2851795F32A} - d:\Program Files\Paessler Site Inspector\psibar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] D:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WebPageToOneNote - res:///204
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: PSI: Copy Image as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-tag.ieb
O8 - Extra context menu item: PSI: Copy Image URL - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-img-src.ieb
O8 - Extra context menu item: PSI: Copy Link as HTML Tag - res://d:\Program Files\Paessler Site Inspector\psi.dll/copy-a-tag.ieb
O8 - Extra context menu item: PSI: Copy Meister - res://d:\Program Files\Paessler Site Inspector\psi.dll/copymeister.ieb
O8 - Extra context menu item: PSI: Open Frame In New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-new-window.ieb
O8 - Extra context menu item: PSI: Open Frame In This Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-frame-in-this-window.ieb
O8 - Extra context menu item: PSI: Open Selected Text as URL in New Window - res://d:\Program Files\Paessler Site Inspector\psi.dll/open-selection.ieb
O8 - Extra context menu item: PSI: Show All Forms - res://d:\Program Files\Paessler Site Inspector\psi.dll/FormsModule.ieb
O8 - Extra context menu item: PSI: Show All Images - res://d:\Program Files\Paessler Site Inspector\psi.dll/ImagesModule.ieb
O8 - Extra context menu item: PSI: Show All Links - res://d:\Program Files\Paessler Site Inspector\psi.dll/LinksModule.ieb
O8 - Extra context menu item: PSI: Show All Scripts - res://d:\Program Files\Paessler Site Inspector\psi.dll/ScriptsModule.ieb
O8 - Extra context menu item: PSI: Show All Stylesheets - res://d:\Program Files\Paessler Site Inspector\psi.dll/StylesheetsModule.ieb
O8 - Extra context menu item: PSI: Show Complete Page Analysis - res://d:\Program Files\Paessler Site Inspector\psi.dll/element.ieb
O8 - Extra context menu item: PSI: Show Element Hilighter - res://d:\Program Files\Paessler Site Inspector\psi.dll/hilighter.ieb
O8 - Extra context menu item: PSI: Show HTTP Header - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModule.ieb
O8 - Extra context menu item: PSI: Show HTTP Header of Target - res://d:\Program Files\Paessler Site Inspector\psi.dll/HttpDocumentModuleForAnchor.ieb
O8 - Extra context menu item: PSI: Show Source based on DOM - res://d:\Program Files\Paessler Site Inspector\psi.dll/DomDocumentModule.ieb
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PSI Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra 'Tools' menuitem: Paessler Site Inspector Toolbar - {9BE4715D-8249-4f24-9ED6-3F3543A5A221} - d:\Program Files\Paessler Site Inspector\psibar.dll
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WebPageToOneNote - {C20822F3-54CF-4da1-87B7-174090D62D36} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNote.dll (HKCU)
O9 - Extra button: (no name) - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O9 - Extra 'Tools' menuitem: WebPageToOneNote Options - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (HKCU)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.6.246/lib/quicksilver.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://localhost:8000/projectserver/objects/pjclient.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://localhost:8000/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://sp.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = vixcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F121EC02-46EF-4D02-812B-6AD58C4EE80B}: NameServer = 127.0.0.1,66.75.160.41,66.75.160.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vixcorp.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crystal Cache Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
O23 - Service: Crystal APS - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\CrystalAPS.exe
O23 - Service: Crystal Event Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
O23 - Service: Crystal Input File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
O23 - Service: Crystal Output File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
O23 - Service: Crystal Report Job Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Crystal Page Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
O23 - Service: Project Server Connector Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\CNCTSVC.EXE
O23 - Service: Project Server Scheduled Process Service - Unknown - C:\Program Files\Microsoft Office Project Server 2003\BIN\PJSCHSVC.EXE
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Crystal Web Component Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe

====================================================

Thank you again for all the help!

Bob

0

Unfortunately, I still have the same problems. Meaning, Explorer opens and closes very fast. And, when SpySweeper is running, it detects another application attempting to change the home page to about:blank.

Is this a trial and error process where we continue to work our way through startup programs and processes to eventually locate the threat?

I think it may be heading that way, unfortunately.

Hmm, HijackThis can usually determine the version of Windows you're running, but your particular log reports the following instead:

"Platform: Unknown Windows (WinNT 5.02.3790)"

What exact version of Windows are you using?

0

This is a 2003 Server. I use this machine for software development.

0

All -- More Updates! :)

Ad-Aware still reports a DSO exploit. I fix the problem, reboot into safe mode, delete files, empty the recycle bin, etc (per your instructions) and it continues to return.

Spybot - S&D currently reports no problems.

XoftSpy reports CWS Combo trojan issue. I ran crap cleaner and cwshredder. CW Shredder reported there was no variant of a CWS trojan found.

I removed a lot of startup processes to trim down the log file generated by HijackThis. Here is the latest version.


Logfile of HijackThis v1.99.0
Scan saved at 8:34:18 AM, on 2/6/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmBulkMailService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmDeletionService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmWorkflowService.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
D:\Software\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &WebPageToOneNote - res:///204
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WebPageToOneNote - {C20822F3-54CF-4da1-87B7-174090D62D36} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNote.dll (file missing) (HKCU)
O9 - Extra button: (no name) - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WebPageToOneNote Options - {DD6E38FD-66DC-4657-8FC7-9DCBED68D2B2} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNoteOptions.dll (file missing) (HKCU)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.6.246/lib/quicksilver.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://localhost:8000/projectserver/objects/pjclient.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://localhost:8000/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = vixcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F121EC02-46EF-4D02-812B-6AD58C4EE80B}: NameServer = 127.0.0.1,66.75.160.41,66.75.160.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vixcorp.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crystal Cache Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
O23 - Service: Crystal APS - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\CrystalAPS.exe
O23 - Service: Crystal Event Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
O23 - Service: Crystal Input File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
O23 - Service: Crystal Output File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
O23 - Service: Crystal Report Job Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Crystal Page Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Crystal Web Component Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe

0

Oops, sorry for the double post; I didn't realize there were multiple pages!

Bob

0

Arg, this is frustrating. I hesitate to continue purchasing various spyware removal tools if they are not going to work. But I also feel stuck, nothing seems to be working here.

The problem seems to be a variant of the CWS trojan but I am not 100% certain of that!

0

Spyware Blaster reports the CWS Aboutblank trojan.

It looks as though it is a variant of the CWS trojan. I wish I could find something to remove it without having to spend more money.

I have purchased Spy Sweeper, Norton, McAfee...

0

1. Your latest HijackThis log no longer shows indications of infections; but a clean HJT log doesn't necessarily mean a clean system.


2. A description of the Aboutblank CWS hijacker variant, as well as manual removal instructions for it, can be found here: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453082839

However, as fully-patched versions of Windows/Internet Explorer are reportedly immune to the infection, you should go to the Windows Update page on Microsoft's site and download the most current critical fixes for your system before attempting a manual fix which involves mucking around in the Registry.

Again, your log shows no indication of this, but there are new CWS-based, about:blank-related infections which CWShredder cannot fix. If you want, you can see if these two additional utilities find/fix anything (it won't hurt to try):

about:Buster: http://www.majorgeeks.com/download4289.html
HSRemove: http://www.majorgeeks.com/download4286.html


3. You can protect against DSO (and other) exploits by tightening up some of the default security-oriented settings in your Internet Options control panel; instructions can be found here:
https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm#security


4. I deleted your duplicate post for you, but FYI: you can modify your own posts if you need to- just click on the "Edit" button in the lower right-hand corner of a post and a window will open in which you can delete or edit the post.

0

Which version of the shredder do you have? Try the latest if you do not have it.

Download CWShredder 2 from here. Run it and press *fix*, not scan, and allow it to clean the infection. Close all browser and Explorer windows before hitting the fix button.

AFAIK, Spywareblaster does not give any warnings regarding malware on your PC.

0

Here is where I stand today:

It looks as though any other issues that did exist on my system are gone except some variant of CWS. I am currently assuming it is a variant of CWS because some spyware tools do find it and others do not. I do still have the same symptoms with explorer. Meaning, IE and Windows File Explorer do not open. Anytime I attempt to open IE, I get messages from various spyware tools that indicate the home page is being automatically changed to about:blank.

I seem to have tried most everything here: (the latest are)

about:Buster failed to remove Cool Web Search and reported that it did not find any issues with my system.

SpySubtract reports there are variants of CWS on my system.

I am certainly open to continue working on this. I would hate to have to format and reinstall my OS. Any other suggestions?

Again, thank you in advance for all of your help!

Bob

0

...you should go to the Windows Update page on Microsoft's site and download the most current critical fixes for your system...

I was just going to recommend that! :) Have you done this yet?

Also, have you run CWShredder 2 yet?

After you've done those two things, scan with HJT and post a new log please.

Oh, by the way, what version of Xoftspy do you have? Versions prior to 4.0 give false positives in order to get you to buy it.

0

Unfortunately, I cannot run Windows Update; it requires Internet Explorer which is where I am having all of my problems.

I have run CWShredder 2, it reports that there are no threats on my system at all.

I am using the latest version of XoftSpy (v4.09). It reports 'Trojan/CWS Combo' threat. I have hesitated to purchase this tool until I am certain what issues my system really has and confident it will resolve them.

Just an FYI; this is a development workstation. I am running Windows Server 2003 Standard Edition. I develop software for Microsoft CRM, SharePoint and Project Server; this is why I have a server OS installed. The server OS may be at the root of why some of these tools cannot solve the problems.

Also, I am not opposed to purchasing tools that facilitate resolving the problem. What bothers me is, I have spent over $300 on various tools and still have not resolved anything.

I will post a new HJT log next.

0

Logfile of HijackThis v1.99.0
Scan saved at 6:23:40 PM, on 2/8/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmBulkMailService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmDeletionService.exe
C:\Program Files\Microsoft CRM\Server\bin\CrmWorkflowService.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
C:\WINDOWS\System32\svchost.exe
d:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Spyware Nuker 2004\swn2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\interMute\SpySubtract\SpySub.exe
D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
D:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\cmd.exe
D:\Software\HijackThis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://d%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\bob.mixon\Application Data\Mozilla\Profiles\default\lqlqy86o.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: AntiSpyware Class - {C6176B04-8896-4446-9939-E00EE94C420F} - C:\WINDOWS\system32\ash.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Spyware Nuker] d:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwha.ops.placeware.com/etc/place/HOTEL/SCHpws-a2/5.1.6.246/lib/quicksilver.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://localhost:8000/projectserver/objects/pjclient.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://localhost:8000/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = vixcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F121EC02-46EF-4D02-812B-6AD58C4EE80B}: NameServer = 127.0.0.1,66.75.160.41,66.75.160.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vixcorp.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vixcorp.net
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crystal Cache Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\cacheserver.exe
O23 - Service: Crystal APS - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\CrystalAPS.exe
O23 - Service: Crystal Event Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\EventServer.exe
O23 - Service: Crystal Input File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\inputfileserver.exe
O23 - Service: Crystal Output File Repository Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\outputfileserver.exe
O23 - Service: Crystal Report Job Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\JobServer.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Crystal Page Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\pageserver.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Crystal Web Component Server - Crystal Decisions - C:\Program Files\Microsoft CRM\Crystal Decisions\Enterprise 9\win32_x86\WebCompServer.exe
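
As an added example (not part of any post in this thread, and not HijackThis's own code): when several logs are posted during a cleanup, diffing them shows what changed between scans. The sketch below parses the HijackThis v1.99.0 text format seen above and compares two logs; the sample logs are shortened excerpts constructed from the 2/6/2005 and 2/8/2005 logs, and all function names are hypothetical.

```python
import re

# A HijackThis entry line is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
# The code is a section letter (R, F, N or O) followed by one or two digits.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
HEADER_PREFIXES = ("Logfile of ", "Scan saved at ", "Platform: ", "MSIE: ")


def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    log = {"header": {}, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            log["entries"].append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log["processes"].append(line)
        else:
            for prefix in HEADER_PREFIXES:
                if line.startswith(prefix):
                    log["header"][prefix.strip(" :")] = line[len(prefix):]
    return log


def _fold(item):
    # Windows paths and registry names are case-insensitive: fold before comparing.
    if isinstance(item, str):
        return item.casefold()
    return tuple(part.casefold() for part in item)


def _only_in_second(first, second):
    """Items of `second` absent from `first`, in order, without duplicates."""
    seen = {_fold(item) for item in first}
    result = []
    for item in second:
        if _fold(item) not in seen:
            seen.add(_fold(item))
            result.append(item)
    return result


def diff_logs(old, new):
    """Return what was added or removed between two parsed logs."""
    return {
        "added_entries": _only_in_second(old["entries"], new["entries"]),
        "removed_entries": _only_in_second(new["entries"], old["entries"]),
        "added_processes": _only_in_second(old["processes"], new["processes"]),
        "removed_processes": _only_in_second(new["processes"], old["processes"]),
    }


def missing_file_entries(log):
    """Entries whose target HijackThis marked as '(file missing)'."""
    return [(code, detail) for code, detail in log["entries"] if "(file missing)" in detail]


# Constructed sample input: shortened excerpts of the two logs posted above.
OLD_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 8:34:18 AM, on 2/6/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
D:\Software\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: WebPageToOneNote - {C20822F3-54CF-4da1-87B7-174090D62D36} - C:\Program Files\WebPageToOneNote PowerToy\WebPageToOneNote.dll (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 6:23:40 PM, on 2/8/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Spyware Nuker 2004\swn2.exe
D:\Software\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Spyware Nuker] d:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = D:\Program Files\interMute\SpySubtract\SpySub.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vixcorp.net
"""

if __name__ == "__main__":
    changes = diff_logs(parse_hjt_log(OLD_LOG), parse_hjt_log(NEW_LOG))
    for kind, items in changes.items():
        print(kind)
        for item in items:
            print("   ", item)
```

A diff only shows what the two scans list differently; it does not by itself say whether an added or removed item is malicious.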
