0

Greets!
Working with XP, SP2, connect via modem. Have Norton 2004, fully updated, Ewido, CWSweeper. Followed instructions in the sticky that heads up this forum for cleaning out my machine as best I could (removed .tmp, history, cookies, etc) in safe-mode.
Problem: I get a pop-up window asking me to "For Instant Access Please click yes" when connected to the internet for a few minutes. My current dial-up disconnects, and the virus creates a dialer that keeps trying to connect. This dialer eventually goes away, and it doesn't bother me again. Web search turned up that this was something called a DialerPlatform.
Norton initially caught the Gaobot, the ByteVerify, and the DialerPlatform. Below is a modified HJT log, cleared of all the items I know are legit, after a thorough cleaning of my system by all of the programs listed above. Of note: what is "lich.exe"?Doesn't show up anywhere except in HJT. Also note the winlogon entry...hmmm.
Please let me know if any more info is helpful. If a full HJT log is needed, I can post it.

Logfile of HijackThis v1.99.1
Scan saved at 11:19:03 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Default\My Documents\Computer Files\Virus022006\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Default\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [lich] lich.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Also: something that doesn't show up anywhere: I have a program called zdj.exe on my C: that calls itself a "loader for you" in the properties window. Suspicious, yes? Can I just delete it?

Thanks for your help.

2
Contributors
10
Replies
11
Views
11 Years
Discussion Span
Last Post by Eku
Featured Replies
  • Hi, Glad to hear that everything's working fine :) Yes, the files alcrmv.exe, alcupd.exe are "relatives" of Alcxmntr.exe. Actually, all these files are related to RealTek Audio driver. But, Alcxmntr.exe is known to be a threat, and hence should be removed. But, the other two files are not "bad"! And, … Read More

0

Hi,
Perform an online virus scan at Kaspersky Online Scanner (Click the "Kaspersky Online Scanner" button). Save the log it gives after the scan.

Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with Kaspersky log.


Note: If your PC doesnt remain online until the Kaspersky scan completes, then you can skip it.

0

And, by the way, that O20 entry is related to Intel Graphics driver and is legitimate. And, Lich.exe is a spyware, we will remove it later :)

0

Thanks, swatkat! I'm on my work computer right now, I'll do those scans this afternoon and post back.

0

OK, I have the scans.

Kaspersky gave me this (original is html, so the formatting is weird):

Tuesday, February 21, 2006 8:56:32 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 21/02/2006
Kaspersky Anti-Virus database records: 178009


Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true 

Scan Target My Computer 
A:\
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
L:\
M:\  

Scan Statistics 
Total number of scanned objects 169781 
Number of viruses found 12 
Number of infected objects 47 
Number of suspicious objects 0 
Duration of the scan process 02:49:05 

Infected Object Name Virus Name Last Action 
C:\Documents and Settings\Default\Local Settings\Temp\ajgocpmd.exe  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Documents and Settings\Default\Local Settings\Temp\kohbhpmd.exe  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\HXEHKH09\gdnUS2161[1].exe  Infected: Trojan-Downloader.Win32.Small.ayl  skipped  

C:\Documents and Settings\Parents\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-43756bb5-691be12c.class  Infected: Trojan-Downloader.Java.OpenStream.y  skipped  

C:\Documents and Settings\Parents\Local Settings\Temp\bnlncpmd.exe  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\7BU5HRZX\gdnUS2161[1].exe  Infected: Trojan-Downloader.Win32.Small.ayl  skipped  

C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\VSG8T1F2\init[1].js  Infected: Trojan-Downloader.JS.IstBar.af  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\02C26968  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\164830C8  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\1AE55FBC  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\1CAB2F40  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\1D34664E  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\1F530FB9  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2690798C/Beyond.class  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2690798C/BlackBox.class  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2690798C/VerifierBug.class  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2690798C  ZIP: infected - 3  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2690798C  CryptFF: infected - 3  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\26C16F57  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\26C41953  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\278C68EC  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\29A024A2  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2B4B3E26  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2C03656D  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2C4F452A  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2D4533C4  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\2D485DC1  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\379976E4  Infected: Trojan-Downloader.Java.OpenConnection.v  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\3A2764AE  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\3A2D7E90  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\43400266  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\4600197F  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\4835108A  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\4E0B4A63  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\51ED08F7  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\586534A7  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\5B293A28  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\660E70DE  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\675A1500  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\678C7715  Infected: Trojan.Java.ClassLoader.ak  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\681759A8  Infected: Trojan.Java.Needy.c  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\68F90B9E  Infected: Trojan.Win32.Dialer.ay  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\6F4B6083.class  Infected: Exploit.Java.ByteVerify  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\717C586A  Infected: Trojan.Java.ClassLoader.z  skipped  

C:\Program Files\Norton AntiVirus\Quarantine\7E41045D  Infected: Backdoor.Win32.Agobot.gen  skipped  

C:\WINDOWS\system32\drivers\etc\hosts.bak  Infected: Trojan.Win32.Qhost  skipped  

C:\WINDOWS\system32\lich.exe  Infected: Trojan.Win32.LowZones.dm  skipped  

Scan process completed. [/QUOTE] 

And WinPFind gave me this:
[QUOTE]WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX!                 8/22/2004 4:04:56 PM        69120      C:\WINDOWS\daemon.dll

Checking %System% folder...
aspack               3/18/2005 5:19:58 PM        2337488    C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack               5/26/2005 3:34:52 PM        2297552    C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack               7/22/2005 7:59:04 PM        2319568    C:\WINDOWS\SYSTEM32\d3dx9_27.dll
aspack               12/5/2005 6:09:18 PM        2323664    C:\WINDOWS\SYSTEM32\d3dx9_28.dll
PEC2                 8/29/2002 7:00:00 AM        41397      C:\WINDOWS\SYSTEM32\dfrg.msc
FSG!                 2/14/2006 12:41:32 PM       5692       C:\WINDOWS\SYSTEM32\lich.exe
PECompact2           2/8/2006 12:23:40 AM        4513120    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               2/8/2006 12:23:40 AM        4513120    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 2:56:36 AM         708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             8/4/2004 2:56:44 AM         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/29/2002 7:00:00 AM        1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech                8/4/2004 12:41:38 AM        1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     2/21/2006 4:58:54 PM      S 2048       C:\WINDOWS\bootstat.dat
                     2/21/2006 5:20:48 PM     H  0          C:\WINDOWS\LastGood\INF\oem84.inf
                     2/21/2006 5:20:48 PM     H  0          C:\WINDOWS\LastGood\INF\oem84.PNF
                     1/3/2006 1:17:06 PM       S 8792       C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911564.cat
                     1/4/2006 12:39:38 AM      S 11223      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911927.cat
                     1/2/2006 6:09:36 PM       S 11223      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
                     1/13/2006 2:28:32 PM      S 10925      C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
                     1/6/2006 12:22:22 PM      S 7156       C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem79.CAT
                     2/21/2006 6:00:58 PM     H  1024       C:\WINDOWS\system32\config\default.LOG
                     2/21/2006 5:11:56 PM     H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     2/21/2006 8:53:08 PM     H  1024       C:\WINDOWS\system32\config\SECURITY.LOG
                     2/21/2006 9:02:06 PM     H  1024       C:\WINDOWS\system32\config\software.LOG
                     2/21/2006 8:58:12 PM     H  1024       C:\WINDOWS\system32\config\system.LOG
                     2/17/2006 10:20:32 AM    H  1024       C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
                     2/21/2006 4:58:56 PM     H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Realtek Semiconductor Corp.    9/20/2004 3:20:44 PM        16121856   C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          8/4/2004 2:56:58 AM         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation              4/7/2003 9:14:30 AM         94208      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               11/19/2003 5:48:12 PM       61555      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
                               8/2/2005 3:35:00 PM         73728      C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Autodesk, Inc.                 2/14/2003 1:34:12 AM        205472     C:\WINDOWS\SYSTEM32\plotman.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc.           8/26/1996 2:12:00 AM    R   341504     C:\WINDOWS\SYSTEM32\QTW32.CPL
Apple Computer, Inc.           6/3/1999 7:11:20 PM         229376     C:\WINDOWS\SYSTEM32\QuickTime.cpl
Autodesk, Inc.                 2/14/2003 1:34:14 AM        205472     C:\WINDOWS\SYSTEM32\styleman.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         94208      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          8/4/2004 2:56:58 AM         148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          5/26/2005 3:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/29/2002 7:00:00 AM        28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Realtek Semiconductor Corp.    2/17/2004 5:49:14 AM        14193152   C:\WINDOWS\SYSTEM32\DRVSTORE\Alcxwdm_cfb7d3fc0ab7f7a3133a6c25509eaf3479108975\ALSNDMGR.CPL
Intel Corporation              4/7/2003 9:14:30 AM         94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp.    9/20/2004 3:20:00 PM        16121856   C:\WINDOWS\SYSTEM32\ReinstallBackups\0022\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     2/29/2004 5:15:04 PM        1835       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
                     3/14/2004 10:52:54 AM       901        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
                     10/10/2003 9:32:08 PM    HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     8/13/2005 10:39:14 PM       1567       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
                     10/10/2003 10:42:52 PM      1808       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
                     2/29/2004 5:08:02 PM        754        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     10/10/2003 2:26:14 PM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini
                     10/10/2003 11:30:42 PM      1236       C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
                     10/10/2003 9:32:08 PM    HS 84         C:\Documents and Settings\Default\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     10/10/2003 2:26:14 PM    HS 62         C:\Documents and Settings\Default\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    SV1  = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
    {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}   = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\DataVizMenu
    {1f0c0580-d3fa-11cf-92b8-0020afd3f438}   = C:\Program Files\Conversions Plus\dvzext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RhinoShExt
    {C81DCBCA-8AE2-41FC-9C39-78B160393210}   = C:\WINDOWS\system32\RhinoShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = c:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin   = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DataVizMenu
    {1f0c0580-d3fa-11cf-92b8-0020afd3f438}   = C:\Program Files\Conversions Plus\dvzext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}   = c:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA}   = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{FED7043D-346A-414D-ACD7-550D052499A7}
     = C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
    AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
    CNavExtBho Class = c:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
    Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
    hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
         =  : 
    {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}   = HP View  : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}   = Norton AntiVirus : c:\Program Files\Norton AntiVirus\NavShExt.dll
    {47833539-D0C5-4125-9FA8-0819E2EAAC93}   = Adobe PDF    : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    ButtonText   = Research : 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText   = Messenger    : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
     = 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View    : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus   : c:\Program Files\Norton AntiVirus\NavShExt.dll
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF  : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View    : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF  : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    hpsysdrv    c:\windows\system\hpsysdrv.exe
    HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
    CamMonitor  c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    HPHUPD05    c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    HPHmon05    C:\WINDOWS\System32\hphmon05.exe
    KBD C:\HP\KBD\KBD.EXE
    UpdateManager   "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    AutoTKit    C:\hp\bin\AUTOTKIT.EXE
    Recguard    C:\WINDOWS\SMINST\RECGUARD.EXE
    ccApp   "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    LTMSG   LTMSG.exe 7
    PS2 C:\WINDOWS\system32\ps2.exe
    Sunkist2k   C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    MacLicense  "C:\Program Files\Conversions Plus\MacLic.exe"
    HPDJ Taskbar Utility    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    Logitech Utility    Logi_MwX.Exe
    SunJavaUpdateSched  C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    Share-to-Web Namespace Daemon   C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
    QuickTime Task  "C:\Program Files\QuickTime\qttask.exe" -atboottime
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    nwiz    nwiz.exe /install
    NvMediaCenter   RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    AlcxMonitor ALCXMNTR.EXE
    TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    MaxtorOneTouch  C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    MXOBG   C:\Documents and Settings\Default\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
    RetroExpress    C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
    lich    lich.exe
    Symantec NetDriver Monitor  C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    RecordNow!  
    BackupNotify    c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    MSMSGS  "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Backup Scheduler.lnk
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Backup Scheduler.lnk
    backup  C:\WINDOWS\pss\Iomega Backup Scheduler.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\IOMEGA~2\dtiom98.exe  /sc
    item    Iomega Backup Scheduler
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Backup Scheduler.lnk
    backup  C:\WINDOWS\pss\Iomega Backup Scheduler.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\IOMEGA~2\dtiom98.exe  /sc
    item    Iomega Backup Scheduler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Icons.lnk.disabled
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
    backup  C:\WINDOWS\pss\Iomega Icons.lnk.disabledCommon Startup
    location    Common Startup
    command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
    item    Iomega Icons.lnk
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
    backup  C:\WINDOWS\pss\Iomega Icons.lnk.disabledCommon Startup
    location    Common Startup
    command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk.disabled
    item    Iomega Icons.lnk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Iomega Startup Options.lnk
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
    backup  C:\WINDOWS\pss\Iomega Startup Options.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\Tools\IMGSTART.EXE 
    item    Iomega Startup Options
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
    backup  C:\WINDOWS\pss\Iomega Startup Options.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\Tools\IMGSTART.EXE 
    item    Iomega Startup Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IomegaWare.lnk
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
    backup  C:\WINDOWS\pss\IomegaWare.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\IOMEGA~1\COMMAN~1.EXE  /startup
    item    IomegaWare
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IomegaWare.lnk
    backup  C:\WINDOWS\pss\IomegaWare.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\IOMEGA~1\COMMAN~1.EXE  /startup
    item    IomegaWare

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
    backup  C:\WINDOWS\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup
    location    Common Startup
    command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
    item    Quicken Scheduled Updates.lnk
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
    backup  C:\WINDOWS\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup
    location    Common Startup
    command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
    item    Quicken Scheduled Updates.lnk

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuikSync.lnk
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuikSync.lnk
    backup  C:\WINDOWS\pss\QuikSync.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\QuikSync\QUIKSYNC.EXE  NoStartUp
    item    QuikSync
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuikSync.lnk
    backup  C:\WINDOWS\pss\QuikSync.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\Iomega\QuikSync\QUIKSYNC.EXE  NoStartUp
    item    QuikSync

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup  C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
    item    Updates from HP
    path    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
    backup  C:\WINDOWS\pss\Updates from HP.lnkCommon Startup
    location    Common Startup
    command C:\PROGRA~1\UPDATE~1\137903\Program\BACKWE~1.EXE -startup
    item    Updates from HP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools-1033
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    daemon
    hkey    HKLM
    command "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    daemon
    hkey    HKLM
    command "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    mmtask
    hkey    HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    mmtask
    hkey    HKLM
    command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    realsched
    hkey    HKLM
    command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    inimapping  0
    key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item    realsched
    hkey    HKLM
    command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    inimapping  0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini  0
    win.ini 0
    bootini 2
    services    0
    startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1
    undockwithoutlogon  1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder                {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn                          {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINDOWS\system32\userinit.exe,
    Shell       = Explorer.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
     = igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
     = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
     = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2/21/2006 9:03:04 PM

Edited by diafol: fixed formatting

0

Hi,
Download KillBox, extract it to your desktop.

Download Hosts.zip file and save it in a convinient location.

Download CCleaner and install it. Run it, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\Default\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [lich] lich.exe

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Exit from HijackThis and delete these two files:-
C:\WINDOWS\system32\drivers\etc\hosts.bak
C:\WINDOWS\system32\drivers\etc\hosts

Next, extract the Hosts.zip to the same folder where the old (deleted) Hosts file was present.


Now, open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight the entry in the quote box below and then Copy it.

C:\WINDOWS\system32\lich.exe

After this, right-click inside the "Full path of file to delete" textbox in KillBox and paste the copied filename. Then click the Red X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.


After the reboot, please post a new HijackThis log.

0

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:01:46 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\My Documents\Computer Files\Virus022006\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

The behavior (the creation of the dialer, the pop-up "Instant Access" and the disconnection) seems to have gone away...so far so good!

(I assumed, by the way, that ALL of the contents of the hosts.zip file had to be extracted to the ..drivers\etc\ folder, not just the hosts file, correct? There's a .bat file, and some text files in there too.)

0

Hi,
There's only one entry to be removed now. Run HijackThis and select the below mentioned entry:-

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

And click "Fix Checked".

Next, delete this file:-
C:\WINDOWS\ALCXMNTR.EXE


And, only hosts file is important and the other files (ReadMe.txt, PrivacyPolicy.txt and mvps.bat, this batch can used to automatially copy the Hosts file to the system32\drivers\etc\ folder) are not necessary. You can delete them. By the way, is Norton detecting anything?

0

Did the HJT, did the deletion. Internet seems to be running along great. I did notice when I deleted the .exe you mentioned, there were two other files next to it with the same icon called alcrmv.exe and alcupd.exe (the icons look like blue crabs.) Was the one I deleted a spoof of these files, or are they relatives of the ALCXMNTR?

Afterward, I did a scan with Norton, and here's what he found:

2/22/2006 7:22:23 PM,Virus scanner,Dialer.DialPlatform,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: DialerSource: C:\Documents and Settings\Parents\Local Settings\Temp\bnlncpmd.exe,Description: The file C:\Documents and Settings\Parents\Local Settings\Temp\bnlncpmd.exe is a Dialer threat."
2/22/2006 7:22:23 PM,Virus scanner,Dialer.DialPlatform,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: DialerSource: C:\Documents and Settings\Parents\Local Settings\Temp\kiojppmd.exe,Description: The file C:\Documents and Settings\Parents\Local Settings\Temp\kiojppmd.exe is a Dialer threat."
2/22/2006 7:22:23 PM,Virus scanner,Adware.Istbar,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: AdwareSource: C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\VSG8T1F2\init[1].js,Description: The file C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\VSG8T1F2\init[1].js is a Adware threat."
2/22/2006 7:22:23 PM,Virus scanner,Adware.IEPlugin,Manually deleted,File,N/A,N/A,200602150006,10.0.1.13,Default,MAIN,",Threat category: AdwareSource: C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\O12VKPIR\webplugin[1].cab,Description: The file C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\O12VKPIR\webplugin[1].cab is a Adware threat."

As you can see, I deleted the four files Norton found. Then, just to be thorough, I rebooted and did a scan of just the ..\Local Settings folders for all users, and it came out clean.

I knew going into this process it wasn't going to be easy, but wow!

1

Hi,
Glad to hear that everything's working fine :) Yes, the files alcrmv.exe, alcupd.exe are "relatives" of Alcxmntr.exe. Actually, all these files are related to RealTek Audio driver. But, Alcxmntr.exe is known to be a threat, and hence should be removed. But, the other two files are not "bad"!

And, please run CCleaner after Internet browsing or before shutting down the system, because Temp folders are a favourite spot for spyware programs. CCleaner cleans up all the Temp files.

If there's no problem,shall i mark the thread as "Solved"?

Votes + Comments
Swatkat helped me in a very professional manner, and very quickly too!
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.