LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: ramblinrose on April 14, 2006, 04:44:50 AM

Title: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 04:44:50 AM
Logfile of HijackThis v1.99.1
Scan saved at 11:32:03 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CalendarPal\CalendarPal.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thundercloud.net/start/z.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: &2 Customize Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Start Smileycons - {C64A8F17-F16A-4a35-9618-B3A250D9EF2B} - C:\Program Files\Smileycons\smileycons.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start Smileycons - {C64A8F17-F16A-4a35-9618-B3A250D9EF2B} - C:\Program Files\Smileycons\smileycons.exe (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125895254671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37470.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4834170-7D58-4A1F-807E-592FBA1EFCD0}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I hope I got this right....I will post next one to explain my problem....Rose
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 05:03:45 AM
Hello! Someone recommended that I come here for help, saying you are the best... I hope you can help me... First, I read your log instructions; I didn't know I should have shown hidden files first before I used *HijackThis*. Should I start over? Also, I am not sure about using highjacklog2. Does that mean it is for the next log? This is my first log and the next one will be highjacklog2, is that right?

The reason is I am having problems with my PC that I can't fix because I don't know. It happened on Tuesday night... I opened the My Documents folder; I wanted to move a file into a folder, so I selected *move this file* in the left-hand column under File and Folder Tasks. When I clicked it, the hourglass came on and it got hung up; it wasn't responding. I had to use Task Manager to end it. Same thing with *copy this file*. BUT all the others work fine, like *delete this file*, *make a new folder* and *email*, except these 2: *move this file* and *copy this file*. I don't understand why...

I downloaded recent Microsoft updates Tuesday. All my programs updated...

I had a virus show up on Tuesday or Wednesday, I can't remember for sure... also trojans. I have Avast, which deleted that virus. I could tell you more, but I don't know if you need to know everything as it could get very long, so I will just wait to hear from you first. Thank you very much!! :? Rose
Title: Re: Highjack this log, please...my first time
Post by: Die Hard on April 14, 2006, 05:57:39 AM
ramblinrose, hello and welcome. :)

Quote: Someone recommended to me that I should come here for help by saying you are the best...I hope you can help me

Don't know for sure about that, but we'll try to do our best :thumbsup:

Nothing much is showing in your log, except that you have entries that indicate you are/have been hijacked by "SpyFalcon/Winfixer/SpyAxe", all rogue, deceptive anti-spyware programs.

Please start by going to your control panel and "Add/Remove programs" and see if you find any of the above and uninstall it.

Then run HiJack This and checkmark those details, click "fix checked" and click yes to the prompt that follows:
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4834170-7D58-4A1F-807E-592FBA1EFCD0}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19


Then click (Windowskey+E) and in the toolbar click "Tools>Folder options" and under tab "View" checkmark "Show hidden files and folders" and uncheck "Hide protected system files" and "Hide file extensions for known filetypes".

Now reboot into safe mode (press the F8-key repeatedly on bootup) and run the Ewido program. Run a full system scan and on the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".
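
An added example, not part of the original thread or of HijackThis itself: the check behind the O17 advice in the post above, written in Python. It pulls the static NameServer values out of a HijackThis log, reports any resolver outside an expected range together with the registry keys that set it, and confirms against a follow-up log that the entries are gone. The expected range (192.168.1.0/24) and the function names are assumptions made for the illustration; the log lines are the ones posted in this thread.

```python
import ipaddress
import re

# HijackThis section O17 line carrying a static DNS server list, e.g.
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>HK[A-Z]+\\.+?): NameServer = (?P<servers>.+)$")

# Assumption for this example: the machine should only use resolvers on its own LAN.
EXPECTED = ["192.168.1.0/24"]

# O17 lines from the first log in this thread, plus the line that follows them.
BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4834170-7D58-4A1F-807E-592FBA1EFCD0}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C994337-D59A-4250-A130-473C470C8A06}: NameServer = 85.255.113.94,85.255.112.19
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# The same region of the second log in this thread (no O17 lines remain).
AFTER = r"""
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if match:
            servers = [s for s in re.split(r"[,\s]+", match.group("servers")) if s]
            entries.append((match.group("key"), servers))
    return entries


def unexpected_resolvers(log_text, expected):
    """Map each resolver outside the expected networks to the keys that set it."""
    networks = [ipaddress.ip_network(n) for n in expected]
    findings = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
                trusted = any(addr in net for net in networks)
            except ValueError:
                trusted = False  # a value that is not an IP address is reported too
            if not trusted:
                findings.setdefault(server, []).append(key)
    return findings


def still_present(before, after, expected):
    """Resolvers flagged in the first log that the follow-up log still contains."""
    flagged = set(unexpected_resolvers(before, expected))
    return sorted(flagged & set(unexpected_resolvers(after, expected)))


if __name__ == "__main__":
    for server, keys in sorted(unexpected_resolvers(BEFORE, EXPECTED).items()):
        print(f"{server}: set in {len(keys)} key(s)")
        for key in keys:
            print(f"    {key}")
    remaining = still_present(BEFORE, AFTER, EXPECTED)
    print("still present after fix:", remaining or "none")
```

The same interface GUID appears under CCS, CS1 and CS2 in the first log, so the per-key listing shows that every control set carried the setting, not only the active one.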
Title: Re: Highjack this log, please...my first time
Post by: SpiritWind on April 14, 2006, 07:28:12 AM
:D Hi all:

I am the one who "referred" Rose from the Avast Antivirus Forums. After you get her clean hopefully it will "resolve" her Avast "problems"!?
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 08:09:27 AM
Logfile of HijackThis v1.99.1
Scan saved at 3:14:44 AM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\system32\verclsid.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thundercloud.net/start/z.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O8 - Extra context menu item: &2 Customize Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
O8 - Extra context menu item: &7 Fill Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
O8 - Extra context menu item: &8 Save Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &7 Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &8 Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: RF toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra 'Tools' menuitem: &9 Robo Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Start Smileycons - {C64A8F17-F16A-4a35-9618-B3A250D9EF2B} - C:\Program Files\Smileycons\smileycons.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start Smileycons - {C64A8F17-F16A-4a35-9618-B3A250D9EF2B} - C:\Program Files\Smileycons\smileycons.exe (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125895254671
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37470.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         3:01:22 AM, 4/14/2006
+ Report-Checksum:      A19AD67D

+ Scan result:

   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000264.ocx -> Adware.Coupons : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000265.exe -> Downloader.Agent.tc : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000266.exe -> Adware.Casino : Cleaned with backup


::Report End
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 08:28:29 AM
OK, now that took over an hour! Whew.... I am glad I did it!! :D It was the very first time I was in safe mode (woohooo); now that was scary, but I did it because I want my PC to get better! I see that 3 sneaky bugs were back but in different locations. Hopefully they're gone for good!! After it was done, I put a check back on *hidden files and folders*. I can see my PC was not happy I was doing this, because on the bottom I can see I have 5 windows from my computer!! Is that normal? So does that mean I have to uncheck those *hidden files and folders* every time I want to scan with ewido??? If you tell me that I don't have to, then please tell me why I have 3 files showing up on my desktop? They are desktop.ini, hpothb07.tif and hpothb07.dat. I turned it back on to hide them and those 3 disappeared, and I know they went back to where they were.

I have another question: when I went to Add/Remove Programs to look for any suspicious programs I saw none, but I did see 2 HijackThis programs! I don't know how I did that when I know I only downloaded one and clicked setup one time. I am confused... OK, if you can help me with my Avast (another problem): I can't select folders to scan; it won't click or respond, and the hourglass stays on till I have to use Task Manager to end it. If you can't help me then I will write tech support@avast.com. I will be back later to hear what you have to say.... One more question: I don't have to turn off System Restore when I scan, just in case it is infected? I can put them in quarantine, no need to turn off System Restore? If getting rid of them, then I can reboot to have them gone and go back to turn on System Restore. What do you recommend? Thank you for helping me... I will be back as soon as I know if I still have problems using that *move this file* option. Hugs, Rose :flowers:
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 08:37:24 AM
I forgot to ask.... what about these 2? I don't use McAfee anymore, and the other one? I will wait... I don't know what I am doing. I depend on your expertise... :) Hugs, Rose


O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 08:48:27 AM
OK, I am back and I am sad to say that I still have the same problems: not able to select *move this file* or *copy this file*, and the same with Avast.... :( :help: Rose
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 14, 2006, 10:24:57 AM
Die Hard is away for a few days, and asked for someone to step in. :)

Well, for one, I see you have 2 anti-malware software running at startup.... The same goes with the usual advice of no 2 anti-viruses at the same time, nor firewalls. This is for one reason really: conflict.

Did you pay for SpySweeper? If you did, I would uninstall Microsoft Anti-Spyware (since it's free, and can be easily re-downloaded) & stop ewido from starting up at boot up. (To do this, simply "fix", using the same way as you did before, these two entries)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe


On the other hand if you didn't pay for SpySweeper, uninstall SpySweeper and Microsoft Anti-Spyware and use ewido for the 14-day trial, once it's over decide go and re-install Microsoft Anti-Spyware.

You can get rid of those two O16 entries if you like, they'll be re-downloaded when necessary.

Quote: desktop.ini, hpothb07.tif and hpothb07.dat

Is this an HP (Hewlett Packard) computer? Desktop.ini is a normal Windows file, basically it is a hidden file that tells Windows how to display a certain folder, in this case the Desktop (since in reality, the Desktop is a normal folder). The other two are believed to be HP-related files.

Also, with Avast it may be worth re-installing it, if that hasn't been tried already.
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 11:00:21 AM
OK, so you are telling me that I have 2 anti-malwares? I wasn't aware of that. Which one was it? I paid for SpySweeper for 2 years and I am keeping that. So I guess I will have to uninstall Microsoft Anti-Spyware. I will miss that one because it did a good job alerting me to what's happening... I downloaded ewido Wednesday night when I started to have problems with my PC and Avast. I read somewhere that ewido is compatible with all the programs I have; that's why I went ahead and installed it... I didn't know. So to prevent ewido from starting up, use that *fix* from HijackThis?



On the other hand if you didn't pay for SpySweeper, uninstall SpySweeper and Microsoft Anti-Spyware and use ewido for the 14-day trial, once it's over decide go and re-install Microsoft Anti-Spyware.( I don't know how to use quote)

I am not sure I understand that one... to stop ewido from starting up (I understand), but stop guard too? Will I still get auto updates if I stop guard? I thought I could click inactive inside ewido?

I have a DELL PC and the HP is for my printer-scanner.

No, I haven't tried uninstalling Avast yet. If I do, I just have to go register again? Also, I should try to use Add/Remove first and after that use search for files and folders, making sure it's gone? Then use the Avast setup I saved again, and I can use the same register #? I still have it... What to do? I have never done this, that's why I am asking so many questions. I apologize.... Rose
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 14, 2006, 11:54:18 AM
Sorry, maybe I should try explaining better next time. Yes you have 3, in total, anti-malware software running at startup, and they will conflict and cause random things to happen. You will get the same problem if you run two Anti-Viruses & firewalls at the same time. While all three of these are perfectly good programs and provide excellent protection it isn't at all good to have all three running at the same time.

In fact, I didn't know you could make its real-time protection inactive without disabling its service...anyway launch its main program & where it says 'Real-time Protection', simply click it to change it to 'inactive'. Uninstall MS Anti-Spyware. SpySweeper has its own real-time protection anyway (I assume you have it enabled?). Forget about fixing those entries, it will only confuse things more!

Since you have a HP Printer/Scanner, that explains the other two files.

As for Avast, the registration number is usually sent by e-mail. Do you still have that e-mail? If so, then go ahead into Add/Remove programs and uninstall it. Yes and go through the files/folders to make sure it's gone. Clean out the temp folders too...the easiest way of doing this is by using CCleaner... (If you haven't got that e-mail, note down the registration number in Notepad and save it, or simply onto a piece of paper)

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here (http://www.ccleaner.com/downloadbin.asp?f=1) to clean temp files from your computer.
Once that's done, restart the computer. Once back into Windows after the restart, re-install Avast. You enter your registration key by right-clicking on the Avast Scanner icon down in the system tray (next to the system clock), click 'About Avast...', a new dialog box opens. Click 'License Key...', enter in your registration number you have (either by manually typing it in, or copy/pasting it in).

I realise it's a lot to do, so let me know how you get on. :)
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 10:27:54 PM
OK I am a big mess now... :? I feel sick What have I done to my poor pc?

Last nite after reading your advices, I uninstalled microsoft anti-spyware. I *fixed* (highjack) 2 entries 016 and 2 entries 023 (ewido). Now you tell me I can just click inactive in ewido.... :( Too late I already done it. Pleaseeee, I depend on your expertise to help me. I don't know what I am doing. I need step by step instructions. I wrote to support avast and I received it today. He advised me to download their removal tool utility so I did that and reinstalled avast. I was very disappointed that new avast still did not help...still cannot click folders to scan ...same as old avast. I don't understand what is happening????

How come CCleaner doesn't show up on Highjack log? I already have ccleaner and I used it for over a year. I used it to clean out junk every nite before I go to bed.

I will be back later after I am calmed down...Rose
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 14, 2006, 10:52:29 PM
Calm down & think things through slowly :)

Doesn't matter about the two entries being fixed, here's how to fix it:

Click Start > Run> type this in and press 'Ok': services.msc

Scroll through the list until you find: ewido security suite control

Right-click on it and select 'Properties'. A new window will appear. Change the 'Startup Type' to 'Automatic' and hit the 'Start' button. Click 'OK' and the window will exit. Do the very same for this service: ewido security suite guard. Now go and make sure ewido's real-time protection is off.

CCleaner won't show up on the HijackThis log because it isn't usually running at startup...it is simply a program that is launched, usually, only when needed.

I'm not an expert on Avast. What happens when you try and select the folders for Avast to scan? Does the program hang and eventually say "Not Responding"?
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 14, 2006, 11:02:30 PM
OK I think I am a little calm now...sorry about that...I will do that what you suggest. I know now... I will not buy ewido I won't need that guard after all I have spysweeper is good until next year.

Yes avast program hung and not responding.....same with my Documents folder, I clicked *move this file* or *copy this file* problems started Tues nite...Everything else work ok and I don't understand these problems. What could be causing it? That's why I have this Highjackthis started here. I was at avast forum before I came here. They couldn't help me. I will be back later as soon as I do what you suggested. Rose
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 15, 2006, 02:59:48 AM
OK I did what you suggested I should do and ewido is ok but disable guard this time. What am I going to do with avast not being able to click folders to scan and program hangs up? And my pc too? I don't know what was going on with my pc? My pc can do everything else except click move or copy this file in My Docs folder and click folders to scan in avast? Very confusing acting like that....Rose  :( :help:
Title: Re: Highjack this log, please...my first time
Post by: mitch on April 15, 2006, 05:03:25 AM
hi ramblinrose

you have the two best HJT experts helping you
and it might take a bit of time
i think you will be surprised at the timezone differences
but i do think they can help you so just give it some time and take a deep breath you are in good hands !

NOTE: if SpyDie said stand on your head and gargle peanut butter while humming the MS log on chant i would do it knowing it would fix my trouble ;-)

it will take time so just hang in there ok?
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 15, 2006, 05:17:47 AM
Thank you Mitch for comforting words... I am calmed now...At least I can use my pc but I just didn't like it when I know something is wrong even minor thing like *move this file* I hated it when program hangs. To make matters worse, Avast is working, I still can't click on folders to scan. I am already over at avast forum asking for help and already did email support twice after I installed new avast letting them know their program still hangs when I click on folders . I am waiting to hear from them. Doesn't make sense you know? I am not downloading anything for now not even open emails with attachments. I have to be extra careful now. Rose  :rose:
Title: Re: Highjack this log, please...my first time
Post by: mitch on April 15, 2006, 04:23:39 PM
hi again
if the avast folks have you do anything unusual post it here so spydie will be up to date on what is happening ok?
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 15, 2006, 04:45:12 PM
Quote:
NOTE: if SpyDie said stand on your head and gargle peanut butter while humming the MS log on chant i would do it knowing it would fix my trouble

LOL, thanks mitch! :)

ramblinrose,

Did a Windows XP CD or a Recovery CD come with your computer? If it did, I'll give you some instructions...Windows XP can try and detect any corrupt system files and replace them with fresh copies...

Click Start > Run > type in this and press OK: sfc /scannow

A dialog box will appear saying that basically Windows will try and detect any corrupt system files...if it does come across a corrupt file, it'll prompt you for the location of a fresh copy. If you had a Windows XP or a Recovery CD, put that in when it asks for the location and click OK. If not, then click the 'browse' button and navigate to your I386 folder. This will be either at C:\WINDOWS\I386, C:\WINDOWS\System32\I386 or C:\I386. If still no go, simply click cancel and we'll try something else.

Also one more thing to try for me please, click Start > Run> type in this and press OK: services.msc

Scroll through that list that appeared until you find "Windows Image Acquisition". When you do, double-click on it and its properties window will appear. Can you tell me if it's started and if its startup type is set to 'Automatic'? If it isn't started, press the Start button and if it isn't set to Automatic, please change it to Automatic...

See also what the Avast experts can come up with.

Let me know how you get on.
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 15, 2006, 11:51:38 PM
Hi spydie, Sorry I haven't been on pc all day till now I wasn't feeling well and I think that's because I have been at it for 4 days and nites. So here I am ready...I have looked for it what you asked. All I have is reinstallation CD Windows XP Home Edition including service pack 1a from Dell. I bought this pc 2 years ago. Now I have service pack 2 from Microsoft updates. So you still want me to try sfc /scannow? Again I never done that one.

Also I did services.msc and looked. I didn't have to double click on it when I saw windows image acquisition. It says started and automatic...

What did you think about new microsoft updates I had on Tues? I had 7 updates and I was wondering that's what caused it because that's when my problems started. Someone suggested I should uninstall *KB911567 security update* to see if that was the problem. It seemed a lot of people are having problems too. If that update was not the problem then I can go back to microsoft reinstalling update. But I want to hear what you say about that so I will wait for you. It's just that when I used system restore last time everything worked and then few hours later I went to microsoft.com to install new updates again. Now I have same problems again so I was suspicious that updates might be responsible but I could be wrong....I will be back later to see if you post back... :?

Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 12:09:50 AM
Hi I am back here again to give you more info...someone contacted me thru other forum and asked me to check this out that might be the same problems and I will send a link for you to read... http://forums.techarena.in/showthread.php?t=494711

I do have HP scanner/printer on my pc and funny thing is my laptop do not have HP scanner/printer. So my laptop is running normal with no problems after installed updates Tues. That's why I didn't think it was updates responsible but now I know it was because of HP....please advise me what to do. I will wait for your expertise  :)
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 02:09:14 AM
http://support.microsoft.com/gp/assistsupport

I got this page blank can anyone see it? I am trying to find out if latest updates are causing my problems to see if I can get it fixed.

Or I may have to uninstall 2 updates KB908531 and KB912812 but I want to wait to hear what experts have to say

I have Zone Alarm firewall (free) and HP printer/scanner I don't know what else you need to know?
Title: Re: Highjack this log, please...my first time
Post by: mitch on April 16, 2006, 02:17:06 AM
hi ramblinrose

i re read your post and if i was you i would uninstall those two,
worse case you can re-install by ie/tools/windows update

or by going to their download site, or doing a google search of the KB.
looking at the timeline of the trouble

note i got hit with a update about 3 years ago that was a critical and caused me many days of grief !!!!
now before i do a install of a update i see if it can be removed, and if not i usually wait a week or two and see what is going on ;-)
mitch

you know to go to add/remove programs in the control panel and at the top of that box to check "show windows updates" sorry i can't quote it as i am on my linux box now but that should be darn close to what it says ;-)
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 03:27:41 AM
Well I will see if I can uninstall 2 updates KB908531 and KB912812 but I am nervous what will happen. I already did system restore once and then I installed updates again with no problem....but NOW I have same problems again...making me wish I didn't do latest updates right away ....OK I will give it try but I think I will wait few days and see how it goes with others giving me advices...I learned not to rush now. I made few mistakes but no more this time I will wait. Yes mitch I can totally understand what you are going through like I am right now...It's hell!! This is very first time happen to me.

I haven't heard from avast experts yet  :( I think they are avoiding me  :? Rose
Title: Re: Highjack this log, please...my first time
Post by: mitch on April 16, 2006, 04:26:15 AM
ya i read that stuff and got bad vibes from it ;-D


now when the dust settles on this you might want to talk to me about your system and we can do some things to make it safer??
unless you already have spywareblaster and a few other things? but that is after you are up and running again

those two should be able to be uninstalled with add/remove...i checked before i updated and read that all of this month's "patch tuesday" were uninstallable with add/remove
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 07:00:38 AM
I clicked to remove KB908531 first...A box came up says that programs might not work properly are ewido, highjackthis, KB911562 and KB912812...I clicked cancel...Sooo now what? I don't care about ewido and highjack I can always download them again. Will you tell me proper way to remove these programs? These programs have backups. Or should I wait for microsoft solving problems? I can't do these registry I don't know what I am doing unless someone can tell me step by step that I copy and paste so I won't miss a step.....that's me  :shock:

Here are my programs I have on my pc:
avast
zone alarm free
spysweeper (paid)
spywareblaster
winpatrol
spybot (no tea timer)
ewido (no guard on)
ad-aware se free
ccleaner
highjackthis

Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 16, 2006, 12:26:25 PM
Ahhhh, you are correct. It is that update causing the problems;

http://tinyurl.com/n3a5j

Which, led to this MS article being published;

http://support.microsoft.com/?kbid=918165

Uninstalling that update will cause the others to fail because it seems they all rely on each other. First though, can you try the resolution posted on that MS article above? It's pretty simple but in case you need more detailed step-by-step instructions read below (I made the instructions more detailed and clear). If that resolution posted doesn't work, uninstalling the updates that caused this problem will be the way to go :).

I've written a quick VBS file to do the registry changes for you. It's attached to my post, all you have to do is download it, and run it. It'll display a Message Box saying "Done" when it's done - it will take one second...

Once it's done, as the MS article says:

Quote:
8. Use Task Manager to end the Verclsid.exe process or restart the computer.

So, launch Task Manager (one easy way is to click Start > Run > type in taskmgr and click OK). The Windows Task Manager will appear. Click the 'Processes' tab. Try and find this process in that list: Verclsid.exe. Once found, click on it once to 'highlight' it, and then click the 'End Process' button. Click Yes to the confirmation prompt & restart the computer. If you can't find Verclsid.exe in that list, keep looking and if you are totally sure you can't find it then just go ahead and restart the computer.

If this doesn't help, then I'll walk you through the process of removing the updates.

[attachment deleted by admin]
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 07:19:04 PM
First I would like to say HAPPY EASTER! As for me , I am still a mess...I read your post carefully...making sure I understand... I am supposed to download your VBS file and when it's done THEN bring up windows task manager and find verclsid.exe and click end process? I can do that but won't that mean I can't use my HP printer/scanner again? Or everytime I restarted, HP printer/scanner will start up again then I have to use windows task manager again? Is that right?

No I didn't try to use what Microsoft suggests I do to go into registry.I am scared to go in there. I know myself I might make it worse. So VBS file of yours is supposed to do that for me? I think it is but I am not sure... I will be back to see if you post back... Rose
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 16, 2006, 07:39:55 PM
Quote from: ramblinrose on April 16, 2006, 07:19:04 PM
First I would like to say HAPPY EASTER! As for me , I am still a mess...I read your post carefully...making sure I understand... I am supposed to download your VBS file and when it's done THEN bring up windows task manager and find verclsid.exe and click end process? I can do that but won't that mean I can't use my HP printer/scanner again? Or everytime I restarted, HP printer/scanner will start up again then I have to use windows task manager again? Is that right?

Thank you, Happy Easter to you & your family also :)

Yes you are to do exactly that :) No, you won't have to use the Task Manager again nor will the printer/scanner stop working. VERCLSID.EXE is a program which validates shell extensions before they are ever launched or used by another program (such as Windows Explorer). This program was created with that latest MS update you installed. This program can have a whitelist, and therefore everything on this whitelist it will ignore & leave it to do its "thing". Basically, all that is required is adding the HP's Shell extension to this whitelist so the VERCLSID.EXE program won't scan it & stop it from working.

The VBS file I included with my post is indeed going to change the registry for you, as per that article. If the registry changes still don't work (because it seems it hasn't worked for everyone) then uninstalling the update(s) altogether is the next step.
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 07:45:29 PM
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windowsupdate

I neglected to tell you that I also have HP share to web but I didn't think of it because I don't use it anymore, I didn't like it...It was taking too long to upload pics. Anyway, I have HP share to web icon on my desktop that's how I know I have that...SO I can still go ahead to do your VBS file? or use that patch? I know I am confused but I gotta make sure!!!!
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 16, 2006, 08:02:50 PM
Quote from: ramblinrose on April 16, 2006, 07:45:29 PM
I neglected to tell you that I also have HP share to web but I didn't think of it because I don't use it anymore, I didn't like it...It was taking too long to upload pics. Anyway, I have HP share to web icon on my desktop that's how I know I have that...SO I can still go ahead to do your VBS file? or use that patch? I know I am confused but I gotta make sure!!!!

Just had a look at that patch...it does exactly the same as what my VBS file does, just in a different format. You can use either one...they both do exactly the same thing.
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 08:22:06 PM
I will use yours I trust you  I will be right back  :) Rose
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 16, 2006, 08:50:55 PM
 :flowers:  :hug: HALLELUJAH!!!!!!!! Everything is working including avast!!! I looked at task manager to find Verclsid.exe and it wasn't in there at all. I looked carefully and I decided to check in My Documents folder to see if it is working anyway....I was so happy to see no more hangs!!! It worked and I checked avast also working great!! Oh my!!! You should see me dancing around  :lol: Then I went ahead reboot making sure....My only regret is that I took off avast then installed another avast, that was totally unnecessary but no one knew. I was right all along when my suspicion was that it happened after new updates. Now I will go post in avast forum and tell them! They avoided my posts after I told them installed new avast didn't help. YOU HELPED ME!!! THANK YOU!!!!!!! You bet I will be a loyal member here.  :thumbsup: I won't forget ever! God bless you! You saved me money from going to *repair shop* I knew it has to be something easy to fix. Now you know why my friends called me *ramblinrose*  :lol: Can you tell I am happy?  :hysterical: Take care, SpyDie big hugs to you, Rose PS I forgot to ask..what about vbs file? I should delete it or save it to where?
Title: Re: Highjack this log, please...my first time
Post by: SpiritWind on April 17, 2006, 12:30:45 AM
 :firefox:  Rose :

   Remember I was the one who told you about this great Forum !
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 17, 2006, 03:50:33 AM
Yes you did, Spiritwind...I thank you very much and thank you mitch for helping me and thank you DieHard. Most of all, thank you thank you SpyDie!!!!! Now what I can do about your VBS file? Should I save it? hugs, Rose
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 17, 2006, 09:15:15 AM
Quote from: ramblinrose on April 17, 2006, 03:50:33 AM
Yes you did, Spiritwind...I thank you very much and thank you mitch for helping me and thank you DieHard. Most of all, thank you thank you SpyDie!!!!! Now what I can do about your VBS file? Should I save it? hugs, Rose

Thought I responded to your post last night, obviously I didn't hit the 'post' button!

Anyway, glad all is working OK for you now. Happy to help :)

As for the VBS file, it is not needed anymore, you can delete it safely  :)
Title: Your VBS file
Post by: SpiritWind on April 17, 2006, 03:26:56 PM
 :hammy:   SpyDie :

   Does your VBS file "replace" all or part of Microsoft's "Resolution" for KB908531,
   shown as follows :

  "RESOLUTION
• Hewlett-Packard's Share-to-Web software. The MS06-015 (908531) (http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx) security update includes a "white list"; VERCLSID.EXE will not scan any extension that appears on this list. Adding the HP shell extension corrects the problem. Manually edit the registry:
1. Log on to the computer with an account with administrator privileges.
2. Click the Start button and then click Run.
3. Type Regedit and then click OK.
4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
5. Right-click "Cached", point to New, click "DWORD Value", and then enter: {A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401
6. Set the Data of this value to 1
7. Close the Registry Editor.
8. Use Task Manager to end the Verclsid.exe process or restart the computer."

   Which of Steps 1 through 8 does it replace ? I ask because if others on the Avast
Antivirus Support forums have similar problem(s), I would like to recommend your
"VBS file" !?

Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 17, 2006, 08:12:42 PM
Quote from: SpiritWind on April 17, 2006, 03:26:56 PM
  Does your VBS file "replace" all or part of Microsoft's "Resolution" for KB908531,
   shown as follows :

  "RESOLUTION
• Hewlett-Packard's Share-to-Web software. The MS06-015 (908531) (http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx) security update includes a "white list"; VERCLSID.EXE will not scan any extension that appears on this list. Adding the HP shell extension corrects the problem. Manually edit the registry:
1. Log on to the computer with an account with administrator privileges.
2. Click the Start button and then click Run.
3. Type Regedit and then click OK.
4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
5. Right-click "Cached", point to New, click "DWORD Value", and then enter: {A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401
6. Set the Data of this value to 1
7. Close the Registry Editor.
8. Use Task Manager to end the Verclsid.exe process or restart the computer."

   Which of Steps 1 through 8 does it replace ? I ask because if others on the Avast
Antivirus Support forums have similar problem(s), I would like to recommend your
"VBS file" !?



Basically my VBS file simply does the registry change Microsoft details in that article. So, in effect, when using the VBS file I created, the user will have to launch that one file instead of doing the steps 1 - 7. Step 8, which is terminating the VERCLSID.exe process can be done manually or done by scripting but seeing as it doesn't seem to matter whether or not it is done, I didn't bother including it in my script. (With ramblinrose the process wasn't there anywhere, so she rebooted the computer, and it worked perfectly. So 'killing' that process isn't necessarily needed)

Sure go ahead and recommend it, it's a simple file, anyone could have created it :) Hopefully it will help others.
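The registry change from steps 4 to 6 of the quoted Microsoft resolution, written out as an added example so the change can be read before it is run. This is not SpyDie's attachment (the forum removed it) and not Microsoft's code; it uses the WMI StdRegProv registry provider, and the `/check` switch, the exit codes and the file name in the comment are choices of this example.

```vbscript
' Added example, not the script attached to this thread.
' Adds the HP Share-to-Web shell extension to the VERCLSID.EXE white list,
' as in steps 4-6 of the Microsoft resolution quoted above.
' Run from an administrator account (step 1), for instance:
'   cscript //nologo AllowHpShellExt.vbs /check   (report only, hypothetical file name)
'   cscript //nologo AllowHpShellExt.vbs          (apply the change)
Option Explicit

Const HKLM = &H80000002
Const SUBKEY = "SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached"
Const VALUE_NAME = "{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401"
Const WANTED = 1

Dim reg, checkOnly
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
checkOnly = WScript.Arguments.Named.Exists("check")

' True when the Cached key from step 4 exists.
Function CachedKeyExists()
    Dim names, types
    CachedKeyExists = (reg.EnumValues(HKLM, SUBKEY, names, types) = 0)
End Function

' True when the white-list value exists as a DWORD whose data is 1.
Function EntryIsSet()
    Dim data, rc
    EntryIsSet = False
    rc = reg.GetDWORDValue(HKLM, SUBKEY, VALUE_NAME, data)
    If rc = 0 Then
        If Not IsNull(data) Then EntryIsSet = (data = WANTED)
    End If
End Function

Sub Main()
    Dim rc

    ' Assumption of this example: a missing Cached key means the machine
    ' does not match the article, so stop instead of creating the key.
    If Not CachedKeyExists() Then
        WScript.Echo "Cached key not found; nothing changed."
        WScript.Quit 2
    End If

    If EntryIsSet() Then
        WScript.Echo "White-list entry already present with data 1; nothing changed."
        WScript.Quit 0
    End If

    If checkOnly Then
        WScript.Echo "White-list entry is missing (check only; nothing changed)."
        WScript.Quit 3
    End If

    ' Steps 5 and 6: create the DWORD value and set its data to 1.
    rc = reg.SetDWORDValue(HKLM, SUBKEY, VALUE_NAME, WANTED)
    If rc <> 0 Then
        WScript.Echo "Write failed (error " & rc & "); administrator rights are required."
        WScript.Quit 1
    End If

    ' Read the value back so success is confirmed, not assumed.
    If EntryIsSet() Then
        WScript.Echo "Done. Restart the computer or end Verclsid.exe (step 8)."
        WScript.Quit 0
    End If
    WScript.Echo "Value was written but did not read back as 1."
    WScript.Quit 1
End Sub

Main
```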
Title: Re: Highjack this log, please...my first time
Post by: Corrine on April 18, 2006, 01:07:21 AM
Quote:
anyone could have created it

Well, no.  Not anyone and I wouldn't trust a script written by just anyone.  However, anything written by the Jedi Master -- SpyDie -- will work or it wasn't really broken in the first place.  :lol:
Title: Re: Highjack this log, please...my first time
Post by: ramblinrose on April 18, 2006, 03:32:18 AM
I'd agree with Corrine...but I did trust spydie so I did it....Thank you spydie!!!!  :thumbsup:
Title: Re: Highjack this log, please...my first time
Post by: SpyDie on April 18, 2006, 08:24:26 AM
 :oops: Thanks, and at least this didn't happen: :angrypc: