
Solved: need advice registry has a "Mirosoft"???

Discussion in 'Virus & Other Malware Removal' started by lovujules, Jan 23, 2005.

Thread Status:
Not open for further replies.
  1. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    I have my sister's PC to help rid it of the Gaobot virus. Well, when I went into the registry under HKLMachine:software:Microsoft, just below the Microsoft is a MIROSOFT? I think it is very strange and may be some virus or something. I right-clicked and looked in permissions and it has many names and such. If anyone knows whether this is legit or is interested in knowing more about it, please send your opinions. Thanks,
     
  2. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    It's an HP 510w with Windows XP Home, and I also forgot to mention a whole bunch of publishers in the Internet Options section that say "Windows cannot verify this". If interested in that info, I will send it.
     
  3. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    I think it is hijacked? I can't download updates from Microsoft. It locate, catsrvut.dll or locator.exe. I search and find several of them so I am stumped. I could post a hijack but it seems to be clean. Maybe it's nothing. Does anyone have any good free registry checkers? Appreciate it. Thanks,
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Please do post a log> be sure you have v. 1.99

    www.radiosplace.com

    Be sure to run it from its own folder, not just off the desktop, but inside a folder YOU CREATE. You can create the folder in My Documents, Program Files, etc., or just make a new folder right on C: so it is under C:\HJT\hijackthis.exe

    There is one small company or software publisher called MiroSoft...I am still looking and will post any info, but usually if you find funny things like that, they are bad so I would post a log to be safe.

    And, found one trojan, the first one found, that does seem to create a Mirosoft Reg key:

    http://vil.nai.com/vil/content/v_100002.htm

    "The entry for "Keylog-Razytimer" was added to cover for a malicious file called "MSHTML.EXE". The binary file is of 32 bit PE file format and has a filesize of 624.642 bytes (decimal). The file is made using Borland Delphi and is not compressed internally.

    Note that while a specific entry for the Keylog-Razytimer trojan will be added to the Dat-4246, it's detected heuristically with for example the current released Dat-4245 as New backdoor2, this is a generic detection.

    When run, the file copies itself to the %windows\%system directory and makes a registry entry to load itself automatically at system start.

    For example on a Windows9X/ME based system: HKLM\Software\Mirosoft\Windows\CurrentVersion\Run\ "c:\windows\system\mshtml.exe""

    Here is an example of Mirosoft Reg Key and mshtml.exe in an old TSG thread with win98:

    http://forums.techguy.org/showthread.php?p=1256486


    If you could post the values in the list to the right when you click once on the Mirosoft entry on the left side, that may help.

    Here is a year old post of the same entry:

    http://www.derkeiler.com/Newsgroups/microsoft.public.windowsxp.security_admin/2003-07/4147.html

    Another: (best)

    http://computercops.biz/postp142844.html

    More:

    http://www.mcse.ms/archive71-2004-2-418180.html

    One possible suggested cause here:

    http://miataru.computing.net/security/wwwboard/forum/1161.html
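
An added example, not part of any post in this thread: a Python triage of `reg query HKLM\Software /s` output for the pattern in the McAfee description quoted above, a vendor key one edit away from `Microsoft` that carries its own `Windows\CurrentVersion\Run` values. The text layout of the export, the `loader` value name, the `KNOWN_VENDORS` list and both sample exports are constructed assumptions.

```python
import re

# Vendor key names that look-alikes are measured against (assumption: extend
# this with the vendors actually installed on the machine being checked).
KNOWN_VENDORS = ("Microsoft",)
AUTOSTART_SUFFIXES = ("\\windows\\currentversion\\run",
                      "\\windows\\currentversion\\runonce",
                      "\\windows\\currentversion\\runservices")

def edit_distance(a, b):
    """Case-insensitive Levenshtein distance between two key names."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_reg_query(text):
    """Parse `reg query <key> /s` style text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and line.strip():
            # Value lines: name, type and data separated by tabs or runs of spaces.
            parts = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=2)
            if len(parts) >= 2 and parts[1].startswith("REG_"):
                current[parts[0]] = parts[2] if len(parts) == 3 else ""
    return keys

def triage_lookalikes(text, root="HKEY_LOCAL_MACHINE\\Software", max_dist=2):
    """Report keys directly under `root` whose name nearly matches a known vendor."""
    prefix = root.lower() + "\\"
    findings = {}
    for path, values in parse_reg_query(text).items():
        if not path.lower().startswith(prefix):
            continue
        vendor, _, sub = path[len(prefix):].partition("\\")
        resembles = next((k for k in KNOWN_VENDORS
                          if 0 < edit_distance(vendor, k) <= max_dist), None)
        if resembles is None:
            continue  # exact vendor name, or nothing close to one
        entry = findings.setdefault(
            vendor, {"resembles": resembles, "autostart": [], "verdict": "no-autostart"})
        if ("\\" + sub).lower().endswith(AUTOSTART_SUFFIXES):
            entry["autostart"] += [(name, data) for name, data in values.items()
                                   if data and data != "(value not set)"]
        if entry["autostart"]:
            entry["verdict"] = "autostart-present"
    return findings

# Constructed sample: a look-alike key that holds nothing but an unset default.
SAMPLE_EMPTY_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    KBD    REG_SZ    C:\HP\KBD\KBD.EXE

HKEY_LOCAL_MACHINE\Software\Mirosoft
    (Default)    REG_SZ    (value not set)
"""

# Constructed sample: the layout from the quoted description; the value name
# "loader" is made up, the data path is the one given in the quote.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Mirosoft

HKEY_LOCAL_MACHINE\Software\Mirosoft\Windows\CurrentVersion\Run
    loader    REG_SZ    c:\windows\system\mshtml.exe
"""

if __name__ == "__main__":
    for label, sample in (("empty key", SAMPLE_EMPTY_KEY), ("run key", SAMPLE_RUN_KEY)):
        print(label, triage_lookalikes(sample))
```

A `no-autostart` verdict means only that the look-alike key holds no Run-style values; where the key came from still has to be established separately.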
     
  5. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    Hi, a lot has happened since posting, so I wanted to give you an old hijack I did before finally being able to download SP1, just in case things have changed a lot, which I noticed in the hijack it has, or maybe it's because it's the new hijack and it's not as familiar to me yet.

    Under user accounts there is only my sis's account, "admin., owner". There used to be the two boys' accounts, but they were deleted a long time ago, so I don't know if the reason for me finding two user profiles in system folder, advanced is anything suspicious or not. But there was her profile and an administrator profile too, but maybe it saves old user accounts? I think I totally deleted the boys' accounts but not sure. Like a year ago they were deleted. But anyways, I thought it strange, so I copied the profile to a folder and then deleted it, and then when I went to look at it, it said the folder was private, which is a setting I did on my user acct. after deleting it to protect maybe?

    Oh, and when I looked at permissions for the mirosoft it was that admin. profile as owner. Then when I deleted it, it went to kellis acct. as owner. If that's important too. Still learning about this user acct., profile thing on XP, so this might be not important. So it asked if I wanted to change it or something, and I did, and it started changing in size, which again may be nothing. But don't want to leave anything out. Just didn't know if two user profiles but only one user account and guest off was not normal??? Plus in computer management it showed a bunch of security alerts of logon/logoff successful in guest? How, if it's turned off? Checked and it seems to take me to Microsoft for info on the Blaster worm, which she did have a long time ago.

    Okay, so here's the old hijack, and then I will post the new hijack with SP1 now installed finally. Thanks, and hope this is all worth investigating and not be nothing serious. I searched forever for info on mirosoft and couldn't find it; that's what made me suspicious too.
    Thanks, will go and look at the rest of your post and follow directions.

    Logfile of HijackThis v1.98.2
    Scan saved at 8:00:13 PM, on 1/23/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\Owner\My Documents\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.epix.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by epix®
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.epix.net"); (C:\Program Files\Netscape\Users\User00\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEFF6C-BC5F-4F83-A383-4415D4C1C6AD}: NameServer = 199.224.86.17 199.224.86.15
     
  6. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    Logfile of HijackThis v1.98.2
    Scan saved at 8:00:13 PM, on 1/23/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\Owner\My Documents\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.epix.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by epix®
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.epix.net"); (C:\Program Files\Netscape\Users\User00\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEFF6C-BC5F-4F83-A383-4415D4C1C6AD}: NameServer = 199.224.86.17 199.224.86.15
     
  7. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    I am gonna run some virus scans and i have spybot,adaware,cwshredder,stinger,killbox. Just about all of them so u know. thanks,,,
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, The old HJT log doesn't show anything; please see my first reply and post a log made with version 1.99 of HijackThis, that one shows much more with XP than 1.98.2.

    You can download it from my link in first reply.

    You can simply delete the old version, or just download the new to another folder> HJTnew, or something marked so you know you are using the newest one.

    Also> the two logs made with 1.98.2 show that SP2 is not installed yet, but you posted that it should be for the 2nd log, it does not show.

    A Guest account is a limited account- it can be turned off or on as you know, and has no password.

    http://www.microsoft.com/resources/...xp/all/proddocs/en-us/ua_c_account_types.mspx

    To work with accounts you must be signed on as an administrator, but not necessarily as the computer admin> those two terms are different. All users, unless they are set up from the beginning as limited users, are administrator accounts with privileges described here:

    http://www.microsoft.com/resources/...xp/all/proddocs/en-us/ua_c_account_types.mspx

    http://www.microsoft.com/resources/...xp/all/proddocs/en-us/ua_c_account_types.mspx

    The boys' user accounts apparently were passworded, which makes folders and files private.

    The account "owner" is created automatically if no separate users are configured when XP is installed...so the first admin and user is "owner"...that account can be renamed if you wish. Apparently from what you said, this is your sister's account, and she has not named it with her own username? That is what shows in the logs.
    The administrator account is created during setup> this is the one that you used to see on bootup screen, if there are NO other separate user accounts. (After other user accounts are made, you do not see an Administrator logon box, but you can log on as THE administrator in Safe Mode, usually no need to unless you are locked out of an account, or the machine does not boot normally.)

    Since your sister did, (the two boys)...when you deleted those, you would be given the option to save their files, and apparently did that, so you see those private folders in Explorer. So I would say you are wondering what those old user folders are, they are just those saved files...which can be deleted> but, since you did something else I am not sure, we can figure that out later.
     
  9. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    Sorry, the second hijack above was the wrong one; here is the new one with v1.99. I meant SP1, not SP2. Unsure if I should install SP2 yet? Oh, and I looked at those sites and I do have a Pinnacle Studio. I think it was bundled with the HP PC. So maybe that's all it is. Going to finish looking at your last post. Thanks

    Logfile of HijackThis v1.99.0
    Scan saved at 8:27:02 AM, on 1/25/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\HP\KBD\KBD.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Documents and Settings\Owner\My Documents\new hijack\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.epix.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by epix®
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.epix.net"); (C:\Program Files\Netscape\Users\User00\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BBEFF6C-BC5F-4F83-A383-4415D4C1C6AD}: NameServer = 199.224.86.17 199.224.86.15
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server - Unknown - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
    O23 - Service: McAfee.com McShield - Unknown - C:\Program Files\mcafee.com\VSO\mcshield.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Yes, I should have had SP1 in my reply, I mis-typed.

    I see the new log and that looks OK. It does show that McAfee virus scan has been taken off, there is an entry at the bottom of the log that can be fixed if there will be no reinstall of McAfee. You may want to run the McAfee cleanup tool: that should remove leftovers for you:

    http://ts.mcafeehelp.com/faq3.asp?docid=68717

    Wait on fixing this> run the cleanup McAfee tool first.
    O23 - Service: McAfee.com McShield - Unknown - C:\Program Files\mcafee.com\VSO\mcshield.exe (file missing)
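
An added example, not part of any post in this thread: a small Python parser for HijackThis entry lines that lists the ones whose target no longer exists, the kind of leftover pointed out above. The sample is a constructed excerpt built from lines in the v1.99 log posted earlier; the function and field names are assumptions of this example.

```python
import re

# "O23 - Service: ..." style lines: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# HijackThis marks dangling targets with a trailing "(file missing)" or "(no file)".
ORPHAN_RE = re.compile(r"\s*-?\s*\((file missing|no file)\)$", re.IGNORECASE)

def parse_hjt_entries(log_text):
    """Return (section, body) for every entry line; the header and the
    running-process list do not match the entry pattern and are skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, log_text.splitlines()) if m]

def orphaned_entries(log_text):
    """List entries whose referenced file is reported as absent."""
    findings = []
    for section, body in parse_hjt_entries(log_text):
        marker = ORPHAN_RE.search(body)
        if not marker:
            continue
        # Fields are " - " separated. A path that itself contains " - " would be
        # split as well, so `target` is a hint for the reader, not a verified path.
        fields = ORPHAN_RE.sub("", body).split(" - ")
        kind, _, name = fields[0].partition(": ")
        findings.append({
            "section": section,
            "kind": kind,
            "name": name,
            "target": fields[-1] if len(fields) > 1 else None,
            "marker": marker.group(1).lower(),
        })
    return findings

# Constructed excerpt (lines copied from the v1.99 log in this thread).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: LexBce Server - Unknown - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: McAfee.com McShield - Unknown - C:\Program Files\mcafee.com\VSO\mcshield.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    for finding in orphaned_entries(SAMPLE_LOG):
        print(finding["section"], finding["name"], "->", finding["target"],
              "(" + finding["marker"] + ")")
```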
     
  11. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    Okay, when I click on Mirosoft and then to the right, it is just default: value not set. If I right-click on it and choose modify binary it has 4 0's is all, so it must be nothing then.
    Yeah, I got rid of startups, McAfee, lexb's ones, Music Match and all, but after installing SP1 they are all back. Plus, I deleted the lexb's, which are a Lexmark printer, because she doesn't have it anymore, and it keeps running again now after SP1, so I have to do them all over again. I was wondering why it was running so slow again after installing SP1. Too many running things that aren't even used or exist anymore. Ugh... I have Norton 04 installed now. So I don't need the old McAfee, so I will remove it. Thanks for all your help, and maybe this at least will definitely resolve the "mirosoft" thing for sure.
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Yes I would say you have solved your mystery.

    A Registry cleaner may help you.

    I use EasyCleaner 2.0, it is available at www.majorgeeks.com in the "Registry" category on the left of the page. Works very well, but I would advise using only the "Registry" invalid entry finder, Internet File cleanup, and perhaps the Add/Remove part, not the duplicate file finder or unnecessary file finder as they have given people problems- too much chance of a mishap with those parts. I use EasyCleaner on every pc I work on. But, use only the invalid Registry entry finder, and the Temp file and Cookie cleaner part, and Add/Remove Programs part (that can find uninstall strings so you can try to remove hung-up bad uninstalls, in some cases).
     
  13. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    Hi, yes You solved my mystery and thanks so much. I appreciate all the help and info. Will go and get the reg cleaner you suggested and I will print out what you said to do. thanks, Kim
     
  14. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You are very welcome! If you need help with any of what you posted about feel free to post it here.

    Don't forget to clean out the Restore Points after you are all done changing things, deleting etc...Restore will be making the changes along with you, it might be a good idea to leave it on right now, then when you are sure things are going to be OK (after several days) it would be a good idea to turn Restore off, which will remove all the past Restore Points....then, you turn Restore back on, and create a new Restore Point.
    You can, when you are ready to, mark the thread Solved or as you wish, by using the Thread Tools button at the top of the page...(I can't mark it for you) so take a minute and do that. You can still reply to this thread if you mark it solved.
     
  15. lovujules

    lovujules Thread Starter

    Joined:
    Aug 20, 2004
    Messages:
    213
    Yeah, good old restore. hehe,,,will do. thanks again and mark solved now.
     
Short URL to this thread: https://techguy.org/322722
