IE 6 error messages and locks up comp.

Liz

Internet Explorer 6 running on Win XP Pro errors out and
shuts down (about half of the time while surfing the
net.) This machine is one month old. XP with IE came
loaded. (I did a system restore going back one week with
no noticeable effects.) When this happens XP gives me the
option of sending a report including a temp file which I
can't access whether I send the report or not. It is
immediately deleted or overwritten with another temp
file.
I can't determine what scenario will replicate the error
consistently, I have sent as many as four error reports
in a single day. After IE shuts down I can't do anything
for at least four minutes, (I guess it's busy writing the
error report) task manager doesn't come up, and no
programs will start. After the four minutes, everything I
attempted to do happens at once: i.e. 'Tell Microsoft
about this Problem' task manager windows open, IE opens,
Word opens, etc. all at once. The only action I can take
when it's locked up is to press and hold the power button
for 9 seconds until it shuts down the comp.
I have PC-cillin virus and firewall onboard and
activated. I scanned with Ad-Aware (it only found alexa
and one tracking cookie) and Hijack This. I am including
the first few lines of the two most recent error reports,
and the latest Hijack This scan log.
Most recent error: (atypical - I never saw 'sz' prefix
before)
Error signature
szAppName: iexplore.exe szAppVer: 6.0.2800.1106
szModName: hungapp szModVer: 0.0.0.0 offset: 00901be7
This error report only included two temp files, not the
modules details like all of the previous error reports.
C:\documentsandsettings\liz\locals~1\Temp\WERE.temp.dir01\iexplore.exe.mdmp
C:\documentsandsettings\liz\locals~1\Temp\WERE.temp.dir01\appcompat.txt

Most recent previous error report: (typical)
Error signature
AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: unknown
ModVer: 0.0.0.0 Offset: 00901be7
Exception Information
Code: 0xc0000005 Flags: 0x00000000
Record 0x0000000000000000 Address: 0x0000000000901be7
System Information
Windows NT 5.1 Build: 2600
Module 1
Iexplore.exe (and a lot of details which I can't decipher
about each module)
Module 2
Ntdll.dll
Module 3
Kernel32.dll
(Modules 1 through 106)
This file was also included in the sent report:
C:\Document~1\liz\locals~1\temp\WERF55.tmp.dir00\appcompat.txt

Hijack This log:
Logfile of HijackThis v1.97.7
Scan saved at 1:25:14 PM, on 12/23/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\Downloaded Installations\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orangecom.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orangecom.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37957.4980208333
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43B18CF-3C39-4A8F-97ED-C0C6F24FAF7C}: Domain = ocisp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43B18CF-3C39-4A8F-97ED-C0C6F24FAF7C}: NameServer = 151.164.1.1 65.66.40.1 65.66.40.1 151.164.1.1

Any help would be appreciated!
 
H Leboeuf

Winlogon could be from this trojan.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hazzer.html

Lsass from.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.ratsou.b.html

smss.exe from
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.f.html

Services.exe from
http://www.symantec.com/avcenter/venc/data/w32.hllw.kazping.html

When was the last time you scanned your computer with the latest file
definition?

Henri Leboeuf
Web page: http://www.generation.net/~hleboeuf/index.htm
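
Added example, not part of any post in this thread: a first triage check for the process names raised above is whether each one runs from its normal Windows XP directory. This Python sketch parses the "Running processes" section of a HijackThis log, rejoins hard-wrapped lines, and flags core system process names running from anywhere else; the sample log is constructed from lines in the posted log plus one made-up out-of-place entry, and the function names and the EXPECTED_DIR table are this example's own assumptions.

```python
import ntpath
import re

# Normal location of core Windows XP processes, relative to %SystemRoot%.
# (Assumption of this example: a default install with SystemRoot = C:\WINDOWS.)
EXPECTED_DIR = {
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",  # lives directly in %SystemRoot%
}

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")      # start of a new process path
LOG_ENTRY = re.compile(r"^[A-Z]\d+ - ")       # R0 / O2 / O16 ... entries

# Constructed sample: lines copied from the posted log, plus one invented
# entry (C:\WINDOWS\Temp\lsass.exe) to show what a finding looks like.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\KODAK\Kodak EasyShare
software\bin\EasyShare.exe
C:\WINDOWS\Temp\lsass.exe
C:\WINDOWS\Downloaded
Installations\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
"""


def running_processes(log_text):
    """Return image paths from 'Running processes:', rejoining wrapped lines."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line:
            if paths:          # blank line after the list ends the section
                break
            continue           # tolerate a blank line right after the header
        if LOG_ENTRY.match(line):
            break
        if DRIVE_PATH.match(line):
            paths.append(line)
        elif paths:
            # Continuation of a path that a mail/news client wrapped.
            glue = "" if line.startswith("\\") or paths[-1].endswith("\\") else " "
            paths[-1] += glue + line
    return paths


def misplaced_system_processes(log_text, system_root=r"C:\WINDOWS"):
    """Return (path, expected_dir) for system-named processes in the wrong directory."""
    findings = []
    for path in running_processes(log_text):
        name = ntpath.basename(path).lower()
        if name not in EXPECTED_DIR:
            continue
        sub = EXPECTED_DIR[name]
        expected = system_root + ("\\" + sub if sub else "")
        # Windows paths are case-insensitive, so compare case-folded forms.
        if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(expected):
            findings.append((path, expected))
    return findings


if __name__ == "__main__":
    for path, expected in misplaced_system_processes(SAMPLE_LOG):
        print("CHECK: %s (expected under %s)" % (path, expected))
```

A matching path is only a first filter: it does not show that the file at that path is the genuine Microsoft binary.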


Liz

Thank you for your help!
My last virus scan was 12/19. I went ahead and did another
one; still no virus.
I checked out all of the links you posted; I'm still
researching whether or not they are really caused by the
trojans. If so, why didn't spybot, hijack this, ad-aware,
or PC-cillin detect them?
I got help on another board, they suggested that my virus
software's 'Webtrap' (the website filter for activex and
java apps) might be the cause. I disabled it and have had
no error problems (yet.) It just makes me wonder whether
this is a chronic problem with webtrap, or my webtrap app
is corrupted. Or whether it really fixed the problem at
all, only time will tell.
Thank You for your help :)
Liz

PA Bear

Neither your anti-virus application nor any of the hijackware identifiers
are helpful if you don't seek updates before each and every use, Liz, even
"right out of the box."

Dealing with Hijackware
http://mvps.org/winhelp2002/unwanted.htm
http://www.mvps.org/inetexplorer/Darnit.htm#tshoot
http://aumha.org/a/parasite.htm

When all else fails, HijackThis (http://www.merijn.org/files/hijackthis.zip)
is the preferred tool to use. It will help you to both identify and remove
any hijackware/spyware. **Post your files to http://forums.spywareinfo.com/
or the Spyware forum at http://forum.aumha.org/ for expert analysis, not
here.**
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Protect Your PC
http://www.microsoft.com/security/protect/
Thank you for your help!
My last virus scan was 12/19 I went ahead and did another
one, still no virus.
I checked out all of the links you posted, I'm still
researching whether or not they are really caused by the
trojans. If so, why didn't spybot, hijack this, ad-aware,
or PC-cillin detect them?
I got help on another board, they suggested that my virus
software's 'Webtrap' (the website filter for activex and
java apps) might be the cause. I disabled it and have had
no error problems (yet.) It just makes me wonder whether
this is a chronic problem with webtrap, or my webtrap app
is corrupted. Or whether it really fixed the problem at
all, only time will tell.
Thank You for your help :)
Liz
-----Original Message-----
Winlogon could be from this trojan.
http://securityresponse.symantec.com/avcenter/venc/data/b
ackdoor.hazzer.html

Lsass from.
http://securityresponse.symantec.com/avcenter/venc/data/b
ackdoor.irc.ratsou.b.html

smss.exe from
http://securityresponse.symantec.com/avcenter/venc/data/b
ackdoor.irc.flood.f.html

Services.exe from
http://www.symantec.com/avcenter/venc/data/w32.hllw.kazpi ng.html

When was the last time you scanned your computer with the latest file
definition.

Henri Leboeuf
Web page: http://www.generation.net/~hleboeuf/index.htm


Internet Explorer 6 running on Win XP Pro errors out and
shuts down (about half of the time while surfing the
net.) This machine is one month old. XP with IE came
loaded. (I did a system restore going back one week with
no noticable effects.) When this happens XP gives me the
option of sending a report including a temp file which I
can't access whether I send the report or not. It is
immediately deleted or overwritten with another temp
file.
I can't determine what scenario will replicate the error
consistantly, I have sent as many as four error reports
in a single day. After IE shuts down I can't do anything
for at least four minutes, (I guess it's busy writing the
error report) task manager doesn't come up, and no
programs will start. After the four minutes, everything I
attempted to do happens at once: i.e. 'Tell Microsoft
about this Problem' task manager windows open, IE opens,
Word opens, etc. all at once. The only action I can take
when it's locked up is to press and hold the power button
for 9 seconds until it shuts down the comp.
I have PC-cillin virus and firewall onboard and
activated. I scanned with Ad-Aware (it only found alexa
and one tracking cookie) and Hijack This. I am including
the first few lines of the two most recent error reports,
and the latest Hijack This scan log.
Most recent error: (atypical - I never saw 'sz' prefix
before)
Error signature
szAppName: iexplore.exe szAppVer: 6.0.2800.1106
szModName: hungapp szModVer: 0.0.0.0 offset: 00901be7
This error report only included two temp files, not the
modules details like all of the previous error reports.
C:\documentsandsettings\liz\locals~1 \Temp\WERE.temp.dir01
\iexplore.exe.mdmp
C:\documentsandsettings\liz\locals~1 \Temp\WERE.temp.dir01
\appcompat.txt

Most recent previous error report: (typical)
Error signature
AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName:
unknown
ModVer: 0.0.0.0 Offset: 00901be7
Exception Information
Code: 0xc0000005 Flags: 0x00000000
Record 0x0000000000000000 Address: 0x000000000090lbe7
System Information
Windows NT 5.1 Build: 2600
Module 1
Iexplore.exe (and a lot of details which I can't decipher
about each module)
Module 2
Ntdll.dll
Module 3
Kernel32.dll
(Modules 1 through 106)
This file was also included in the sent report:
C:\Document~1\liz\locals~1\temp\WERF55.tmp.dir00
\appcompat.txt

Hijack This log:
Logfile of HijackThis v1.97.7
Scan saved at 1:25:14 PM, on 12/23/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Trend Micro\PC-cillin 2002 \pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002 \PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002 \Pop3trap.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\Kodak EasyShare
software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\Downloaded
Installations\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orangecom.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orangecom.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37957.4980208333
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43B18CF-3C39-4A8F-97ED-C0C6F24FAF7C}: Domain = ocisp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43B18CF-3C39-4A8F-97ED-C0C6F24FAF7C}: NameServer = 151.164.1.1 65.66.40.1 65.66.40.1 151.164.1.1

Any help would be appreciated!
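
Added example (not part of any post in this thread, and not HijackThis's own code): the HijackThis log was posted with newsreader line wrapping that split entries across lines, so anyone triaging it first has to rejoin them. The Python below rejoins a few entries as they were originally posted and extracts the registry Run entries and CLSIDs; the function names and the rejoin heuristic are assumptions of this example.

```python
import re

# Added example; helper names are its own. Constructed sample: entries copied
# from this thread's log, still hard-wrapped as originally posted.
WRAPPED_LOG = r"""O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-
001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32
\dla\tfswctrl.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend
Micro\PC-cillin 2002\pccguide.exe"
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

ENTRY_START = re.compile(r"^([A-Z]\d{1,2}) - ")  # section code, e.g. R0, O4, O16
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_ENTRY = re.compile(r"^(\S+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

def unwrap(log_text):
    """Rejoin hard-wrapped lines into one string per log entry."""
    entries = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
            continue
        # Heuristic: a split inside a GUID or a path gets no space back;
        # a split between words (or after the " - " separator) does.
        mid_token = line.startswith("\\") or (
            entries[-1].endswith("-") and not entries[-1].endswith(" -"))
        entries[-1] += ("" if mid_token else " ") + line
    return entries

def group_by_section(entries):
    """Map section code (R0, O2, O4, ...) to the entry text after 'XX - '."""
    sections = {}
    for entry in entries:
        m = ENTRY_START.match(entry)
        if m:
            sections.setdefault(m.group(1), []).append(entry[m.end():])
    return sections

def autoruns(sections):
    """(hive, value name, command) for each O4 registry Run entry."""
    matches = map(RUN_ENTRY.match, sections.get("O4", []))
    return [m.groups() for m in matches if m]

def clsids(sections, code):
    """CLSIDs named in one section, e.g. 'O2' (BHOs) or 'O16' (ActiveX)."""
    return [c for body in sections.get(code, []) for c in CLSID.findall(body)]
```

A line wrapped in the middle of a word with no hyphen or backslash at the break (as happened to one URL in the posted log) cannot be told apart from a split between words, so the heuristic rejoins it with a space.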




Liz

Thanks for the reply, PA Bear.
I saw some of your other posts and went to a lot of the links which you pasted into those; consequently I got HijackThis, Ad-Aware, and Spybot, as well as my onboard PC-cillin. Yes, I do update everything before a new scan.
I posted my HijackThis log to the spyware forum and found out that it may have been my PC-cillin's 'webtrap' component, which I disabled.
I've had it lock up a few times since then, but no error reports were generated. I'm still at a loss. I wonder whether 'disabling third party browser extensions' disabled the report writing and sending component of XP?
Thank you for your advice and links, Robear and Henri.
-----Original Message-----
Neither your anti-virus application nor any of the hijackware identifiers
are helpful if you don't seek updates before each and every use, Liz, even
"right out of the box."

Dealing with Hijackware
http://mvps.org/winhelp2002/unwanted.htm
http://www.mvps.org/inetexplorer/Darnit.htm#tshoot
http://aumha.org/a/parasite.htm

When all else fails, HijackThis (http://www.merijn.org/files/hijackthis.zip)
is the preferred tool to use. It will help you to both identify and remove
any hijackware/spyware. **Post your files to http://forums.spywareinfo.com/
or the Spyware forum at http://forum.aumha.org/ for expert analysis, not
here.**
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Protect Your PC
http://www.microsoft.com/security/protect/
http://www.symantec.com/avcenter/venc/data/w32.hllw.kazping.html
When was the last time you scanned your computer with the latest file definition?

Henri Leboeuf
Web page: http://www.generation.net/~hleboeuf/index.htm


 
