I'm having the system32 folder problem as well. I've read this topic through and downloaded every program suggested and gone through every FAQ following the instructions exactly the way it told me to. I'm still getting the annoying system32 pop up. I read that the last resort you guys prefer is that I use HijackThis and paste the log file. I myself noticed a few problems in the log and many system32 references involved with websense. I HATE WEBSENSE. Here's my log. Any help is greatly appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 7:08:22 PM, on 2/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 143.81.8.34:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\PROGRA~1\SB\SMART-~1\BHO010~1.DLL
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SearchAt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [// Filename: master.] c:\WINDOWS\System32\// Filename: master.html
O4 - HKLM\..\Run: [// Description: The "master" block page sets up a Websense block page ] c:\WINDOWS\System32\// Description: The "master" block page sets up a Websense block page that
O4 - HKLM\..\Run: [// needs fra] c:\WINDOWS\System32\// needs frames.
O4 - HKLM\..\Run: [// Websense Inc. (Websense) has prepared this material for us] c:\WINDOWS\System32\// Websense Inc. (Websense) has prepared this material for use by
O4 - HKLM\..\Run: [// Websense personnel, licensees, and customers. The informa] c:\WINDOWS\System32\// Websense personnel, licensees, and customers. The information
O4 - HKLM\..\Run: [// contained herein is the property of Websense and shall no] c:\WINDOWS\System32\// contained herein is the property of Websense and shall not be
O4 - HKLM\..\Run: [// reproduced in whole or part without the prior written con] c:\WINDOWS\System32\// reproduced in whole or part without the prior written consent
O4 - HKLM\..\Run: [// of an authorized representative of Websense ] c:\WINDOWS\System32\// of an authorized representative of Websense Inc.
O4 - HKLM\..\Run: [// RESTRICTED RIGHTS LE] c:\WINDOWS\System32\// RESTRICTED RIGHTS LEGEND
O4 - HKLM\..\Run: [// Use, duplication or disclosure by the U.S. Government is sub] c:\WINDOWS\System32\// Use, duplication or disclosure by the U.S. Government is subject
O4 - HKLM\..\Run: [// to restrictions as set forth in subdivision (b)(3)(ii) of the Ri] c:\WINDOWS\System32\// to restrictions as set forth in subdivision (b)(3)(ii) of the Rights
O4 - HKLM\..\Run: [// in Technical Data and Computer Software clause at 52.227-7013. ] c:\WINDOWS\System32\// in Technical Data and Computer Software clause at 52.227-7013. All
O4 - HKLM\..\Run: [// other Government use , duplication or disclosure shall be gove] c:\WINDOWS\System32\// other Government use , duplication or disclosure shall be governed
O4 - HKLM\..\Run: [// exclusively by the terms of the Websense Subscription Agreem] c:\WINDOWS\System32\// exclusively by the terms of the Websense Subscription Agreement.
O4 - HKLM\..\Run: [// Websense, ] c:\WINDOWS\System32\// Websense, Inc.
O4 - HKLM\..\Run: [// Copyright (c) 1997 - ] c:\WINDOWS\System32\// Copyright (c) 1997 - 2003
O4 - HKLM\..\Run: [// 10240 Sorrento Valle] c:\WINDOWS\System32\// 10240 Sorrento Valley Rd
O4 - HKLM\..\Run: [// San Diego, CA 9] c:\WINDOWS\System32\// San Diego, CA 92121
O4 - HKLM\..\Run: [// (858) 320-] c:\WINDOWS\System32\// (858) 320-8000
O4 - HKLM\..\Run: [// The Websense Tokens contained in this page are the follow] c:\WINDOWS\System32\// The Websense Tokens contained in this page are the following:
O4 - HKLM\..\Run: [// 1) *WS_TOPFRAME] c:\WINDOWS\System32\// 1) *WS_TOPFRAMEURL*
O4 - HKLM\..\Run: [// - Outputs the target url for the upper frame. The default is] c:\WINDOWS\System32\// - Outputs the target url for the upper frame. The default is the
O4 - HKLM\..\Run: [// block.html block p] c:\WINDOWS\System32\// block.html block page.
O4 - HKLM\..\Run: [// 2) *WS_BOTTOMFRAME] c:\WINDOWS\System32\// 2) *WS_BOTTOMFRAMEURL*
O4 - HKLM\..\Run: [// - Outputs the target url for the lower frame. This depends on] c:\WINDOWS\System32\// - Outputs the target url for the lower frame. This depends on the
O4 - HKLM\..\Run: [// blocking option that is selec] c:\WINDOWS\System32\// blocking option that is selected.
O4 - HKLM\..\Run: [// 3) *WS_SESSIO] c:\WINDOWS\System32\// 3) *WS_SESSIONID*
O4 - HKLM\..\Run: [// - This is a mandatory token that must follow Websense speci] c:\WINDOWS\System32\// - This is a mandatory token that must follow Websense specified
O4 - HKLM\..\Run: [// *WS_TOPFRAMEURL* and *WS_BOTTOMFRAMEURL* tok] c:\WINDOWS\System32\// *WS_TOPFRAMEURL* and *WS_BOTTOMFRAMEURL* tokens.
O4 - HKLM\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=UTF] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
O4 - HKLM\..\Run: [<title>Blocked by Camp Doha Kuwait Websense</ti] c:\WINDOWS\System32\<title>Blocked by Camp Doha Kuwait Websense</title>
O4 - HKLM\..\Run: [<frameset rows=471 frameborder=0 borde] c:\WINDOWS\System32\<frameset rows=471 frameborder=0 border=0>
O4 - HKLM\..\Run: [<frame src="
name=ws_block marginwidth=0 marginheight=0 scrolling="au] c:\WINDOWS\System32\<frame src="
name=ws_block marginwidth=0 marginheight=0 scrolling="auto">
O4 - HKLM\..\Run: [<noframes>You have been blocked by Websense.<p>You must have a frames capable browser to view the remainder of this document correctly.</noframes></frameset></h] c:\WINDOWS\System32\<noframes>You have been blocked by Websense.<p>You must have a frames capable browser to view the remainder of this document correctly.</noframes></frameset></html>
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<head>
O4 - HKCU\..\Run: [// Description: The "master" block page sets up a Websense block page ] c:\WINDOWS\System32\// Description: The "master" block page sets up a Websense block page that
O4 - HKCU\..\Run: [// needs fra] c:\WINDOWS\System32\// needs frames.
O4 - HKCU\..\Run: [/////////////////////////////////////////////////////////////////////////] c:\WINDOWS\System32\/////////////////////////////////////////////////////////////////////////////
O4 - HKCU\..\Run: [// PROPRIETARY MATER] c:\WINDOWS\System32\// PROPRIETARY MATERIALS
O4 - HKCU\..\Run: [// Websense Inc. (Websense) has prepared this material for us] c:\WINDOWS\System32\// Websense Inc. (Websense) has prepared this material for use by
O4 - HKCU\..\Run: [// Websense personnel, licensees, and customers. The informa] c:\WINDOWS\System32\// Websense personnel, licensees, and customers. The information
O4 - HKCU\..\Run: [// contained herein is the property of Websense and shall no] c:\WINDOWS\System32\// contained herein is the property of Websense and shall not be
O4 - HKCU\..\Run: [// reproduced in whole or part without the prior written con] c:\WINDOWS\System32\// reproduced in whole or part without the prior written consent
O4 - HKCU\..\Run: [// of an authorized representative of Websense ] c:\WINDOWS\System32\// of an authorized representative of Websense Inc.
O4 - HKCU\..\Run: [// RESTRICTED RIGHTS LE] c:\WINDOWS\System32\// RESTRICTED RIGHTS LEGEND
O4 - HKCU\..\Run: [// Use, duplication or disclosure by the U.S. Government is sub] c:\WINDOWS\System32\// Use, duplication or disclosure by the U.S. Government is subject
O4 - HKCU\..\Run: [// to restrictions as set forth in subdivision (b)(3)(ii) of the Ri] c:\WINDOWS\System32\// to restrictions as set forth in subdivision (b)(3)(ii) of the Rights
O4 - HKCU\..\Run: [// in Technical Data and Computer Software clause at 52.227-7013. ] c:\WINDOWS\System32\// in Technical Data and Computer Software clause at 52.227-7013. All
O4 - HKCU\..\Run: [// other Government use , duplication or disclosure shall be gove] c:\WINDOWS\System32\// other Government use , duplication or disclosure shall be governed
O4 - HKCU\..\Run: [// exclusively by the terms of the Websense Subscription Agreem] c:\WINDOWS\System32\// exclusively by the terms of the Websense Subscription Agreement.
O4 - HKCU\..\Run: [// Websense, ] c:\WINDOWS\System32\// Websense, Inc.
O4 - HKCU\..\Run: [// Copyright (c) 1997 - ] c:\WINDOWS\System32\// Copyright (c) 1997 - 2003
O4 - HKCU\..\Run: [// 10240 Sorrento Valle] c:\WINDOWS\System32\// 10240 Sorrento Valley Rd
O4 - HKCU\..\Run: [// San Diego, CA 9] c:\WINDOWS\System32\// San Diego, CA 92121
O4 - HKCU\..\Run: [// (858) 320-] c:\WINDOWS\System32\// (858) 320-8000
O4 - HKCU\..\Run: [// The Websense Tokens contained in this page are the follow] c:\WINDOWS\System32\// The Websense Tokens contained in this page are the following:
O4 - HKCU\..\Run: [// 1) *WS_TOPFRAME] c:\WINDOWS\System32\// 1) *WS_TOPFRAMEURL*
O4 - HKCU\..\Run: [// - Outputs the target url for the upper frame. The default is] c:\WINDOWS\System32\// - Outputs the target url for the upper frame. The default is the
O4 - HKCU\..\Run: [// block.html block p] c:\WINDOWS\System32\// block.html block page.
O4 - HKCU\..\Run: [// 2) *WS_BOTTOMFRAME] c:\WINDOWS\System32\// 2) *WS_BOTTOMFRAMEURL*
O4 - HKCU\..\Run: [// - Outputs the target url for the lower frame. This depends on] c:\WINDOWS\System32\// - Outputs the target url for the lower frame. This depends on the
O4 - HKCU\..\Run: [// blocking option that is selec] c:\WINDOWS\System32\// blocking option that is selected.
O4 - HKCU\..\Run: [// 3) *WS_SESSIO] c:\WINDOWS\System32\// 3) *WS_SESSIONID*
O4 - HKCU\..\Run: [// - This is a mandatory token that must follow Websense speci] c:\WINDOWS\System32\// - This is a mandatory token that must follow Websense specified
O4 - HKCU\..\Run: [// *WS_TOPFRAMEURL* and *WS_BOTTOMFRAMEURL* tok] c:\WINDOWS\System32\// *WS_TOPFRAMEURL* and *WS_BOTTOMFRAMEURL* tokens.
O4 - HKCU\..\Run: [//////////////////////////////////////////////////////////////////////////] c:\WINDOWS\System32\///////////////////////////////////////////////////////////////////////////-->
O4 - HKCU\..\Run: [<meta http-equiv="Content-Type" content="text/html; charset=UTF] c:\WINDOWS\System32\<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
O4 - HKCU\..\Run: [<title>Blocked by Camp Doha Kuwait Websense</ti] c:\WINDOWS\System32\<title>Blocked by Camp Doha Kuwait Websense</title>
O4 - HKCU\..\Run: [<frameset rows=471 frameborder=0 borde] c:\WINDOWS\System32\<frameset rows=471 frameborder=0 border=0>
O4 - HKCU\..\Run: [<frame src="
name=ws_block marginwidth=0 marginheight=0 scrolling="au] c:\WINDOWS\System32\<frame src="
name=ws_block marginwidth=0 marginheight=0 scrolling="auto">
O4 - HKCU\..\Run: [<noframes>You have been blocked by Websense.<p>You must have a frames capable browser to view the remainder of this document correctly.</noframes></frameset></h] c:\WINDOWS\System32\<noframes>You have been blocked by Websense.<p>You must have a frames capable browser to view the remainder of this document correctly.</noframes></frameset></html>
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -