hijacking program removal Results

Page 1 of 2.
Results 1...20 of 32

Sponsored Links:

I believe a hijacking program infected my computer. I understand that reformatting my fixed disk will not absolutely remove the hijacking program, because the program can hide itself in a

I'm sorry for the tone of this e-mail, I cannot take this anymore. I have some sort of virus/intrusion on my machine that WILL NOT allow me to click on a Google search result without re-routing me to an irrelevant result. This is outrageous. I have used SIX different virus/malware programs for purposes of removal and scanned the directory for unusual entires (using HijackThis) but to no avail. I even clean installed Windows 7 (on an ASUS notebook), and on the FIRST search I did, the browser (I tried both IE8 and Firefox) redirected me to an ad site from which I hence cannot escape (once I clicked on the desired result). I cannot find anything, ANYTHING that will remedy this problem. Any help you can provide would be appreciated.

Thank you for your time,
Bradly Alicea

I have been having alot of problems with my computer being
infected with spyware, adware, hijackers, cookies, etc. I
think I have removed alot or most - I think - and another
anti-virus, Norton's. I have also had messages reading
memory leaks are in some of my software programs. Both of
these problems have brought up different programs that
could fix it or scan it or something. I think I definately
had bugs but I don't know how many. I need alot of help
getting into my computer to see exactly what is going on,
from every angle, and fix it. I am getting extremely
confussed and ****ed off - to be exact!! HELP ME PLEASE!

Stop popup windows and remove adware / spyware.

SCAN YOUR PC FOR FREE: http://noadwares.1found.com

This IS an exception of your rule. It is free with no catch.

You mix two programs http://noadwares.1found.com to clear adware and
spyware; and http://stoppopupwindow.1found.com to stop those annoying
popup windows.

http://noadwares.1found.com IS a full
system scan, totally safe and 100% free, just click and view the
results. This can tell you if your computer is infected with HIDDEN

Using the popup killer or popup nuker you can stop popup windows even
BEFORE they have opened. Don't continue to put up with annoying popup
ads, THE INTERNET WAS NOT MADE FOR POPUP ADS. Do something about it.

Files usually affected
stcloader.exe, bho.dll, bho001.dll, rsp.dll, rsp001.dll,
install all.dll, update com.dll, winstart.exe,
winstart001.exe, Loader.exe, IE ClrSch.DLL,
Install All.dll, Update Hosts.DLL, Update BHO.DLL,
Update RSP.DLL, Update RemoveOld.DLL, rules.dat,
ClrSchP012.exe, ClrSchP013.exe, ClrSchP014.exe,
ClrSchP015.exe, ClrSchP012.dll, ClrSchP013.dll,
ClrSchP014.dll, ClrSchP015.dll, ClrSchP041.dll

Bazooka Adware and Spyware Scanner detects IGetNet.
Bazooka is freeware and detects spyware, adware,
foistware, trojan horses, viruses, worms, etc. Read more

Programs: Stripping Adware/Spyware from PC Can Be Tricky
By Gene Emery

One of the biggest challenges a computer owner can face is getting rid
adware or spyware, programs that can sneak onto your PC when you agree
download free utility software from the Web.
In addition to monitoring your activity on the Internet, adware and
can lock you into an unwanted home page and swamp you with pop-up

Removal can be difficult because the designers of such programs often
try to
keep them out of sight on your PC.

Most don't show up on the "Add/Remove Programs" list in the Windows
panel. They seldom offer an "Uninstall" option in the Windows
list; in fact, they're seldom listed at all.

Even when you identify them, some adware programs can't be removed
because they are tied to other unrelated utility programs you may have

If you're a do-it-yourselfer, there are ways to get rid of the
programs. The
first step: Go to sites such as http://noadwares.1found.com or
and run a free scan of your computer. They list any adware/spyware
they see,
but they do not tell you how to remove it.

The site http://noadwares.1found.com , has been very aggressive in
taking on adware
and spyware. And, although it identifies fewer programs than
PestPatrol and
WebRoot, it does a much better job of explaining how to clean your

Another way of removing adware is to find its Web site, a plan that
can be
easy if your home page has been hijacked. Some of those sites offer an
"Uninstall" program for their software, though it may be a challenge
to find
it. Look for an FAQ (frequently asked questions) link.

Unfortunately, such uninstall programs don't always undo all the
made to your PC. An adware program called i-lookup had a downloadable
program to uninstall its software, but the i-lookup-sponsored Web
listed in the "Favorites" section of Internet Explorer remained. I had
to cl
ick on "Organize Favorites" and manually delete them.

A better bet for scouring your hard disk clean may be independent
The ones I found worked pretty well from all sorts of places (like the
Windows registry).

The best bargain was "Ad-aware," popular with many readers, as I
from the e-mail I got after last week's column.

"Ad-aware 6.0," available to home users for free from
http://noadwares.1found.com , is easy to use. It lets you sort
programs and
files by type or adware company, so you can see the program it is
to delete. It eliminated annoyances such as a toolbar cluttering up
Explorer that kept returning even after I told Explorer not to display

"Ad-aware" tracked down traces of adware I thought I had removed, and
eliminated two viruses that had gotten on the PC because the owner had
kept his virus checker up to date.

However, "Ad-aware" does not automatically watch for adware unless you
$27 for an upgrade. You must run it regularly and check for updates.

Several readers said they run "Spybot-Search & Destroy," available for
at http://noadwares.1found.com .

I have less confidence in "Spy Sweeper" from
http://noadwares.1found.com , which you
can try for free or buy for $30. It's easy to use and updates
but offers few details about the adware it finds.

During the cleaning process, "Spy Sweeper" told me I was running other
programs I needed to close, but didn't say which ones or how to go
about it.
It also said I had Internet Explorer running when I didn't (at least
as far
as I could tell). Such statements don't inspire confidence.

When I asked "Pest Patrol" to clean up a PC whose owner had already
eliminated or disabled some of the unwanted programs, it found plenty
adware-associated remnants. But it got hung up in the decontamination
process. Fortunately, the program displayed the folder that seemed to
causing problems. Because the folder was named Claria, after the
company, I quit out of "Pest Patrol," opened Windows Explorer, and
sent the
whole Claria folder to the Recycle Bin.

When I reran "Pest Control," it cleaned everything else out smoothly.
can try "Pest Patrol" for free. The full version, with a year of
updates, is
$40. The license costs $20 a year.

If you're bothered by adware, but you want to keep using the "free"
that come with it, "StopZilla," available from StopZilla.com, may be
worth a
look. It doesn't try to remove the adware and spyware, but claims to
suppress it, by eliminating most of the pop-up windows while letting
"free" programs run freely. It costs $20 per year.

Personally, I'd rather just get rid of it all. Then I would use
www.PanicWare.com 's free "Pop-Up Stopper" program, or something
to block most pop-up windows.

A final word: Make it a habit to click "No" whenever a Web site tries
to get
you to download a "free" program.

* Gene Emery is a columnist who covers science and technology. His
address is GEmery(at)


Les mthodes d'espionnage
-Les Adware
-Les Bho Browser Helper
-Les Cookies
-Les Dialer
-Les Error Reporting Tool
-Les Guid identificateur
-Les Hijack Hijacker Hijacking
-Les KeyLogger
-Les Nsa Trapdoor
-Les PopUp - fentres pop up
-Les Prfixes d'url
-Les Script
-Les Spyware
--Directive Europe
--Informations voles
--Insu vs Permission
-Les Trojan
--Est-ce un virus ?
-Les Web Bug
Les listes d'espions
-A propos des listes
-Liste hosts courte
-Liste hosts longue - 2'
-Liste spywares
-Liste trojan alphabtique
-Liste trojan par port
-Liste vecteurs Spy Courte
-Liste vecteurs Spy Longue
-Liste Web Bug
Veille technologique
Revue de Presse
Quelques espions
-Aureate Radiate
-Brillantdigital AltNet
-Brillantdigital rapport
-Doubleclick communiqu
-New Net
-Radiate Aureate

Les mthodes de lutte
Centre de contres mesures
-Anti Adware
-Anti Backdoor
-Anti Bho
-Anti Cookies
-Anti Dialer
-Anti Guid
-Anti Hackers
-Anti HiJack
-Anti KeyLogger
-Anti Pirates
-Anti PopUp
-Anti Prfixe d'url
-Anti Script
-Anti Spyware
-Anti traque traces
-Anti trojan
-Anti Virus
-Anti Web Bug
Les modes d'emploi
-Antiy GhostBusters
-Astuces diverses
-Cookie Crusher
-Cookie Wall
-Guard Dog
-IE Spyad
-Internet Explorer Cookie
-Kazaa rebound
-Le Surveillant
-Liste hosts simple
-Liste hosts tendue
-McAfee FireWall
-Norton Personal FireWall
-Pest Patrol
-PopUp Killer
-PopUp Stopper
-Regwizc - Regwizc.dll
-SpyBot Search & Destroy
-Sygate Personal FireWall
-Webroot Cache Cookie W.

Bon courage


i have tried everything from adaware,hijack this , browser hijack blaster ,
cws shredder ,antivirus software and even did the step by step guide from one
of the experts(sorry i cant remember youre name)but nothing has fixed my
problem . adaware finds everything i think but it still goes back to the sane
page which is msn search page but with an address
res://ycrm.dll/index.html#35759 and many other addresses of the same content
but with a different res://****.html#35759, i am not sure but i think that
this address is also linked to my problem www.v61.com. here is a log from my
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :13 September 2004 19:53:37
Created with Ad-aware Personal, free for private use.
Using reference-file :01R340 06.09.2004
__________________________________________________ ____

Ad-aware Settings
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

13-09-2004 19:53:37 - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : SystemRootSystem32
ThreadCreationTime : 13-09-2004 17:51:25
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : ??C:WINDOWSsystem32
ThreadCreationTime : 13-09-2004 17:51:28
BasePriority : High

#:3 [services.exe]
FilePath : C:WINDOWSsystem32
ThreadCreationTime : 13-09-2004 17:51:28
BasePriority : Normal
FileSize : 105 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 19/09/2002 19:26:40
Last accessed : 13/09/2004 18:53:37
Last modified : 04/08/2004 07:56:55

#:4 [lsass.exe]
FilePath : C:WINDOWSsystem32
ThreadCreationTime : 13-09-2004 17:51:28
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 19/09/2002 19:26:22
Last accessed : 13/09/2004 18:53:37
Last modified : 04/08/2004 07:56:50

#:5 [svchost.exe]
FilePath : C:WINDOWSsystem32
ThreadCreationTime : 13-09-2004 17:51:28
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 19/09/2002 19:26:44
Last accessed : 13/09/2004 17:55:41
Last modified : 04/08/2004 07:56:57

#:6 [svchost.exe]
FilePath : C:WINDOWSSystem32
ThreadCreationTime : 13-09-2004 17:51:29
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 19/09/2002 19:26:44
Last accessed : 13/09/2004 17:55:41
Last modified : 04/08/2004 07:56:57

#:7 [spoolsv.exe]
FilePath : C:WINDOWSsystem32
ThreadCreationTime : 13-09-2004 17:51:31
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 19/09/2002 19:26:43
Last accessed : 13/09/2004 18:53:37
Last modified : 04/08/2004 07:56:57

#:8 [ccevtmgr.exe]
FilePath : C:Program FilesCommon FilesSymantec Shared
ThreadCreationTime : 13-09-2004 17:51:31
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All
rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 13/11/2002 16:44:02
Last accessed : 13/09/2004 18:53:06
Last modified : 13/11/2002 16:44:02

#:9 [navapsvc.exe]
FilePath : C:Program FilesNorton AntiVirus
ThreadCreationTime : 13-09-2004 17:51:31
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All
rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 14/11/2002 19:41:26
Last accessed : 13/09/2004 18:53:07
Last modified : 14/11/2002 19:41:26

#:10 [nisum.exe]
FilePath : C:Program FilesNorton Internet Security
ThreadCreationTime : 13-09-2004 17:51:31
BasePriority : Normal
FileSize : 137 KB
FileVersion : 6.02.1015
ProductVersion : 6.02.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All
rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
OriginalFilename : NISUM.exe
ProductName : Norton Internet Security
Created on : 14/11/2002 19:31:24
Last accessed : 13/09/2004 18:53:37
Last modified : 14/11/2002 19:31:24

#:11 [nkkua]
FilePath : C:WINDOWSwiaservc.log:
ThreadCreationTime : 13-09-2004 17:51:32
BasePriority : Normal

#:12 [svchost.exe]
FilePath : C:WINDOWSSystem32
ThreadCreationTime : 13-09-2004 17:51:35
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 19/09/2002 19:26:44
Last accessed : 13/09/2004 17:55:41
Last modified : 04/08/2004 07:56:57

#:13 [ccpxysvc.exe]
FilePath : C:Program FilesNorton Internet Security
ThreadCreationTime : 13-09-2004 17:51:35
BasePriority : Normal
FileSize : 33 KB
FileVersion : 6.02.1015
ProductVersion : 6.02.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All
rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
OriginalFilename : ccPxySvc.exe
ProductName : Norton Internet Security
Created on : 14/11/2002 19:30:06
Last accessed : 13/09/2004 18:53:37
Last modified : 14/11/2002 19:30:06

#:14 [explorer.exe]
FilePath : C:WINDOWS
ThreadCreationTime : 13-09-2004 18:52:31
BasePriority : Normal
FileSize : 1008 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 06/08/2004 04:52:07
Last accessed : 13/09/2004 18:52:34
Last modified : 04/08/2004 07:56:49

#:15 [realsched.exe]
FilePath : C:Program FilesCommon FilesRealUpdate_OB
ThreadCreationTime : 13-09-2004 18:52:36
BasePriority : Normal
FileSize : 148 KB
FileVersion :
ProductVersion :
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 05/08/2003 16:07:27
Last accessed : 13/09/2004 18:52:36
Last modified : 05/08/2003 16:07:27

#:16 [soundman.exe]
FilePath : C:WINDOWS
ThreadCreationTime : 13-09-2004 18:52:36
BasePriority : Normal
FileSize : 53 KB
FileVersion : 5.1.00
ProductVersion : 5.1.00
Copyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
OriginalFilename : ALSMTray.exe
ProductName : Realtek Sound Manager
Created on : 21/08/2004 11:28:08
Last accessed : 13/09/2004 18:52:36
Last modified : 21/08/2004 11:28:08

#:17 [sdkss.exe]
FilePath : C:WINDOWSsystem32
ThreadCreationTime : 13-09-2004 18:52:36
BasePriority : Normal
FileSize : 27 KB
Created on : 11/08/2004 03:30:06
Last accessed : 13/09/2004 18:52:36
Last modified : 11/08/2004 03:30:06

#:18 [traycontrol.exe]
FilePath : C:Program FilesPackard Bell EverSafe
ThreadCreationTime : 13-09-2004 18:52:37
BasePriority : Normal
FileSize : 744 KB
FileVersion : 4.0
ProductVersion : 4.0
Copyright : Copyright
CompanyName : NovaStor Corporation
FileDescription : Tray Control
InternalName : TRAYCONTROL
OriginalFilename : TrayControl.exe
ProductName : NovaNet-WEB
Created on : 02/01/2004 23:39:37
Last accessed : 13/09/2004 18:52:37
Last modified : 31/07/2002 15:00:36

#:19 [em_exec.exe]
ThreadCreationTime : 13-09-2004 18:52:37
BasePriority : Normal
FileSize : 34 KB
FileVersion : 9.43.75
ProductVersion : 9.43
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 05/08/2003 15:58:13
Last accessed : 13/09/2004 18:52:37
Last modified : 28/01/2002 08:43:00

#:20 [ccapp.exe]
FilePath : C:Program FilesCommon FilesSymantec Shared
ThreadCreationTime : 13-09-2004 18:52:38
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.03.15
ProductVersion : 1.03.15
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All
rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 14/11/2002 19:29:06
Last accessed : 13/09/2004 18:53:08
Last modified : 14/11/2002 19:29:06

#:21 [atiptaxx.exe]
FilePath : C:ATI TechnologiesATI Control Panel
ThreadCreationTime : 13-09-2004 18:52:38
BasePriority : Normal
FileSize : 328 KB
FileVersion :
ProductVersion :
Copyright : Copyright (C) 1998-2002 ATI Technologies Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
OriginalFilename : Atiptaxx.exe
ProductName : ATI Desktop Component
Created on : 05/08/2003 15:58:53
Last accessed : 13/09/2004 18:52:38
Last modified : 19/06/2003 12:31:00

#:22 [aboard.exe]
FilePath : C:appsABoard
ThreadCreationTime : 13-09-2004 18:52:38
BasePriority : Normal
FileSize : 24 KB
FileVersion : 1, 2, 0, 0
ProductVersion : 1, 2, 0, 0
Copyright : Copyright (C) 2003
CompanyName : NEC Computers International
FileDescription : Activboard Application
InternalName : Activboard
OriginalFilename : ABoard.exe
ProductName : Activboard Application
Created on : 05/08/2003 16:06:05
Last accessed : 13/09/2004 18:52:39
Last modified : 02/05/2003 10:31:50

#:23 [spykiller.exe]
FilePath : C:Program FilesSpyKiller
ThreadCreationTime : 13-09-2004 18:52:41
BasePriority : Normal
FileSize : 261 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : www.spykiller.com
FileDescription : SpyWare/AdWare Remover
InternalName : SpyKiller
OriginalFilename : SpyKiller.exe
ProductName : SpyKiller 2004
Created on : 01/07/2003 06:04:18
Last accessed : 13/09/2004 18:52:41
Last modified : 10/06/2004 06:01:52

#:24 [msmsgs.exe]
FilePath : C:Program FilesMessenger
ThreadCreationTime : 13-09-2004 18:52:41
BasePriority : Normal
FileSize : 1628 KB
FileVersion : 4.7.3000
ProductVersion : Version 4.7.3000
Copyright : Copyright (c) Microsoft Corporation 2004
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 14/04/2003 19:05:20
Last accessed : 13/09/2004 17:55:38
Last modified : 04/08/2004 07:56:53

#:25 [quickdcf.exe]
FilePath : C:Program FilesFinePixViewer
ThreadCreationTime : 13-09-2004 18:52:42
BasePriority : Normal
FileSize : 196 KB
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
Copyright : Copyright 2000-2003 FUJI PHOTO FILM CO.,LTD.
FileDescription : Exif Launcher
InternalName : QuickDCF
OriginalFilename : QuickDCF.exe
ProductName : FinePixViewer
Created on : 19/05/2004 22:53:05
Last accessed : 13/09/2004 18:52:42
Last modified : 20/12/2002 15:18:40

#:26 [hpohmr08.exe]
FilePath : C:Program FilesHewlett-PackardDigital Imagingbin
ThreadCreationTime : 13-09-2004 18:52:42
BasePriority : Normal
FileSize : 144 KB
FileVersion :
ProductVersion :
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
OriginalFilename : HPOHMR08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 06/04/2003 01:17:18
Last accessed : 13/09/2004 18:53:37
Last modified : 06/04/2003 01:17:18

#:27 [hpotdd01.exe]
FilePath : C:Program FilesHewlett-PackardDigital Imagingbin
ThreadCreationTime : 13-09-2004 18:52:42
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
OriginalFilename : hpotdd01.exe
ProductName : Hewlett-Packard hpotdd01
Created on : 06/04/2003 01:06:58
Last accessed : 13/09/2004 18:52:42
Last modified : 06/04/2003 01:06:58

#:28 [aosd.exe]
FilePath : C:appsABoard
ThreadCreationTime : 13-09-2004 18:52:43
BasePriority : ?
FileSize : 68 KB
FileVersion : 1, 2, 0, 0
ProductVersion : 1, 2, 0, 0
Copyright : Copyright (C) 2003
CompanyName : NEC Computers International
FileDescription : ActivOSD Application
InternalName : ActivOSD
OriginalFilename : ActivOSD.exe
ProductName : ActivOSD Application
Created on : 05/08/2003 16:06:05
Last accessed : 13/09/2004 18:52:43
Last modified : 02/05/2003 10:31:38

#:29 [calcheck.exe]
FilePath : C:APPSUlead SystemsUlead Photo Express 4.0 SE
ThreadCreationTime : 13-09-2004 18:52:43
BasePriority : Normal
FileSize : 68 KB
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
Copyright : Copyright (C) 1992-1999.Ulead Systems, Inc.
CompanyName : Ulead Systems, Inc.
FileDescription : Photo Express -- Calendar Checker
InternalName : CalCheck
OriginalFilename : CalCheck.EXE
ProductName : Calendar Checker Application
Created on : 02/01/2004 22:41:28
Last accessed : 13/09/2004 18:53:37
Last modified : 16/04/2002 16:11:28

#:30 [hpoevm08.exe]
FilePath : C:Program FilesHewlett-PackardDigital Imagingbin
ThreadCreationTime : 13-09-2004 18:52:51
BasePriority : Normal
FileSize : 280 KB
FileVersion :
ProductVersion :
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
OriginalFilename : HPOEVM08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 06/04/2003 00:45:10
Last accessed : 13/09/2004 18:53:02
Last modified : 06/04/2003 00:45:10

#:31 [hposts08.exe]
FilePath : C:Program FilesHewlett-PackardDigital ImagingBin
ThreadCreationTime : 13-09-2004 18:52:56
BasePriority : Normal
FileSize : 304 KB
FileVersion :
ProductVersion :
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
OriginalFilename : HPOSTS08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 06/04/2003 00:55:04
Last accessed : 13/09/2004 18:53:37
Last modified : 06/04/2003 00:55:04

#:32 [ad-aware.exe]
FilePath : C:PROGRA~1LavasoftAD-AWA~1
ThreadCreationTime : 13-09-2004 18:53:31
BasePriority : Normal
FileSize : 668 KB
FileVersion :
ProductVersion :
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 29/07/2004 20:44:08
Last accessed : 13/09/2004 18:22:03
Last modified : 12/07/2003 20:00:20

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : a0003236.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 07/09/2004 22:17:40
Last accessed : 13/09/2004 18:43:29
Last modified : 07/09/2004 22:17:40

CoolWebSearch Object recognized!
Type : File
Data : a0003237.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 23/08/2004 18:47:20
Last accessed : 13/09/2004 18:43:29
Last modified : 23/08/2004 18:47:20

CoolWebSearch Object recognized!
Type : File
Data : a0003238.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 28/08/2004 18:05:09
Last accessed : 13/09/2004 18:43:29
Last modified : 28/08/2004 18:05:09

CoolWebSearch Object recognized!
Type : File
Data : a0003239.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 31/08/2004 02:37:36
Last accessed : 13/09/2004 18:43:29
Last modified : 31/08/2004 02:37:36

CoolWebSearch Object recognized!
Type : File
Data : a0003244.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 11/08/2004 05:53:47
Last accessed : 13/09/2004 18:43:30
Last modified : 11/08/2004 05:53:47

CoolWebSearch Object recognized!
Type : File
Data : a0003245.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 03/08/2004 19:18:56
Last accessed : 13/09/2004 18:43:30
Last modified : 03/08/2004 19:18:56

CoolWebSearch Object recognized!
Type : File
Data : a0003247.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 14/08/2004 08:38:06
Last accessed : 13/09/2004 18:43:30
Last modified : 14/08/2004 08:38:06

CoolWebSearch Object recognized!
Type : File
Data : a0003248.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 09/08/2004 21:04:51
Last accessed : 13/09/2004 18:43:30
Last modified : 09/08/2004 21:04:51

CoolWebSearch Object recognized!
Type : File
Data : a0003249.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 04/08/2004 05:13:46
Last accessed : 13/09/2004 18:43:30
Last modified : 04/08/2004 05:13:46

CoolWebSearch Object recognized!
Type : File
Data : a0003250.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 26/08/2004 03:08:03
Last accessed : 13/09/2004 18:43:30
Last modified : 26/08/2004 03:08:03

CoolWebSearch Object recognized!
Type : File
Data : a0003251.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 31/08/2004 12:31:24
Last accessed : 13/09/2004 18:43:30
Last modified : 31/08/2004 12:31:24

CoolWebSearch Object recognized!
Type : File
Data : a0003252.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 17/08/2004 17:53:11
Last accessed : 13/09/2004 18:43:30
Last modified : 17/08/2004 17:53:11

CoolWebSearch Object recognized!
Type : File
Data : a0003253.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 06/08/2004 00:44:07
Last accessed : 13/09/2004 18:43:30
Last modified : 06/08/2004 00:44:07

CoolWebSearch Object recognized!
Type : File
Data : a0003254.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 10/09/2004 16:50:23
Last accessed : 13/09/2004 18:43:30
Last modified : 10/09/2004 16:50:23

CoolWebSearch Object recognized!
Type : File
Data : a0003261.dll
Object : C:System Volume
FileSize : 55 KB
Created on : 04/09/2004 03:20:31
Last accessed : 13/09/2004 18:43:30
Last modified : 04/09/2004 03:20:31

Disk scan result for C:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 41

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Object :
SOFTWAREMicrosoftWindowsCurrentVersionUninstal lHSA

CoolWebSearch Object recognized!
Type : RegKey
Data :
Object :
SOFTWAREMicrosoftWindowsCurrentVersionUninstal lSE

CoolWebSearch Object recognized!
Type : RegKey
Data :
Object :
SOFTWAREMicrosoftWindowsCurrentVersionUninstal lSW

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 44

20:05:17 Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:11:40:281
Objects scanned :182283
Objects identified :44
Objects ignored :0
New objects :44

this is a Hijack This startup log - as you can see, i am being hacked but i
don't know how to interpret all the data. i believe they created a hidden
partition on my drive, have taken over admin rights and are impersonating the
one user (vince) on the machine.

any help would be most appreciated!!!

sorry for posting such a large log file - the remainder is in a second post
with the same title

(config = winxp sp2 all udates - panasonic touchbook elite - broadband
access through shaw internet)

StartupList report, 1/27/2005, 3:33:50 PM
StartupList version: 1.52.2
Started from : C:Program Fileshijack tmpHijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections

Running processes:

C:Program FilesCommon FilesSymantec SharedccSetMgr.exe
C:Program FilesCommon FilesSymantec SharedccEvtMgr.exe
C:Program FilesSymantec AntiVirusDefWatch.exe
C:Program FilesSymantec AntiVirusRtvscan.exe
C:Program FilesUPHCleanuphclean.exe
C:Program FilesCommon FilesSymantec SharedccApp.exe
C:Program FilesQuickTimeqttask.exe
C:Program FilesWinZipWZQKPICK.EXE
C:Program FilesInternet Exploreriexplore.exe
C:Program Fileshijack tmpHijackThis.exe


Listing of startup folders:

Shell folders Startup:
[C:Documents and SettingsVinceStart MenuProgramsStartup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:Documents and SettingsAll UsersStart MenuProgramsStartup]
Adobe Reader Speed Launch.lnk = C:Program FilesAdobeAcrobat
WinZip Quick Pick.lnk = C:Program FilesWinZipWZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*


Checking Windows NT UserInit:

[HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon]
UserInit = C:WINDOWSsystem32userinit.exe,

[HKLMSoftwareMicrosoftWindowsCurrentVersionWin logon]
*Registry key not found*

[HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon]
*Registry value not found*

[HKCUSoftwareMicrosoftWindowsCurrentVersionWin logon]
*Registry key not found*


Autorun entries from Registry:

ccApp = "C:Program FilesCommon FilesSymantec SharedccApp.exe"
vptray = C:PROGRA~1SYMANT~1VPTray.exe
PCTVOICE = pctspk.exe
IgfxTray = C:WINDOWSsystem32igfxtray.exe
HotKeysCmds = C:WINDOWSsystem32hkcmd.exe
Hotkey = C:WINDOWSsystem32hkeyman.exe
QuickTime Task = "C:Program FilesQuickTimeqttask.exe" -atboottime
Mizo - XP Netstats Bar = C:PROGRA~1Mizotecxpnsbar.exe


Autorun entries from Registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun Once

*No values found*


Autorun entries from Registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun OnceEx

*No values found*


Autorun entries from Registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun Services

*Registry key not found*


Autorun entries from Registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun ServicesOnce

*Registry key not found*


Autorun entries from Registry:

*No values found*


Autorun entries from Registry:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun Once

*Registry key not found*


Autorun entries from Registry:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun OnceEx

*Registry key not found*


Autorun entries from Registry:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun Services

*Registry key not found*


Autorun entries from Registry:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun ServicesOnce

*Registry key not found*


Autorun entries from Registry:
HKLMSoftwareMicrosoftWindows NTCurrentVersionRun

*Registry key not found*


Autorun entries from Registry:
HKCUSoftwareMicrosoftWindows NTCurrentVersionRun

*Registry key not found*


Autorun entries in Registry subkeys of:
*No subkeys found*


Autorun entries in Registry subkeys of:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun Once
*No subkeys found*


Autorun entries in Registry subkeys of:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun OnceEx
*No subkeys found*


Autorun entries in Registry subkeys of:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun Services
*Registry key not found*


Autorun entries in Registry subkeys of:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun ServicesOnce
*Registry key not found*


Autorun entries in Registry subkeys of:
*No subkeys found*


Autorun entries in Registry subkeys of:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun Once
*Registry key not found*


Autorun entries in Registry subkeys of:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun OnceEx
*Registry key not found*


Autorun entries in Registry subkeys of:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun Services
*Registry key not found*


Autorun entries in Registry subkeys of:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun ServicesOnce
*Registry key not found*


Autorun entries in Registry subkeys of:
HKLMSoftwareMicrosoftWindows NTCurrentVersionRun
*Registry key not found*


Autorun entries in Registry subkeys of:
HKCUSoftwareMicrosoftWindows NTCurrentVersionRun
*Registry key not found*


File association entry for .EXE:

(Default) = "%1" %*


File association entry for .COM:

(Default) = "%1" %*


File association entry for .BAT:

(Default) = "%1" %*


File association entry for .PIF:

(Default) = "%1" %*


File association entry for .SCR:

(Default) = "%1" /S


File association entry for .HTA:

(Default) = C:WINDOWSSystem32mshta.exe "%1" %*


File association entry for .TXT:

(Default) = %SystemRoot%system32NOTEPAD.EXE %1


Enumerating Active Setup stub paths:
HKLMSoftwareMicrosoftActive SetupInstalled Components
(* = disabled by HKCU twin)

StubPath = C:WINDOWSinfunregmp2.exe /ShowWMP

[{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%system32shmgrate.exe OCInstallUserConfigIE

[{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%system32shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%system32regsvr32.exe /s /n /i:/UserInstall

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%Outlook Expresssetup50.exe" /APP:OE
/CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection
C:WINDOWSINFmsnetmtg.inf,NetMtg.Install.PerUser .NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%System32rundll32.exe setupapi,InstallHinfSection
MarketplaceLinkInstall 896 %systemroot%infie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%Outlook Expresssetup50.exe" /APP:WAB
/CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%system32ie4uinit.exe


Enumerating ICQ Agent Autostart apps:

*Registry key not found*


Load/Run keys from C:WINDOWSWIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM..Windows NTCurrentVersionWinLogon: load=*Registry value not found*
HKLM..Windows NTCurrentVersionWinLogon: run=*Registry value not found*
HKLM..WindowsCurrentVersionWinLogon: load=*Registry key not found*
HKLM..WindowsCurrentVersionWinLogon: run=*Registry key not found*
HKCU..Windows NTCurrentVersionWinLogon: load=*Registry value not found*
HKCU..Windows NTCurrentVersionWinLogon: run=*Registry value not found*
HKCU..WindowsCurrentVersionWinLogon: load=*Registry key not found*
HKCU..WindowsCurrentVersionWinLogon: run=*Registry key not found*
HKCU..Windows NTCurrentVersionWindows: load=
HKCU..Windows NTCurrentVersionWindows: run=*Registry value not found*
HKLM..Windows NTCurrentVersionWindows: load=*Registry value not found*
HKLM..Windows NTCurrentVersionWindows: run=*Registry value not found*
HKLM..Windows NTCurrentVersionWindows: AppInit_DLLs=


Shell & screensaver key from C:WINDOWSSYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU..Policies: Shell=*Registry key not found*
HKLM..Policies: Shell=*Registry value not found*


Checking for EXPLORER.EXE instances:


C:Explorer.exe: not present
C:WINDOWSExplorerExplorer.exe: not present
C:WINDOWSSystemExplorer.exe: not present
C:WINDOWSSystem32Explorer.exe: not present
C:WINDOWSCommandExplorer.exe: not present
C:WINDOWSFontsExplorer.exe: not present


Checking for superhidden extensions:

..lnk: HIDDEN! (arrow overlay: yes)
..pif: HIDDEN! (arrow overlay: yes)
..exe: not hidden
..com: not hidden
..bat: not hidden
..hta: not hidden
..scr: not hidden
..shs: HIDDEN!
..shb: HIDDEN!
..vbs: not hidden
..vbe: not hidden
..wsh: not hidden
..scf: HIDDEN! (arrow overlay: NO!)
..url: HIDDEN! (arrow overlay: yes)
..js: not hidden
..jse: not hidden


Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed


Enumerating Browser Helper Objects:

(no name) - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll -


Enumerating Task Scheduler jobs:

*No jobs found*


Enumerating Download Program Files:

[Office Update Installation Engine]
InProcServer32 = C:WINDOWSopuc.dll
CODEBASE = http://office.microsoft.com/officeup...ntent/opuc.cab

[Shockwave Flash Object]
InProcServer32 = C:WINDOWSsystem32macromedflashFlash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[MSN Money Ticker]
InProcServer32 = C:WINDOWSDownloaded Program Filesticker13.ocx
CODEBASE = http://fdl.msn.com/public/investor/v13/ticker.cab


Enumerating Winsock LSP files:

NameSpace #1: C:WINDOWSSystem32mswsock.dll
NameSpace #2: C:WINDOWSSystem32winrnr.dll
NameSpace #3: C:WINDOWSSystem32mswsock.dll
Protocol #1: C:WINDOWSsystem32mswsock.dll
Protocol #2: C:WINDOWSsystem32mswsock.dll
Protocol #3: C:WINDOWSsystem32mswsock.dll
Protocol #4: C:WINDOWSsystem32rsvpsp.dll
Protocol #5: C:WINDOWSsystem32rsvpsp.dll
Protocol #6: C:WINDOWSsystem32mswsock.dll
Protocol #7: C:WINDOWSsystem32mswsock.dll
Protocol #8: C:WINDOWSsystem32mswsock.dll
Protocol #9: C:WINDOWSsystem32mswsock.dll
Protocol #10: C:WINDOWSsystem32mswsock.dll
Protocol #11: C:WINDOWSsystem32mswsock.dll


Enumerating Windows NT/2000/XP services

Intel(r) 82801 Audio Driver Install Service (WDM):
system32driversac97intc.sys (manual start)
Microsoft ACPI Driver: System32DRIVERSACPI.sys (system)
Microsoft Embedded Controller Driver: System32DRIVERSACPIEC.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32driversaec.sys (manual
AFD Networking Support Environment: SystemRootSystem32driversafd.sys
Alerter: %SystemRoot%System32svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%System32alg.exe (manual
Application Management: %SystemRoot%system32svchost.exe -k netsvcs (manual
RAS Asynchronous Media Driver: System32DRIVERSasyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32DRIVERSatapi.sys (system)
ATM ARP Client Protocol: System32DRIVERSatmarpc.sys (manual start)
Windows Audio: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32DRIVERSaudstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%System32svchost.exe
-k netsvcs (manual start)
Computer Browser: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:Program FilesCommon FilesSymantec
SharedccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:Program FilesCommon FilesSymantec
SharedccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:Program FilesCommon FilesSymantec
SharedccSetMgr.exe" (autostart)
CD-ROM Driver: System32DRIVERScdrom.sys (system)
Indexing Service: %SystemRoot%system32cisvc.exe (manual start)
ClipBook: %SystemRoot%system32clipsrv.exe (disabled)
Microsoft ACPI Control Method Battery Driver: System32DRIVERSCmBatt.sys
(manual start)
Microsoft Composite Battery Driver: System32DRIVERScompbatt.sys (system)
COM+ System Application: C:WINDOWSSystem32dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%system32svchost.exe -k netsvcs
DCOM Server Process Launcher: %SystemRoot%system32svchost -k DcomLaunch
Symantec AntiVirus Definition Watcher: "C:Program FilesSymantec
AntiVirusDefWatch.exe" (autostart)
DHCP Client: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
Disk Driver: System32DRIVERSdisk.sys (system)
Logical Disk Manager Administrative Service:
%SystemRoot%System32dmadmin.exe /com (manual start)
dmboot: System32driversdmboot.sys (disabled)
Logical Disk Manager Driver: System32driversdmio.sys (system)
dmload: System32driversdmload.sys (system)
Logical Disk Manager: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32driversDMusic.sys (manual start)
DNS Client: %SystemRoot%System32svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32driversdrmkaud.sys (manual
Error Reporting Service: %SystemRoot%System32svchost.exe -k netsvcs
Event Log: %SystemRoot%system32services.exe (autostart)
COM+ Event System: C:WINDOWSSystem32svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%System32svchost.exe -k
netsvcs (manual start)
FltMgr: system32driversfltmgr.sys (system)
Volume Manager Driver: System32DRIVERSftdisk.sys (system)
Generic Packet Classifier: System32DRIVERSmsgpc.sys (manual start)
Help and Support: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%System32svchost.exe -k netsvcs
Panasonic Hotkey Driver: system32DRIVERSHOTKEY.SYS (manual start)
HTTP: System32DriversHTTP.sys (manual start)
HTTP SSL: %SystemRoot%System32svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32DRIVERSi8042prt.sys
ialm: system32DRIVERSialmnt5.sys (manual start)
CD-Burning Filter Driver: System32DRIVERSimapi.sys (system)
IMAPI CD-Burning COM Service: C:WINDOWSSystem32imapi.exe (manual start)
IntelIde: System32DRIVERSintelide.sys (system)
Intel Processor Driver: System32DRIVERSintelppm.sys (system)
IPv6 Windows Firewall Driver: system32driversip6fw.sys (manual start)
IP Traffic Filter Driver: System32DRIVERSipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32DRIVERSipinip.sys (manual start)
IP Network Address Translator: System32DRIVERSipnat.sys (manual start)
IPSEC driver: System32DRIVERSipsec.sys (system)
IR Enumerator Service: System32DRIVERSirenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32DRIVERSisapnp.sys (system)
Keyboard Class Driver: System32DRIVERSkbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32driverskmixer.sys (manual start)
Server: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%System32svchost.exe -k LocalService
Messenger: %SystemRoot%System32svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:WINDOWSSystem32mnmsrvc.exe (manual
Mouse Class Driver: System32DRIVERSmouclass.sys (system)
WebDav Client Redirector: System32DRIVERSmrxdav.sys (manual start)
MRXSMB: System32DRIVERSmrxsmb.sys (system)
Distributed Transaction Coordinator: C:WINDOWSSystem32msdtc.exe (manual
Windows Installer: C:WINDOWSSystem32msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32driversMSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32driversMSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32driversMSPQM.sys
(manual start)
Microsoft System Management BIOS Driver: System32DRIVERSmssmbios.sys
(manual start)
NAVENG: ??C:PROGRA~1COMMON~1SYMANT~1VIRUSD~12005011 9.041naveng.sys
(manual start)
NAVEX15: ??C:PROGRA~1COMMON~1SYMANT~1VIRUSD~12005011 9.041navex15.sys
(manual start)
Remote Access NDIS TAPI Driver: System32DRIVERSndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32DRIVERSndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32DRIVERSndiswan.sys (manual start)
NetBIOS Interface: System32DRIVERSnetbios.sys (system)
NetBios over Tcpip: System32DRIVERSnetbt.sys (system)
Network DDE: %SystemRoot%system32netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%system32netdde.exe (disabled)
Net Logon: %SystemRoot%System32lsass.exe (manual start)
Network Connections: %SystemRoot%System32svchost.exe -k netsvcs (manual
Network Location Awareness (NLA): %SystemRoot%System32svchost.exe -k
netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%System32lsass.exe (manual
Removable Storage: %SystemRoot%system32svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32DRIVERSnwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32DRIVERSnwlnkfwd.sys (manual start)
PCI Bus Driver: System32DRIVERSpci.sys (system)
PCIIde: system32DRIVERSpciide.sys (system)
Pcmcia: System32DRIVERSpcmcia.sys (system)
Plug and Play: %SystemRoot%system32services.exe (autostart)
IPSEC Services: %SystemRoot%System32lsass.exe (autostart)
WAN Miniport (PPTP): System32DRIVERSraspptp.sys (manual start)
Processor Driver: System32DRIVERSprocessr.sys (system)
Protected Storage: %SystemRoot%system32lsass.exe (autostart)
QoS Packet Scheduler: System32DRIVERSpsched.sys (manual start)
Direct Parallel Link Driver: System32DRIVERSptilink.sys (manual start)
W2K Pctel Serial Device Driver: system32DRIVERSptserial.sys (manual start)
Remote Access Auto Connection Driver: System32DRIVERSrasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%System32svchost.exe -k
netsvcs (manual start)
WAN Miniport (L2TP): System32DRIVERSrasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%System32svchost.exe -k
netsvcs (manual start)
Remote Access PPPOE Driver: System32DRIVERSraspppoe.sys (manual start)
Direct Parallel: System32DRIVERSraspti.sys (manual start)
Rdbss: System32DRIVERSrdbss.sys (system)
RDPCDD: System32DRIVERSRDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32DRIVERSrdpdr.sys (manual
Remote Desktop Help Session Manager: C:WINDOWSsystem32sessmgr.exe (manual
Digital CD Audio Playback Filter Driver: System32DRIVERSredbook.sys (system)
Routing and Remote Access: %SystemRoot%System32svchost.exe -k netsvcs
Remote Registry: %SystemRoot%system32svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%System32locator.exe
(manual start)
Remote Procedure Call (RPC): %SystemRoot%system32svchost -k rpcss
QoS RSVP: %SystemRoot%System32rsvp.exe (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver:
System32DRIVERSRTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%system32lsass.exe (autostart)
SAVRoam: "C:Program FilesSymantec AntiVirusSavRoam.exe" (manual start)
SAVRT: ??C:Program FilesSymantec AntiVirussavrt.sys (system)
SAVRTPEL: ??C:Program FilesSymantec AntiVirusSavrtpel.sys (autostart)
Smart Card: %SystemRoot%System32SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
Ricoh SD Bus Host Adapter : System32Driverssdbus.sys (manual start)
Memory Card: System32Driverssdstmem.sys (manual start)
Secdrv: System32DRIVERSsecdrv.sys (manual start)
Secondary Logon: %SystemRoot%System32svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%system32svchost.exe -k netsvcs
Windows Firewall/Internet Connection Sharing (ICS):
%SystemRoot%System32svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%System32svchost.exe -k netsvcs
Symantec Network Drivers Service: "C:Program FilesCommon FilesSymantec
SharedSNDSrvc.exe" (manual start)
Microsoft Kernel Audio Splitter: system32driverssplitter.sys (manual start)
Print Spooler: %SystemRoot%system32spoolsv.exe (autostart)
System Restore Filter Driver: SystemRootSystem32DRIVERSsr.sys (disabled)
System Restore Service: %SystemRoot%System32svchost.exe -k netsvcs
Srv: System32DRIVERSsrv.sys (manual start)
SSDP Discovery Service: %SystemRoot%System32svchost.exe -k LocalService
(manual start)
Windows Image Acquisition (WIA): %SystemRoot%System32svchost.exe -k imgsvc
(manual start)
Software Bus Driver: System32DRIVERSswenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32driversswmidi.sys
(manual start)
MS Software Shadow Copy Provider: C:WINDOWSSystem32dllhost.exe
/Processid:{D00B1DD8-F5AF-4905-ABB3-3830CB984851} (manual start)
Symantec AntiVirus: "C:Program FilesSymantec AntiVirusRtvscan.exe"
SymEvent: ??C:Program FilesSymantecSYMEVENT.SYS (manual start)
SYMREDRV: SystemRootSystem32DriversSYMREDRV.SYS (manual start)
SYMTDI: SystemRootSystem32DriversSYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32driverssysaudio.sys (manual
Performance Logs and Alerts: %SystemRoot%system32smlogsvc.exe (manual start)
Telephony: %SystemRoot%System32svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32DRIVERStcpip.sys (system)
Terminal Device Driver: System32DRIVERStermdd.sys (system)
Terminal Services: %SystemRoot%System32svchost -k DComLaunch (manual start)

I installed the latest version of Yahoo in/for a second userid, and then discovered that in my userid clicking on an email link in a web page invokes Yahoo Mail and not the required Outlook Express.

I uninstalled Yahoo Mail via Add/Remove Programs and now find that clicking on a mail link in a web page causes Outlook (from Office 2003) to be started, which asks me to set up an email account (just like the one I have in Outlook Express).

Does anyone know a way in which I can reconnect Outlook Express to run for mail links (and also for Send To... in programs like Word, etc)?



I am going to give you as much info that I am able
I have attached my HIJACK THIS Log below

I am not sure how/if it all relates but here it is
Also not sure if I am in the right forum but I thought I would start here

The quick version A synopsis of what happened
My screen went black one day and I had a techie restore it
It seemed to work okay but was freezing up regularly and now is freezing up several times a day
It seems to be be most affected when I have stuff on the clipboard and/or I am online
I brought it back to him and he says it seems fine

I multitask and always seem to have many windows opened simultaneously and it has never happened before. Early on when I multitasked it seemed to freeze up but now it is freezing all the time with only one program opened but I am always online

I have done the following
Defragged, checked for viruses (see below) and then he did the same and also checked for corrupted sectors
I do have loads of pictures on the computer so I thought that maybe there was too little memory but there is over 50% of memory remaining

After this blackout happened I had one of the those pop ups where the simulated window screen flashes that you have several threats etc and says you need to download this to get rid of the threats etc
The second time it popped up I wrote down the file name in the Run this file pop-up and found it to be malware
I purchased PREVX 3.0 to remove it but the computer is still freezing

This is what they wanted to install - I have a screen shot of the pop up if that will help

The IE window pops up with the www.scannerspy08.com
The a realistic Window Security Alert pops up in that window

I went in and googled the Pack_40S10.exe and found that others found it was a Cloaked Malware and they had luck removing it with PREVX3.0 so I bought that and removed it but I cant tell for certain as I searched for it in the SEARCH window b4 I deleted and it did not appear

I have those dings go off twice everytime shortly after I turn on the computer. It is the bell like I am trying to complete a process that wont work it dings twice in a row and then not again

Laptop is IBM Think Pad Windows XP 2G


I am running WinXP SP3 on a generic desktop computer. Have Norton AV installed and Spybot 1.6.X shows nothign out of the ordinary. I do backups for this box with Drive Image 7. Its a setup that has been well behaved for a couple years. Starting a few weeks ago, I started getting an odd reaction with my context menu. When I go int Windows Explorer and try to do a right click for the context menu (looking for disk drive properties sheet), it immediately fires off the installation setup program for Drive Image 7. This is odd, as I haven't mucked around with an install / uninstall for that program for a couple years. I have three hard drives defined - one partitioned into two (programs and data) and a third used as a backup target. Once I kill the setup program run, context menus work normally until the next time I restart the computer. I plan on removing Drive Image 7 completely and seeing what shows up in the context menus. Suspect malware wanting to fire off something and am expecting an error upon that test.

Anyone out there see or heard anything like this? I don't mind getting into the registry and changing keys if necessary, but need to know the default values. Thanks for any suggestions. Cheers -

I've seen a few threads on AdAware and Spybot S&D. Two lesser known programs I've found recently will compliment these two nicely:
Hijack This

I thought I had things properly bolted down after a reinstall of 98SE/IE5, but I left a minute window of opportunity and ended up with a 20KB HOSTS file. A significant offender was CoolWebSearch, which even warrants its own dedicated nuking program called CWShredder.

Amazing the time & effort spent on eradicating this rubbish that invades your personal space uninvited!


I had been using Firefox as my default browser. I thought I was safer. I did not like the way it worked on EBay and a few other places, but I kept it as my default browser thinking that it was safer than IE. After reading the last few issues of The Langa List I decided to go back to IE for many reasons.

So I went into IE and checked the box for asking about default browser and went on my merry way opening IE. It didn't ask me but I innocently hoped I was switched. I should have known I wasn't but sometimes stupidity reigns. I was in my e-mail program and clicked on a link and Firefox (ver 1.0.3) opened as my default browser. OK - So I went into file types on my computer and changed the "open with" command from Firefox to IE. And then tried to open some shortcuts on my desktop. They opened in Firefox. So I highlighted one shortcut, held down shift and clicked on Open With and clicked IE and clicked ALWAYS OPEN WITH THIS PROGRAM. It opened in IE. I closed it and noticed it still had the Firefox icon. I opened it again. Firefox! I did the shift "open with" AGAIN. And I checked the ALWAYS boxs. And closed it and went and reopened it. Firefox.

I just removed Firefox from my machine and rebooted. And there were the icons to Firefox. I clicked on the shortcuts and I got the box that says "search the web for a program to open this". I tired to do the ALWAYS OPEN WITH again. Nope. Didn't work. I got the same gray box asking me to go to the net to find a program to open the shortcut.

I will ask a friend to go into the registry and take it out for me, (I am assuming that that is what I will have to be done). I do not deal with the registry because I am pretty sure I would be very very dangerous in there. I tend to sometimes go a bit overboard .

I am wondering, though, if anyone else has had this problem. As I am thinking about it when I went to my program files and opened the Firefox folder there was no uninstall icon. I used the Add Remove Programs to remove it. But as I think about it, why wasn't there a remove icon? I am really surprised that Firefox seemds to be doing this. I guess I had an idealized view of Firefox that was first challenged by Fred Langa about a week ago, then again with the issue I linked to above, and now this. I am disappointed.

I seem to have acquired a browser hijacker yesterday, when I installed a screensaver program. It seemed harmless at first, the screensaver was not what I expected and I deleted it. Then today when I went to my homepage (Webshots) I was grabbed and redirected to a blank page site with a porn popup and a security warning on an underlying page about spyware and porn popups with a link to a spyware removal tool to "fix" my "problem". It also activated ZoneAlarm wanting to let Microsoft HTML Application Host access the internet. I said no and don't ask again and then ZA asked if ftp.exe could access the internet. Again I said no. I then closed down all open windows, noting that my new default homepage seemed to be http://default-homepage-network.com/start.cgi?new-hkcu. I shortened that to http://default-homepage-network.com/ and got to a page telling me that due to problems with their "business model" they were voluntarily ceasing operations at the end of June 2004. I went to Google and checked their cached page for that address and it seems like a straight up spyware firm trying to put on a legit face. Either way, I ran Task Manager and found 2 running processes that were new 0Pwh.exe (in the C:WINDOWSprefetch folder) and wowexce.exe (no location given, but I found it later in the registry). These two seem to be the visible cause of the trouble (renaming them stopped some of the activity, but not all.), but I'm not sure if I should delete them and edit them out of the registry or if I should install and run Hijack This to get rid of all traces of the nasties. Also, the 0Pwh file attempted to access the internet when I rebooted the system from an entry in the registry. ZA stopped it, but that was what told me it was something I needed to be careful with. I pretty certain that I've identified the problem, I just need to know the best course of action to resolve the issue without any harm to my system.

All thoughts are welcome.

Hi, I went through all forums I could think of searching for an answer to this issue I'm having and found nothing remotely close to it, so now I'm creating a new thread.

Here's what happened:
I decided to use a 32" Plasma Vizio tv for my monitor. Connected it through HDMI to my Nvidia 460 GTX graphics card. Image was terrible, sound did not work for anything but video games (unless I ran the video game then turned on something else like music or a movie), the sound does not work causing whatever program being used to crash. So I said to myself, picture isn't great enough for the sound issue and I disconnected the tv and returned to my old monitor using a VGA cable with DVI converter for the graphics card.
Since this terrible decision I've had a recurring issue with my sound not initializing when trying to play music, movies, or games. Also, after the computer is on for some time, all audio crashes completely, and nothing can be done but a restart to get it working... kind of.

1) My system starts up and all system sounds work great! Then I try to play music on Windows Media Player... it loads a song continuously but never plays... so I turn it off and the window closes but the process remains open in Task Manager forcing me to end its process. To get sound to work again I have to go to youtube.com and play a video (which sometimes fails because of the same issue).

2) WMP aside, another issue is games not starting up because of sound failure. For instance, Counter-Strike Source will load, reach the splash screen of the main menu and will crash... the splash will remain visible with a loading sign on the bottom right corner. Alt-tabbing doesn't work, hitting the windows button doesn't work... have to end-process . And again I have to go to youtube and run a video to get my sound working again.

3) Third and most irritating and unique issue is with Netflix and Silverlight. When I try to stream a movie on netflix, silverlight loads all parameters until actually playing the movie, where it freezes because again the sound doesn't initialize. I've found an odd work-around to this issue however. That is to play a youtube video and then play a netflix stream movie, in which case it works fine and I can close youtube and continue watching the movie. This method also sometimes works with WMP and video games also.

4) The core issue is this. After some time, my audio completely goes away. NOTHING brings it back; no youtube work-around or launching a game. When this happens, even windows sounds are completely dead. Trying to raise or lower volume through volume control in the taskbar causes the volume control to freeze on screen, forcing me to end task the SndVol.exe process to get rid of it.

Basically I think the problem lies in my video cards audio drivers interfering with windows audio drivers. Now to remedy the situation I went to Device Manager and disabled all Nvidia High Definition Audio drivers... this didn't help. I also resorted to uninstalling my sound card and removing the card itself from my system, which also did nothing. I am completely at my wits end. Can't think of anything else to do, but post here and hope for a jedi's help... PLEASE HELP ME? PLEASE?

System Specs:
Nvidia nForce 680i SLI motherboard
Intel Core 2 Duo Processor at 2.4Ghz
4ghz of Corsair XMS 2 RAM DDR2 1088 mhz (i think)
Nvidia Geforce GTX460 SC 1024MB
750 Watt Power
Creative Labs X-FI Fatality Series Gaming Sound Card (removed this)
I now use the Logitech G35 USB Headset (good enough)
Running Windows 7 Ultimate

I've checked all my drivers and they are all up to date... I just can't figure out what is causing my problem. I will give you any info you think may help, perhaps a Hijack This log? Can it be some form of virus? Please help and THANK YOU VERY MUCH if you do!


Hi everyone,

With this month's bulletin release, I want to highlight the great work done through our partnerships in theMicrosoft Active Protections Program (MAPP). MAPP represents our commitment to community based defense and a shared sense of responsibility to help protect the computing ecosystem. In July of this year, the Stuxnet malware emerged onto the threat landscape and resulted in the release of an out-of-band security update, MS10-046, to address a zero-day vulnerability the malware used to compromise systems. Additionally, we updated the Microsoft Malicious Software Removal Tool (MSRT) in August to remove Stuxnet and we are able to report that according to our telemetry, the threat has gone way down from the spike we saw in early August.

Since that time, Microsoft and partners in our MAPP program have continued to investigate this extremely complex malware. Today, we are releasing MS10-061 to address another vulnerability first discovered and reported to us by Kaspersky Lab and then later by Symantec. This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler service is exposed without authentication.

In addition, Microsoft researchers uncovered two additional Elevation of Privilege (EoP) vulnerabilities (one of which was also reported to us by Kaspersky, and later independently confirmed by Symantec) used by the malware to gain full control of the infected system. One of these EoP vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. These are local EoP issues which means that an attacker, in this case Stuxnet, already has permission to run code on the system or has compromised the system through some other means. We are currently working to address both issues in a future bulletin.

We want to thank both Kaspersky Lab and Symantec for their collaboration in uncovering these vulnerabilities and for coordinating with us to protect customers. This is what community based defense is all about.

As we look at our other high priority bulletins for this month, I would like to emphasize the fact that there are no critical bulletins for Windows 7 or Windows Server 2008 R2. This is due to security enhancements such as additional heap mitigations built into the newer operating systems. Additionally, this month's Office bulletin does not affect Office 2010. I will also state that we are still investigating and working on updates for public issues that do affect these platforms. We want customers to know that we continue to work hard to address these issues and that our efforts to produce comprehensive updates and release them in a predictable manner is something that comes "in the box" when you buy our software.

As you can see from our aggregate severity and exploitability index chart below, there are two bulletins that are both Critical and have an exploitability index rating of 1. The first is MS10-061 that I discussed above and the second, MS10-062, involves a vulnerability in the MPEG-4 codec affecting supported versions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This issue can be exploited if a user opens a specially crafted media file or receives streaming content from the web.

The remaining bulletins are given a 2 or a 3 in our deployment priority list. This guidance is intended to help customers prioritize bulletin deployment and is based on several factors including severity, exploitability, breadth of platforms, and available mitigations and workarounds. Since every environment is different, we do recommend that customers evaluate accordingly and apply the updates as soon as possible.

In the video below, Adrian Stone and I give an overview of this month’s bulletin release and discuss why we have prioritized the bulletins the way we did.

Please join Adrian and me tomorrow, September 15, at 11:00 a.m. PDT (UTC -7) for a public webcast where we will go into more details about these bulletins. We will also have a room full of subject matter experts standing by to help answer all of your questions during the session. You can register here:


We will also release two security advisories this month:

Security Advisory 2401593, which describes a vulnerability affecting Outlook Web Access (OWA) that may affect Microsoft Exchange customers to gain elevation of privilege. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session.
Security Advisory 973811, is an updated Advisory enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication. Finally, this month, we also released an update for the User Profile Hive Cleanup Service. This is an optional tool for Windows 2000, Windows XP and Windows Server 2003 that simplifies user management. The tool is not formally supported by Microsoft, but as it's a common tool to many system administrators, we released a new version to address a security vulnerability reported by a security researcher. More information can be found on the UPHClean blog.


Jerry Bryant
Group Manager, Response Communications


I just got done rebuilding my computer a few days ago, ensuring all of the devices in it are compatible, and getting the proper drivers for them. Though obviously I've done something wrong along the way, or some part of my computer is malfunctioning because I'm getting 3-10 BSOD's a day.

I'm uploading 3 of the dumps from said BSOD's. If someone could look at them and give me some advice as to what to do, that would be much appreciated. Attached Files 031812-36691-01.zip (24.6 KB, 9 views) 031812-35131-01.zip (27.2 KB, 10 views) 031512-35849-01.zip (26.9 KB, 10 views) Share Share this post on Digg Del.icio.us Technorati Twitter
Operating System Windows 7 Ultimate x64
Computer Type PC
OS Service Pack 1
Internet Explorer Version Unknown, never needed it.
DirectX Version 11
CPU Type and Speed AMD Athlon II, Triple Core, 3.3GHZ
CPU Cooling Standard fan.
Motherboard Chipset Gigabyte's GA-970A-D3
System BIOS Revision F7
Video Card Type and Speed NVidia GeForce GTX 550 TI
Video Card Cooling Built-in Fan
Power Supply Unit (PSU) 480 Watt
Computer Monitor Manufacturer is DELL, all I know.
Modem-Router Type Linksys WRT54GS2
Anti-virus Software AVG, Hijack This, Spybot Search & Destroy, Avast!
Computer Skill Level Average Ability
Favorite Game Dwarf Fortress
Favorite Application Adobe Photoshop
Reply With Quote .postbitlegacy .postfoot .textcontrols a.post_info_button, .postbit .postfoot .textcontrols a.post_info_button { background: url(/images/post_infobox.png) no-repeat transparent left; padding-left: 20px; } .postbitlegacy .postfoot .textcontrols a.post_info_button:hover, .postbit .postfoot .textcontrols a.post_info_button:hover { background: url(/images/post_infobox-hover.png) no-repeat transparent left; JavaScript must be enabled 03-19-2012 #2 Elmer Tier 2 Moderator Resident eejit
Join Date Mar 2010 Posts 1,946 Re: BSOD help, please. Hi Zenogod and Welcome to The Forum.

Usual causes: System service, Device driver, graphics driver, ?memory

Although your dump files have different stop error codes, they all list Pool_Corruption as the probable cause which usually indicates bad drivers.
Old and incompatible drivers can and do cause issues with Windows 7, often giving false error codes.
Random stop codes can often indicate hardware issues.

As a Priority:

AVG is known to be a cause of BSOD's on Windows 7 systems. Suggest that you uninstall it. Download the correct AVG Remover for your system (32 or 64 bit).
If you have AVG ID protection installed, download the AVGID Protection Remover from the above link as well (it wouldn't hurt to download and run it anyway). Download BSOD friendly Microsoft Security Essentials as AVG's replacement.
Uninstall AVG through the Control Panel. Re-boot to Safe Mode and run the AVG Removal tool(s). Re-boot to normal mode and install MSE. Make sure your Windows firewall is enabled! After your blue screens have been resolved, feel free to re-try AVG.

dtsoftbus01.sys Fri Jan 13 13:45:46 2012 The dtsoftbus01.sys driver has been known to cause problems on some Windows 7 systems. This belongs to Daemon Tools Light. I suggest uninstalling DT Light until your blue screens are resolved. But do not replace with Daemon Tools!!

Drivers that pre-date Windows 7. Update:

purendis.sys Sat Jun 06 05:32:06 2009
pnarp.sys Sat Jun 06 07:06:44 2009 Pure Networks, Inc.

Drivers with Updates:

Rt64win7.sys Tue Aug 23 14:55:41 2011 Realtek PCIe GBE Family Controller v7.050 If you're unsure about manually installing drivers then choose the Win7 and WinServer 2008 R2 Auto Installation Program (SID:1483XXX) option to download.

Bugcheck Analysis: Code: ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 3B, {c0000005, fffff800030139bc, fffff88007c7dee0, 0} Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+100 ) Followup: Pool_corruption
Drivers: Code: fffff880`00f31000 fffff880`00f88000 ACPI ACPI.sys Sat Nov 20 09:19:16 2010 (4CE79294) fffff880`066e2000 fffff880`0676b000 afd afd.sys Wed Dec 28 03:59:20 2011 (4EFA9418) fffff880`1303d000 fffff880`13053000 AgileVpn AgileVpn.sys Tue Jul 14 01:10:24 2009 (4A5BCCF0) fffff880`0689e000 fffff880`068b3000 amdppm amdppm.sys Tue Jul 14 00:19:25 2009 (4A5BC0FD) fffff880`00d94000 fffff880`00d9f000 amdxata amdxata.sys Fri Mar 19 16:18:18 2010 (4BA3A3CA) fffff880`00cda000 fffff880`00ce3000 atapi atapi.sys Tue Jul 14 00:19:47 2009 (4A5BC113) fffff880`00d6a000 fffff880`00d94000 ataport ataport.SYS Sat Nov 20 09:19:15 2010 (4CE79293) fffff880`07fb7000 fffff880`07fe2000 AVGIDSDriver AVGIDSDriver.Sys Sun Jul 10 23:36:37 2011 (4E1A2975) fffff880`0199e000 fffff880`019a8000 AVGIDSEH AVGIDSEH.Sys Sun Jul 10 23:36:50 2011 (4E1A2982) fffff880`095b9000 fffff880`095c4000 AVGIDSFilter AVGIDSFilter.Sys Sun Jul 10 23:37:05 2011 (4E1A2991) fffff880`0682f000 fffff880`06878000 avgldx64 avgldx64.sys Fri Oct 07 04:55:41 2011 (4E8E783D) fffff880`019de000 fffff880`019ee000 avgmfx64 avgmfx64.sys Mon Aug 08 04:41:46 2011 (4E3F5AFA) fffff880`01992000 fffff880`0199e000 avgrkx64 avgrkx64.sys Tue Sep 13 05:02:34 2011 (4E6ED5DA) fffff880`0663d000 fffff880`0669d000 avgtdia avgtdia.sys Sun Jul 10 23:46:53 2011 (4E1A2BDD) fffff880`019f7000 fffff880`019fe000 Beep Beep.SYS Tue Jul 14 01:00:13 2009 (4A5BCA8D) fffff880`0681e000 fffff880`0682f000 blbdrive blbdrive.sys Tue Jul 14 00:35:59 2009 (4A5BC4DF) fffff880`07efa000 fffff880`07f18000 bowser bowser.sys Wed Feb 23 04:55:04 2011 (4D649328) fffff960`00620000 fffff960`00647000 cdd cdd.dll Sat Nov 20 12:55:34 2010 (4CE7C546) fffff880`07a7f000 fffff880`07a9c000 cdfs cdfs.sys Tue Jul 14 00:19:46 2009 (4A5BC112) fffff880`015c5000 fffff880`015ef000 cdrom cdrom.sys Sat Nov 20 09:19:20 2010 (4CE79298) fffff880`00c00000 fffff880`00cc0000 CI CI.dll Sat Nov 20 13:12:36 2010 (4CE7C944) fffff880`01962000 fffff880`01992000 CLASSPNP CLASSPNP.SYS Sat Nov 20 09:19:23 2010 (4CE7929B) fffff880`00d0c000 fffff880`00d6a000 CLFS CLFS.SYS Tue Jul 14 00:19:57 2009 (4A5BC11D) fffff880`012f1000 fffff880`01363000 cng cng.sys Thu Nov 17 04:23:17 2011 (4EC48C35) fffff880`1302d000 fffff880`1303d000 CompositeBus CompositeBus.sys Sat Nov 20 10:33:17 2010 (4CE7A3ED) fffff880`07a9c000 fffff880`07aaa000 crashdmp crashdmp.sys Tue Jul 14 01:01:01 2009 (4A5BCABD) fffff880`06965000 fffff880`069e8000 csc csc.sys Sat Nov 20 09:27:12 2010 (4CE79470) fffff880`06800000 fffff880`0681e000 dfsc dfsc.sys Sat Nov 20 09:26:31 2010 (4CE79447) fffff880`06956000 fffff880`06965000 discache discache.sys Tue Jul 14 00:37:18 2009 (4A5BC52E) fffff880`0194c000 fffff880`01962000 disk disk.sys Tue Jul 14 00:19:57 2009 (4A5BC11D) fffff880`06d67000 fffff880`06d89000 drmk drmk.sys Tue Jul 14 02:01:25 2009 (4A5BD8E5) fffff880`0137e000 fffff880`013c7000 dtsoftbus01 dtsoftbus01.sys Fri Jan 13 13:45:46 2012 (4F10358A) fffff880`07ab6000 fffff880`07abf000 dump_atapi dump_atapi.sys Tue Jul 14 00:19:47 2009 (4A5BC113) fffff880`07aaa000 fffff880`07ab6000 dump_dumpata dump_dumpata.sys Tue Jul 14 00:19:47 2009 (4A5BC113) fffff880`07abf000 fffff880`07ad2000 dump_dumpfve dump_dumpfve.sys Tue Jul 14 00:21:51 2009 (4A5BC18F) fffff880`07ad2000 fffff880`07ade000 Dxapi Dxapi.sys Tue Jul 14 00:38:28 2009 (4A5BC574) fffff880`06ac4000 fffff880`06bb8000 dxgkrnl dxgkrnl.sys Sat Nov 20 09:50:50 2010 (4CE799FA) fffff880`06bb8000 fffff880`06bfe000 dxgmms1 dxgmms1.sys Sat Nov 20 09:49:53 2010 (4CE799C1) fffff880`00deb000 fffff880`00dff000 fileinfo fileinfo.sys Tue Jul 14 00:34:25 2009 (4A5BC481) fffff880`00d9f000 fffff880`00deb000 fltmgr fltmgr.sys Sat Nov 20 09:19:24 2010 (4CE7929C) fffff880`01374000 fffff880`0137e000 Fs_Rec Fs_Rec.sys Tue Jul 14 00:19:45 2009 (4A5BC111) fffff880`01912000 fffff880`0194c000 fvevol fvevol.sys Sat Nov 20 09:24:06 2010 (4CE793B6) fffff880`0180f000 fffff880`01859000 fwpkclnt fwpkclnt.sys Sat Nov 20 09:21:37 2010 (4CE79321) fffff800`02e1e000 fffff800`02e67000 hal hal.dll Sat Nov 20 13:00:25 2010 (4CE7C669) fffff880`06a00000 fffff880`06a24000 HDAudBus HDAudBus.sys Sat Nov 20 10:43:42 2010 (4CE7A65E) fffff880`06d8f000 fffff880`06deb000 HdAudio HdAudio.sys Sat Nov 20 10:44:23 2010 (4CE7A687) fffff880`06c00000 fffff880`06c19000 HIDCLASS HIDCLASS.SYS Sat Nov 20 10:43:49 2010 (4CE7A665) fffff880`06c19000 fffff880`06c21080 HIDPARSE HIDPARSE.SYS Tue Jul 14 01:06:17 2009 (4A5BCBF9) fffff880`06deb000 fffff880`06df9000 hidusb hidusb.sys Sat Nov 20 10:43:49 2010 (4CE7A665) fffff880`07e00000 fffff880`07ec9000 HTTP HTTP.sys Sat Nov 20 09:24:30 2010 (4CE793CE) fffff880`01909000 fffff880`01912000 hwpolicy hwpolicy.sys Sat Nov 20 09:18:54 2010 (4CE7927E) fffff880`13000000 fffff880`1301e000 i8042prt i8042prt.sys Tue Jul 14 00:19:57 2009 (4A5BC11D) fffff880`1301e000 fffff880`1302d000 kbdclass kbdclass.sys Tue Jul 14 00:19:50 2009 (4A5BC116) fffff800`00b9e000 fffff800`00ba8000 kdcom kdcom.dll Sat Feb 05 16:52:49 2011 (4D4D8061) fffff880`06c34000 fffff880`06c77000 ks ks.sys Sat Nov 20 10:33:23 2010 (4CE7A3F3) fffff880`012d6000 fffff880`012f1000 ksecdd ksecdd.sys Thu Nov 17 03:48:13 2011 (4EC483FD) fffff880`0159a000 fffff880`015c5000 ksecpkg ksecpkg.sys Thu Nov 17 04:23:44 2011 (4EC48C50) fffff880`06d89000 fffff880`06d8e200 ksthunk ksthunk.sys Tue Jul 14 01:00:19 2009 (4A5BCA93) fffff880`07b0f000 fffff880`07b24000 lltdio lltdio.sys Tue Jul 14 01:08:50 2009 (4A5BCC92) fffff880`07aec000 fffff880`07b0f000 luafv luafv.sys Tue Jul 14 00:26:13 2009 (4A5BC295) fffff880`00ceb000 fffff880`00cf8000 mcupdate_AuthenticAMD mcupdate_AuthenticAMD.dll Tue Jul 14 02:29:09 2009 (4A5BDF65) fffff880`07ade000 fffff880`07aec000 monitor monitor.sys Tue Jul 14 00:38:52 2009 (4A5BC58C) fffff880`013e3000 fffff880`013f2000 mouclass mouclass.sys Tue Jul 14 00:19:50 2009 (4A5BC116) fffff880`06c24000 fffff880`06c31000 mouhid mouhid.sys Tue Jul 14 01:00:20 2009 (4A5BCA94) fffff880`00cc0000 fffff880`00cda000 mountmgr mountmgr.sys Sat Nov 20 09:19:21 2010 (4CE79299) fffff880`07f18000 fffff880`07f45000 mrxsmb mrxsmb.sys Wed Apr 27 03:40:38 2011 (4DB78226) fffff880`07f45000 fffff880`07f93000 mrxsmb10 mrxsmb10.sys Sat Jul 09 03:46:28 2011 (4E17C104) fffff880`07f93000 fffff880`07fb7000 mrxsmb20 mrxsmb20.sys Wed Apr 27 03:39:37 2011 (4DB781E9) fffff880`013c7000 fffff880`013d2000 Msfs Msfs.SYS Tue Jul 14 00:19:47 2009 (4A5BC113) fffff880`00f91000 fffff880`00f9b000 msisadrv msisadrv.sys Tue Jul 14 00:19:26 2009 (4A5BC0FE) fffff880`01278000 fffff880`012d6000 msrpc msrpc.sys Sat Nov 20 09:21:56 2010 (4CE79334) fffff880`0694b000 fffff880`06956000 mssmbios mssmbios.sys Tue Jul 14 00:31:10 2009 (4A5BC3BE) fffff880`018f7000 fffff880`01909000 mup mup.sys Tue Jul 14 00:23:45 2009 (4A5BC201) fffff880`01447000 fffff880`0153a000 ndis ndis.sys Sat Nov 20 09:23:30 2010 (4CE79392) fffff880`068e0000 fffff880`068ec000 ndistapi ndistapi.sys Tue Jul 14 01:10:00 2009 (4A5BCCD8) fffff880`07b77000 fffff880`07b8a000 ndisuio ndisuio.sys Sat Nov 20 10:50:08 2010 (4CE7A7E0) fffff880`0122f000 fffff880`0125e000 ndiswan ndiswan.sys Sat Nov 20 10:52:32 2010 (4CE7A870) fffff880`06ce3000 fffff880`06cf8000 NDProxy NDProxy.SYS Sat Nov 20 10:52:20 2010 (4CE7A864) fffff880`067b0000 fffff880`067bf000 netbios netbios.sys Tue Jul 14 01:09:26 2009 (4A5BCCB6) fffff880`0669d000 fffff880`066e2000 netbt netbt.sys Sat Nov 20 09:23:18 2010 (4CE79386) fffff880`0153a000 fffff880`0159a000 NETIO NETIO.SYS Sat Nov 20 09:23:13 2010 (4CE79381) fffff880`013d2000 fffff880`013e3000 Npfs Npfs.SYS Tue Jul 14 00:19:48 2009 (4A5BC114) fffff880`0693f000 fffff880`0694b000 nsiproxy nsiproxy.sys Tue Jul 14 00:21:02 2009 (4A5BC15E) fffff800`02e67000 fffff800`03450000 nt ntkrnlmp.exe Thu Jun 23 03:53:23 2011 (4E02AAA3) fffff880`01044000 fffff880`011e7000 Ntfs Ntfs.sys Fri Mar 11 03:39:39 2011 (4D79997B) fffff880`019ee000 fffff880`019f7000 Null Null.SYS Tue Jul 14 00:19:37 2009 (4A5BC109) fffff880`06cf8000 fffff880`06d2a000 nvhda64v nvhda64v.sys Tue Jan 17 12:45:46 2012 (4F156D7A) fffff880`13059000 fffff880`13d77000 nvlddmkm nvlddmkm.sys Wed Feb 29 18:04:52 2012 (4F4E68C4) fffff880`07b24000 fffff880`07b77000 nwifi nwifi.sys Tue Jul 14 01:07:23 2009 (4A5BCC3B) fffff880`06774000 fffff880`0679a000 pacer pacer.sys Sat Nov 20 10:52:18 2010 (4CE7A862) fffff880`00fdb000 fffff880`00ff0000 partmgr partmgr.sys Sat Nov 20 09:20:00 2010 (4CE792C0) fffff880`00f9b000 fffff880`00fce000 pci pci.sys Sat Nov 20 09:19:11 2010 (4CE7928F) fffff880`00e71000 fffff880`00e78000 pciide pciide.sys Tue Jul 14 00:19:49 2009 (4A5BC115) fffff880`00ff0000 fffff880`01000000 PCIIDEX PCIIDEX.SYS Tue Jul 14 00:19:48 2009 (4A5BC114) fffff880`01363000 fffff880`01374000 pcw pcw.sys Tue Jul 14 00:19:27 2009 (4A5BC0FF) fffff880`09400000 fffff880`094a6000 peauth peauth.sys Tue Jul 14 02:01:19 2009 (4A5BD8DF) fffff880`07b8a000 fffff880`07b96000 pnarp pnarp.sys Sat Jun 06 07:06:44 2009 (4A2A0774) fffff880`06d2a000 fffff880`06d67000 portcls portcls.sys Tue Jul 14 01:06:27 2009 (4A5BCC03) fffff880`00cf8000 fffff880`00d0c000 PSHED PSHED.dll Tue Jul 14 02:32:23 2009 (4A5BE027) fffff880`07b96000 fffff880`07ba2000 purendis purendis.sys Sat Jun 06 05:32:06 2009 (4A29F146) fffff880`068bc000 fffff880`068e0000 rasl2tp rasl2tp.sys Sat Nov 20 10:52:34 2010 (4CE7A872) fffff880`06614000 fffff880`0662f000 raspppoe raspppoe.sys Tue Jul 14 01:10:17 2009 (4A5BCCE9) fffff880`01000000 fffff880`01021000 raspptp raspptp.sys Sat Nov 20 10:52:31 2010 (4CE7A86F) fffff880`0125e000 fffff880`01278000 rassstp rassstp.sys Tue Jul 14 01:10:25 2009 (4A5BCCF1) fffff880`068ee000 fffff880`0693f000 rdbss rdbss.sys Sat Nov 20 09:27:51 2010 (4CE79497) fffff880`069e8000 fffff880`069f3000 rdpbus rdpbus.sys Tue Jul 14 01:17:46 2009 (4A5BCEAA) fffff880`01600000 fffff880`01609000 RDPCDD RDPCDD.sys Tue Jul 14 01:16:34 2009 (4A5BCE62) fffff880`01435000 fffff880`0143e000 rdpencdd rdpencdd.sys Tue Jul 14 01:16:34 2009 (4A5BCE62) fffff880`0143e000 fffff880`01447000 rdprefmp rdprefmp.sys Tue Jul 14 01:16:35 2009 (4A5BCE63) fffff880`018bd000 fffff880`018f7000 rdyboost rdyboost.sys Sat Nov 20 09:43:10 2010 (4CE7982E) fffff880`07ba2000 fffff880`07bba000 rspndr rspndr.sys Tue Jul 14 01:08:50 2009 (4A5BCC92) fffff880`06a24000 fffff880`06ab1000 Rt64win7 Rt64win7.sys Tue Aug 23 14:55:41 2011 (4E53B15D) fffff880`094a6000 fffff880`094b1000 secdrv secdrv.SYS Wed Sep 13 14:18:38 2006 (4508052E) fffff880`13deb000 fffff880`13df7000 serenum serenum.sys Tue Jul 14 01:00:33 2009 (4A5BCAA1) fffff880`067bf000 fffff880`067dc000 serial serial.sys Tue Jul 14 01:00:40 2009 (4A5BCAA8) fffff880`018b5000 fffff880`018bd000 spldr spldr.sys Mon May 11 17:56:27 2009 (4A0858BB) fffff880`09521000 fffff880`095b9000 srv srv.sys Fri Apr 29 04:06:06 2011 (4DBA2B1E) fffff880`094b8000 fffff880`09521000 srv2 srv2.sys Fri Apr 29 04:05:46 2011 (4DBA2B0A) fffff880`07ec9000 fffff880`07efa000 srvnet srvnet.sys Fri Apr 29 04:05:35 2011 (4DBA2AFF) fffff880`06abc000 fffff880`06abd480 swenum swenum.sys Tue Jul 14 01:00:18 2009 (4A5BCA92) fffff880`0160b000 fffff880`0180f000 tcpip tcpip.sys Thu Sep 29 04:43:04 2011 (4E83E948) fffff880`095c4000 fffff880`095d6000 tcpipreg tcpipreg.sys Sat Nov 20 10:51:48 2010 (4CE7A844) fffff880`01222000 fffff880`0122f000 TDI TDI.SYS Sat Nov 20 09:22:06 2010 (4CE7933E) fffff880`01200000 fffff880`01222000 tdx tdx.sys Sat Nov 20 09:21:54 2010 (4CE79332) fffff880`06600000 fffff880`06614000 termdd termdd.sys Sat Nov 20 11:03:40 2010 (4CE7AB0C) fffff960`00580000 fffff960`0058a000 TSDDD TSDDD.dll unavailable (00000000) fffff880`06878000 fffff880`0689e000 tunnel tunnel.sys Sat Nov 20 10:51:50 2010 (4CE7A846) fffff880`06c77000 fffff880`06c89000 umbus umbus.sys Sat Nov 20 10:44:37 2010 (4CE7A695) fffff880`07a64000 fffff880`07a7ec80 usbaudio usbaudio.sys Sat Nov 20 10:43:52 2010 (4CE7A668) fffff880`01021000 fffff880`0103e000 usbccgp usbccgp.sys Sat Nov 20 10:44:03 2010 (4CE7A673) fffff880`06c22000 fffff880`06c23f00 USBD USBD.SYS Tue Jul 14 01:06:23 2009 (4A5BCBFF) fffff880`13dda000 fffff880`13deb000 usbehci usbehci.sys Sat Nov 20 10:43:54 2010 (4CE7A66A) fffff880`13dcd000 fffff880`13dda000 usbfilter usbfilter.sys Tue Dec 22 08:26:22 2009 (4B3082AE) fffff880`06c89000 fffff880`06ce3000 usbhub usbhub.sys Sat Nov 20 10:44:30 2010 (4CE7A68E) fffff880`06ab1000 fffff880`06abc000 usbohci usbohci.sys Tue Jul 14 01:06:30 2009 (4A5BCC06) fffff880`13d77000 fffff880`13dcd000 USBPORT USBPORT.SYS Sat Nov 20 10:44:00 2010 (4CE7A670) fffff880`00fce000 fffff880`00fdb000 vdrvroot vdrvroot.sys Tue Jul 14 01:01:31 2009 (4A5BCADB) fffff880`015ef000 fffff880`015fd000 vga vga.sys Tue Jul 14 00:38:47 2009 (4A5BC587) fffff880`01400000 fffff880`01425000 VIDEOPRT VIDEOPRT.SYS Tue Jul 14 00:38:51 2009 (4A5BC58B) fffff880`01859000 fffff880`01869000 vmstorfl vmstorfl.sys Sat Nov 20 09:57:30 2010 (4CE79B8A) fffff880`00e00000 fffff880`00e15000 volmgr volmgr.sys Sat Nov 20 09:19:28 2010 (4CE792A0) fffff880`00e15000 fffff880`00e71000 volmgrx volmgrx.sys Sat Nov 20 09:20:43 2010 (4CE792EB) fffff880`01869000 fffff880`018b5000 volsnap volsnap.sys Sat Nov 20 09:20:08 2010 (4CE792C8) fffff880`0679a000 fffff880`067b0000 vwififlt vwififlt.sys Tue Jul 14 01:07:22 2009 (4A5BCC3A) fffff880`067dc000 fffff880`067f7000 wanarp wanarp.sys Sat Nov 20 10:52:36 2010 (4CE7A874) fffff880`01425000 fffff880`01435000 watchdog watchdog.sys Tue Jul 14 00:37:35 2009 (4A5BC53F) fffff880`00e7e000 fffff880`00f22000 Wdf01000 Wdf01000.sys Tue Jul 14 00:22:07 2009 (4A5BC19F) fffff880`00f22000 fffff880`00f31000 WDFLDR WDFLDR.SYS Tue Jul 14 00:19:54 2009 (4A5BC11A) fffff880`0676b000 fffff880`06774000 wfplwf wfplwf.sys Tue Jul 14 01:09:26 2009 (4A5BCCB6) fffff960`00090000 fffff960`003a5000 win32k win32k.sys Fri Feb 03 04:34:05 2012 (4F2B63BD) fffff880`068b3000 fffff880`068bc000 wmiacpi wmiacpi.sys Tue Jul 14 00:31:02 2009 (4A5BC3B6) fffff880`00f88000 fffff880`00f91000 WMILIB WMILIB.SYS Tue Jul 14 00:19:51 2009 (4A5BC117) Unloaded modules: fffff880`019a8000 fffff880`019b6000 crashdmp.sys Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000E000 fffff880`019b6000 fffff880`019c2000 dump_ataport Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000C000 fffff880`019c2000 fffff880`019cb000 dump_atapi.s Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 00009000 fffff880`019cb000 fffff880`019de000 dump_dumpfve Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 00013000 Let us know how it goes. If you get further problems with blue screens, attach your new dump files and details and we'll move on from there.


So i'm really new to this, I just want to know what to take out. My IE is hijacked like crazy so idk, i think it been putting new virus in my pc or something. And I have been using a program that removes Trojans called Trojan Remover so yeah...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:16 PM, on 2/20/2009
Platform: Unknown Windows (WinNT 6.01.2904)
MSIE: Internet Explorer v8.00 (8.00.7000.0000)
Boot mode: Normal

Running processes:
C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
C:Program FilesDell Support Centerbinsprtcmd.exe
C:Program FilesPC Tools AntiVirusPCTAV.exe
C:Program FilesRegistry MechanicRMTray.exe
C:Program FilesJavajre6binjusched.exe
C:Program FilesDellSupportDSAgnt.exe
C:Program FilesMySpaceIMMySpaceIM.exe
C:Program FilesDigital Line DetectDLG.exe
C:Program FilesMySpaceIMMySpaceIM.exe
C:Program FilesYahoo!MessengerYahooMessenger.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe
C:Program FilesMozilla Firefoxfirefox.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = Live Search
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = Live Search
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = Live Search
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = MSN.com
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Internet Explorer provided by Dell
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:Program FilesSweetIMToolbarsInternet ExplorermgHelper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre6binssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:Program FilesBAEBAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:Program FilesSweetIMToolbarsInternet ExplorermgToolbarIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:Program FilesYahoo!CompanionInstallscpnYTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O4 - HKLM..Run: [NvSvc] RUNDLL32.EXE C:Windowssystem32nvsvc.dll,nvsvcStart
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:Windowssystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:Windowssystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [DellSupportCenter] "C:Program FilesDell Support Centerbinsprtcmd.exe" /P DellSupportCenter
O4 - HKLM..Run: [dscactivate] "C:Program FilesDell Support Centergs_agentcustomdsca.exe"
O4 - HKLM..Run: [ISUSScheduler] "C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe" -start
O4 - HKLM..Run: [PCTAVApp] "C:Program FilesPC Tools AntiVirusPCTAV.exe" /MONITORSCAN
O4 - HKLM..Run: [QuickTime Plugin Install] C:Program FilesQuickTimePluginsDeleteMe1.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [RegistryMechanic] C:Program FilesRegistry MechanicRMTray.exe /QS
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre6binjusched.exe"
O4 - HKLM..Run: [WrtMon.exe] C:Windowssystem32spooldriversw32x863WrtMon.exe
O4 - HKLM..Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM..Run: [TrojanScanner] C:Program FilesTrojan RemoverTrjscan.exe /boot
O4 - HKCU..Run: [DellSupport] "C:Program FilesDellSupportDSAgnt.exe" /startup
O4 - HKCU..Run: [DellSupportCenter] "C:Program FilesDell Support Centerbinsprtcmd.exe" /P DellSupportCenter
O4 - HKCU..Run: [ehTray.exe] C:WindowsehomeehTray.exe
O4 - HKCU..Run: [MySpaceIM] C:Program FilesMySpaceIMMySpaceIM.exe
O4 - HKCU..Run: [WMPNSCFG] C:Program FilesWindows Media PlayerWMPNSCFG.exe
O4 - HKCU..Run: [Messenger (Yahoo!)] "C:Program FilesYahoo!MessengerYahooMessenger.exe" -quiet
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..RunOnce: [mctadmin] C:WindowsSystem32mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-20..RunOnce: [mctadmin] C:WindowsSystem32mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Memeo AutoBackup Launcher.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:Program FilesDigital Line DetectDLG.exe
O12 - Plugin for .mdz: C:Program FilesInternet ExplorerPluginsnpmod32.dll
O13 - Gopher Prefix:
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:Program FilesYahoo!CommonYinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:PROGRA~1mcafeeSITEAD~1mcieplg.dll
O20 - AppInit_DLLs: C:PROGRA~1StardockOBJECT~1WINDOW~1
O23 - Service: Apple Mobile Device - Apple, Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:Windowssystem32CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:Program FilesDellSupportbrkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:Program FilesNOSbingetPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:Program FilesCommon FilesLogiShrdLVCOMSERLVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:Program FilesCommon FilesLogiShrdLVMVFMLVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:Program FilesMcAfeeSiteAdvisorMcSACore.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:Program FilesPC Tools AntiVirusPCTAVSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:Program FilesCommon FilesRoxio Shared9.0SharedCOMRoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:Program FilesDell Support Centerbinsprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:WindowsSystem32STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:Program FilesCommon FilesSureThing Sharedstllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:Program FilesViewpointCommonViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:Windowssystem32DRIVERSxaudio.exe

End of file - 9100 bytes

so whats up with the log? anything odd?

Dear Friends,

While running IE6 on my Home machine (Windows XP home), I sometimes
see a Process called "nnympb.exe" that runs without notice and causes
popups on the screen. I tried to search for this program on my
computer, and remarkably it is not on my C: drive. Another remarkable
thing about this process is its rather surreptitious nature; it stays
on for only a short period of time when it creates the popup and then
quits by itself. I don't have any other drives on my computer (aside
from C, so it is unclear where this program is being launched from!
Has anyone found this annoying process nnympb.exe creating havoc with
their Explorer? And have you figured out the right "block" for it.
If so kindly help.

I must add that I have the Google popup blocker and also have already
followed Mike Maltby's (MS-MVP

-----Original Message-----
Teri wrote:
Over the past week my pc has slowed down considerably.
I'm talking a minute or 2 to open a window. I have
virus scans (clean), I have ran Spybot and Adaware
(completely clean), I have run CW Shredder, disk
diskcheck, defrag , the Windows Memory Diagnostic and
power supply is free of dust. (I read the Knowledge
regulary) Everything comes back clean. No problems
anywhere. I have a HP Pavilion and I run Windows XP
Upgrated from Win 98 SE. I have always had a problem
with "Hang App Errors" but I have always been able to
least clean it up enough to speed it up some. I don't
know what else to do.

You've tried most of my suggestions, but let me just
throw out a personal
comment here..

HP Pavilion.. My apologies.

Having said that - have you cleaned up the running
processes and such? Take
out some of the normal HP crap they like to install?
Killed off unnecessary

Also - have you installed any patches or updates you
think might cause
this - have you tried uninstalling them?

The last thing in this spill will explain how to stop
services and choose
the ones you need.

Suggestions on what you can do to secure/clean your PC.
I'm going to try
and be general, I will assume a "Windows" operating
system is what is
being secured here.


This one is the most obvious. There is no perfect
product and any company
worth their salt will try to meet/exceed the needs of
their customers and
fix any problems they find along the way. I am not
going to say Microsoft
is the best company in the world about this but they do
have an option
available for you to use to keep your machine updated
and patched from
the problems and vulnerabilities (as well as product
improvements in some
cases) - and it's free to you.

Windows Update

Go there and scan your machine for updates. Always get
the critical ones as
you see them. Write down the KB###### or Q###### you
see when selecting the
updates and if you have trouble over the next few days,
go into your control
panel (Add/Remove Programs), match up the latest numbers
you downloaded
recently (since you started noticing an issue) and
uninstall them. If there
was more than one (usually is), install them back one by
one - with a few
hours of use in between, to see if the problem returns.
Yes - the process
is not perfect (updating) and can cause trouble like I
mentioned - but as
you can see, the solution isn't that bad - and is MUCH
better than the
alternatives. (SASSER/BLASTER were SO preventable with
just this step!)

Windows is not the only product you likely have on your
PC. The
manufacturers of the other products usually have updates
as well. New
versions of almost everything come out all the time -
some are free, some
are pay - some you can only download if you are
registered - but it is best
to check. Just go to their web pages and look under
their support and
download sections.

You also have hardware on your machine that requires
drivers to interface
with the operating system. You have a video card that
allows you to see on
your screen, a sound card that allows you to hear your
PCs sound output and
so on. Visit those manufacturer web sites for the
latest downloadable
drivers for your hardware/operating system. Always
(IMO) get the
manufacturers hardware driver over any Microsoft
offers. On the Windows
Update site I mentioned earlier, I suggest NOT getting
their hardware
drivers - no matter how tempting.

Have I mentioned that Microsoft has some stuff to help
secure your computer
available to the end-user for free? This seems as good
of a time as any.
They have a CD you can order (it's free) that contain
all of the Windows
patches through October 2003 and some trial products as
well that they
released in February 2004. Yeah - it's a little behind
now, but it's better
than nothing (and used in coordination with the
information in this post,
well worth the purchase price..)

Order the Windows Security Update CD

They also have a bunch of suggestions, some similar to
these, on how to
better protect your Windows system:

Protect your PC


Let's say you are up-to-date on the OS (operating
system) and you have
Windows XP.. You should at least turn on the built in
firewall. That will
do a lot to "hide" you from the random bad things flying
around the
Internet. Things like Sasser/Blaster enjoy just sitting
out there in
Cyberspace looking for an unprotected Windows Operating
System and jumping
on it, doing great damage in the process and then using
that Unprotected OS
to continue its dirty work of infecting others. If you
have the Windows XP
ICF turned on - default configuration - then they cannot
see you! Think of
it as Internet Stealth Mode at this point. It has other
advantages, like
actually locking the doors you didn't even (likely) know
you had. Doing
this is simple, the instructions you need to use your
built in Windows XP
firewall can be found he


If you read through that and look through the pages that
are linked from it
at the bottom of that page - I think you should have a
firm grasp on the
basics of the Windows XP Firewall as it is today. One
thing to note RIGHT
NOW - if you have AOL, you cannot use this nice firewall
that came with
your system. Thank AOL, not Microsoft. You HAVE to
configure another
one.. So we continue with our session on Firewalls...

But let's say you DON'T have Windows XP - you have some
other OS like
Windows 95, 98, 98SE, ME, NT, 2000. Well, you don't
have the nifty built in
firewall. My suggestion - upgrade. My next suggestion -
look through your
options. There are lots of free and pay firewalls out
there for home users.
Yes - you will have to decide on your own which to get.
Yes, you will have
to learn (oh no!) to use these firewalls and configure
them so they don't
interfere with what you want to do while continuing to
provide the security
you desire. It's just like anything else you want to
protect - you have to
do something to protect it. Here are some suggested
applications. A lot of
people tout "ZoneAlarm" as being the best alternative to
just using the
Windows XP ICF, but truthfully - any of these
alternatives are much better
than the Windows XP ICF at what they do - because that
is ALL they do.

ZoneAlarm (Free and up)

Kerio Personal Firewall (KPF) (Free and up)

Outpost Firewall from Agnitum (Free and up)

Sygate Personal Firewall (Free and up)

Symantec's Norton Personal Firewall (~$25 and up)

BlackICE PC Protection ($39.95 and up)

Tiny Personal Firewall (~$49.00 and up)

That list is not complete, but they are good firewall
options, every one of
them. Visit the web pages, read up, ask around if you
like - make a
decision and go with some firewall, any firewall. Also,
maintain it.
Sometimes new holes are discovered in even the best of
these products and
patches are released from the company to remedy this
problem. However, if
you don't get the patches (check the manufacturer web
page on occasion),
then you may never know you have the problem and/or are
being used through
this weakness. Also, don't stack these things. Running
more than one
firewall will not make you safer - it would likely (in
fact) negate some
protection you gleamed from one or the other firewalls
you ran together.


That's not all. That's one facet of a secure PC, but
firewalls don't do
everything. I saw one person posting on a newsgroup
that "they had
never had a virus and they never run any anti-virus
software." Yep - I used
to believe that way too - viruses were something
everyone else seemed to
get, were they just stupid? And for the average joe-
user who is careful,
uses their one-three family computers carefully, never
opening unknown
attachments, always visiting the same family safe web
sites, never
installing anything that did not come with their
computer - maybe, just
maybe they will never witness a virus. I, however, am a
Network Systems
Administrator. I see that AntiVirus software is an
absolute necessity given
how most people see their computer as a toy/tool and not
they should have to maintain and upkeep. After all,
they were invented to
make life easier, right - not add another task to your
day. You
can be as careful as you want - will the next person be
as careful? Will
someone send you unknowingly the email that erases all
the pictures of your
child/childhood? Possibly - why take the chance?
SOFTWARE and KEEP IT UP TO DATE! Antivirus software
comes in so many
flavors, it's like walking into a Jelly Belly store -
which one tastes like
what?! Well, here are a few choices for you. Some of
these are free (isn't
that nice?) and some are not. Is one better than the
other - MAYBE.

Symantec (Norton) AntiVirus (~$11 and up)

Kaspersky Anti-Virus (~$49.95 and up)

Panda Antivirus Titanium (~$39.95 and up)
(Free Online Scanner:

AVG 6.0 Anti-Virus System (Free and up)

McAfee VirusScan (~$11 and up)

AntiVir (Free and up)

avast! 4 (Free and up)

Trend Micro (~$49.95 and up)
(Free Online Scanner:


RAV AntiVirus Online Virus Scan (Free!)

Did I mention you have to not only install this
software, but also keep it
updated? You do. Some of them (most) have automatic
services to help you
do this - I mean, it's not your job to keep up with the
half-dozen or more
new threats that come out daily, is it? Be sure to keep
whichever one you
choose up to date!


So you must be thinking that the above two things got
your back now - you
are covered, safe and secure in your little fox hole.
Wrong! There are
more bad guys out there. There are annoyances out there
you can get without
trying. Your normal web surfing, maybe a wrong click on
a web page, maybe
just a momentary lack of judgment by installing some
software packages
without doing the research.. And all of a sudden your
screen starts filling
up with advertisements or your Internet seems much
slower or your home page
won't stay what you set it and goes someplace unfamiliar
to you. This is
spyware. There are a whole SLEW of software packages
out there to get rid
of this crud and help prevent reinfection. Some of the
products already
mentioned might even have branched out into this arena.
However, there are
a few applications that seem to be the best at what they
do, which is
eradicating and immunizing your system from this crap.
Strangely, the best
products I have found in this category ARE generally
free. That is a trend
I like. I make donations to some of them, they deserve

Two side-notes: Never think one of these can do the
whole job.
Try the first 5 before coming back and saying "That did
not work!"
Also, you can always visit:
For more updated information.

Spybot Search and Destroy (Free!)

Lavasoft AdAware (Free and up)

CWSShredder (Free!)

Hijack This! (Free)
( Tutorial:
http://www.spywareinfo.com/~merijn/htlogtutorial.html )

SpywareBlaster (Free!)

IE-SPYAD (Free!)

ToolbarCop (Free!)

Bazooka Adware and Spyware Scanner (Free!)

Browser Security Tests

The Cleaner (49.95 and up)

That will clean up your machine of the spyware, given
that you download and
install several of them, update them regularly and scan
with them when you
update. Some (like SpywareBlaster and SpyBot Search and
Destroy) have
immunization features that will help you prevent your PC
from being
infected. Use these features!

Unfortunately, although that will lessen your popups on
the Internet/while
you are online, it won't eliminate them. I have looked
at a lot of options,
seen a lot of them used in production with people who
seem to attract popups
like a plague, and I only have one suggestion that end
up serving double
duty (search engine and popup stopper in one):

The Google Toolbar (Free!)

Yeah - it adds a bar to your Internet Explorer - but its
a useful one. You
can search from there anytime with one of the best
search engines on the
planet (IMO.) And the fact it stops most popups - wow -
BONUS! If you
don't like that suggestion, then I am just going to say
you go to
www.google.com and search for other options.

One more suggestion, although I will suggest this in a
way later, is to
disable your Windows Messenger service. This service is
not used frequently
(if at all) by the normal home user and in cooperation
with a good firewall,
is generally unnecessary. Microsoft has instructions on
how to do this for
Windows XP he


This one can get annoying, just like the rest. You get
50 emails in one
sitting and 2 of them you wanted. NICE! (Not.) What
can you do? Well,
although there are services out there to help you, some
servers/services that actually do lower your spam with
features built into
their servers - I still like the methods that let you be
the end-decision
maker on what is spam and what isn't. If these things
worked perfectly, we
wouldn't need people and then there would be no spam
anyway - vicious
circle, eh? Anyway - I have two products to suggest to
you, look at them
and see if either of them suite your needs. Again, if
they don't, Google is
free and available for your perusal.

SpamBayes (Free!)

Spamihilator (Free!)

As I said, those are not your only options, but are
reliable ones I have
seen function for hundreds+ people.


I might get arguments on putting this one here, but it's
my spill. There are
lots of services on your PC that are probably turned on
by default you don't
use. Why have them on? Check out these web pages to
see what all of the
services you might find on your computer are and set
them according to your
personal needs. Be CAREFUL what you set to manual, and
take heed and write
down as you change things! Also, don't expect a large
performance increase
or anything - especially on todays 2+ GHz machines,
however - I look at each
service you set to manual as one less service you have
to worry about
someone exploiting. A year ago, I would have thought
the Windows Messenger
service to be pretty safe, now I recommend (with
addition of a firewall)
that most home users disable it! Yeah - this is another
one you have to
work for, but your computer may speed up and/or be more
secure because you
took the time. And if you document what you do as you
do it, next time, it
goes MUCH faster! (or if you have to go back and re-
enable things..)

Task List Programs


Black Viper's Service List and Opinions (XP)

Processes in Windows NT/2000/XP

There are also applications that AREN'T services that
startup when you start
up the computer/logon. One of the better description on
how to handle these
I have found he


That's it. A small booklet on how to keep your computer
secure, clean of
scum and more user friendly. I am SURE I missed
something, almost as I am
sure you won't read all of it (anyone for that matter.)
However, I also
know that someone who followed all of the advice above
would also have less
problems with their PC, less problems with viruses, less
problems with spam,
fewer problems with spyware and better performance than
someone who didn't.

Hope it helps.

- Shenan -
The information is provided "as is", with no guarantees
completeness, accuracy or timeliness, and without
warranties of any
kind, express or implied. In other words, read up
before you take any
advice - you are the one ultimately responsible for your

Shenan, thank you so much for taking the time to answer
my post with so much detail. Not only did I read every
word, I also made a lot of notes and recorded every
link. Yes, I am running XP, I do use the built in
firewall, I have Spybot, Adaware, Hijack This and CW
Shredder all installed and use them on a regular basis.
I use the housecall,trendmicro and the symantec security
and virus scan at the same time. Windows update informs
me when there is an update for my pc and I always install
the critical ones. My startup up programs are at a
minimum as are my running services. Actually, I am
wondering if I have something checked in Internet Options
that I shouldn't. As I mentioned before I have always
had a problem with "hungapp errors" in the event viewer
but under "security" I am getting events I really do not
understand and they keep changing, for instance
User Name: Network Service User Name: Owner
Domain: NT Authority Domain:OEMCOMPUTER
Logon Type: 5 Logon Type:2
Logon Process:Advapi Logon Process:User32

User Name:
Logon Type:3
Logon Process:NtLmSsp
Also, I am getting events "A trusted logon process has
registered with the Local Security Authority. This
logon process will be trusted to submit logon requests
(CHAP, scecli, WinlogonMSGina, KsecDD, Lan Manager
Workstation Service). These might all be normal but I
don't remember seeing all of them before.

Just my personal experience...

I'm certainly no PC or internet newbie. And I've been online before there was even a well-known "internet", using CompuServ in it's earliest days, and BBS's before that. I know how to avoide email virii, various scams, and can spot a virus "hoax" a mile
away. I have a home network, behind a firewall/router, and routinely run ZoneAlarm, Norton AV, AdAware, SpyBot S&D, and have used various pop-up blockers, currently relying on the one built into the Google Toolbar.

In spite of all this, twice within the last month my system has been compromized by my doing nothing more than clicking a web link on what appeared to be trustworthy sites. Just a couple days prior to the SCOB scare, I was surfing around looking for info
on digital cameras. After clicking some link, suddenly the screen began filling with popups (in spite of the Google popup blocker), and then the system froze. Upon rebooting, I found my desktop wallpaper had been replaced by an active desktop page to a "
security" software site, and the CPU was pegged at near 100%. After about 9 hours, and multiple passes with various tools, I found I that along with the desktop hijack, I had been infected with Backdoor.Jeem, several adware programs, and the nefarious Coo
lWebSearch. I lost a whole day tracking down and removing all traces of this.

This Sunday, an identical episode occurred...searching Google for info on injector razors. One of the links I clicked on took me to another site that had some "consolidated" links regarding my search. About the 5th link I clicked on there suddenly put a
couple of popups on the screen, and one looked like a normal permissions screen, asking if I wanted to install something-or-other from "Slotch.Com". Of course I didn't...but I paused for a minute to look over that window, as it didn't look quite right. T
he layout of the "Yes" and "No" buttons, and a couple other things, didn't appear genuine. I actually felt that clicking anywhere on that window was a bad idea, so I just closed down all browser windows. I also shut down the system, and then I decided th
at considering my experience from a couple weeks earlier, I better check things out thoroughly.

I unplugged the network cable, and booted to safe mode. First I ran CWShredder, which found 4 instances installed. I then ran Spybot S&D, which found 40 suspicious files/entries, and deleted those. Then I ran Norton AV, which found 57 bad hits. It was
only able to delete 37 of them, so I had to manually right down the name and location of each file/registry entry and attempt to get rid of them. After working through all this, I reconnected to the network and booted up normally. During the course of th
is, I also discovered that two programs called PowerScan and Sidebar T-Search, or something like that, had been installed, and as neither had any uninstall or entry in Add/Remove programs, I had to manually get rid of those.

I wanted to go to the Symantic site and see what other info might be available for some of the things it found. After booting up, I decided to use Mozilla Firefox to go to the site, as I had installed that after the previous problem, and thought I might b
e a little safer till I was sure the machine was clean. But when I clicked on the Firefox desktop icon, it couldn't find the program...sure enough, the entire Firefox folder and install was gone. Sneaky move on the spyware's part! I still had the Firefo
x install package on the system, so I reinstalled, and went out to the Symantec site. I went to a couple more site with Firefox and then shut the system down.

I started it up a little later, and once again, clicking on the Firefox icon said it couldn't locate the program...and again, the entire folder and install was gone. So something was still on the system, and deleting Firefox apparently at will. I ran HiJ
ack This! and noticed a new BHO listing that pointed to a DLL I hadn't seen before, something like bvm202.dll. I went and looked at the properties of that DLL, and it had been created that day, at the same time all the problems started. So I booted to sa
fe mode again, deleted the DLL, and deleted all references to in from the Registry. Reinstalled Firefox again, and now it seems to be staying, so I'm not sure if that was the problem or not.

In any event, I probably lost almost 20 hours of time over the two incidents. I'm still not 100% confident of the machine's status at this point. Numerous bad things got installed in each instance, and with me doing no more than clicking a web link...in
both cases, I did not attempt to download or install anything, I did not give permission for installation, and I had firewalls and AV products active at the time, along with "supposed" popup blockers, and I was not doing or visiting anything "shady" that I
shouldn't have been. Yet all of this did nothing to stop these incidents from occurring.

Point is, IE is simply allowing way to much damage to occurr with little or no action on the end-users part. It should never allow something to be installed on my system without my explicit permission. I do not understand how this has happened, as I didn
't think it was even possible for things like this to occurr without me doing SOMETHING to initiate it. If clicking on a web link is all it takes, then quite clearly the IE browser is useless.

So now I'm back to using Firefox. We'll see how this goes. In any event, MS needs to completely redesign it's security model for this thing, as right now I wouldn't trust it to go to MS's own website.

Please see the following instructions.

Spyware/Virus Removal and Prevention:
(You should find links to online virus scans on the same page)

Startup and Temporary Files Cleanup:

Good Luck!

"slim1968" wrote:

I made the mistake of downlaoding some shareware and whenever my firewall asked me if I would allow a program to communicate with the Internet I said yes as I had no idea waht the programs were! Then Blaze Find took over my Home Page and when I changed t
hat in Options in IE it installed a tool bar next to my systems tray. I found out how to delete this program on the control panel. My anti-virus software detected nothing nor did Spybot but Housecall found three Trojans (one of which had Blaze Find in the
name). I thought they were deleted but I have had all sorts of strange things happen in IE and everytime I run Ad-aware Blaze Ifind is back and they claim it is trying to hijack my browser. I delete it but then it comes back again. I have googled Blaze Fin
d but didn't feel compotent to follow the fixes I found there or I wondered how reliable they were. Tech support at my server said I should call (866)PCSAFTY but there was no one there. Is there anything a complete idiot can do to get rid of this damn thin

Page 1 of 2.
Results 1...20 of 32