Blue Screen with SpySweeper


20 replies to this topic

#1 JSass

JSass

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 04 September 2006 - 02:03 PM

Hello, it appears that I have several issues with my system, and any help anyone can provide is much appreciated. The biggest problem is that I have been unable to conduct a sweep for spyware in about 20 days or so. At this point, whenever I attempt a sweep using Webroot SpySweeper 5.0, the application eventually freezes and then the system provides me with a "STOP" blue screen. The specific content of the screen is: "A problem has been detected and Windows has been shut down to prevent damage to your computer. KERNEL_DATA_INPAGE_ERROR If this is the first time you've seen this STOP error screen, restart your computer. If this screen appears again, follow these steps: Check to see if any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need. If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode. Technical Information: *** STOP: 0x0000007A (0xc0384B68, 0xc000000E, 0xe12da658, 0x09c1a880)" Although my system has presented me with a "blue" screen previously, it was intermittently, say, once every two - three months, if that. I started receiving more "blue" screens after my Netgear and now Linksys router was installed. But now, it seems the only time I get a "blue" screen is when I attempt to scan my computer with Webroot SpySweeper. I noticed for the first time the other day that SpySweeper stops / got stuck when scanning a file with the name "c:\windows\system32\drivers\agp440.exe," ...think this was the name. Today when doing a scan, it stopped at a file named "c:\system volume information\_restore {21d7d642-4...\q0005214.exe. In regards to this issue, I searched the Internet for "agp440.exe" and found this site.
To my knowledge, it has been some time since I installed new hardware or software, notwithstanding that which I installed in the last couple of days, driver updates, etc. That is, the problem existed prior to my attempting to install such updates. Reading the thread begun by "STROBIE" I see that I was experiencing some of the same issues: slow startup, hard drive making noise when I am not performing any apparent operations, errors along the lines of "application error - the instruction at ... referenced memory at ... could not be read". After following instructions in that thread, I now get a couple of other errors, probably because I deleted one too many files, etc.: "RUNDLL ... Error loading NvQTwk ... The specified module could not be found." Once, since yesterday, I received the error "Error 8602 - Auxiliary device failure keyboard failure." After restarting my computer, the device failure error seemed to go away. However, the RUNDLL error still exists. Now, I have done the following based on reviewing the "STROBIE" thread:

* checked the location of the machine, the proper operation of the fan, and the overall temperature of the unit. Overall, although there is some, a small amount of, dust near and on the computer, the temperature is cool to lukewarm by touch of the hand. I am able to feel air movement near the fan. The CPU / tower is located beneath my desk with plenty of room for air flow, etc.
* run the HijackThis utility / program. The header for the log file is provided below.
* located the lsass.exe file in the c:\windows\system32 folder
* reviewed the Device Manager, and saw no "warnings"
* run the "scannow" utility a few times. It appears no files are corrupted or missing
* run the Windows disk defragment utility
* run cleanmgr, searched and deleted (including emptying recycle bin) *.tmp files
* run %temp%, deleted all files (including offline content) by emptying the Temporary Internet Cache
* deleted all other temp files in suggested folders (see STROBIE)
* set the system restore space to 3%
* viewed log file from HijackThis (this list of items fills 4 8.5x11 pages)

What I have yet to do is go to www.answersthatwork.com to determine what items from my HijackThis log need to be removed. It seems a bit of an overwhelming task. Below is the header from my HijackThis log. I also include a snapshot of my system components. Once again, any help would be appreciated. Thank you. Jeff

*****************************************************************************************
HijackThis Log File Header:
Logfile of HijackThis v1.99.1
Scan saved at 8:04:46 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
*****************************************************************************************
System Information Summary:
OS Name: Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer: Microsoft Corporation
System Name: <removed>
System Manufacturer: Dell Computer Corporation
System Model: Dimension 8200
System Type: X86-based PC
Processor: x86 Family 15 Model 1 Stepping 2 GenuineIntel ~1694 Mhz
BIOS Version/Date: Dell Computer Corporation A03, 12/7/2001
SMBIOS Version: 2.3
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume2
Locale: United States
Hardware Abstraction Layer Version: "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
User Name: <removed>
Time Zone: Pacific Daylight Time
Total Physical Memory: 256.00 MB
Available Physical Memory: 11.96 MB
Total Virtual Memory: 2.00 GB
Available Virtual Memory: 1.96 GB
Page File Space: 615.73 MB
Page File: C:\pagefile.sys
*****************************************************************************************

P.S.: when going through the process of removing unneeded files and applications, the diagnostic tool for my sound card came up. Completing the diagnostic once, I received an error. Running it again, that error went away, but another appeared indicating that my sound card may be bad. Running it a third time, everything passed. Any thoughts on this one?
P.P.S: I use my computer to surf the web, create and view email, and perform some standard office functions (Word, Excel, etc.), nothing too daunting. I do not use the system for gaming, video editing, etc.
P.P.S: why in general does my Dell system at work take only 10 or so seconds to boot up and it takes sometimes a minute or two for my system at home to boot up? Any thoughts?

Attached Files


Edited by JSass, 04 September 2006 - 02:04 PM.


#2 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 04 September 2006 - 03:47 PM

Hi JSass,

I see that you have also posted this problem in the HJT Forum.
That is good, as you do show some evidence of infection.
Please complete your work in the HJT Forum prior to making other changes to your system independently.

After completing your work in HJT, please feel free to return here to this "other computer problems" Forum for assistance.

Generally, the Error types that you are receiving relate to Hardware problems of "low resource" and corrupted controllers of your Hard Drive.

You show that you have 256mb RAM installed on this machine. That is a very low amount of RAM for a Machine running Windows XP, particularly when there are so many applications and processes running actively from StartUp, as is the case with your machine.

Many of the actively running programs (which unnecessarily consume large quantities of system resources) are highly optional and even not recommended items that do not need to start up every time you boot your machine.

Many of them (including at least one instance of spyware) will regularly attempt to access the internet to check for updates, or to convey your personal information to a remote host. Not good.

After you are cleaned up in HJT, you can use the http://AnswersThatWork.com resource you cited, or you are welcome to post back here to work on setting up your machine to work more optimally.

Best Regards
The help you receive here is free.
If you wish, you may Donate to help keep us online.

#3 JSass

JSass

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 04 September 2006 - 07:35 PM

Hi Dough, thank you for your quick response. I was hoping that you would respond, given the response you provided "STROBIE." I will await a response from someone in the HJT forum. I have also sent the same information to Webroot for consideration. Once I obtain some resolution, I will update my post here. Again, hopefully you will respond. A quick note: the current system configuration is what came with it from the factory. I've made no intentional adjustments, i.e. adding hardware, etc., other than a router and cable modem. Also, I would really like for my system to be as quick as possible and really, I think, have no need for all of "that stuff" to load at start-up. I am very open to doing what it takes to make things work right. Until our next chat, thank you once again. Your advice is much appreciated. All the best. Jeff

#4 paws

paws

    Tech Team

  • Administrator
  • 6,088 posts

Posted 05 September 2006 - 04:24 PM

Hi JSass,

You will be in very experienced hands when you receive detailed advice on malware removal from:
http://forums.tomcoy...hp?showforum=27
and also from this forum here from Dough.

I hopped over to the above forum as I was interested to have a look at your HiJackThis log (HJT Log) but as far as I can see you have not posted one there.

To enable a trained and trusted adviser to provide you with detailed information/advice/instructions on malware infection they will need to "see" what is going on inside your machine and you will need therefore to follow the instructions on posting HJT logs in:
http://forums.tomcoy...hp?showforum=27
before an adviser can analyse your system and provide assistance. (The attachment you sent will not be of use to them as it's very difficult to read, let alone analyse.)

When your machine is declared free of undesirable elements please post back in this forum, when I am sure Dough will be pleased to offer you detailed advice on "slimming down" your system, thereby speeding it up.
Regards
paws

#5 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 05 September 2006 - 04:34 PM

Paws.........

http://forums.tomcoy...w...c=69037&hl=

Best Regards

#6 paws

paws

    Tech Team

  • Administrator
  • 6,088 posts

Posted 05 September 2006 - 04:41 PM

Hi Dough, thanks for the link. Yes, it is the same page that I was looking at. I have checked it a couple of times but there's no HJT log showing!! Very strange. If it's showing on your machine the problem must be at my end! I am off to bed now (nearly midnight here) but will fire up some of my other machines tomorrow and see what happens and, more importantly, what's visible then. Regards paws

#7 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 05 September 2006 - 04:52 PM

Paws,

You are correct that there is no HJT Log posted in the HJT Forum posting, just a rather well elaborated statement of the problem, much like JSass's first post in this Thread.

Of course, the first thing that the Expert is going to ask for is a full HJT Log.

To: JSass

If you decide to Run and Post your HJT Log, then I'd recommend that you "EDIT" it into your initial post.

I recommend this because the Experts look for HJT postings with zero (0) replies, on the assumption that if there has already been a reply, then it must have come from another HJT Expert who has decided to respond to the HJT problem. As a result, if your HJT Posting has one or two replies, and they were posted by YOU......... your log is likely to be ignored!

If the "EDIT" button has expired in your LOG posting, you can PM an Admin/Mod/Expert and ask them to help you complete the EDIT so you don't lose your place in line.

Otherwise, you could just wait until an Expert tells you to post your LOG.

Doug

Edit: I was not complete in my statement above. JSass "did" submit an "attached file" that contains the TEXT of his HJT Log, at the very bottom of his first Post in this Thread.... as follows:

Attached File(s)
hijackthis_LOG_FILE_090206.txt ( 8.55k ) Number of downloads: 3


WORD OF CAUTION: I don't know if there is an actual RULE about including "attached files" in these Forums, but I have occasionally noticed Senior Members replying "My browser will not correctly display your HJT Log from an Attached File. Therefore, please copy and paste the text of your complete LOG into your next Reply in this Thread."

I did "download" the "attached file", but I subjected it to "intense scanning" prior to opening it to read.
Doug

Edited by dough, 05 September 2006 - 05:36 PM.


#8 JSass

JSass

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 05 September 2006 - 09:12 PM

Doug,

the edit button on my initial posting has expired. When I click on the PM button, I receive an error indicating I am unable to use "this" feature. Maybe I am doing something wrong. In any event, here is my entire HJT log. I was under the impression that I was to just post a header, and then provide the entire log only if requested. I've not as of yet heard back from Webroot. If I am correct, I should work with them first, then repost? Please advise. Thank you.

Jeff



***********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 8:04:46 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Jeff Sass\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [HPLJ Config] "C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [*eulaas] C:\WINDOWS\system\eulaas.exe
O4 - HKLM\..\Run: [*cabkb] C:\WINDOWS\Driver Cache\cabkb.exe
O4 - HKLM\..\Run: [*mp3av] C:\WINDOWS\ServicePackFiles\mp3av.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [hklkegato] C:\WINDOWS\System32\tnqrav.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [DIAGENT] "C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" startup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AuthConsoleStart] c:\program files\cox\applications\app\cox.exe
O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152413742140
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#9 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 05 September 2006 - 10:24 PM

JSass, You've done nothing wrong. This is a help resource Forum which is available to new and experienced Members alike, with an open attitude extended to folks like yourself who present legitimate situations for resolution. I may have created an awkward situation for you with my suggestion about Editing in your HJT Log into the HJT Forum. I'll ask someone to look in to see if we can get this straightened out. I apologize for any inconvenience I may have caused you. I remain confident that you are on the right track to resolve the situation that you wish to resolve. Best Regards

#10 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 06 September 2006 - 03:09 PM

Hello Gentlemen :wavey:

dough has asked me to peek in on this thread.

It looks to me like you have remnants of a "StopGuard" infection, and one "unknown" piece of malware.

These appear to be a "StopGuard" infection:

O4 - HKLM\..\Run: [*eulaas] C:\WINDOWS\system\eulaas.exe
O4 - HKLM\..\Run: [*cabkb] C:\WINDOWS\Driver Cache\cabkb.exe
O4 - HKLM\..\Run: [*mp3av] C:\WINDOWS\ServicePackFiles\mp3av.exe

"Stopguard" is a real CPU hog.

This is the "unknown" malware:

O4 - HKLM\..\Run: [hklkegato] C:\WINDOWS\System32\tnqrav.exe

Unless these applications are KNOWN to be "friendly", here's what I suggest:

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it click >Options over to the left then >program options>Uncheck "load at windows startup"
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only

Don't run it yet.

Download Killbox from here:

Killbox.zip

Unzip it, but don't run it yet.

Copy the file names in the quote box below to the clipboard by highlighting them and pressing <Ctrl>C (hold the <Ctrl> key down, then press C):

c:\windows\driver cache\cabkb.exe
c:\windows\servicepackfiles\mp3av.exe
c:\windows\system32\tnqrav.exe
c:\windows\system\eulaas.exe


CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This!
Click "Do a system scan only".
Then "check" the box to the left of these item(s):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

F2 - REG:system.ini: UserInit=userinit.exe

O4 - HKLM\..\Run: [*eulaas] C:\WINDOWS\system\eulaas.exe

O4 - HKLM\..\Run: [*cabkb] C:\WINDOWS\Driver Cache\cabkb.exe

O4 - HKLM\..\Run: [*mp3av] C:\WINDOWS\ServicePackFiles\mp3av.exe

O4 - HKLM\..\Run: [hklkegato] C:\WINDOWS\System32\tnqrav.exe

O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then click "Fix checked".

Close Hijack This!

Now, run Killbox.

In Killbox select "Delete on Reboot".

Click File (in the upper left of Killbox), and choose "Paste from Clipboard".

Click the red dot with the white X in it, in the upper right of Killbox, then click "Yes", and "Yes" again.

The machine will reboot.

When the machine reboots, reboot in "safe" mode. <--- VERY IMPORTANT!!!

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All.
Click the Empty Selected button.
Close the program.

Delete this FOLDER:

c:\program files\ebates_moemoneymaker <--- FOLDER

Reboot in normal mode and "copy/paste" a new HijackThis! log file into this thread. :)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

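As an added example (not HijackThis code and not anything the helpers in this thread posted), the Python script below parses O4 Run-key lines like those quoted above and flags the two patterns that single out the StopGuard remnants and tnqrav.exe: a value name starting with an asterisk, which makes Windows run the entry even in Safe Mode, and an executable sitting in a Windows folder where legitimate autostart programs are not normally installed. The sample lines are copied from this thread; the allowlist of System32 programs is a constructed assumption.

```python
"""Triage of HijackThis O4 (Run key) lines.

Added example for this thread, not HijackThis code: it parses the O4 lines
that HijackThis prints for HKLM/HKCU Run values and flags the two patterns
behind the entries singled out above. Sample lines are copied from the
thread; the System32 allowlist is a constructed assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: a subset of the O4 lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HPLJ Config] "C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [*eulaas] C:\WINDOWS\system\eulaas.exe
O4 - HKLM\..\Run: [*cabkb] C:\WINDOWS\Driver Cache\cabkb.exe
O4 - HKLM\..\Run: [*mp3av] C:\WINDOWS\ServicePackFiles\mp3av.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [hklkegato] C:\WINDOWS\System32\tnqrav.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
"""

# O4 line for a Run value: hive, [value name], command line.
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
QUOTED_EXE = re.compile(r'^"([^"]*)"\s*(.*)$')
# Unquoted paths may contain spaces (C:\WINDOWS\Driver Cache\...), so cut at the first ".exe".
BARE_EXE = re.compile(r"^(.*?\.exe)\s*(.*)$", re.IGNORECASE)

# Windows folders in which legitimate software does not normally place an
# autostart executable; the three below are the ones seen in this log.
ODD_WINDOWS_DIRS = {r"c:\windows\system", r"c:\windows\driver cache", r"c:\windows\servicepackfiles"}
SYSTEM32 = r"c:\windows\system32"
# Constructed allowlist: System32 programs that legitimately appear in Run keys.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}


@dataclass
class RunEntry:
    hive: str   # HKLM or HKCU
    name: str   # registry value name, e.g. "*eulaas"
    exe: str    # executable as HijackThis printed it
    args: str   # remainder of the command line


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments."""
    m = QUOTED_EXE.match(cmd) or BARE_EXE.match(cmd)
    if m:
        return m.group(1), m.group(2)
    head, _, tail = cmd.partition(" ")
    return head, tail


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Return the Run-key entries; Global Startup .lnk lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            exe, args = split_command(m.group(3))
            entries.append(RunEntry(m.group(1), m.group(2), exe, args))
    return entries


def assess(entry: RunEntry) -> List[str]:
    """Reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    if entry.name.startswith("*"):
        # Windows also runs asterisk-prefixed Run values in Safe Mode.
        reasons.append("value name starts with '*': runs even in Safe Mode")
    directory, _, basename = entry.exe.lower().rpartition("\\")
    if directory in ODD_WINDOWS_DIRS:
        reasons.append(f"executable in {directory}, not a normal autostart location")
    elif directory == SYSTEM32 and basename not in KNOWN_SYSTEM32:
        reasons.append(f"unrecognised System32 executable {basename}")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons."""
    flagged = {}
    for entry in parse_run_entries(log_text):
        reasons = assess(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in reasons:
            print("   -", r)
```

Run against the sample it flags exactly the four entries Micah listed (the three asterisk-prefixed StopGuard values and hklkegato) and leaves the HP, NVIDIA, Dell and ctfmon entries alone.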


#11 JSass

JSass

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 06 September 2006 - 10:02 PM

Doug, Micah:

With a few challenges on my part, I think I was successful in completing the above instructions. If need be, I will do it again. Per your request, below is my latest HJT log file. Please advise. Thank you.

Jeff.

***********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 8:40:51 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeff Sass\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [HPLJ Config] "C:\Program Files\Hewlett-Packard\hp LaserJet 3015_3020_3030_3380\SetConfig.exe" -c Direct -p DOT4_001 -pn "" -n 1 -l 1033 -sl 120000
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DIAGENT] "C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE" startup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AuthConsoleStart] c:\program files\cox\applications\app\cox.exe
O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mail...or/instmtdr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152413742140
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
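
An added triage helper for the HijackThis log quoted above (example code, not from the forum or from the HijackThis project): it parses the `Oxx - ...` entries, groups them by section, and flags the items a reviewer looks at first (orphaned `(file missing)` entries, services with an unknown owner, shortcuts whose target could not be resolved, Winlogon Notify DLLs, downloaded ActiveX controls). The sample log is an excerpt of lines from the post above; the section descriptions and flag names are this example's own.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not page code)."""
import re
from collections import defaultdict

# One HJT entry: a section code such as O4 or R1, " - ", then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

# Subset of HijackThis section codes and what each one lists.
SECTIONS = {
    "R0": "IE start/search page (HKLM)",
    "R1": "IE start/search page (HKCU)",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "Autostart entry (Run key / Startup folder)",
    "O9": "IE extra button / Tools item",
    "O16": "Downloaded ActiveX control (DPF)",
    "O20": "Winlogon Notify DLL",
    "O23": "Windows service",
}

# Excerpt of lines from the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def triage_flags(code, body):
    """Heuristic flags a reviewer wants before deciding what to fix."""
    flags = []
    if "(file missing)" in body:
        flags.append("file-missing")            # orphaned registry entry
    if code == "O23" and "Unknown owner" in body:
        flags.append("unknown-owner-service")   # no vendor info on the binary
    if code == "O4" and body.rstrip().endswith("= ?"):
        flags.append("unresolved-shortcut")     # HJT could not read the .lnk target
    if code == "O20":
        flags.append("winlogon-notify")         # DLL loaded at logon; persistence spot
    if code == "O16" and body.lower().endswith(".cab"):
        flags.append("activex-download")        # code installed from the web
    return flags


def parse_hjt(text):
    """Return one dict {code, section, body, flags} per HJT entry found in text."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                            # skip headers, blank lines, paths
        code, body = m.group("code"), m.group("body")
        entries.append({
            "code": code,
            "section": SECTIONS.get(code, "other"),
            "body": body,
            "flags": triage_flags(code, body),
        })
    return entries


def summarize(entries):
    """Count entries per section code, e.g. {'O4': 2, 'O23': 2, ...}."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["code"]] += 1
    return dict(counts)


def flagged(entries):
    """Only the entries that carry at least one triage flag."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for e in flagged(parsed):
        print(f"{e['code']} [{', '.join(e['flags'])}] {e['body']}")
```

Run it against a saved HijackThis log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`. The flags only prioritise review; an entry such as the NVIDIA service is unflagged because it is fully attributed, while the Netropa service is surfaced because HJT could not name its owner, which is a prompt to verify the binary, not a verdict.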

#12 Doug

Doug

    Retired Administrator -Tech Team

  • Tech Team
  • 10,057 posts

Posted 06 September 2006 - 11:34 PM

JSass, what changes, if any, have you noticed in the operation of your machine since completing the HJT instructions posted by Micah? Doug
The help you receive here is free.
If you wish, you may Donate to help keep us online.

#13 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 07 September 2006 - 05:24 AM

From my point of view, it appears your endeavors were successful. :thumbup:

I hope you have noticed an improvement.

The files that Killbox removed can now be found in this folder:

C:\!Killbox

When you, Doug, and paws are satisfied that they are no longer necessary, you may delete that folder.
:)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#14 JSass

JSass

    Authentic Member

  • Authentic Member
  • 21 posts

Posted 07 September 2006 - 07:55 PM

Still slow on startup. Even email takes a good amount of time to load. At one point, it seemed somewhat fine, in terms of speed. Over the past few months, it just seems slower. With this system, I read email, surf the net, and create documents using MS applications ... no video editing, photography, etc. Ultimately, I would like for it to run at peak performance where I press the "on" button and within, say, 30 seconds I can access my desktop. You know, there is a Windows 98 system in the house that boots up and runs a lot faster than this system. Your thoughts? Jeff

#15 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 07 September 2006 - 08:08 PM

Never mind... Open mouth, insert foot... :oops:

Edited by Micah_6:8, 07 September 2006 - 08:10 PM.

