0

IE6 has been constantly hijacked ;
this damn site :
http://www.lookfor.cc/index.php?p=37049 , replaces the start page , obliging me to edit the register HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start page ;

It has happened almost every night since the 1st time a week ago ;

An updated Spybot search and destroy has scanned the system and some cookies have been cleared up but it has not solved the annoying problem ;

Is there something else I can do to eliminate whatever is in the system ?

I am very very fed up with that bastard www.lookfor...

Thank you so much

RW

8
Contributors
20
Replies
21
Views
13 Years
Discussion Span
Last Post by ocnative1964
0

Hi Ron Wolpa

caperjack if I may butt in and expand on your post....

Please Download hijackthis from

http://www.merijn.org/files/hijackthis.zip

Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam

0

no problem butt in any time.I was just getting them started till you came along ,I read and read about hijackthis logs and how to decifer them but can't remember what i read ,I think it's that over 50 thing .LOL

0

Hi Guys !
Following your advice I downloaded hijackthis , runned and found
a very large list of .exe files and register entries ; basic what this program does is to seek for suspicious entries that autoload when
the op. system starts up ; alright so Hijackthis supposedly found some entries on my register :

1- H_key_currentuser/software/Microsoft/internet/SearchUrl/http...
the url of a porno site ;

2-H_key_currentuser/software/Microsoft/internet/Main/ .....
search and start page , both www.lookfor....

Before to click hijackthis to do anything I opened the register and
have not found such entries in the way it stated it was ;
I had edited minutes before the start page (because it had happened again , start page was changed ) and deleted the entry H_key_currentuser/software/Microsoft/internet/Main/ search
which was pointing to the lookfor , once again ;
This hold me back in relation to hijackthis , I am not confident its
realiable , as it found items it was no longer there ;
I thank you anyway for your attetion ;
Ron Wolpa

0

This hold me back in relation to hijackthis , I am not confident it's realiable , as it found items it was no longer there.I thank you anyway for your attention.

Oh, they are still there, all right. They lurk anywhere they can -- the registry, of course, but also in the IE temp-file cache. For severe infestations, read this and follow the instructions: Microsoft's Really Hidden Files. The hijackers know this stuff, you should too.

0

Hi Ron Wolpa

If I may point out my earlier post......

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

We can then tell you what to fix

steam

0

Not only have I had problems with changing start page but with weird pop up screens coming up with ads of skunk marijuana,
bogus universities degrees , pornography , mp3 songs for free , etc , etc ...
I think for some people it would be funny to open the page of a serious company like Boeing and get a pop up ad of marijuana ;
disgusting ;
Below I paste the log of hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 02:24:56, on 30/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSINFO.EXE
C:\ARQUIVOS DE PROGRAMAS\MYVITALAGENT8\VITALAGENT\PROGRAM\VTLAGENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\ARQUIVOS DE PROGRAMAS\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
D:\!DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.theadultgate.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.........../
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Ron Wolpa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://........../
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\IEFEATSL.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\RunServices: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\ARQUIVOS DE PROGRAMAS\ICQ\ICQ.EXE -trayboot
O4 - Startup: MyVitalAgent.lnk = C:\Arquivos de programas\myvitalagent8\VitalAgent\Program\VtlAgent.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - D:\Arquivos de programas\getright502\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Arquivos de programas\getright502\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ComVC (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


I have gotten tired of removing this from register :
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.theadultgate.com/find/

and this one .....
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049

and that one as well....
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049

The most interesting one is :


F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\IEFEATSL.DLL
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL


Ive gotten at every boot an error message "svcinit.exe not found on your system" ;

IEFEATSL.DLL is on the program unistall list , it simply appeared from nowhere ;

I am feeling tempted to start the cleaning up but will wait for your advice , ;

How can IE 6 security be so frail ??? (stupid microsoft , so mighty so deceivable )

Cheers
RW

ps: Ive read Microsoft's Really Hidden Files and found it very interesting despite could not duplicate some on the tutorial ;
I think some paths have changed in the IE6 and Outlook express 6 , perhaps just question to insist a bit more and find the new
paths ;
I tried to send a message to the author suggesting an updated , but received back a daemon failure of an invalid e-mail ;

0

Hi Ron

It's no use taking out the obvious without taking out the actual hijacker that is putting it there.....this should sort you out.

Close all browser windows - run hijackthisand tick to fix :-

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.theadultgate.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.........../
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049

F1 - win.ini: run=C:\WINDOWS\svcinit.exe

O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\IEFEATSL.DLL

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
O4 - HKCU\..\RunServices: [sysinfo] C:\WINDOWS\sysinfo.exe

O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

REboot then find and delete :-

C:\WINDOWS\svcinit.exe - file
C:\WINDOWS\sysinfo.exe - file

steam

0

Hi Steam

Its done , I ran hijackthis and fixed the entries as per your advice ;
Its too early to tell if the start page and weird pop ups problem is fixed , but I suppose so ;
At least the start page dialogue box and buttons at internet options /general / start page is back to normal operation (since the 1st time IE was hijacked they were invalid )
Thank you once again for your support ;
RW

0

Hi,

I want to thank both of you for discussing this problem here, because I had the same harassment on my computer. But with the information in this thread, I managed to get rid of this this small but annoying problem.

Kind regards

Hans

Chur/Switzerland

0

Hello everyone.
I think I have spyware on my pc. my computer is always getting popups and some Windows functions do not work properly.
anyway i ran "hijackthis.exe" and got the following log.

if someone could advise me as to what to remove from this, using HijackThis.exe, then i would really appreciate it.

Logfile of HijackThis v1.97.7
Scan saved at 02:17:31, on 26/01/2004
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\wump.exe
C:\WINNT\System32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator.PC1\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Configuration Loader] wump.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wump.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

Many thanks in advance!

Adam

0

adam....

YOur post has become lost in this thread....you shold really have started your own thread....

Close all browser windows - run hijackthis and tick to fix :-

O4 - HKLM\..\Run: [Configuration Loader] wump.exe
O4 - HKLM\..\RunServices: [Configuration Loader] wump.exe

Reboot then find and delete :-

C:\WINDOWS\System32\wump.exe .... file

In case the files are hidden - How to Show Hidden/System Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

-----------------------
drummerboy......caperjack has done a good job cleaning your log.....all the malware has gone

you don't need these running at startup (using resources)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Otherwise your log's clean.

steam

0

Hi Guys,

I have a similar problem, I have been following this thread and tried to dowload from merijin.org but the moment I click on merijin.org I get the following error - The page cannot be displayed and the address bar indicates - res://mshp.dll/http_404.htm. Also the following search engines has become my home page from nowhere,, . I have come across other variants of search engines also like easyfind and finditall etc. When the above problem is encountered the IE6 shuts down and restarts. I even tried downloading the Adware and Spyware from Download.com but the moment I start to download the IE6 indicates an error and shuts down.

Can anyone help?

Sayvari

0

Hi Guys,

Thanks to the link given in this thread I was able to able to Download Hijackthis, I have saved the log which looks likes this:

Logfile of HijackThis v1.97.7
Scan saved at 5:51:57 PM, on 2/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
O1 - Hosts: 1089288654 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\IEFEATSL\MSIESH.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38009.8538194444
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Now can someone help me deciding what to delete and what not to?

Thanks,

Sayvari

0

Hi Guys,

It seems the CWShredder has done the job for the moment, I hope the system continues to remain stable.

Thanks once agaoin.

Sayvari

0

currently I am running windows XP (home edition) and I went to the windows update site and had a horrible time trying to download the patches it said I needed...

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.