Solved: What is this evidence of?

aarhus2004
Gone but always remembered with 1,049 posts.
THREAD STARTER
 
Join Date: Jan 2004
Location: Western Canada
Experience: Windows Millennium only
17-Nov-2006, 01:36 PM #1
Solved: What is this evidence of?
Hello,

In WinME.

Outlook Express has never looked like this (GIF). Have I found a nice nasty? Has it been updated since I last downloaded those updates for it and now has these coloured icons?

Should I worry?

Thanks.

Ben.
valis
Moderator with 63,639 posts.
 
Join Date: Sep 2004
Location: as above
17-Nov-2006, 01:41 PM #2
I would go with options a and c.

Please do this:

· Click here to download HJTsetup.exe
· Save HJTsetup.exe to your desktop.
· Double-click on the HJTsetup.exe icon on your desktop.
· By default it will install to C:\Program Files\Hijack This.
· Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
· Put a check by Create a desktop icon then click Next again.
· Continue to follow the rest of the prompts from there.
· At the final dialogue box click Finish and it will launch Hijack This.
· Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
· Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
· Come back here to this thread and Paste the log in your next reply.
· DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Be patient and a security expert will be along to assist you with this shortly. They can be identified by the gold badge next to their name.
__________________
Microsoft M.V.P. - Windows IT Professional | M.C.S.A. | M.C.P. - MS Server 2k3 | blog | rate me

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that". - Gary Kildall
aarhus2004
17-Nov-2006, 02:25 PM #3
Thanks, valis.

Logfile of HijackThis v1.99.1
Scan saved at 10:16:38 AM, on 17/11/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\FORMAT INSTALLSETUP ALL\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.livesporton.tv
O15 - Trusted Zone: http://www.willow.tv
O15 - Trusted Zone: http://www.theweathernetwork.com
O15 - Trusted Zone: http://www.cricinfo.com
O15 - Trusted Zone: http://ipac.virl.bc.ca
O15 - Trusted Zone: http://www.onlineconversion.com
O15 - Trusted Zone: http://www.google.ca
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.m-w.com

Ben.
valis
17-Nov-2006, 02:53 PM #4
nothing jumps out and says 'boo', but I'm not an expert at these, so you may want to wait until an expert takes a look at it. I know there's a trojan that goes by the name scanregw, BUT I think that for windows ME it's a legit app.....let an expert parse it.

In the meantime, a few questions:

1. how long has this been happening?
2. Have you rebooted since it began?
3. Close Outlook express
4. right click on start > explore > that should default you into your present user profile. Go to tools at the top > folder options > view tab > make sure that you can see the hidden files and folders. I don't know how it is in ME, but I think it's ticking show hidden files and folders, but I may be wrong. Go to application data > microsoft > outlook express and rename it > outlook express_old.
5. Reboot, restart outlook, and let me know if the icons are still like that.

v
aarhus2004
17-Nov-2006, 03:22 PM #5
Quote:
Originally Posted by valis
1. how long has this been happening?
2. Have you rebooted since it began?
3. Close Outlook express
4. right click on start > explore > that should default you into your present user profile. Go to tools at the top > folder options > view tab > make sure that you can see the hidden files and folders. I don't know how it is in ME, but I think it's ticking show hidden files and folders, but I may be wrong. Go to application data > microsoft > outlook express and rename it > outlook express_old.
5. Reboot, restart outlook, and let me know if the icons are still like that.

v

1. This is my second time in the last week.
2. Yes.

I found I had a donation of My Global Search Bar and removed it (from the Programs folder). It seems related to this morning's (and second time) download/install of a P2P BS file.

I searched the registry for 'my global search bar' and removed a couple of entries. Reboot and it is gone from Outlook Express. I read that this search bar is a low level nuisance here.

Thanks for responding, valis. And, by the way,

1. I didn't know a right-click on Start was even a possibility!!
2. scanregw is a genuine ME item - it places those registry roll backs available from a run command 'scanreg /restore'.

Ben.
valis
17-Nov-2006, 04:36 PM #6
Quote:
Originally Posted by aarhus2004

1. I didn't know a right-click on Start was even a possibility!!
2. scanregw is a genuine ME item - it places those registry roll backs available from a run command 'scanreg /restore'.

Ben.
we both learned something! I know that if you see scanregw in 2k or up, you are *most likely* looking at a trojan, but in the foggy depths of the fen that portrays itself as my brain I remember something about it being s.o.p. for windows ME, so I wanted to at least toss that out there.

Glad to help, wish I would've solved it, but regardless, glad you are up and operating.

v
aarhus2004
17-Nov-2006, 08:41 PM #7
A contrary...
Hello,

Sorry valis it is not resolved and my PM to you is not the solution.

I have cleared the P2P software as thoroughly as possible from my computer. I did use Panda online scan but it found nothing. I removed My Global Web Search bar and all I could find by other means. I.E. Explorer opens without it now.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:38:39 PM, on 17/11/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\FORMAT INSTALLSETUP ALL\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.livesporton.tv
O15 - Trusted Zone: http://www.willow.tv
O15 - Trusted Zone: http://www.theweathernetwork.com
O15 - Trusted Zone: http://www.cricinfo.com
O15 - Trusted Zone: http://ipac.virl.bc.ca
O15 - Trusted Zone: http://www.onlineconversion.com
O15 - Trusted Zone: http://www.google.ca
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.m-w.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

help appreciated.

Ben.
Cookiegal
Administrator & Malware Removal Specialist with 97,685 posts.
 
Join Date: Aug 2003
17-Nov-2006, 08:44 PM #8
I understand the problem has returned so please do this.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.


Download WinPFind.exe to your desktop and double click on it to open it and then select “extract” to extract the files. This will create a folder named WinPFind on your desktop.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Double click on the WinPFind folder on your desktop to open it and then double click on the WinPFind.exe file to start the program.
  • Click “Configure scan options”
  • Under “Run AdOns” select the following:
    • Policies.def
    • Security.def
  • Click “apply”
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.


When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and the results of the Panda scan.
__________________
Microsoft MVP - Consumer Security
aarhus2004
17-Nov-2006, 09:47 PM #9
Quote:
Originally Posted by Cookiegal
  • Click “Configure scan options”
  • Under “Run AdOns” select the following:
    • Policies.def
    • Security.def
  • Click “apply”
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.
Cookiegal,

I was not able to see the Apply button and could not drag the window open wider to do so. I was just able to see the first three letters of the Adons items = Pol and Sec &
I could see two buttons above but not enough of them to see their labels. I clicked on each in turn but the Start Scan button was not active.

I'm back where I feel safer!

Ben.
Cookiegal
17-Nov-2006, 10:08 PM #10
Open the program in normal mode and you will see where they are so you can check the correct ones in safe mode.


For the policies it's the 7th and 8th ones down.

The Apply button is in the top right corner. In safe mode you will see only the left side of it but you can still click on it.
aarhus2004
17-Nov-2006, 10:32 PM #11
WinP Finds please attached .txt file
Repeat of ActiveScan Log also attached.

Logfile of HijackThis v1.99.1
Scan saved at 6:25:10 PM, on 17/11/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\FORMAT INSTALLSETUP ALL\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: RSRCMTR.EXE.lnk = C:\WINDOWS\RSRCMTR.EXE
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.livesporton.tv
O15 - Trusted Zone: http://www.willow.tv
O15 - Trusted Zone: http://www.theweathernetwork.com
O15 - Trusted Zone: http://www.cricinfo.com
O15 - Trusted Zone: http://ipac.virl.bc.ca
O15 - Trusted Zone: http://www.onlineconversion.com
O15 - Trusted Zone: http://www.google.ca
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://www.m-w.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.sharewareconnection.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Thank-you, Cookiegal.

Ben.
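
Added illustration, not part of any post in this thread and not HijackThis's own code: successive HijackThis logs such as the three posted above can be compared mechanically, so that a toolbar that has disappeared or a newly trusted site stands out without reading every line again. The sample logs are constructed by abbreviating the 10:16 AM and 4:38 PM logs in the thread; the function names `parse_hjt` and `diff_hjt` are this example's own.

```python
import re
from collections import defaultdict

# Entry lines look like "O4 - HKLM\..\Run: [Name] command": a section code
# such as R0, O4 or O15, then " - ", then free-form detail.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed samples, abbreviated from the 10:16 AM and 4:38 PM logs above.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:16:38 AM, on 17/11/2006

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted Zone: http://www.google.ca
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:38:39 PM, on 17/11/2006

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted Zone: http://www.google.ca
O15 - Trusted Zone: http://www.pandasoftware.com
"""


def parse_hjt(log_text):
    """Return (processes, entries): a set of running-process paths and a
    set of (section, detail) pairs, one per R/F/N/O line."""
    processes, entries = set(), set()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends at the first entry
            entries.add((match.group(1), match.group(2)))
        elif in_processes and line:
            # Logs mix upper- and lower-case paths; compare case-insensitively.
            processes.add(line.upper())
    return processes, entries


def diff_hjt(before_text, after_text):
    """Report entries and processes that differ between two scans."""
    procs_a, entries_a = parse_hjt(before_text)
    procs_b, entries_b = parse_hjt(after_text)

    def by_section(pairs):
        grouped = defaultdict(list)
        for section, detail in sorted(pairs):
            grouped[section].append(detail)
        return dict(grouped)

    return {
        "added": by_section(entries_b - entries_a),
        "removed": by_section(entries_a - entries_b),
        "processes_started": sorted(procs_b - procs_a),
        "processes_stopped": sorted(procs_a - procs_b),
    }


if __name__ == "__main__":
    for kind, items in diff_hjt(LOG_BEFORE, LOG_AFTER).items():
        print(kind, items)
```

A difference between two scans only says what changed, not whether the change is malicious; here the new Trusted Zone entry comes from the online scan the user ran between the two logs.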
valis
18-Nov-2006, 01:18 AM #12
aarhus: You are in far greater hands than I could ever possibly hope to offer, so I will bypass your p.m. from earlier in the day and watch and learn from cookie, freshly wrapped for the holidaze.

thanks,

v
aarhus2004
18-Nov-2006, 01:41 AM #13
Safe hands.
Quote:
Originally Posted by valis
aarhus: You are in far greater hands than I could ever possibly hope to offer, so I will bypass your p.m. from earlier in the day and watch and learn from cookie, freshly wrapped for the holidaze.

thanks,

v
Valis, from the look of the young fellow in your arms I think you have capably safe hands! Nice pic.

Thanks for trying. Everything will be AOK I am sure.

Ben.
valis
18-Nov-2006, 02:43 AM #14
thanks.....let's just say he bounces well....
Cookiegal
18-Nov-2006, 09:44 AM #15
I'm convinced My Global Search is responsible.

Go to Control Panel - Add/Remove programs and remove any of these (or similar) that you find there:

MyWay
MyWebSearch
MySearchBar
FunWebProducts
MyGlobalSearch
MyGlobalSearchToolbar



I'm attaching a Fixaarhus.zip file to this post to remove a registry entry. Save it to your desktop. Unzip it and double click the Fixaarhus.reg file and allow it to enter into the registry.


Reboot and then let me know if things have reverted back to normal.