Please HELP!!! Attached is my HijackThis log


martian63
04-14-2005, 03:19 PM
Attached is my Hijack This log file, run from an exclusive Hijack This folder. Experts, please let me know which entries I should delete. I tried to delete on my own and probably deleted an entry that stopped MS Word from opening the Word document whenever I try to open it by double-clicking the file. I tried to link with the "Open With" option but it doesn't work when I select the check box "Always use this program to open files with".

Thanks for your help!


Logfile of HijackThis v1.99.1
Scan saved at 10:37:17 PM, on 4/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\TCDPBTN.EXE
C:\WINDOWS\SYSTEM\TWBBTN.EXE
C:\TOSHIBA\IVP\ISM\PINGER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\EARTHLINK ACCELERATOR\PROPELAC.EXE
C:\WINDOWS\NSGILQBV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\TBVFTATH\TBVFTATH.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\RPIR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcom.com/bin/ie40search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/toshiba/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK TOOLBAR\PNEL.DLL
O2 - BHO: ElnkScamBHO Class - {66252F33-BE30-4188-9199-63F2AC8BA137} - C:\PROGRAM FILES\EARTHLINK TOOLBAR\ESCAMBLK.DLL
O2 - BHO: (no name) - {170FCE60-AB9C-11D9-82E3-0010A4C7417C} - C:\PROGRAM FILES\TBVFTATH\TBVFTATH.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK TOOLBAR\PNEL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [TCDPbtn] TCDPbtn.exe
O4 - HKLM\..\Run: [TWBbtn] TWBbtn.exe
O4 - HKLM\..\Run: [THotkey] THotkey.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\EARTHLINK ACCELERATOR\PROPELAC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vapyzncyvk] C:\WINDOWS\nsgilqbv.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [TBVFTATH] \Progra~1\TBVFTATH\TBVFTATH.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\imkizp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [THotkey] THotkey.Exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: rpir.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/o...winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3067dda298c...xIE601.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0018.exe

david eaton
04-14-2005, 03:41 PM
Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcom.com/bin/ie40search

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {170FCE60-AB9C-11D9-82E3-0010A4C7417C} - C:\PROGRAM FILES\TBVFTATH\TBVFTATH.dll

O4 - HKLM\..\Run: [vapyzncyvk] C:\WINDOWS\nsgilqbv.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [TBVFTATH] \Progra~1\TBVFTATH\TBVFTATH.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\imkizp.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: rpir.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3067dda298c...xIE601.cab

Reboot and delete

files
C:\WINDOWS\nsgilqbv.exe
C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
C:\WINDOWS\imkizp.exe

folders
C:\PROGRAM FILES\TBVFTATH
c:\windows\SYSTEM\KB891711

These may be hidden files. See HERE (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.

martian63
04-14-2005, 05:01 PM
David,

I highly appreciate your fast analysis and reply. I'll perform the tasks as mentioned by you and post a new log.

Thanks

martian63
04-14-2005, 05:17 PM
David,

Should I delete the following as well?

O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0018.exe

Please let me know.

Thanks

FastLearner
04-15-2005, 12:27 AM
David,

Should I delete the following as well?

O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0018.exe

Please let me know.

Thanks

Yes, by all means have HJT fix this one as well. It is listed in SpywareBlaster's ActiveX "nasty" database. It is associated with a trojan downloader. Good call.

I guess that means we know what you'll be downloading and installing after your system is clean...:)

martian63
04-16-2005, 02:05 AM
Here's the HijackThis log file generated after fixing the ones marked by you. Please let me know if it's clean.

Thanks for all your help.


Logfile of HijackThis v1.99.1
Scan saved at 9:59:37 PM, on 4/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\TCDPBTN.EXE
C:\WINDOWS\SYSTEM\TWBBTN.EXE
C:\TOSHIBA\IVP\ISM\PINGER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\EARTHLINK ACCELERATOR\PROPELAC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/toshiba/search.html
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK TOOLBAR\PNEL.DLL
O2 - BHO: ElnkScamBHO Class - {66252F33-BE30-4188-9199-63F2AC8BA137} - C:\PROGRAM FILES\EARTHLINK TOOLBAR\ESCAMBLK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK TOOLBAR\PNEL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [TCDPbtn] TCDPbtn.exe
O4 - HKLM\..\Run: [TWBbtn] TWBbtn.exe
O4 - HKLM\..\Run: [THotkey] THotkey.Exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\EARTHLINK ACCELERATOR\PROPELAC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [THotkey] THotkey.Exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

Budfred
04-16-2005, 03:46 AM
This seems to be the same log you posted on SWI... Please choose a forum to get help and stick with it... Asking people in two different forums to work on your log is a waste of a limited and valuable resource, the volunteer time of the people that help with logs... Please post here which forum you prefer to work with...

martian63
04-16-2005, 07:48 PM
Budfred,

Point taken.

Thanks for your help.

Budfred
04-16-2005, 09:57 PM
I am glad you understand my point... I am not sure if you want to proceed with your log here or if you prefer to work with it at SWI... Please let us know... :)

martian63
04-17-2005, 02:34 AM
It depends upon where I get my fixes. For now, I'm sticking around this site. Secondly, I still have a problem. The computer won't shut down properly. Any ideas?

Budfred
04-17-2005, 02:46 AM
Now it seems you didn't understand my point... If you post in several forums looking for someone to help you in each forum and you get 3 separate people in 3 different forums helping you, you are getting your fixes and wasting the time of at least 2 of the 3 helpers... I am asking if you are going to continue to post in multiple forums or if you are going to limit it to one forum... Please be clear on your intentions...

martian63
04-17-2005, 01:11 PM
The response in this forum is good. I said I'll stick to this forum. But what happens when I do not receive any response? For example, I posted another thread with the log of my brother's comp the night before last but have yet to see any replies. I did not post the log anywhere else. What do you expect me to do?

FastLearner
04-17-2005, 01:42 PM
Hi Martian63. Good question.

I know at SWI, they have a special thread for those who have not received help after 3 days - that's 72 hours! Location: http://forums.spywareinfo.com/index.php?showtopic=23284
Basically if 72 hours go by and you have still not received a response, you would post the link to your post in that special forum and then you will be put on a top-priority list.

As far as the PC Guide forums go (this one), I am not aware of such a policy. I can say from experience, however, that it is very rare to see someone waiting for more than 3 days (72 hours) for a response.

Keep in mind that HJT logs, in particular, can be rather time-consuming to assess (for me as a beginner, one log takes approximately 1 hour to assess just to give you a general idea of what I'm talking about) and so a little more patience for these types of responses is appreciated.

I am in full agreement with Budfred, however, and would say that no matter how long it takes, to stick with just one forum that you like. It makes it better for all interested parties.

martian63
04-17-2005, 02:54 PM
1. Well... I enrolled myself in the bootcamp at SWI and would love to volunteer.

2. I decided to work on the log myself and identified the following problematic entries.

-----------------------------------------------------------------------
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-find.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-find.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://my-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
-----------------------------------------------------------------------

a. Please let me know if I missed something or if I marked something which should not be removed.

b. How do you identify the files to be deleted from the hard disk? e.g., c:\windows\iau.exe

Thanks.

FastLearner
04-17-2005, 03:11 PM
Hello martian63.

Well, I congratulate you on your decision to join boot camp. We can always use more dedicated helpers, and you will be joining me during the training (I just started myself about a week ago)...:)

As far as your choices for what to fix in that log, I wouldn't hit the 'Fix Checked' button just yet. You have a bunch of optionals in there and these are exactly the things you'll be learning about at boot camp (although I commend you for finding a bunch of garbage, as well). Anyway, for now I suggest that you wait for Budfred or one of the other experts to verify what you have chosen to fix.

Incidentally, where did these entries come from, as they certainly didn't come from the last log posted in this thread?

In regards to your question:

How do you identify the files to be deleted from the hard disk? e.g., c:\windows\iau.exe


You will be learning this at boot camp, as well. My understanding is, however, that HJT will delete the O2s and the O3s, although I've heard mixed things about the O3s as of late (not sure if they are deleted or not). And since ActiveX controls are not really in file format, they do not need to be manually removed either. Again, Budfred or David Eaton will, I'm sure, be able to answer this more clearly for the both of us. In the meantime, I suggest that you create a fresh log of the computer to be helped and post it in this thread.

Budfred
04-18-2005, 01:13 AM
The last log posted in this thread is mostly clean... However, there are a couple of suspicious items... On the first one I suggest finding the file and checking Properties... If it is not from a legit company, I suggest that you have HJT fix it... I suggest you fix the second one since O16 items will get restored if you visit the site again and this one looks quite suspicious... Open an HJT scan and put checks by these if you opt to fix them both:

O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.c...iveX/winrep.cab

Close all open windows except HJT and click Fix Checked...

If you opted to fix the O4, you will also need to delete this file:

C:\WINDOWS\SYSTEM\WINUP2DATE.DLL

Reboot and post a fresh log...
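One way to mechanize the checks the helpers apply in this thread, as an added example that is not part of the thread or of HijackThis itself: it parses HJT log lines, derives the on-disk file an O4 entry launches (the part that still has to be deleted after HJT removes the registry value, as in the fix lists above), and flags the Windows-lookalike names, the localhost proxy and the bare-.exe ActiveX codebase from the entries quoted here. The sample lines are constructed from the thread's entries and the KNOWN_BINARIES reference list is an assumption.

```python
"""HijackThis v1.99 log triage: added example, not code from the thread or from HijackThis.
Finds the file each O4 entry launches and flags the kinds of entries the helpers picked out."""
import re

# Constructed sample built from entries quoted in the thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [vapyzncyvk] C:\WINDOWS\nsgilqbv.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [TBVFTATH] \Progra~1\TBVFTATH\TBVFTATH.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0018.exe
"""

# Assumed reference list of Windows binaries whose names the entries above imitate.
KNOWN_BINARIES = {"svchost.exe", "lsass.exe", "msconfig.exe", "services.exe", "winlogon.exe"}
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

def launched_file(cmd):
    """File an O4 command line starts, or None for a bare name: Windows resolves
    that through its search path, so the log alone does not say where it lives."""
    cmd = cmd.strip()
    m = re.match(r"rundll32(?:\.exe)?\s+([^,]+),", cmd, re.I)  # rundll32 DLL,EntryPoint
    if m:
        return m.group(1).strip()
    if cmd.startswith('"'):                                     # "long path" args
        return cmd[1:cmd.index('"', 1)]
    parts = cmd.split()
    if parts and re.match(r"^(?:[A-Za-z]:)?\\", parts[0]):      # C:\... or \Progra~1\...
        return parts[0]
    return None

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap as one edit, so lssas.exe sits
    one step from lsass.exe rather than two."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def launch_targets(log):
    """Map each O4 value name to the file it launches (the file to delete after HJT fixes it)."""
    return {m.group(3): launched_file(m.group(4)) for m in map(O4_RE.match, log.splitlines()) if m}

def triage(log):
    """(path, reason) for each flagged line; path is None when the log does not give one."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            path = launched_file(m.group(4))
            base = (path or m.group(4).strip() or "?").split("\\")[-1].split()[0].lower()
            for legit in sorted(KNOWN_BINARIES):
                if base != legit and osa_distance(base, legit) == 1:
                    findings.append((path, f"{base} imitates {legit}"))
        elif "ProxyServer" in line and "127.0.0.1" in line:
            findings.append((None, "browser proxy points at localhost"))
        elif line.startswith("O16") and line.lower().endswith(".exe"):
            findings.append((None, "ActiveX codebase is a bare .exe"))
    return findings
```

Randomly named files such as nsgilqbv.exe are not caught by the lookalike check; they still need the Properties inspection Budfred describes, which is why launch_targets lists every O4 target rather than only the flagged ones.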