# How do I uninstall Free Scratch Cards



## stephanidowd (Mar 23, 2003)

The little program installed itself on my PC. It is called Free Scratch Cards. It opens at start up and is in my system tray. There is no option to remove it under add/remove programs. I cannot find any file on my PC called Scratch or Cards.
I have win XP.

The uninstall option leads to an invalid web address:

http://www.free-scratch-cards.com/uninstall.html

Help me please, this is frustrating.

Thank you!!
--steph


----------



## Talamasca (Mar 23, 2003)

Look in Program Files on your hard drive. It probably won't be anything obvious, so you'll have to poke around.
It's probably not in your Adobe or Yahoo folder, so look in folders with unfamiliar names.


----------



## Steppinstone (Aug 18, 2002)

Just to get you started in the right direction please go HERE! and download startup list, unzip and run, then copy and paste the results back to this thread and someone will take a look at it for you!
Chari


----------



## Crossfire (Sep 11, 2002)

I just got hit with it here at work earlier this morning. SpyBot doesn't know about it - YET! - but I seem to have disabled it manually by using REGEDIT and MSCONFIG.

The pop-up prompt box which asks you whether you want to install it has no [X] button to close the box - only "Help" and "Yes" buttons. I did not and would not click either one. Instead, I used CTRL+ALT+DEL to close it via the task list. Still, it had already installed itself, as evidenced when I rebooted a while later and got the same prompt on boot-up. That's when I knew it had gone into the RUN key.

I am making a guess when I say that the drive-by-installed executable MIGHT use a random name, as the unusual startup entry which suddenly appeared on this machine - referencing an .EXE which was created this morning - called for DFEMFTTF.EXE. That doesn't have any obvious meaning that I can see. Other odd files with very recent dates/times were DFUSECBY.EXE, DELXCMIR.EXE, DVNJTSNM.DLL, DEBCBVPK.EXE, and FSC.INI [not an ASCII text file like you'd expect for an .INI extension]. There were also RUN keys in the registry, one referencing DFEMFTTF.EXE and another referencing something else that I didn't recognize.

An observation: Notice how these EXE and DLL files all start with a D, have 8 characters, and never more than 2 vowels?

After making changes with MSCONFIG and REGEDIT, I did not get that "Free Scratch Cards" box at startup again. I did, however, tweak up the default browser security settings on this machine, which seem to have been set to a lower security level by someone else here, even after I had raised them after being hit by Xupiter several months ago. That's the problem with communal computers...


----------



## stephanidowd (Mar 23, 2003)

I was able to narrow it down to the file: 

Thanks for all your help. I disabled the programs in startup (Start>>Run>>msconfig>>startup tab>>disable). The "Free Scratch Cards" ad/spyware has stopped. I checked out the files in the startup that were disabled and only one stands out. I checked the file names by searching on Microsoft Support and Google websites. I have not been able to find a purpose for just one. The file is: tnjpfpvk.exe
It was installed in the C:\windows\system32 folder.

Thanks,
--steph


----------



## Crossfire (Sep 11, 2002)

Interesting... I may be right about my random filename theory. That could make detection difficult, but I would assume that there would be other ways to detect it. For instance, the filename itself may be random while the actual contents of the .EXE could perhaps be fingerprinted.

I'm sure it's only a matter of time before SpyBot, AdAware, etc. gain the ability to detect and remove this little stinker. I'll assume that at least SOMEBODY in the detection-and-removal software business is aware of Free Scratch Cards and is working on a cure. In the meantime, it seems that the best fix might be to use MSCONFIG to check for the recent appearance of weird, unrecognized entries - which will vary from one system to the next, so it's really up to the user to know what's normal for the system and to decide what doesn't look right.

Vigilance. Always vigilance.


----------



## brendandonhu (Jul 8, 2002)

Random filename generation is good for keeping A/V/Spyware detection companies using the proper methods.

If they detect by filename, a picture of an Alligator called Gator might be detected as the spyware Gator. It's better to search by contents of the file. There is no simple way around it except on a case by case basis using a hex editor, and this method does not really work when you are offering software for download because you just can't change the file every 5 minutes to ensure it's not detected.
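The point above, that a random file name defeats name-based matching but not content-based matching, is easy to demonstrate. The following is an added example (not code from this thread or from any of the tools discussed): it hashes constructed stand-in files, so two copies of the same bytes under different random names produce one SHA-256, while a JPEG that happens to be called "gator" is left alone. It also checks for the mismatch Crossfire noticed earlier, an .INI file whose contents are not text. The sample bytes and the `MZ_HEADER` constant are constructed for the example and are not real FSC artefacts.

```python
import hashlib

# Constructed sample files (name -> bytes); the contents are stand-ins, not
# real spyware. MZ_HEADER imitates the first bytes of a Windows executable.
MZ_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"
SAMPLES = {
    "dfemfttf.exe": MZ_HEADER + b"installer-build-1",
    "tnjpfpvk.exe": MZ_HEADER + b"installer-build-1",   # same bytes, different random name
    "fsc.ini":      MZ_HEADER + b"settings-blob",       # .ini extension, binary content
    "win.ini":      b"[fonts]\r\n[extensions]\r\n",     # a genuine text .ini
    "gator.jpg":    b"\xff\xd8\xff\xe0\x00\x10JFIF",    # a picture called gator, not Gator
}

TEXT_EXTENSIONS = {"ini", "txt", "inf", "log"}


def fingerprint(data):
    """SHA-256 over the contents; the file name plays no part."""
    return hashlib.sha256(data).hexdigest()


def looks_like_text(data):
    """An .INI should be printable text: no NUL bytes, no executable header."""
    return b"\x00" not in data and not data.startswith(b"MZ")


def extension_mismatch(name, data):
    """True when a text-type extension sits on binary content."""
    ext = name.rsplit(".", 1)[-1].lower()
    return ext in TEXT_EXTENSIONS and not looks_like_text(data)


def scan(files, known_bad_hashes):
    """Return {name: reason} for files matched by content hash or by an
    extension that lies about the content."""
    hits = {}
    for name, data in files.items():
        digest = fingerprint(data)
        if digest in known_bad_hashes:
            hits[name] = "content hash matches a known sample"
        elif extension_mismatch(name, data):
            hits[name] = "text extension but binary content"
    return hits


if __name__ == "__main__":
    # One analysed sample yields a hash that catches every renamed copy.
    known = {fingerprint(SAMPLES["dfemfttf.exe"])}
    for name, reason in scan(SAMPLES, known).items():
        print(f"{name}: {reason}")
```

An exact hash only catches byte-identical copies; a dropper that rebuilds itself with different padding on every machine would need a fuzzier content signature, which is the job the signature vendors in this thread are doing.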


----------



## mViOkPe (Oct 15, 2002)

In SSD, go to Settings/Settings/WebUpdate and tick 'also display available betas'. Remember though that these sigs are beta. Please let us know about your results.

:: 2003-03-24 (beta)
Trojan: 
++ LinkReplacer, 
++ ozexexc
Hijacker: 
++ MSInfoSys, 
++ ShopNav, 
++ Inet Delivery, 
++ SiteHlpr, 
++ SecondPower, 
++ WindowsIE, 
+ UnderageHost, 
+ Xupiter.OrbitExplorer
Spyware: 
++ Wishbone, 
++ Inet Delivery, 
++ ClientMan (aka iPend), 
*++ FreeScratchCards,* 
+ C2.lop, 
+ INetSpeak, 
+ WurldMedia, 
+ VX2/e, 
+ OnePop, 
+ eBates, 
+ SaveNow
Tracks: 
++ Adobe ImageReady 7.0, 
++ Adobe Photoshop 7.0, 
++ Adobe Save For Web 3.0, 
++ CD-R Diagnostic, 
++ Cubasis InWired, 
++ Futuris Imager, 
++ KD MakeThumbs, 
++ Macromedia Director MX, 
++ Macromedia Flash MX, 
++ Oasys Columbus, 
++ Paint Shop Pro 8, 
++ Paint Shop Photo Album, 
++ Serif PhotoPlus 5.5, 
++ Ulead PhotoImpact 8.0, 
++ Ulead Export Web Album, 
++ Ulead Export Web Slide Show, 
+ MS Media Player


----------



## Crossfire (Sep 11, 2002)

Got the beta includes. SSD detected only registry keys for FSC - one for "Code storage database" and one for "User Settings." These are leftovers that I didn't catch [because I wasn't looking for them] when I manually yanked FreeScratchCards out with my bare hands, just as I did with Xupiter last year.

If this machine ever gets hit with FSC again, I'll let SpyBot kill it properly. I run it at least semi-regularly here, and it's a danged good thing I do, because nobody else seems to be keeping track of security on this machine.


----------



## Telperion (Mar 26, 2003)

I used the given instructions and had very positive results. The beta download, that was mentioned in the last post did the job. Without it the program couldn't find FSC, so it was required. But after that: no more problems.


----------



## nemrac624 (Mar 26, 2003)

I had a problem with free scratch cards. I found through task manager that there was a file called ghuhlafo.exe in my windows/system32 folder. I deleted it, but it kept re-appearing. Later, I saw about 5 more files with the same little dollar sign icon. Once I deleted all of them, I never got the free scratch cards again.


----------



## tamster (Mar 28, 2003)

It took me 3 1/2 hours, several alcoholic beverages, and a lot of swearing, but I think I've finally been able to rid myself of this god awful piece of crap... 

First, I would suggest downloading Spybot S&D, as numerous items get added from Lop.com.

Next, search for and delete any FSC* files on your pc. 

Then, remove the following items from C:\windows\system32

bvfggeak.exe
ktqcgdpa.dll
fsc.ini
cbuoptpt.dll
csgvgqnw.exe
cjhxuwsr.exe
kksowjuv.exe
klbjyamc.exe
bnahasqt.exe
vmolgucf.exe
vdxiutvm.exe
vxhyxtms.exe
voqvlsfa.exe
vuaukzai.exe
vujomqtp.dll
bedtqyvo.exe
bmrnybym.dll
kuzxhuih.exe

If you only remove kuzxhuih.exe, which is the process that shows it's running, it will regenerate the next time you reboot.

In closing, I hope these *******s die with festering boils.


----------



## Javacool (Jan 17, 2003)

> _Originally posted by Crossfire:_
> If this machine ever gets hit with FSC again, I'll let SpyBot kill it properly.


For anyone interested:

The latest SpywareBlaster update (today in fact) can prevent the installation of FreeScratchCards.

Best regards,

-Javacool


----------



## Omega (Apr 15, 2003)

> _Originally posted by Steppinstone:_
> Just to get you started in the right direction please go HERE! and download startup list, unzip and run, then copy and paste the results back to this thread and someone will take a look at it for you!
> Chari


I did like you said and this is what it looks like...

StartupList report, 4/15/2003, 9:14:02 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for startuplist1521.zip\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\mcafee.com\VSO\mcvsshld.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\Program Files\mcafee.com\Agent\mcupdate.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM95\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for startuplist1521.zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
KBD = C:\HP\KBD\KBD.EXE
DDCM = "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
DDCActiveMenu = "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
S3TRAY2 = S3tray2.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PS2 = C:\WINDOWS\system32\ps2.exe
VirusScan Online = C:\Program Files\mcafee.com\VSO\mcvsshld.exe
MCAgentExe = C:\Program Files\mcafee.com\Agent\mcagent.exe
MCUpdateExe = C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Sentry = C:\WINDOWS\Sentry.exe
ekovzopg = C:\WINDOWS\System32\ekovzopg.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\ipinsigt.dll - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
(no name) - C:\WINDOWS\MSView.DLL - {00000580-C637-11D5-831C-00105AD6ACF0}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\btiein.dll - {63B78BC1-A711-4D46-AD2F-C581AC420D41}
(no name) - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll - {A6250FB8-2206-499E-A7AA-E1EC437E71C0}
(no name) - c:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Registration reminder 3.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[sys Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[{26E8361F-BCE7-4F75-A347-98C88B418322}]
InProcServer32 = C:\WINDOWS\DOWNLO~1\btiein.dll
CODEBASE = http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab

[Register Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HWUtils.dll
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/3.1.5/HiwireBF.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/2229019b909c6aae4515/netzip/RdxIE2.cab

[{69FD62B1-0216-4C31-8D55-840ED86B7C8F}]
CODEBASE = http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37572.3147106481

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\System32\nsupdate.dll
CODEBASE = http://xbs.sea.mtree.com/mt/dialers/on/US/NSupd9x.cab

[{ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE}]
CODEBASE = http://206.161.193.101/install.exe

[{FC327B3F-377B-4CB7-8B61-27CD69816BC3}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SNDbMark.dll
CODEBASE = http://www.clock-sync.com/ClockSyncAutoSYNC0009.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,790 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Can anyone help me get rid of this cursed program? (I also downloaded spyware as of this morning).

Any help would be greatly appreciated.
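Crossfire's earlier observation (eight-letter names, few vowels, freshly created, and a matching RUN key) and the StartupList report above together describe a triage procedure: pull the Run entries out of the log and compare them with what you know is normal for the machine. The following is an added example, not code from the thread or from StartupList itself. It parses a constructed excerpt in the StartupList 1.52 layout, built from entries in the log above, and scores each Run value against those heuristics; `BASELINE` is a constructed stand-in for a log saved while the machine was known clean. Note that the vowel count is a weak signal on its own (several names in this thread have three vowels), which is why entries are only flagged when at least two signals agree and the name is not already in the baseline.

```python
import re
from collections import namedtuple

# Constructed excerpt in the StartupList 1.52 layout, built from the entries
# in the log posted above (not the complete log).
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Sentry = C:\WINDOWS\Sentry.exe
ekovzopg = C:\WINDOWS\System32\ekovzopg.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Value names previously vetted on this machine (constructed baseline; in
# practice, taken from a StartupList log saved while the system was clean).
BASELINE = {"hpsysdrv", "QuickTime Task", "MSMSGS"}

RunEntry = namedtuple("RunEntry", "hive name path")

RUN_HEADER = re.compile(r"^(HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
RUN_VALUE = re.compile(r'^(?P<name>.+?)\s*=\s*"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.I)
VOWELS = set("aeiou")


def parse_run_entries(report):
    """Collect name/path pairs from the HKLM and HKCU ...\\Run sections."""
    entries, hive = [], None
    for raw in report.splitlines():
        line = raw.strip()
        header = RUN_HEADER.match(line)
        if header:
            hive = header.group(1).upper()
            continue
        if line.startswith("-----"):        # section separator ends the Run block
            hive = None
            continue
        value = RUN_VALUE.match(line)
        if hive and value:
            entries.append(RunEntry(hive, value.group("name"), value.group("path")))
    return entries


def suspicion_reasons(entry):
    """Signals drawn from the thread: 8-letter stem, few vowels, dropped straight
    into System32, and a value named after its own file. Each is weak alone."""
    folder, _, filename = entry.path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    reasons = []
    if len(stem) == 8 and stem.isalpha():
        reasons.append("8-letter alphabetic stem")
    if sum(c.lower() in VOWELS for c in stem) <= 2:
        reasons.append("two or fewer vowels")
    if folder.lower().endswith("\\system32"):
        reasons.append("sits directly in System32")
    if entry.name.lower() == stem.lower():
        reasons.append("value name equals file name")
    return reasons


def triage(report, baseline, min_reasons=2):
    """Return {name: reasons} for entries not in the baseline that trip at
    least min_reasons of the heuristics."""
    flagged = {}
    for entry in parse_run_entries(report):
        if entry.name in baseline:
            continue
        reasons = suspicion_reasons(entry)
        if len(reasons) >= min_reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT, BASELINE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run without a baseline, the same heuristics also flag the legitimate HP entry `hpsysdrv` (eight letters, no vowels, named after its file), which is exactly why the thread keeps saying the user has to know what is normal for the system: the heuristics narrow the list, the baseline decides.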


----------



## Steppinstone (Aug 18, 2002)

Well you do have some nasties in there but I am not even close to being smart enough to guide you the rest of the way. Hang tough someone will be along to look at this. Good luck! Chari


----------



## Top Banana (Nov 11, 2002)

You have various junk on your machine. Download SSD. "Online" tab > Search for and download all updates. Close all IE windows. Scan with SSD and remove all the RED entries.

Then post a new StartupList log.


----------



## Omega (Apr 15, 2003)

StartupList report, 4/15/2003, 11:44:39 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for startuplist1521.zip\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\mcafee.com\VSO\mcvsshld.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\Program Files\mcafee.com\Agent\mcupdate.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM95\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for startuplist1521.zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
KBD = C:\HP\KBD\KBD.EXE
DDCM = "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
DDCActiveMenu = "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
S3TRAY2 = S3tray2.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PS2 = C:\WINDOWS\system32\ps2.exe
VirusScan Online = C:\Program Files\mcafee.com\VSO\mcvsshld.exe
MCAgentExe = C:\Program Files\mcafee.com\Agent\mcagent.exe
MCUpdateExe = C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ekovzopg = C:\WINDOWS\System32\ekovzopg.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Registration reminder 3.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[sys Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Register Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HWUtils.dll
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/3.1.5/HiwireBF.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/2229019b909c6aae4515/netzip/RdxIE2.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37572.3147106481

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{FC327B3F-377B-4CB7-8B61-27CD69816BC3}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SNDbMark.dll
CODEBASE = http://www.clock-sync.com/ClockSyncAutoSYNC0009.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,613 bytes
Report generated in 0.109 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Ok...downloaded SSD and this is the new list. How does it look now? (the scratch card thingy didn't pop up when I rebooted my computer...Hoooray!)


----------



## Top Banana (Nov 11, 2002)

Yes, that looks a lot better. A few more things I would do:

C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
Both of these look familiar, but I'm not sure. I think they are legitimate. Do a search for them, right-click, Properties.

ekovzopg = C:\WINDOWS\System32\ekovzopg.exe
This looks very odd. You should definitely investigate this.

IE > Tools > Internet Options > View Objects > right-click > Remove...........

[Register Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HWUtils.dll
CODEBASE = http://content.hiwirenetworks.net/i....5/HiwireBF.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/2229019b909c6a...tzip/RdxIE2.cab

The DPF below is from WhenU.com. Up to you. WhenU is not for me.

[{FC327B3F-377B-4CB7-8B61-27CD69816BC3}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SNDbMark.dll
CODEBASE = http://www.clock-sync.com/ClockSyncAutoSYNC0009.cab


----------



## Corrosive (Jan 9, 2003)

> ekovzopg = C:\WINDOWS\System32\ekovzopg.exe
> This looks very odd. You should definitely investigate this.


It does seem to fit the FSC profile that has been uncovered here, but I'm surprised that Spybot didn't catch it. I think it would be best to rename the file or give it a *.old extension and reboot to see if any problems arise. If not, banish to the voids of binary hell!


----------



## Omega (Apr 15, 2003)

Thanks everyone for your help. Much appreciated!


----------



## dmille (Apr 19, 2003)

Look for this in your files and in the registry, ysskpnxl


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by dmille:_
> Look for this in your files and in the registry, ysskpnxl


I'm afraid you won't find it, as FSC unfortunately uses random file names.

It therefore can't be detected by file name alone.


----------



## dmille (Apr 19, 2003)

When the install app was open, I hit ctrl-alt-delete to open my Windows task manager.

I right clicked on the free scratch card app in the task list. It opened the menu and I clicked on "go to process".

That was how I found the file name. I wrote it down and searched for it first in my registry, then with windows explorer.


----------



## brendandonhu (Jul 8, 2002)

As Tony just said, FSC has random filenames and that file is only on your PC.


----------



## foaxaca (Apr 21, 2003)

I discovered the start-up box asking if I wanted to accept the installation of Free Scratch Cards (FSC) when I booted up my laptop this morning. Seems my 13 year old son had encountered it after browsing a website with lists of humorous embarrassing moments. A pop-up window appeared with no option for exiting when he accessed the website. He used the Win XP task manager to kill the process so FSC didn't load but certain files were loaded and some registry changes were made.

I found 4 files in the Windows/System32 directory with the following random looking names. One clue was that they were all modified/created yesterday at the same time:

BHSTOOAM
BILIRWLA
BCZKVGSA
BKNDJJUX

2 of them were .exe files, one had a green and yellow dollar sign logo and was an .fsc file and the final one was a .dll. I removed all of them from that directory and put them on my desktop. Before that I ran msconfig and found a strange start-up item with the name "bilirwla". Running a search for files modified or created yesterday came up with an identically named file in the above directory as well as the other three.

I unchecked that strange start up item in msconfig and then went to regedit and searched the registry for any entry with each of the above 4 file names. There were several which I deleted. ALL OF THEM! I then rebooted my machine and no more pop-up box asking about FSC. At least a couple of the registry changes had "FSC" in the name so that might be another string to search for in regedit.

I ran SpyBot Search and Destroy before doing all of this and it didn't find anything but I don't think I had the latest identification list. I hope this little summary helps.

By the way, the pop-up window asking if you want to let FSC load has a help button that if you click on it gives you an exit option so that it doesn't load. Clicking on that will prevent it from loading which I thought was strange. This is obviously an underhanded attempt to load spyware on unsuspecting users but at least the programmers of this little work of art had some conscience!


----------



## TonyKlein (Aug 26, 2001)

If you'd like, do this:

Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless, so don't fix anything yet.

There might be a few things left, and HT will help pinpoint them.


----------



## foaxaca (Apr 21, 2003)

Here it is, Tony . . .

Logfile of HijackThis v1.93.0
Scan saved at 9:41:08 PM, on 4/21/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://government.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://government.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://government.dellnet.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_7.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TrueMobile 1150 Client Manager.lnk = C:\Program Files\Dell TrueMobile 1150\Client Manager\CmDEL.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks11_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.9952083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.117/install.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab


----------



## TonyKlein (Aug 26, 2001)

OK, there's an FSC ActiveX control, and SpyBot also forgot to remove an iGetNet Browser plugin.

Run Hijack This, and check ALL of the items in bold. Next, shut down _all_ browser Windows, and have HT fix all checked.

*O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - (no file)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http//206.161.193.117/install.exe*

Cheers,


----------



## Grady (Apr 24, 2003)

I'm very new here - just registered tonight - If I post my hijacked list will someone take a look at it for me? This thing is driving me crazy! Thanks in advance for your help.


----------



## brendandonhu (Jul 8, 2002)

Yes, but post it in a new thread in security and someone will help out.
If it's the same prob as in this thread, follow the instructions here 1st as the spyware problem is pretty common.


----------



## lilk8tob (May 2, 2003)

I have tried everything I've seen on these pages, but still have the Free Scratch Card thing popping up- I installed the Spybot Search and destroy and the hijackthis, but don't know where to go from here.... I even tried to uninstall the file I think is causing the problem: C:\WINDOWS\SYSTEM\qtmzmlez.exe, but after restarting my computer, it was back. I really don't know what I am doing... any help is greatly appreciated!! Thanks so much! Katie


----------



## Top Banana (Nov 11, 2002)

Katie
Scan with HijackThis > "Scan" changes to "Save Log" > Save the log and copy and paste it into your next post.


----------



## lilk8tob (May 2, 2003)

Logfile of HijackThis v1.93.0
Scan saved at 8:18:22 PM, on 5/1/2001
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: Yahoo! Word Racer (Shockwave ActiveX Control) - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.85/install.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37742.6946412037


----------



## Top Banana (Nov 11, 2002)

Scan with HT, "Fix" below, then reboot.
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.85/install.exe

Unrelated, but I would also "Fix"
O15 - Trusted Zone: http://free.aol.com


----------



## lilk8tob (May 2, 2003)

YOU ARE WONDERFUL!! It worked! Thanks for your help! Katie


----------



## Top Banana (Nov 11, 2002)

No problem Katie. Glad you got it sorted.


----------



## Grady (Apr 24, 2003)

I have the free scratch cards - and others I believe -- please help - I dunno what to do - Thank You!!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.news14charlotte.com/content/top_stories/Default.asp?SecID=1&RegionCookie=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
O1 - Hosts: 216.239.39.101 desktop.kazaa.com
O1 - Hosts: 216.239.39.101 shop.kazaa.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0edff403-524a-4153-8d5b-ed27ea42eac2} - C:\DOCUME~1\Christy\APPLIC~1\ckiqumbrzk.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstBoot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB002" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\pRmvr.exe
O4 - HKLM\..\Run: [hjqmtxhg] C:\WINDOWS\System32\hjqmtxhg.exe
O4 - HKLM\..\Run: [crbrzi] C:\DOCUME~1\Christy\APPLIC~1\tststshw.exe -QuieT
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
O4 - HKLM\..\Run: [PSSetup] "C:\Program Files\PowerStrip\PSSetup.exe" 
O4 - HKCU\..\Run: [DesktopX] "C:\Program Files\Object Desktop\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &All by FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/291/nCaseInstaller.cab
O16 - DPF: {7704D8D8-9EFE-4D82-9C89-0ECBA8434EEE} (PSSetup Class) - http://www.adsvr.net/PowerStrip/PSOCX.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37691.6186342593
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - http://64.246.24.68/Aff_Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/action/NSupd9x.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://akweb.whenu.com/WsCsAutoWCCS0017.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = t7164.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = t7164.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{167F14CE-6A4D-4A15-972F-9EFECD33D946}: Domain = t7164.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A290F616-1783-414D-8091-F2112B7CCC5F}: Domain = t7164.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB1789D7-B4F2-4FA3-BC8F-D22DBEE82DE0}: Domain = t7164.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = t7164.ecpm.com


----------



## Grady (Apr 24, 2003)

Jesus my list is huge compared to everyone else's!! lol


----------



## brendandonhu (Jul 8, 2002)

It looks like you have a lot of spyware installed, including kazaa's bundle.
Have you run spybot yet?
http://tomcoyote.com/SPYBOT


----------



## Grady (Apr 24, 2003)

Yes, I've run spybot and there's another I've run called spysweeper, and ran adaware. I'm blaming this all on my girlfriend by the way. Thanks for your help.


----------



## TonyKlein (Aug 26, 2001)

Run Hijack This, and check ALL of the items in bold. Doublecheck so as to be sure not to miss a single one.
Next, shut down _all_ browser Windows, and have HT fix all checked.

You NEED to reboot when you're done.

*O1 - Hosts: 216.239.39.101 desktop.kazaa.com
O1 - Hosts: 216.239.39.101 shop.kazaa.com

O2 - BHO: (no name) - {0edff403-524a-4153-8d5b-ed27ea42eac2} - C:\DOCUME~1\Christy\APPLIC~1\ckiqumbrzk.dll
O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Warning: do not remove it!] fpplock.exe (Yup, remove that one as well! Especially that one...)
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\pRmvr.exe
O4 - HKLM\..\Run: [hjqmtxhg] C:\WINDOWS\System32\hjqmtxhg.exe
O4 - HKLM\..\Run: [crbrzi] C:\DOCUME~1\Christy\APPLIC~1\tststshw.exe -QuieT
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe

O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {7704D8D8-9EFE-4D82-9C89-0ECBA8434EEE} (PSSetup Class) - http://www.adsvr.net/PowerStrip/PSOCX.cab
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - http://64.246.24.68/Aff_Installer_4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/action/NSupd9x.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://akweb.whenu.com/WsCsAutoWCCS0017.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = t7164.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = t7164.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{167F14CE-6A4D-4A15-972F-9EFECD33D946}: Domain = t7164.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A290F616-1783-414D-8091-F2112B7CCC5F}: Domain = t7164.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB1789D7-B4F2-4FA3-BC8F-D22DBEE82DE0}: Domain = t7164.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = t7164.ecpm.com*


----------



## yellowfin (May 2, 2003)

I too have been hit by this nasty pop up. I am not very tech savvy, so please bear with me. I dl'd the search and destroy program and ran it. I tried to dl the "hijack this" program, but I couldn't unzip. What do I do?


----------



## TonyKlein (Aug 26, 2001)

Well, you need to decompress it with a utility like WinZip.

Many downloads come in the shape of a compressed file, so it's an indispensable tool, really.
It has an evaluation version which you can use for a month or so.

Here are a couple of tutorials:

WinZip Tutorial

Using Winzip Tutorial

And QuickZip is an excellent alternative to WinZip that's freeware: http://www.tucows.com/system/preview/194312.html

After unzipping the file to a folder of your choice, you'll end up with the file itself, which is Hijackthis.*exe*, and _that's_ the one you'll need to doubleclick.
It will create a log automatically.


----------



## Grady (Apr 24, 2003)

Thank you for your help - seems to clear up most things - my girlfriend is another user on my comp - I ran her hijack file as well and used your delete list - I may be posting her list here as well if that's ok - again thanks so much for the help - don't know what I would have done without your help - I was real close to formatting the disk - you saved me!


----------



## TonyKlein (Aug 26, 2001)

You're welcome. 

Glad to hear that did the trick.


----------



## BarbieV86 (May 5, 2003)

Hi! I accidentally loaded this piece of crud on my computer. I downloaded the uninstall for it, but it still shows the ad. If my dad finds out it is on the computer again he will have a fit! Can someone tell me EXACTLY what process to go through in order to uninstall it, and put it in English please! lol I don't understand all the technical talk! lol Thanx so much!


----------



## TonyKlein (Aug 26, 2001)

Yup. Please do this:

Go to http://www.tomcoyote.org/hjt/, and download Hijack This.

Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless, so do NOT fix anything yet.
Someone here will be happy to help you interpret the results.


----------



## Kamicolin (May 5, 2003)

I have the "Free Scratch Cards" software too. Here's my Hijack This! log. If you could tell me what I need to fix, that'd be great. I've been trying to uninstall it for a few hours but I'm not having any luck.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.searchwords.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\Updates\BWSearch.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awhpnqwd] C:\WINDOWS\System32\awhpnqwd.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [HRYFMGDKR] C:\WINDOWS\HRYFMGDKR.exe
O4 - HKLM\..\Run: [ZAHOVCJQX] C:\WINDOWS\ZAHOVCJQX.exe
O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
O4 - HKLM\..\Run: [FMWEL] C:\WINDOWS\FMWEL.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://mx.servisco.net/access.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/291/nCaseInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37711.2853472222
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.117/install.exe


----------



## TonyKlein (Aug 26, 2001)

Wooo, you have much more than just FSC.

I've got a lot of things for you to do.

First, run Hijack This, and check ALL of the items in bold. Doublecheck so as to be sure not to miss a single one.
Next, shut down _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.searchwords.com/

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\Updates\BWSearch.dll (file missing)

O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)

O4 - HKLM\..\Run: [awhpnqwd] C:\WINDOWS\System32\awhpnqwd.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [HRYFMGDKR] C:\WINDOWS\HRYFMGDKR.exe
O4 - HKLM\..\Run: [ZAHOVCJQX] C:\WINDOWS\ZAHOVCJQX.exe
O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
O4 - HKLM\..\Run: [FMWEL] C:\WINDOWS\FMWEL.exe

O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.30/Hiwire.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http:/206.161.193.117/install.exe*

After restarting your computer, find and delete the following items:

The C:\WINDOWS\System32\awhpnqwd.exe file
The C:\WINDOWS\TVMD.exe file
The C:\WINDOWS\HRYFMGDKR.exe file
The C:\WINDOWS\ZAHOVCJQX.exe file
and C:\WINDOWS\FMWEL.exe

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Good luck,
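A small triage script, added here as an example (it is not HijackThis, Spybot or anything the thread's helpers posted), that applies the rules TonyKlein and Top Banana apply by hand in this thread to a constructed sample log built from lines quoted above: random-looking O4 autostart names outside Program Files, O16 downloads from bare IP addresses or of .exe files, O17 domain entries, O1 hosts redirects, O15 trusted-zone sites, orphaned O2/O3/R3 registrations and R0/R1 search settings pointing at a URL. Function names, thresholds and the `Finding` type are my own.

```python
"""Triage a HijackThis-style log with the rules the helpers in this thread apply by hand.
Added example, not the thread's own tool; SAMPLE_LOG is constructed from lines quoted above.
Every hit is something for a human to review, not an automatic verdict."""
import os
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4" or "O16"
    reason: str
    line: str


LINE_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
IP_URL_RE = re.compile(r"https?:/+\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.I)
ORPHAN_RE = re.compile(r"\((no file|file missing)\)", re.I)
SEARCH_KEYS = ("Search Bar=", "Default_Search_URL=", "SearchAssistant=", "CustomizeSearch=")


def looks_random(stem: str) -> bool:
    """Heuristic for names like 'dfemfttf' or 'HRYFMGDKR' seen in this thread:
    six or more letters with almost no vowels, or a run of five or more consonants.
    Short names such as TVMD.exe or pRmvr.exe are deliberately not judged."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowels / len(s) < 0.15 or longest_run >= 5


def o4_executable(rest: str):
    """Pull the executable out of an O4 Run entry such as
    'HKLM\\..\\Run: [crbrzi] C:\\DOCUME~1\\Christy\\APPLIC~1\\tststshw.exe -QuieT'.
    Startup-folder .lnk entries have no [name] and return None."""
    m = re.search(r"\]\s*(.*)$", rest)
    if "[" not in rest or not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):               # quoted path, possibly with spaces
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else None


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, rest = m.groups()
        if sec in ("R0", "R1") and any(k in rest for k in SEARCH_KEYS):
            value = rest.split("=", 1)[1].strip()
            if value and value.lower() != "about:blank":
                findings.append(Finding(sec, "search setting points at a URL", line))
        elif sec == "O1":
            findings.append(Finding(sec, "hosts-file redirect", line))
        elif sec in ("R3", "O2", "O3") and ORPHAN_RE.search(rest):
            findings.append(Finding(sec, "orphaned browser extension registration", line))
        elif sec == "O4":
            exe = o4_executable(rest)
            if exe:
                stem = os.path.splitext(exe.rsplit("\\", 1)[-1])[0]
                low = exe.lower()
                outside_program_files = "program files" not in low and "progra~" not in low
                if outside_program_files and looks_random(stem):
                    findings.append(Finding(sec, "random-looking autostart executable", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site added to Trusted Zone", line))
        elif sec == "O16":
            url = rest.rsplit(" - ", 1)[-1].strip()
            if IP_URL_RE.search(url):
                findings.append(Finding(sec, "ActiveX download from a bare IP address", line))
            elif url.lower().endswith(".exe"):
                findings.append(Finding(sec, "ActiveX entry fetches an .exe rather than a .cab", line))
        elif sec == "O17":
            findings.append(Finding(sec, "DNS domain / search suffix setting (verify it is yours)", line))
    return findings


# Constructed sample: a mix of benign and flagged lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search2.html
O1 - Hosts: 216.239.39.101 desktop.kazaa.com
O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - (no file)
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [hjqmtxhg] C:\WINDOWS\System32\hjqmtxhg.exe
O4 - HKLM\..\Run: [crbrzi] C:\DOCUME~1\Christy\APPLIC~1\tststshw.exe -QuieT
O4 - HKLM\..\Run: [HRYFMGDKR] C:\WINDOWS\HRYFMGDKR.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.117/install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = t7164.ecpm.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```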


----------



## TonyKlein (Aug 26, 2001)

BTW, before you delete these files, would you mind terribly sending me zipped up copies of the following files?

C:\WINDOWS\HRYFMGDKR.exe
C:\WINDOWS\ZAHOVCJQX.exe
C:\WINDOWS\FMWEL.exe

We're seeing a lot of these randomly named files, and I'd love to have a closer look at them for analysis.

Private Message with my e-mail addy is on its way!

Thanks a lot!


----------



## Kamicolin (May 5, 2003)

I'll do all of what you just said. I ran spybot (with the latest update) just before I posted that list, and I ran "Spy Sweeper" right after, and that found a lot more than spybot did. I'm sure a lot of the stuff you want me to delete is already gone because of that. Also, I just used the task manager to see what the files were for FSC. I found and deleted the following: 
The C:\WINDOWS\System32\awhpnqwd.exe file
The C:\WINDOWS\TVMD.exe file
The C:\WINDOWS\HRYFMGDKR.exe file
The C:\WINDOWS\ZAHOVCJQX.exe file
and C:\WINDOWS\FMWEL.exe

Then, when I restarted, they were all back again. I'll zip and send you those files. Here's the re-scanned Hijack This Log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.searchwords.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [awhpnqwd] C:\WINDOWS\System32\awhpnqwd.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [HRYFMGDKR] C:\WINDOWS\HRYFMGDKR.exe
O4 - HKLM\..\Run: [FMWEL] C:\WINDOWS\FMWEL.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://mx.servisco.net/access.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/291/nCaseInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37711.2853472222
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Now what do I need to fix with Hijack this? I figured I'd better scan again in case something had changed.


----------



## TonyKlein (Aug 26, 2001)

But I thought I explained to you what to do with Hijack This in my previous posting:

Check and have it fix the items I mentioned, reboot, and only THEN run SpyBot.

Did you do it the other way around? That would explain why the files "came back".


----------



## TonyKlein (Aug 26, 2001)

BTW, you said you actually _deleted_ the files.

Then what we may be seeing in that log is just orphaned startup entries. Are the files themselves still there?


----------



## Kamicolin (May 5, 2003)

No, I ran spybot before I read your reply. I figured you wouldn't reply for a few hours (most messageboards I've visited tend to be like that) so I tried to fix it on my own. I just realized that the files didn't come back after all, it was just the Recycle Bin copies I was finding, and then I accidentally deleted them, because I didn't realize they were Recycle Bin copies, and I thought they would just come back next restart. Sorry, I guess I can't send you them now. If they end up coming back, I'll zip them for you, though. Even though those are gone, I'm still getting the FSD on restart. I'm going to fix it with Hijack This now, and then I'll tell you how it went.


----------



## Kamicolin (May 5, 2003)

I just followed your instructions, and it appears to be gone. When I restarted FSC didn't pop up. Thanks a lot! I've never been on a board where someone replied so fast, and was so helpful. You're doing a great job here!


----------



## TonyKlein (Aug 26, 2001)

You're welcome.

Glad to hear that helped. 

Too bad about the files, but as you're the third one with a similar log I've seen in two days time, I have no doubt that more will follow before long...  

Happy surfing!


----------



## Natalie7 (May 6, 2003)

I followed all your wonderful wonderful directions..here is the mess...delete all or keep some? Thank you so much for your site..this has got to be theeeee worst pop up thing I have ever encountered on my computer here at work!

Logfile of HijackThis v1.94.0
Scan saved at 2:07:33 PM, on 05/06/2003
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://mww.metlife.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://mww.metlife.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [PaperPort] C:\Program Files\Visioneer\PaperPort\pportldr.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [TVMD] C:\WINNT\TVMD.exe
O4 - HKLM\..\Run: [tlvbsvxs] C:\WINNT\System32\tlvbsvxs.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://mww.metlife.com
O16 - DPF: {38481807-CA0E-42D2-BF39-B33AF135CC4D} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator.com/v3/download/pdpplugin_4094_hd3ptdm.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0015.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MetLife.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MetLife.com


----------



## Top Banana (Nov 11, 2002)

Close IE. Scan with HijackThis, "Fix" *all* the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search2.html
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll (file missing)
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll (file missing)
O4 - HKLM\..\Run: [TVMD] C:\WINNT\TVMD.exe
O4 - HKLM\..\Run: [tlvbsvxs] C:\WINNT\System32\tlvbsvxs.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator.com/v3/download...094_hd3ptdm.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0015.cab

*Reboot* find and remove/delete

Program Files\Xupiter
TVMD.exe
tlvbsvxs.exe


----------



## Natalie7 (May 6, 2003)

THANK YOU!THANK YOU!THANK YOU!THANK YOU! The annoyance has disappeared! GODS..thank goodness..what a frustrating thing to have to have on your computer..Thank you for all of your help..I'll know to come to you guys first if ever I have a problem. You guys know more than our IT dept ever would!! Knowing how they are they probably would blame it on us saying we put it on there intentionally..oye..thank you


----------



## mal1930 (Apr 27, 2002)

Hi Tony, I pointed someone here who had opened a thread. I now don't know if I did the right thing as you seemed to have to talk and give advice to different people at the same time. I had thought that the person I had told to look here would be able to follow the directions that were printed and do it themselves. Would you rather I did not point them to this thread anymore? Peace Mal


----------



## TonyKlein (Aug 26, 2001)

Hi Mal,

I don't mind. If they do post to this thread, I'll get an e-mail notification so I won't overlook it.

Cheers,


----------



## jferna (May 8, 2003)

Here's my HijackThis log, can anybody help?

Logfile of HijackThis v1.94.0
Scan saved at 8:42:58 PM, on 5/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:6711
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O2 - BHO: (no name) - {2737A6C0-7E24-11D7-B299-00E0297E0844} - C:\WINDOWS\SYSTEM\MO030414S.DLL
O2 - BHO: (no name) - {2737A6C1-7E24-11D7-B299-00E0297E0844} - C:\WINDOWS\SYSTEM\CWKLRPU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [STB TVFIX] C:\WINDOWS\SYSTEM\NOAPPRUN.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [MovieNetworks] "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [viiadwrw] C:\WINDOWS\SYSTEM\viiadwrw.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitw.dll,STB_InitTweak
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Mark as Popup (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www-irn.sandia.gov/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: Yahoo! Chat (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/contact/serial/gwCID.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {853C1A83-1639-11D0-8BBF-0080C7A01083} (Web Browser Pop-up Window Control) - http://activex.microsoft.com/activex/controls/iptdweb/webpopup.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: ConferenceRoom Java Client (QuickTime Object) - http://chat.musiccity.com/java/cr.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/action/NSupd9x.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/tgrc.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe

Thanks in advance
Jim


----------



## Top Banana (Nov 11, 2002)

Close IE, Scan with HijackThis, "Fix" *all* the following entries:

O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O2 - BHO: (no name) - {2737A6C0-7E24-11D7-B299-00E0297E0844} - C:\WINDOWS\SYSTEM\MO030414S.DLL
O2 - BHO: (no name) - {2737A6C1-7E24-11D7-B299-00E0297E0844} - C:\WINDOWS\SYSTEM\CWKLRPU.DLL
O4 - HKLM\..\Run: [MovieNetworks] "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [viiadwrw] C:\WINDOWS\SYSTEM\viiadwrw.exe
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe

*Reboot* and remove:

Program Files\MovieNetworks
Program Files\SwimSuitNetwork

Download SSD. Update via "Online" tab. Search for and download all updates. Scan with SSD and "Fix" all the red entries.


----------



## jferna (May 8, 2003)

Thanks, Banana

Jim


----------



## Top Banana (Nov 11, 2002)

No problem, Jim.


----------



## BarbieV86 (May 5, 2003)

Logfile of HijackThis v1.94.0
Scan saved at 5:24:31 PM, on 5/6/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://toolbar.i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search3.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.the-huns-yellow-pages.com/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=javascript:window.close()
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.the-huns-yellow-pages.com/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.the-huns-yellow-pages.com/hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.jetseeker.com/ie/
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)
F0 - system.ini: Shell=Explorer.exe MSREXE.exe
O2 - BHO: ineb Helper - {61D029AC-972B-49FE-A155-962DFA0A37BB} - C:\WINDOWS\SYSTEM\INEB.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\STOOLBAR.DLL
O3 - Toolbar: I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~8\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [QAGENT] C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [bettyhouse] c:\Program Files\DiallerProgram\012561.exe -r
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [sexes] C:\sexes\VIDEO001[1].EXE -t
O4 - HKLM\..\Run: [nzcfnqnl] C:\WINDOWS\SYSTEM\nzcfnqnl.exe
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [MSRegSvc] C:\WINDOWS\SYSTEM\REGSVC32.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\RunServices: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Startup: Alarm Manager.LNK = C:\Program Files\Handspring\AlarmApp.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - User Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - User Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - User Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - User Startup: Alarm Manager.LNK = C:\Program Files\Handspring\AlarmApp.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Power Search - res://C:\PROGRAM FILES\COMMON FILES\MSIETS\MSIELINK.DLL//iemenu
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Dell Home (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .wmv: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/012561.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37646.5817013889
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll
O16 - DPF: DigiChat Applet (YahooYMailTo Class) - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave.com/content/combat_medic/CMonline.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/260/nCaseInstaller.cab
O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} (Inst Class) - http://toolbar.i-lookup.com/ineb.cab


----------



## TonyKlein (Aug 26, 2001)

Well, that's possibly the worst log I've seen for quite a while...

First, go to Control Panel > Add/Remove Programs, and uninstall New.Net (domains) and Kazaa.

Reboot whenever prompted, and once again when you're done.

Next, in Hijack This, check ALL of the items in bold. Double-check so as to be sure not to miss a single one.
Next, shut down _all_ browser windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://toolbar.i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search3.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.the-huns-yellow-pages.com/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=javascript:window.close()
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.the-huns-yellow-pages.com/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.the-huns-yellow-pages.com/hp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.jetseeker.com/ie/

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)

F0 - system.ini: Shell=Explorer.exe MSREXE.exe

O2 - BHO: ineb Helper - {61D029AC-972B-49FE-A155-962DFA0A37BB} - C:\WINDOWS\SYSTEM\INEB.DLL

O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\STOOLBAR.DLL
O3 - Toolbar: I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [bettyhouse] c:\Program Files\DiallerProgram\012561.exe -r
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [sexes] C:\sexes\VIDEO001[1].EXE -t
O4 - HKLM\..\Run: [nzcfnqnl] C:\WINDOWS\SYSTEM\nzcfnqnl.exe
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [MSRegSvc] C:\WINDOWS\SYSTEM\REGSVC32.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE

O4 - HKLM\..\RunServices: [WinLoader] MSREXE.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\RunServices: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - User Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm

O11 - Options group: [CommonName] CommonName

O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/012561.exe
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/inst...olbarLoader.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearch.com/TB/The_Ul...er_Enhancer.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} (Inst Class) - http://toolbar.i-lookup.com/ineb.cab*

After restarting your computer, find and delete the following:

The C:\WINDOWS\SYSTEM\nzcfnqnl.exe file
The c:\Program Files\DiallerProgram folder
The C:\sexes folder
The C:\WINDOWS\SYSTEM\REGSVC32.exe file
The MSREXE.exe file (do a Find Files in order to see where it is; it's a worm or trojan).

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Cheers,
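
A triage pass over the kinds of entries Top Banana and TonyKlein singled out above (random-named Run entries, an extra executable on the system.ini Shell= line, unnamed or orphaned BHOs, ActiveX downloads from a bare IP or served as a raw .exe, the New.Net LSP hijack), as an added example that is not part of the thread and is not HijackThis code. The sample lines are copied from the logs posted above; the rules are heuristics that only mimic what the helpers flagged, not a substitute for recognizing the vendor behind each entry.

```python
"""Heuristic triage of a HijackThis log (added example, not HijackThis itself).
The rules mimic what the helpers in this thread told posters to fix."""
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the logs posted in this thread,
# plus benign ones (Adobe BHO, scanregw, Flash .cab) to check for false alarms.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=javascript:window.close()
F0 - system.ini: Shell=Explorer.exe MSREXE.exe
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O2 - BHO: (no name) - {2737A6C1-7E24-11D7-B299-00E0297E0844} - C:\WINDOWS\SYSTEM\CWKLRPU.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [tlvbsvxs] C:\WINNT\System32\tlvbsvxs.exe
O4 - HKLM\..\Run: [WinLoader] MSREXE.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\win(?:dows|nt)\\(?:system(?:32)?\\)?[^\\]+$", re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # tlvbsvxs, viiadwrw, nzcfnqnl, cwsriqwi ...
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def exe_name(cmd):
    """Lower-case file name of the first (possibly quoted) token of a Run command."""
    cmd = cmd.strip()
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shell_extra_names(body):
    """Executables named on the system.ini Shell= line other than Explorer.exe."""
    m = re.search(r"Shell=(.*)$", body, re.I)
    names = m.group(1).split() if m else []
    return {n.lower() for n in names if n.lower() != "explorer.exe"}


def bho_reason(body):
    # body looks like: BHO: <name> - {CLSID} - <path or "(no file)">
    name, _, rest = body.partition("BHO: ")[2].partition(" - ")
    path = rest.partition(" - ")[2].strip()
    if path == "(no file)" or path.endswith("(file missing)"):
        return "orphaned BHO registration (file missing)"
    if name == "(no name)" and SYSTEM_DIR_RE.match(path):
        return "unnamed BHO loaded straight from the Windows/System directory"
    return None


def run_reason(body, shell_extras):
    m = RUN_RE.match(body)
    if not m:
        return None
    exe = exe_name(m.group("cmd"))
    stem = exe.rsplit(".", 1)[0]
    if exe in shell_extras:
        return "same executable is also injected through system.ini Shell="
    # The thread's random-named droppers reuse the file name as the Run key label.
    if RANDOM_STEM_RE.match(stem) and m.group("label").lower() == stem:
        return "eight-letter random-looking name reused as its own Run key label"
    return None


def dpf_reason(body):
    url = body.rsplit(" - ", 1)[-1].strip()
    if not url.lower().startswith("http"):
        return None
    parsed = urlparse(url)
    if IPV4_RE.match(parsed.hostname or ""):
        return "ActiveX download served from a bare IP address"
    if parsed.path.lower().endswith(".exe"):
        return "ActiveX 'plugin' delivered as a raw .exe instead of a .cab/.ocx"
    return None


def triage(log_text):
    """Return [(log line, reason)] for every entry a helper would tell you to fix."""
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    shell_extras = set()
    for line in lines:                      # first pass: what does Shell= load?
        m = LINE_RE.match(line)
        if m and m.group("sec") == "F0":
            shell_extras |= shell_extra_names(m.group("body"))
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1") and re.search(r"=\s*javascript:", body, re.I):
            reason = "IE search setting points at a javascript: URL"
        elif sec == "F0" and shell_extras:
            reason = "system.ini Shell= loads more than Explorer.exe: " + ", ".join(sorted(shell_extras))
        elif sec == "O2":
            reason = bho_reason(body)
        elif sec == "O4":
            reason = run_reason(body, shell_extras)
        elif sec == "O10":
            reason = "Winsock LSP hijack reported by HijackThis: " + body
        elif sec == "O16":
            reason = dpf_reason(body)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FIX  {line}\n     -> {reason}")
```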


----------



## marcus n (May 10, 2003)

Here's my HijackThis log, can anybody help?

Logfile of HijackThis v1.94.0
Scan saved at 11:07:39 AM, on 5/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://fastmetasearch.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://drvvv.com/jf-home.phtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://O27681.ecpm.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://O27681.ecpm.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://O27681.ecpm.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cb05a43f-3bb1-4df4-8beb-d26393ea472e} - C:\DOCUME~1\Poon\APPLIC~1\qstwgiejgl.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O3 - Toolbar: ucklyhgedll - {d14bc620-070f-4426-9955-8f583ddf6341} - C:\DOCUME~1\Poon\APPLIC~1\qstwgiejgl.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [cwsriqwi] C:\WINDOWS\System32\cwsriqwi.exe
O4 - HKLM\..\Run: [oaiejst] C:\DOCUME~1\Poon\APPLIC~1\eckcrmdo.exe -QuieT
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT....viewpoint.com/cgi-bin/vet_install_popup.pl?2
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = w27516.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = w27516.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{359120F6-9246-475D-8AA8-2F893041E96F}: Domain = w27516.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{664A1A1B-34AD-4562-B5FF-C5BF1DDB650D}: Domain = w27516.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = w27516.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{359120F6-9246-475D-8AA8-2F893041E96F}: Domain = w27516.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = w27516.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{359120F6-9246-475D-8AA8-2F893041E96F}: Domain = w27516.ecpm.com


----------



## TonyKlein (Aug 26, 2001)

Another spyware collection... 

In Hijack This, check the following items, shut all browser windows, and press fix checked. Reboot when you're done.

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://fastmetasearch.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://drvvv.com/jf-home.phtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://O27681.ecpm.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://O27681.ecpm.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://O27681.ecpm.com/searchbar.html

O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL

O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: (no name) - {cb05a43f-3bb1-4df4-8beb-d26393ea472e} - C:\DOCUME~1\Poon\APPLIC~1\qstwgiejgl.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: ucklyhgedll - {d14bc620-070f-4426-9955-8f583ddf6341} - C:\DOCUME~1\Poon\APPLIC~1\qstwgiejgl.dll

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [cwsriqwi] C:\WINDOWS\System32\cwsriqwi.exe
O4 - HKLM\..\Run: [oaiejst] C:\DOCUME~1\Poon\APPLIC~1\eckcrmdo.exe -QuieT

O15 - Trusted Zone: http://free.aol.com

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/SSInstaller.exe
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - 
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = w27516.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = w27516.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{359120F6-9246-475D-8AA8-2F893041E96F}: Domain = w27516.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{664A1A1B-34AD-4562-B5FF-C5BF1DDB650D}: Domain = w27516.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = w27516.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{359120F6-9246-475D-8AA8-2F893041E96F}: Domain = w27516.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = w27516.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{359120F6-9246-475D-8AA8-2F893041E96F}: Domain = w27516.ecpm.com*

After restarting your computer, delete the following files:

C:\WINDOWS\System32\cwsriqwi.exe
C:\Documents and Settings\Poon\Application Data\eckcrmdo.exe

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Cheers,


----------



## TonyKlein (Aug 26, 2001)

Well, an update on Msiefr40.dll: meanwhile I obtained the file, and it's a hijacker for sure, redirecting to www.Featured-Results.com (the site is at present unavailable).

It appears to be BrowserAid related.

Have Hijack This fix the following as well:

*O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer*

Cheers,


----------



## marcus n (May 10, 2003)

Thanks, it worked. The free scratch cards pop-up is gone. I was hoping you could help me out with a new ecpm pop-up toolbar on my girlfriend's account?

Logfile of HijackThis v1.94.0
Scan saved at 12:24:37 PM, on 5/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://O27681.ecpm.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://O27681.ecpm.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://b30790.ecpm.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://fastmetasearch.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://O27681.ecpm.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://drvvv.com/jf-home.phtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://O27681.ecpm.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://134.139.56.33:8080/proxy.pac 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.69-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.69-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.69-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.69-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.69-deleon.dll/cmtrans.html
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT....viewpoint.com/cgi-bin/vet_install_popup.pl?2
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -


----------



## brendandonhu (Jul 8, 2002)

Marcus N - have you had her run Spybot yet? If not, do that first and post a new Hijack This log after using it.

Tony will definitely spot more, but kill these ones.
(1 sec, I'm posting the ones you should delete)


----------



## brendandonhu (Jul 8, 2002)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://O27681.ecpm.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://O27681.ecpm.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://b30790.ecpm.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://O27681.ecpm.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://drvvv.com/jf-home.phtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://O27681.ecpm.com/searchbar.html
O15 - Trusted Zone: http://free.aol.com


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by brendandonhu:_
> *Tony will definitely spot more.*


No, I think you got about everything covered!

Good job, Brendan!


----------



## brendandonhu (Jul 8, 2002)

Ooh cool.
Might want to look at that proxy config script. I don't understand ASP (I think it's in ASP) but I see what looks like a bunch of redirects in there. I had seen once before where Spybot didn't pick it up but it was redirecting everything to a casino site.


----------



## TonyKlein (Aug 26, 2001)

That particular url resolves to

California State University, Long Beach
1250 Bellflower Blvd.
Long Beach, CA 90840
UNITED STATES

So that's OK I guess.


----------



## ehj3000 (May 21, 2003)

Please tell me what to remove... thank you.

Logfile of HijackThis v1.94.0
Scan saved at 11:08:37 PM, on 5/20/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: 216.239.37.101 www.kazaagold.com
O1 - Hosts: 216.239.37.101 kazaagold.com
O1 - Hosts: 216.239.37.101 www.k-lite.com
O1 - Hosts: 216.239.37.101 www.kazaa-download.de
O1 - Hosts: 216.239.37.101 www.mp3downloadhq.com
O1 - Hosts: 216.239.37.101 www.easymusicdownload.com
O1 - Hosts: 216.239.37.101 easymusicdownload.com
O1 - Hosts: 216.239.37.101 www.mp3madeeasy.com
O1 - Hosts: 216.239.37.101 www.monstershare.com
O1 - Hosts: 216.239.37.101 www.kazaa-plus.net
O1 - Hosts: 216.239.37.101 kazaa-plus.net
O1 - Hosts: 216.239.37.101 www.kazaa-plus.com
O1 - Hosts: 216.239.37.101 www.edonkey.com
O1 - Hosts: 216.239.37.101 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 216.239.37.101 www.kazaaplatinum.com
O1 - Hosts: 216.239.37.101 www.madeformusic.com
O1 - Hosts: 216.239.37.101 ikazaa.net
O1 - Hosts: 216.239.37.101 www.mp3u.com
O1 - Hosts: 216.239.37.101 www.mp3specialty.com
O1 - Hosts: 216.239.37.101 music-download-world.com
O1 - Hosts: 216.239.37.101 song-download-world.com
O1 - Hosts: 216.239.37.101 www.flixs.net
O1 - Hosts: 216.239.37.101 www.ishareit.net
O1 - Hosts: 216.239.37.101 www.ishareit.com
O1 - Hosts: 216.239.37.101 www.download-doctor.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\America Online 8.0\PwMgr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [alvwckjv] C:\WINNT\System32\alvwckjv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08d272c43c01bad17c20/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37706.8789814815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## brendandonhu (Jul 8, 2002)

ehj3000 - you have not even told us what is wrong with your computer; how are we to help you?

I do see you have all the Kazaa replacements pointing to Google.
I would go into your hosts file, remove the one that is "k-lite.tk", and all the other ones should be changed from 216.239.37.101 to 0.0.0.0. Except for k-lite, all the other ones are stolen versions of old Kazaa Lites: they steal other people's work of taking ads out, then put their own ads back in AND try to hit you up for $$.


----------



## ehj3000 (May 21, 2003)

Sorry I didn't tell you what's wrong. But so far, every time I turn on my computer a pop-up comes on with "install free scratch cards".


----------



## ehj3000 (May 21, 2003)

How do I remove k-lite.tk from the hosts file?


----------



## brendandonhu (Jul 8, 2002)

To remove k-lite, just run Hijack This again, put a check in the box next to the
O1 - Hosts: 216.239.37.101 www.k-lite.com
entry, and click "Fix".


----------



## ehj3000 (May 21, 2003)

So what do I check to get rid of the "install free scratch" pop-up? Here is my new log:
Logfile of HijackThis v1.94.0
Scan saved at 10:56:20 PM, on 5/21/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\America Online 8.0\PwMgr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [alvwckjv] C:\WINNT\System32\alvwckjv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08d272c43c01bad17c20/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37706.8789814815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Top Banana (Nov 11, 2002)

Close IE, "Fix" entries below:

O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\America Online 8.0\PwMgr.dll (file missing)
O4 - HKLM\..\Run: [alvwckjv] C:\WINNT\System32\alvwckjv.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/08d272c43c01ba...ip/RdxIE601.cab

*Reboot* and delete
alvwckjv.exe


----------



## ehj3000 (May 21, 2003)

Thank you... I highly appreciate the help.


----------



## DubWise (May 22, 2003)

Thanks to everyone who has posted methods for removing "free scratch cards". I used the method of finding the process, finding the file from there and removing, but on reboot it reappeared with a new name!! I then removed all cookies, and killed it again, and this seems to have solved the problem.


----------



## danielan (May 23, 2003)

I got hit by free scratch cards and it's driving me crazy. Not only is it disturbing my work, but I'm starting to get porno ads (my 13-year-old son uses the same computer). I'm unfortunately not as technical as most users of this forum, so I need someone to please, please explain to me in detail how to get rid of this nuisance. I will be EXTREMELY GRATEFUL!


----------



## Top Banana (Nov 11, 2002)

Download HijackThis. Unzip, run, "scan", "scan" becomes "save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most of the entries will be harmless.


----------



## Nexus2k (May 26, 2003)

I found associated files in my System32 folder. When I removed these files, I didn't get the pop-up from FSC anymore.
These be them: zekhidoo.dll, zekhidoo.exe, zwfjbrex.exe, and zwpecixe.exe.
Good luck. 
Nex


----------



## TonyKlein (Aug 26, 2001)

FSC does use random file names. You'll still have the startup entry for the executable, though.
And FSC usually comes bundled with LOP: http://www.doxdesk.com/parasite/lop.html

It would still be useful to see a log, as you'll almost certainly have other baddies that need to be removed.

Cheers,
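The two observations the helpers keep applying by hand in this thread are (a) that FSC's executable has a random name but still shows up as an `O4` Run entry, and (b) that the `O1` hosts entries pointing a whole list of domains at 216.239.37.101 should be neutralised by changing them to 0.0.0.0. The script below is an added example, not code from the thread or from HijackThis, that turns those observations into a triage pass over HijackThis-style log lines. The hijack domains in `BAD_DOMAINS` are the ones seen in the logs above; the "8 to 10 lowercase letters" rule for random executable names is an assumption drawn from the names in this thread (cwsriqwi, eckcrmdo, alvwckjv, jmzqaujg); the sample lines are copied from the logs posted here, plus one constructed `localhost` entry.

```python
import re
from collections import namedtuple

# Domains the thread identified as search/start-page hijack destinations.
BAD_DOMAINS = ("ecpm.com", "drvvv.com", "sureseeker.com", "fastmetasearch.com")
LOCAL_IPS = ("127.0.0.1", "0.0.0.0", "::1")

LINE_RE = re.compile(r"^([RNOF]\d+) - (.*)$")               # "<section> - <payload>"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")           # O1: "Hosts: <ip> <host>"
RUN_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] "?([^" ]+)')  # O4 command path
DOMAIN_RE = re.compile(r":\s*Domain(?:Name)?\s*=\s*(\S+)$")  # O17 DNS suffix
# Assumed heuristic: FSC-style random names seen in this thread are 8 lowercase letters.
RANDOM_EXE_RE = re.compile(r"^[a-z]{8,10}\.exe$")

Finding = namedtuple("Finding", "section kind detail line")

# Constructed sample: lines copied from the logs in this thread plus one localhost entry.
SAMPLE_LOG = [
    r"Logfile of HijackThis v1.94.0",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://134.139.56.33:8080/proxy.pac",
    r"O1 - Hosts: 216.239.37.101 www.k-lite.com",
    r"O1 - Hosts: 216.239.37.101 www.kazaagold.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O4 - HKLM\..\Run: [SystemTray] systray.exe",
    r"O4 - HKLM\..\Run: [cwsriqwi] C:\WINDOWS\System32\cwsriqwi.exe",
    r"O4 - HKLM\..\Run: [oaiejst] C:\DOCUME~1\Poon\APPLIC~1\eckcrmdo.exe -QuieT",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = w27516.ecpm.com",
]


def parse_line(line):
    """Split 'O4 - <payload>' into ('O4', '<payload>'); non-entry lines give (None, None)."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def hostname(url):
    """Host part of an http(s) URL, lowercased; '' for local paths or empty values."""
    m = re.match(r"https?://([^/:]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_bad_domain(host):
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def triage(lines):
    """Return Findings for the entry types the thread treats as suspicious."""
    findings = []
    for line in lines:
        section, payload = parse_line(line)
        if section in ("R0", "R1"):
            key, _, value = payload.partition("=")
            if "AutoConfigURL" in key and value.strip():
                # A proxy auto-config script can redirect every request; review it.
                findings.append(Finding(section, "proxy-pac", value.strip(), line))
            elif is_bad_domain(hostname(value)):
                findings.append(Finding(section, "hijack-domain", hostname(value), line))
        elif section == "O1":
            m = HOSTS_RE.match(payload)
            if m and m.group(1) not in LOCAL_IPS:
                findings.append(Finding(section, "hosts-redirect", "%s -> %s" % (m.group(2), m.group(1)), line))
        elif section == "O4":
            m = RUN_RE.match(payload)
            exe = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
            if RANDOM_EXE_RE.match(exe):
                findings.append(Finding(section, "random-run", exe, line))
        elif section == "O17":
            m = DOMAIN_RE.search(payload)
            if m and is_bad_domain(m.group(1).lower()):
                findings.append(Finding(section, "domain-hijack", m.group(1).lower(), line))
    return findings


def neutralise_hosts(lines, drop=()):
    """Hosts-file lines with every non-local O1 redirect pointed at 0.0.0.0
    (the fix suggested in the thread); hosts listed in `drop` are removed entirely."""
    out = []
    for line in lines:
        section, payload = parse_line(line)
        m = HOSTS_RE.match(payload) if section == "O1" else None
        if not m or m.group(2) in drop:
            continue
        ip = m.group(1) if m.group(1) in LOCAL_IPS else "0.0.0.0"
        out.append("%s %s" % (ip, m.group(2)))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-3s %-14s %s" % (f.section, f.kind, f.detail))
    print("\n".join(neutralise_hosts(SAMPLE_LOG, drop={"www.k-lite.com"})))
```

The random-name rule is a prompt for a human look, not a verdict: it would also trip on a legitimate 8-letter name such as igfxtray.exe from the Windows 2000 log above, which is exactly why the helpers here cross-check each flagged entry before telling anyone to fix it. Likewise the `rundll32.exe ... msiefr40.dll` entry is not caught by the name rule at all; TonyKlein identified it only after obtaining the DLL.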


----------



## danielan (May 23, 2003)

Top Banana, here is the log that you asked me to run. Thanks for your help.

===================================
Logfile of HijackThis v1.94.0
Scan saved at 10:58:11 AM, on 5/26/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qr01kfiu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\qr01kfiu.slt\prefs.js)
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_0_2_5.dll
O2 - BHO: HTML Source Editor - {05BBB56A-2A69-4a5c-BFDA-43295DD67434} - C:\WINNT\Downloaded Program Files\winy.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25b073a8-6b24-4aae-b1a1-d27fc6f84edc} - C:\DOCUME~1\ADMINI~1\APPLIC~1\alcreapjk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: rsblzeathdr - {3d26d1ac-8967-4a38-96f1-d2f49f57c6fa} - C:\DOCUME~1\ADMINI~1\APPLIC~1\alcreapjk.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [MovieNetworks] "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [jmzqaujg] C:\WINNT\System32\jmzqaujg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TVMD] C:\WINNT\TVMD.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nais.org/CFIDE/classes/CFJava.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://www.yumpa.com/promo_eb_200212a/winy.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/291/nCaseInstaller.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {730F2451-A3FE-4A72-938C-FC8A74F15978} - http://www.igetnet.com/downloads/nlmupgradev4.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37516.0661574074
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonreality.com/eonx/3_0_2/eonx.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterSP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/movieplace.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.85/install.exe
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_5.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0010.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = I4243.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FB5BF62-189B-48F3-A3D9-024F13CD161B}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6567CB87-D607-4DE9-BFE3-2090C894A433}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{669E578A-214E-409B-9120-47EF26A5E733}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF17F5E7-DDD6-439B-BB2C-47A0706E6961}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF4619F-74E1-4A65-A2D4-767BEB752085}: Domain = I4243.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = I4243.ecpm.com


----------



## TonyKlein (Aug 26, 2001)

Do the following:

In Hijack This, check ALL of the following items. Double-check so as to be sure not to miss a single one.
Next, shut down _all_ browser windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)

O2 - BHO: (no name) - {25b073a8-6b24-4aae-b1a1-d27fc6f84edc} - C:\DOCUME~1\ADMINI~1\APPLIC~1\alcreapjk.dll

O3 - Toolbar: rsblzeathdr - {3d26d1ac-8967-4a38-96f1-d2f49f57c6fa} - C:\DOCUME~1\ADMINI~1\APPLIC~1\alcreapjk.dll

O4 - HKLM\..\Run: [MovieNetworks] "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H
O4 - HKLM\..\Run: [jmzqaujg] C:\WINNT\System32\jmzqaujg.exe
O4 - HKLM\..\Run: [TVMD] C:\WINNT\TVMD.exe
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min

O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://www.yumpa.com/promo_eb_200212a/winy.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {730F2451-A3FE-4A72-938C-FC8A74F15978} - http://www.igetnet.com/downloads/nlmupgradev4.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeterSP.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/movieplace.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.85/install.exe

O17 - HKLM\Software\..\Telephony: DomainName = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FB5BF62-189B-48F3-A3D9-024F13CD161B}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{6567CB87-D607-4DE9-BFE3-2090C894A433}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{669E578A-214E-409B-9120-47EF26A5E733}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF17F5E7-DDD6-439B-BB2C-47A0706E6961}: Domain = I4243.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF4619F-74E1-4A65-A2D4-767BEB752085}: Domain = I4243.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = I4243.ecpm.com*

After rebooting, find and delete the C:\WINNT\System32\jmzqaujg.exe file, as well as C:\WINNT\TVMD.exe

Cheers,


----------



## TonyKlein (Aug 26, 2001)

Oops!

Before you do that, could you please send me a copy of C:\WINNT\Downloaded Program Files\*winy.dll*?

It's a MarketDart-related advertising plugin, and we'd like to have a closer look at it for analysis.

After sending it, feel free to have HT delete this item:

*O2 - BHO: HTML Source Editor - {05BBB56A-2A69-4a5c-BFDA-43295DD67434} - C:\WINNT\Downloaded Program Files\winy.dll*

TIA!


----------



## danielan (May 23, 2003)

I looked in the Downloaded Program Files folder, and the file is not there. I also performed a search and I can't find it anywhere. I have my preferences turned on to show hidden files. Why can't I find it?


----------



## TonyKlein (Aug 26, 2001)

Well, it could well be gone for whatever reason, and in that case all that Hijack This found was an orphaned registry entry.

However, in such a case it would usually tell you that the "file is missing".

Hmm, not a clue, I'm afraid.

If you're positive it's not there, feel free to have HT fix it.

Cheers,


----------



## danielan (May 23, 2003)

Thank you so much for all your help! It's finally gone!


----------



## TonyKlein (Aug 26, 2001)

You're welcome!


----------



## Crossfire (Sep 11, 2002)

> _Originally posted by TonyKlein:_
> *Well, that's possibly the worst log I've seen for quite a while...
> *


I recently ran SSD on another machine at work, the first time any such scan had ever been run on that system, and it detected 540 - that's FIVE HUNDRED AND FORTY! - assorted instances of spyware, browser hijackers, "tracking cookies or cookies of tracking sites," and other s**tware. Xupiter, WhenU, FSC, Gator, Comet Cursors, that thing that alleges to keep your clock accurate... All of the usual suspects were in there. It took three restarts for SSD to completely clear out all the garbage.

Needless to say, I adjusted the heck out of the security settings on _that_ machine... I.T. isn't my department, but SOMEBODY has to keep on top of this stuff, and I'm probably the second most qualified to do it.

Now if we could get this one certain employee to stay the bleep away from the, shall we say, _questionable_ sites he keeps visiting with our communal computers...


----------



## jim48 (Jun 4, 2003)

Please check my highjackthis.log and let me know which items to delete. Thanks for the help,

Jim

Logfile of HijackThis v1.94.0
Scan saved at 12:09:23 PM, on 6/4/03
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://yahoo.honeywell.com/yahoo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://myhoneywell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.xupiter.com/search2.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Honeywell, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL=http://iecfg.honeywell.com/proxy/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=ftp=interneth1.honeywell.com:82;gopher=interneth1.honeywell.com:82;http=interneth1.honeywell.com:82;https=interneth1.honeywell.com:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=*allied.com; *honeywell.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\Updates\XTSearch.dll (file missing)
O1 - Hosts: 129.239.31.99 magellan magellan.cas.honeywell.com aspecthp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\Updates\XupiterToolbar.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "c:\Program Files\rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [nvsbjsgp] C:\WINNT\System32\nvsbjsgp.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.tus1wk47] "C:\PROGRA~1\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\Program Files\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePO Agent\naimag32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://myhoneywell.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://communities.honeywell.com/qp2.cab
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tus.allied.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tus.allied.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tus.allied.com


----------



## Top Banana (Nov 11, 2002)

Unwanted guests: Xupiter and Free Scratch Cards.

Scan with HijackThis, put a checkmark next to *all* the following entries and "Fix checked". Close all browser windows before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search2.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.xupiter.com/search2.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\Updates\XTSearch.dll (file missing)
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\Updates\XupiterToolbar.dll (file missing)
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [nvsbjsgp] C:\WINNT\System32\nvsbjsgp.exe
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/inst...olbarLoader.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe

*Restart* your computer.

Navigate to and delete:

Program Files\Xupiter
nvsbjsgp.exe


----------
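The triage the helpers above do by eye (TonyKlein's and Top Banana's fix lists) can be mechanised for a first pass. The script below is an added example, not code from this thread or from HijackThis itself: it parses HijackThis-style log lines and flags the indicators the thread relies on, namely entries marked "(file missing)" or "(no file)", autostarts of random-looking eight-letter executables such as nvsbjsgp.exe, anything referencing Xupiter or free-scratch-cards, a proxy pointing at 127.0.0.1, O16 ActiveX downloads from a bare IP address, and O17 domain entries. The sample log is constructed from lines quoted in the thread; the random-name heuristic and the marker list are my own assumptions. It is an aid to review rather than a verdict: a flagged line still needs a person to confirm it, for instance the localhost proxy may belong to an installed content filter.

```python
"""Triage helper for HijackThis (v1.9x) log lines.

Added example for this thread; it is not HijackThis code. The rules below
encode what the helpers in the thread check by hand.
"""
import re
from dataclasses import dataclass

# Names the thread identifies as hijacker/adware sources (assumption: a
# substring match on these is enough to flag a line for review).
SUSPECT_MARKERS = ("xupiter", "free-scratch-cards")

# Constructed sample log, assembled from entries quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.xupiter.com/search2.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:6711
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\Updates\XTSearch.dll (file missing)
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nvsbjsgp] C:\WINNT\System32\nvsbjsgp.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.85/install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = I4243.ecpm.com
"""

# A HijackThis line is "<type> - <rest>", e.g. "O4 - HKLM\..\Run: [name] cmd".
LINE_RE = re.compile(r"^(?P<type>[RO]\d{1,2}) - (?P<rest>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOST_RE = re.compile(r"https?://(?P<host>[^/:\s]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EIGHT_LETTERS_RE = re.compile(r"^[a-z]{8}$", re.IGNORECASE)
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4}", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str   # short label of the rule that fired
    line: str   # the log line, verbatim


def looks_random(name: str) -> bool:
    """Heuristic (assumption) for the generated names seen in the thread, such as
    nvsbjsgp and jmzqaujg: exactly eight letters with a run of four consonants."""
    return bool(EIGHT_LETTERS_RE.match(name) and CONSONANT_RUN_RE.search(name))


def exe_basename(cmd: str) -> str:
    """Strip quotes, directory and arguments from an O4 command; return the file stem."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split()[0] if cmd else ""
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return stem.rsplit(".", 1)[0]


def check_line(raw: str) -> list[Finding]:
    """Apply every rule to one log line and return the findings (possibly none)."""
    line = raw.rstrip()
    m = LINE_RE.match(line)
    if not m:
        return []
    kind, rest = m.group("type"), m.group("rest")
    low = rest.lower()
    findings: list[Finding] = []

    # Orphaned entry: the registry still points at a file that is gone.
    if "(file missing)" in low or "(no file)" in low:
        findings.append(Finding("orphaned", line))
    # Anything referencing a product the thread identified as a hijacker.
    if any(marker in low for marker in SUSPECT_MARKERS):
        findings.append(Finding("suspect-marker", line))
    # Autostart of a random-looking executable.
    if kind == "O4":
        o4 = O4_RE.search(rest)
        if o4 and looks_random(exe_basename(o4.group("cmd"))):
            findings.append(Finding("random-name", line))
    # Proxy on the local machine: confirm an installed product owns that port.
    if kind == "R1" and "proxyserver=" in low and "127.0.0.1" in low:
        findings.append(Finding("localhost-proxy", line))
    # ActiveX control downloaded from a bare IP address rather than a hostname.
    if kind == "O16":
        host = HOST_RE.search(rest)
        if host and IPV4_RE.match(host.group("host")):
            findings.append(Finding("dpf-bare-ip", line))
    # DNS domain / search-suffix entries: verify they match your own network.
    if kind == "O17":
        findings.append(Finding("dns-domain", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run check_line over a whole log and collect the findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        findings.extend(check_line(raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.line}")
```

Lines that fire no rule (the Shockwave Flash DPF entry, SysTray.Exe) are left alone, which is the point: the script narrows a long log to the handful of lines worth a human's attention, and the "kind" label says which of the thread's checks matched.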



## bob31 (May 5, 2003)

Where did that sucker come from...my kids got hit with it last night...it loaded crap all over my hard drive..in my msconfig startup folder...in my tray...I got so flustered I did a system restore...and so far that seems to work. Here's my question...In the future if I do another system restore is there any chance of that malicious piece of s..t coming back on me and is it still somewhere on my system? It loaded this thing "TV-MTVMD" in my msconfig start up and every time I tried to disable it from the msconfig startup utility I got a BSOD and couldn't get back to windows or do a Ctrl-Alt-Del...I just had to shut the damn computer down. I am going to update spybot beta and adaware...but is there anything else I can do to keep FSC from ever loading itself on my computer in the future?


----------



## TonyKlein (Aug 26, 2001)

You may find this a useful read: 
So how on earth did I get all this spyware in the first place?

Cheers,


----------



## rosierox (Jun 5, 2003)

Well, we started out with that nasty scratch cards, and did end up getting rid of it, but have the "script error" end up popping up with the address in it before we can shut down. Regardless, I've downloaded the Hijack This, and have seen a couple things already posted, and removed them, but was hoping someone knowledgeable could tell me what I need to get rid of. The popups are driving me crazy... I truly would appreciate any help, and will check back tomorrow to see if anyone replies. Thanks again!

It's pretty long!



Logfile of HijackThis v1.94.0
Scan saved at 8:05:43 PM, on 6/4/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://66.40.16.198/sm/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.startsampling.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://66.40.16.198/sm/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:6711
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [McAfeeAutoInstaller] C:\WINDOWS\mcbin\shared\mcdriz.exe
O4 - HKLM\..\Run: [ContentSecurity] CoreLock.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LEDTRAY] C:\PROGRA~1\COMMON~1\SCM\LEDTRAY.EXE
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\SYSTEM\winservn.exe
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {5C8E2DE3-C9BD-11D3-BAFD-009027A36778} (Lipstream3 Control) - http://lipstream.www.conxion.com/customers/webcamnow/fender.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
O16 - DPF: {34888AE1-20FF-11D4-B004-00104B98E2C7} (McAfee Clinic Shell Class) - http://download.mcafee.com/molbin/Shared/McSH32.cab
O16 - DPF: {E98B87EE-3FCB-11D3-8A62-00C0F03C3792} (FTWL Class) - http://download1.firetalk.com/FireTalk/MFT_Test/FTWebLauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/3125973764dbe9b36005/netzip/RdxIE.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
O16 - DPF: ChatSpace Java Client 3.0.0.204 - http://216.0.106.14:9000/Java/cms3204.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {6FAB0E5B-8AE4-4A98-9C1E-C34305AC195A} (UniVoice Control) - http://www.webcamnow.com/voice/UniVoice.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: Yahoo! Chat (YInstStarter Class) - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://www.servesafe.net/central/02030105/cccabs/CleverContent.cab
O16 - DPF: ChatSpace Java Client 3.0.0.207 (CscClnt Class) - http://surechat.com:9000/Java/cms3207.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1234/ftp.coupons.com/brxpdf5.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonreality.com/eonx/3_0_2/eonx.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,8/mcinsctl.cab
O16 - DPF: {E21AE2D7-972C-4D23-BEE7-A902122841E6} (uload Class) - http://pluginserver.net/uloader.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab
O16 - DPF: ConferenceRoom Java Client (Video Class) - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: ChatSpace Full Java Client 3.0.0.207 (Video Class) - http://surechat.com:9000/Java/cfs3207.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members15.clubphoto.com/_img/uploader/atl_uploader.cab
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.219 - http://surechat.com:9000/Java/cfs31219.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.223 (Yahoo! Audio Conferencing) - http://surechat.com:9000/Java/cfs31223.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.224 (Yahoo! Audio Conferencing) - http://surechat.com:9000/Java/cfs31224.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37612.3542476852
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - 
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 (MSN Chat Control 4.2) - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.CAB
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: ChatSpace Java Client 2.1.0.79 (WebIQ Technology Client) - http://68.49.2.202/Java/cs4ms079.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 (WebIQ Technology Client) - http://irc.everywherechat.com:8000/Java/cfs40300.cab
O16 - DPF: {A7532940-DB22-4B10-BE6A-B467E5330745} (CustomToolbar.Setup) - http://mojo.com/toolbar/Customtoolbar.CAB


----------



## brendandonhu (Jul 8, 2002)

All I see are these 2, which are for a search engine where the only results are sponsored links, so you can kill these.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://66.40.16.198/sm/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://66.40.16.198/sm/


I don't see what would be causing a script error. Try clearing your temp files and cache.


----------



## rosierox (Jun 5, 2003)

Thank you very much brendandonhu for the reply, I removed what you said and will see how it goes. I did think with ALL that was on MY list, there must be a lot of things to remove, then again, I had seen a couple that I had comparing what everyone else had, that was advised to remove, so we'll see if this helps. Again, my thanks, you guys are GREAT!!!!!

EDIT:

Well, in about 5 minutes after being on, I got a popup from "clickspring.net". That seems to be the main one we get on this comp, the addy of it and all. I'll post a new list, maybe something new has come up?

Logfile of HijackThis v1.94.0
Scan saved at 5:05:42 AM, on 6/5/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.startsampling.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:6711
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [McAfeeAutoInstaller] C:\WINDOWS\mcbin\shared\mcdriz.exe
O4 - HKLM\..\Run: [ContentSecurity] CoreLock.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LEDTRAY] C:\PROGRA~1\COMMON~1\SCM\LEDTRAY.EXE
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\SYSTEM\winservn.exe
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {5C8E2DE3-C9BD-11D3-BAFD-009027A36778} (Lipstream3 Control) - http://lipstream.www.conxion.com/customers/webcamnow/fender.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
O16 - DPF: {34888AE1-20FF-11D4-B004-00104B98E2C7} (McAfee Clinic Shell Class) - http://download.mcafee.com/molbin/Shared/McSH32.cab
O16 - DPF: {E98B87EE-3FCB-11D3-8A62-00C0F03C3792} (FTWL Class) - http://download1.firetalk.com/FireTalk/MFT_Test/FTWebLauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/3125973764dbe9b36005/netzip/RdxIE.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! WebCam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
O16 - DPF: ChatSpace Java Client 3.0.0.204 - http://216.0.106.14:9000/Java/cms3204.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {6FAB0E5B-8AE4-4A98-9C1E-C34305AC195A} (UniVoice Control) - http://www.webcamnow.com/voice/UniVoice.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: Yahoo! Chat (YInstStarter Class) - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://www.servesafe.net/central/02030105/cccabs/CleverContent.cab
O16 - DPF: ChatSpace Java Client 3.0.0.207 (CscClnt Class) - http://surechat.com:9000/Java/cms3207.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1234/ftp.coupons.com/brxpdf5.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://download.eonreality.com/eonx/3_0_2/eonx.cab
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,8/mcinsctl.cab
O16 - DPF: {E21AE2D7-972C-4D23-BEE7-A902122841E6} (uload Class) - http://pluginserver.net/uloader.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab
O16 - DPF: ConferenceRoom Java Client (Video Class) - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: ChatSpace Full Java Client 3.0.0.207 (Video Class) - http://surechat.com:9000/Java/cfs3207.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members15.clubphoto.com/_img/uploader/atl_uploader.cab
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.219 - http://surechat.com:9000/Java/cfs31219.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.223 (Yahoo! Audio Conferencing) - http://surechat.com:9000/Java/cfs31223.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.224 (Yahoo! Audio Conferencing) - http://surechat.com:9000/Java/cfs31224.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37612.3542476852
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - 
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 (MSN Chat Control 4.2) - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.CAB
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: ChatSpace Java Client 2.1.0.79 (WebIQ Technology Client) - http://68.49.2.202/Java/cs4ms079.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 (WebIQ Technology Client) - http://irc.everywherechat.com:8000/Java/cfs40300.cab
O16 - DPF: {A7532940-DB22-4B10-BE6A-B467E5330745} (CustomToolbar.Setup) - http://mojo.com/toolbar/Customtoolbar.CAB


----------



## Top Banana (Nov 11, 2002)

Purity Scan = popups

Close IE, put a checkmark at the following entry and click "Fix checked":

O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\SYSTEM\winservn.exe

*Restart* your computer.

Delete winservn.exe

O16 entries: go to the Downloaded Program Files folder. Right-click > Properties on each file. Remove any file you do not recognize.


----------



## rosierox (Jun 5, 2003)

THANK YOU!!! I think that did it, and YES, it was that PURITY SCAN!!! I kept seeing a blank window pop up when the comp was starting up, but never figured out where that came from or what it was!

One last question: when you say to remove files I don't recognize from the huge list of O16s, does that mean if I remove them, they won't work at all? In case I remove one that wasn't necessary to remove?


----------



## Top Banana (Nov 11, 2002)

All of them can be removed if you wish. If required in future (Windows Updates, etc.), they can easily be downloaded again. Remove anything that is not Microsoft, Macromedia, Yahoo!, etc., or anything you do not recognize.


----------



## rosierox (Jun 5, 2003)

Will do, and thank you very much for all your help. As I said before, you guys are the GREATEST!!! So glad I found this site!

Haven't had a popup since I followed your instructions.

If I was there, I'd hug ya big time just for getting that off my comp. Have a wonderful day!


----------



## Top Banana (Nov 11, 2002)

You're welcome. You have a good one too!


----------



## kag (Jun 5, 2003)

Hello all who have the Free Scratch and Win problem. I too went through the very same nightmare. Started out with Free Scratch and Win, then massive amounts of pop-ups, and then it changed my homepage address. Suddenly, in the midst of my frustration, Norton identified a virus called js.exception.exploit. I wasn't very computer illiterate at the time, and the directions from Norton on how to remove it weren't helpful and didn't work, nor did Norton find it when I did scans. So, finally, after many many drinks I had to do a full system restore to get rid of the darn thing. Thankfully I was able to burn my pictures and other non-internet related stuff onto a CD and put them back after the system restore. Check out Norton's website for the virus I mentioned above and see if it hits the mark for what you are experiencing. I also updated my Microsoft patches and haven't had the problem since. I feel for you all, and good luck.


----------



## rondahinzman (Jun 6, 2003)

Here's my 'hijack this' log. Can you help?

Logfile of HijackThis v1.93.0
Scan saved at 9:52:26 PM, on 6/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://E11577.ecpm.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://e13085.ecpm.com/passthrough/index.html?http://www.newsandsentinel.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://E11577.ecpm.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://E11577.ecpm.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://E11577.ecpm.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://E11577.ecpm.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:6711
F1 - win.ini: load=ptsnoop.exe
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\BRAVEN~1\BIN\ODIGOBHO.DLL
O2 - BHO: (no name) - {9c8e7520-973d-11d7-871d-00036d133213} - (no file)
O2 - BHO: (no name) - {517a57c0-974c-11d7-871d-00036d133213} - C:\WINDOWS\APPLICATION DATA\FBLWCHOUPRT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smart Keyboard] C:\Program Files\Netropa\Smart Keyboard\Smartkbd.exe
O4 - HKLM\..\Run: [thouprbl] C:\WINDOWS\APPLIC~1\gozixthy.exe -QuieT
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37613.6222222222
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/077ad2c05aee5dd33b02/netzip/RdxIE601.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {E44C795F-6136-4D8C-9304-F745D792C2F5} - http://downloads.taxslayer.com/olf2002/netinstall007/install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.7.20.20/tukati.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab


----------



## brendandonhu (Jul 8, 2002)

Kill These Entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://E11577.ecpm.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://e13085.ecpm.com/passthrough/index.html?http://www.newsandsentinel.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://E11577.ecpm.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://E11577.ecpm.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://E11577.ecpm.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://E11577.ecpm.com/searchbar.html

O15 - Trusted Zone: http://free.aol.com

You also have some bad BHOs, but I don't know which ones. Someone should help you with those...


----------



## tpb (Feb 27, 2001)

Also fix these and reboot.

O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: (no name) - {9c8e7520-973d-11d7-871d-00036d133213} - (no file)
O2 - BHO: (no name) - {517a57c0-974c-11d7-871d-00036d133213} - C:\WINDOWS\APPLICATION DATA\FBLWCHOUPRT.DLL
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {E44C795F-6136-4D8C-9304-F745D792C2F5} - http://downloads.taxslayer.com/olf2...007/install.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab

O4 - HKLM\..\Run: [thouprbl] C:\WINDOWS\APPLIC~1\gozixthy.exe -QuieT

Then Download Spybot - Search & Destroy from here
http://www.lurkhere.com/~nicefiles/index.html

After installing, launch Spybot from the Desktop icon (Easy Mode), click on the Search For Updates button, search for and install all updates.

Now click on the Check for Problems button and the scan will start. Any Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is preselected to be fixed. If, after running the scan, Spybot displays red entries, click on the Fix Selected Problems button.

Now click on the Immunize button to protect your PC from known pests and exit.

If you have chosen to install an icon in your Quick Launch bar, Spybot will launch in Advanced Mode. I do not recommend this option for first time users of Spybot.

NOTE: SSD will sometimes not be able to remove all active components in the first 'run'. In that case you will get a dialog asking you to run SSD at next start. Click yes and reboot. 
SSD will activate before the system puts these components 'in use', and it will then be able to 'fix' the rest.


----------



## tpb (Feb 27, 2001)

Thanks Top Banana!, I'm a little brain dead this morning!


----------



## rondahinzman (Jun 6, 2003)

Thank you so much!!!!


----------



## CindyT (Jun 9, 2003)

Help! I have this FSC popping up also. I'd greatly appreciate it if someone could tell me what to fix. Here is my log:

Logfile of HijackThis v1.94.0
Scan saved at 8:25:56 AM, on 6/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.ieplugin.com/q.cgi?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1;*.ce1.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSView.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {A6250FB8-2206-499E-A7AA-E1EC437E71C0} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {27F09AE0-972C-444A-8D4A-E6AE606BAC28} - http://downloads.taxslayer.com/olf2002/netinstall013/install.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://ww3.ieplugin.com/adcampaigns/webplugin.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/292/nCaseInstaller.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.*****high.com/exit/voyeur/live.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://bannerfarm.ace.advertising.com/bannerfarm/42833/VBouncerOuter1123.exe
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.fsc2k.com/install.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_4_0.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0010.cab

Thanks!


----------



## TonyKlein (Aug 26, 2001)

Hi Cindy,

In Hijack This, check ALL of the following items. Double-check so as to be sure not to miss a single one.
Next, shut down _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.ieplugin.com/q.cgi?q=%s

O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSView.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {A6250FB8-2206-499E-A7AA-E1EC437E71C0} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.30/Hiwire.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://ww3.ieplugin.com/adcampaigns/webplugin.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.*****high.com/exit/voyeur/live.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - 
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.fsc2k.com/install.exe
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0010.cab*

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Cheers,


----------
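The replies above all apply the same checks by eye: Top Banana's rule for O16 entries (keep Microsoft, Macromedia, Yahoo! and the like, remove what you do not recognise), and TonyKlein's fix lists (search-page hijacks in the R0/R1 lines, orphan or oddly placed BHOs, Run entries for executables with random 8-letter names such as yckmeamp.exe, and DPF entries whose "control" is a bare install.exe). The script below is an added example for this thread, not HijackThis code and not any poster's; it turns those checks into rules over the log lines and prints the entries a helper would tell the poster to check. The trusted-host list, the 8-letter-name heuristic and the sample log (entries copied from logs posted in this thread) are assumptions, and a hit means "look at this file's properties", not a verdict.

```python
"""Rule-based triage of a HijackThis log.

Added example for this thread (not HijackThis code and not any poster's):
it turns the checks the helpers above apply by eye into rules and lists
the entries a helper would tell the poster to check. Allowlists, the
random-name heuristic and the sample log are assumptions; treat hits as
"look at this", not as verdicts.
"""
import re
from urllib.parse import urlparse

# Hosts whose R-entry targets and O16 controls are left alone, after Top
# Banana's rule of thumb (Microsoft, Macromedia, Yahoo! ...). Assumed list.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com", "macromedia.com", "yahoo.com",
                    "yimg.com", "apple.com", "symantec.com", "antivirus.com",
                    "netscape.com")
# The droppers in this thread (yckmeamp.exe, ptizjpzq.exe, gozixthy.exe,
# fbrmsoja.exe) share one shape: an 8-letter lowercase stem. Heuristic only;
# real binaries of that shape go in LEGIT_8.
RANDOM_STEM = re.compile(r"(?:^|\\)([a-z]{8})\.exe\b")
LEGIT_8 = {"explorer", "services", "winlogon", "userinit", "scanregw"}
# Directories a normal startup program or BHO does not load from.
PROFILE_DIRS = re.compile(r"\\(APPLIC~1|APPLICATION DATA|TEMP)\\", re.I)
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def first_url(body):
    m = re.search(r"https?://\S+", body)
    return m.group(0) if m else None


def check(kind, body):
    """Return why this entry deserves a look, or None if the rules pass it."""
    url = first_url(body)
    if kind in ("R0", "R1"):
        if "ProxyServer=" in body and "127.0.0.1" in body:
            return "loopback proxy: find the process listening on that port"
        if "Search" in body and url and not trusted(url):
            return "search setting points at an untrusted host"
        if "Start Page=" in body and url and "?http" in url:
            return "start page goes through a redirector that wraps the real page"
    elif kind == "O1":
        return "hosts-file override"
    elif kind in ("O2", "O3"):
        if body.endswith("(no file)"):
            return "orphan BHO/toolbar registration"
        if PROFILE_DIRS.search(body):
            return "BHO loaded from a profile or temp directory"
    elif kind == "O4":
        m = RANDOM_STEM.search(body)
        if m and m.group(1) not in LEGIT_8:
            return "random 8-letter executable name"
        if PROFILE_DIRS.search(body):
            return "startup program in a profile or temp directory"
    elif kind == "O15":
        return "site added to the Trusted Zone"
    elif kind == "O16":
        if not url:
            return "DPF entry with no source URL left behind"
        if url.lower().endswith(".exe"):
            return "DPF target is a bare installer, not a control"
        if not trusted(url):
            return "ActiveX control downloaded from an unrecognised host"
    return None


def triage(log_text):
    """Return [(entry, reason)] for every log line the rules flag."""
    hits = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            reason = check(m.group("kind"), m.group("body").strip())
            if reason:
                hits.append((raw.strip(), reason))
    return hits


# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://e13085.ecpm.com/passthrough/index.html?http://www.newsandsentinel.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 SafeWeb.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [yckmeamp] C:\WINDOWS\System32\yckmeamp.exe
O4 - HKLM\..\Run: [thouprbl] C:\WINDOWS\APPLIC~1\gozixthy.exe -QuieT
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample it flags the ieplugin search bar, the ecpm.com passthrough start page, the loopback proxy, the SafeWeb hosts override, the orphan BHO, yckmeamp.exe and gozixthy.exe, the free.aol.com Trusted Zone entry, and the two DPF downloads, while passing nwiz.exe, pmxinit.exe (which TonyKlein tells craigt to leave alone), the Norton BHO and the Macromedia control. The name heuristic is deliberately crude: agquickp.exe in jhammond10's log (ActivCard) has the same shape and would be listed, which is why the output is a list to check, not a list to delete. As the thread's own procedure says, fix the entries in HijackThis with all browser windows closed, reboot, and only then delete the files.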



## CindyT (Jun 9, 2003)

Thank you so much! I'll give it a try.


----------



## craigt (Jun 10, 2003)

Ok, I've got this FSC thing also. I've read through most all of the posts here in this thread, and I have to say you guys are great! It's rare to see someone so willing to help others. Thanks!

Here is my hijack file:

Logfile of HijackThis v1.94.0
Scan saved at 7:28:08 AM, on 6/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=192.168.0.1:4480
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [yckmeamp] C:\WINDOWS\System32\yckmeamp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37636.7890509259
O16 - DPF: {A7A61125-0EAA-11D1-B22F-0000C08C00C4} (SSDBGrid Control 3.1 - A) - https://www.ext.ch2m.com/ETS/controls/sheridan3_11a.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - 
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://www.ext.ch2m.com/cgi-bin/controls/ikcntrls.cab

----------

I'm guessing these, but don't really know.
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [yckmeamp] C:\WINDOWS\System32\yckmeamp.exe


----------



## TonyKlein (Aug 26, 2001)

Hi, and welcome to the board. You're on the right track! 

Leave pmxinit.exe alone though. It's related to Kyro2 based graphics cards.
Check and have Hijack This fix the following. Then press "fix checked" and restart your computer:

*O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [yckmeamp] C:\WINDOWS\System32\yckmeamp.exe*

After rebooting, delete the C:\WINDOWS\System32\yckmeamp.exe file itself.

Cheers,


----------



## craigt (Jun 10, 2003)

Thanks Tony! Worked like a champ!

-Craig


----------



## TonyKlein (Aug 26, 2001)

Excellent!


----------



## jhammond10 (Jun 11, 2003)

Heres my Hijackthis log

Logfile of HijackThis v1.94.0
Scan saved at 4:52:31 PM, on 6/11/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.spangdahlem.af.mil:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [ptizjpzq] C:\WINNT\System32\ptizjpzq.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [EasyMP3] c:\documents and settings\hammonj\desktop\temp\easymp3.exe -startup
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator.com/v3/download/pdpplugin_4094_hd3ptdm.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37530.2379166667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spangdahlem.usafe.ds.af.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spangdahlem.usafe.ds.af.mil
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = spangdahlem.usafe.ds.af.mil,usafe.ds.af.mil,spangdahlem.af.mil,af.mil,mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spangdahlem.usafe.ds.af.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = spangdahlem.usafe.ds.af.mil,usafe.ds.af.mil,spangdahlem.af.mil,af.mil,mil
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = spangdahlem.usafe.ds.af.mil,usafe.ds.af.mil,spangdahlem.af.mil,af.mil,mil


----------



## TonyKlein (Aug 26, 2001)

Thanks! 

In Hijack This, check ALL of the following items. 
Next, shut down _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchgateway.net/search/%s

O4 - HKLM\..\Run: [ptizjpzq] C:\WINNT\System32\ptizjpzq.exe*

After rebooting, delete the C:\WINNT\System32\ptizjpzq.exe file itself.

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Cheers,


----------



## cjills (Jun 29, 2003)

I am new. I'm a little overwhelmed by a lot of this stuff but I want to get rid of the FSCs. Should I start with installing/downloading Spybot? I read an earlier post that suggested downloading the startup list and pasting it for someone to review and give me advice. Here's what I got. I appreciate any assistance. Thanks.

StartupList report, 6/28/2003, 8:08:26 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\CHRISTINE JILLSON\Local Settings\Temp\Temporary Directory 2 for startuplist1521[1].zip\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\CHRIST~1\APPLIC~1\fbrmsoja.exe
C:\WINDOWS\TVMD.exe
C:\Program Files\Common Files\Presentia\LTDMgr.exe
C:\Program Files\Common Files\Presentia\LSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\OWMngr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Rdj1.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\CHRISTINE JILLSON\Local Settings\Temp\Temporary Directory 2 for startuplist1521[1].zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Microsoft Works Calendar Reminders.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
AtiPTA = atiptaxx.exe
DadApp = C:\Program Files\DELL\AccessDirect\dadapp.exe
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
CC2KUI = C:\PROGRA~1\Comet\Bin\cstray.exe
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
ComcastSUPPORT = C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
agecrvsj = C:\WINDOWS\System32\agecrvsj.exe
jhvcr = C:\DOCUME~1\CHRIST~1\APPLIC~1\fbrmsoja.exe -QuieT
TVMD = C:\WINDOWS\TVMD.exe
LTDMgr = C:\Program Files\Common Files\Presentia\LTDMgr.exe
LSvr = C:\Program Files\Common Files\Presentia\LSvr.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
PopUpStopperFreeEdition = C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
OWMngr = C:\WINDOWS\System32\OWMngr.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\System32\MACCAD~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\SbSrch_V22.dll - {1D870C86-AA3C-4451-81E4-71D480A1A652}
(no name) - C:\WINDOWS\System32\msvcn.dll - {31995C64-CB4D-483E-82C2-CCFFE2F66CAB}
(no name) - C:\WINDOWS\System32\btiein.dll - {63B78BC1-A711-4D46-AD2F-C581AC420D41}
(no name) - C:\Program Files\POP\pop138.dll (file missing) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778}
(no name) - C:\DOCUME~1\CHRIST~1\APPLIC~1\ycrieckhvpr.dll - {8f80197c-840c-4f89-8371-3c6f8ca77ce3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{26E8361F-BCE7-4F75-A347-98C88B418322}]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\btiein.dll
CODEBASE = http://dst.trafficsyndicate.com/Dnl/T_50015/btiein.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe

[RFXPlayer Class]
InProcServer32 = C:\Program Files\Internet Explorer\PLUGINS\RichFX\Player\npvpg005.dll
CODEBASE = http://download.richfx.com/player/mediaversion/005/latest/twophase.cab

[BHO.clsUrlSearch]
InProcServer32 = C:\WINDOWS\System32\BHO2.dll
CODEBASE = http://207.44.176.11/auth/IE_InstllC.exe

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/235fb99bb7dbc0b75b06/netzip/RdxIE601.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[PSSetup Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PSOCX.dll
CODEBASE = http://www.adsvr.net/PowerStrip/PSOCX.cab

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://geotoo.mkm-wpe.net/activex/AxisCamControl.ocx

[{A19A291A-9653-4498-93F6-5BA06CF699D8}]
CODEBASE = http://download.peopleonpage.com/pop/adx/PopLoad.cab

[{AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B}]
CODEBASE = http://www.totalvelocity.com/MemoryMeterbb.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{D9EC0A76-03BF-11D4-A509-0090270F86E3}]
CODEBASE = http://bannerfarm.ace.advertising.com/bannerfarm/42833/VbouncerOuter1123030429.exe

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\System32\nsupdate.dll
CODEBASE = http://204.177.92.201/quickdl/action/NSupd9x.cab

[SBFullInst Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SBFull.ocx
CODEBASE = http://www.spyblast.com/download/SBFull.cab

[{ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE}]
CODEBASE = http://206.161.193.101/install.exe

[{FC327B3F-377B-4CB7-8B61-27CD69816BC3}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SNDbMark.dll
CODEBASE = http://akweb.whenu.com/WsCsAutoWCCS0017.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,283 bytes
Report generated in 0.250 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## brendandonhu (Jul 8, 2002)

Yes, start with Spybot. Then your log from Hijack This would be more helpful than the StartupList.


----------



## mal1930 (Apr 27, 2002)

Hi, if others use your computer you could try Spyblaster. I have just installed it so can't say whether it is good, but it is supposed to block a lot of spyware from getting on your drive in the first place. Peace, Mal


----------



## brendandonhu (Jul 8, 2002)

Yea I have used SpyBlaster, but now I just use SpyBot's Immunize feature.


----------



## cjills (Jun 29, 2003)

Hi Brendandonhu , I downloaded spybot and hijack this. I have had some success!! The FSC window still appears after I click to load my personal settings but after I close it, it has not reappeared. Next, I click on the internet and no more override of my homepage occurs. And no little search box appears on the bottom third of the screen. That is good!!!! I very much would like no more FSC to appear ever. Any suggestions? Also, a continuing and separate problem is pop ups. I have the free Pop up stopper but it is limited in stopping ads. I very much appreciate your earlier suggestion for FSC and hope that you experienced members may continue to assist me. thanks, cjills


----------



## brendandonhu (Jul 8, 2002)

Ok good-now you need to post the log from Hijack This and I or someone else will tell you what items should be removed.


----------



## cjills (Jun 29, 2003)

I downloaded Hijack blaster. Is that different from hijack this? It warns me about BHOs and I click to get rid of them (there are so many!). Anyway, I'm not sure how to get the log from hijack this. I went to google but the list of sites for hijack this was a little confusing. Some guidance, please. Thanks


----------



## TonyKlein (Aug 26, 2001)

Get it here: http://www.tomcoyote.org/hjt/

Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## cjills (Jun 29, 2003)

OKAY, I successfully pasted the hijack log!!! By the way, did I make an error when I downloaded highjack blaster? Looking forward to the next step! thanks, cjills

Logfile of HijackThis v1.95.0
Scan saved at 3:03:51 PM, on 6/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\TVMD.exe
C:\Program Files\Common Files\Presentia\LTDMgr.exe
C:\Program Files\Common Files\Presentia\LSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\OWMngr.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CHRISTINE JILLSON\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.masterbar.com/toolbar/sidebar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.washingtonpost.com/ac2/wp-dyn?node=personalization/mywp/display&destination=startPage&nextstep=refresh&nav=hptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.masterbar.com/toolbar/sidebar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.masterbar.com/toolbar/sidebar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)
O1 - Hosts: 207.44.240.65 ads.x10.com
O1 - Hosts: 207.44.240.65 images.x10.com
O1 - Hosts: 207.44.240.65 count.exitexchange.com
O1 - Hosts: 207.44.240.65 servedby.netadvertising.com
O1 - Hosts: 207.44.240.65 images.trafficmp.com
O1 - Hosts: 207.44.240.65 ad.uk.doubleclick.net
O1 - Hosts: 207.44.240.65 ad.ca.doubleclick.net
O1 - Hosts: 207.44.240.65 ads.specificpop.com
O1 - Hosts: 207.44.240.65 ads.specificclick.com
O1 - Hosts: 207.44.240.65 ads.popupsponsor.com
O1 - Hosts: 207.44.240.65 adfarm.mediaplex.com
O1 - Hosts: 207.44.240.65 media.fastclick.net
O1 - Hosts: 207.44.240.65 media1.fastclick.net
O1 - Hosts: 207.44.240.65 media19.fastclick.net
O1 - Hosts: 207.44.240.65 media28.fastclick.net
O1 - Hosts: 207.44.240.65 media29.fastclick.net
O1 - Hosts: 207.44.240.65 media39.fastclick.net
O1 - Hosts: 207.44.240.65 adserv.internetfuel.com
O1 - Hosts: 207.44.240.65 www.satellitepop.com
O1 - Hosts: 207.44.240.65 count.exitexchange.com
O1 - Hosts: 207.44.240.65 z1.adserver.com
O1 - Hosts: 207.44.240.65 view.atdmt.com
O1 - Hosts: 207.44.240.65 servedfor.valuead.com
O1 - Hosts: 207.44.240.65 banners.valuead.com
O1 - Hosts: 207.44.240.65 img.mediaplex.com
O1 - Hosts: 207.44.240.65 ln.doubleclick.net
O1 - Hosts: 207.44.240.65 m2.doubleclick.net
O1 - Hosts: 207.44.240.65 m.doubleclick.net
O1 - Hosts: 207.44.240.65 ad.doubleclick.net
O1 - Hosts: 207.44.240.65 media28.fastclick.net
O1 - Hosts: 207.44.240.65 media39.fastclick.net
O1 - Hosts: 207.44.240.65 media.fastclick.net
O1 - Hosts: 207.44.240.65 popuptraffic.com
O1 - Hosts: 207.44.240.65 leader.linkexchange.com
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 207.44.240.65 view.atdmt.com
O1 - Hosts: 207.44.240.65 iv.doubleclick.net
O1 - Hosts: 207.44.240.65 focusin.ads.targetnet.com
O1 - Hosts: 207.44.240.65 a.tribalfusion.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Masterbar.com - {A3E02B37-8608-4f57-AD58-AB91F32BA4F4} - C:\WINDOWS\Downloaded Program Files\masterbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\Comet\Bin\cstray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [agecrvsj] C:\WINDOWS\System32\agecrvsj.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [LTDMgr] C:\Program Files\Common Files\Presentia\LTDMgr.exe
O4 - HKLM\..\Run: [LSvr] C:\Program Files\Common Files\Presentia\LSvr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [OWMngr] C:\WINDOWS\System32\OWMngr.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50015/btiein.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} (BHO.clsUrlSearch) - http://207.44.176.11/auth/IE_InstllC.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/235fb99bb7dbc0b75b06/netzip/RdxIE601.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7704D8D8-9EFE-4D82-9C89-0ECBA8434EEE} (PSSetup Class) - http://www.adsvr.net/PowerStrip/PSOCX.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://geotoo.mkm-wpe.net/activex/AxisCamControl.ocx
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/adx/PopLoad.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://bannerfarm.ace.advertising.com/bannerfarm/42833/VbouncerOuter1123030429.exe
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://akweb.whenu.com/WsCsAutoWCCS0017.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = y20700.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = y20700.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C7A7351-0C94-4755-A763-E44F53A1290D}: Domain = y20700.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6959CCB-B22E-4D6B-8E19-575C98E7AC53}: Domain = y20700.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = y20700.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C7A7351-0C94-4755-A763-E44F53A1290D}: Domain = y20700.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = y20700.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C7A7351-0C94-4755-A763-E44F53A1290D}: Domain = y20700.ecpm.com


----------



## brendandonhu (Jul 8, 2002)

Oops, looked like a StartupList at first.


----------



## TonyKlein (Aug 26, 2001)

It _is_ the log from Hijack This.

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.masterbar.com/toolbar/sidebar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.masterbar.com/toolbar/sidebar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.masterbar.com/toolbar/sidebar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.websearch.com/ie.aspx

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)

ALL O1 - Hosts: 207.44.240.65 items!

O3 - Toolbar: Masterbar.com - {A3E02B37-8608-4f57-AD58-AB91F32BA4F4} - C:\WINDOWS\Downloaded Program Files\masterbar.dll

O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\Comet\Bin\cstray.exe
O4 - HKLM\..\Run: [agecrvsj] C:\WINDOWS\System32\agecrvsj.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [LTDMgr] C:\Program Files\Common Files\Presentia\LTDMgr.exe
O4 - HKLM\..\Run: [LSvr] C:\Program Files\Common Files\Presentia\LSvr.exe
O4 - HKCU\..\Run: [OWMngr] C:\WINDOWS\System32\OWMngr.exe

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50015/btiein.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} (BHO.clsUrlSearch) - http://207.44.176.11/auth/IE_InstllC.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/235fb99bb7dbc0...ip/RdxIE601.cab
O16 - DPF: {7704D8D8-9EFE-4D82-9C89-0ECBA8434EEE} (PSSetup Class) - http://www.adsvr.net/PowerStrip/PSOCX.cab
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - 
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - 
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://206.161.193.101/install.exe
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://akweb.whenu.com/WsCsAutoWCCS0017.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = y20700.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = y20700.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C7A7351-0C94-4755-A763-E44F53A1290D}: Domain = y20700.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6959CCB-B22E-4D6B-8E19-575C98E7AC53}: Domain = y20700.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = y20700.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C7A7351-0C94-4755-A763-E44F53A1290D}: Domain = y20700.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = y20700.ecpm.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C7A7351-0C94-4755-A763-E44F53A1290D}: Domain = y20700.ecpm.com*

After rebooting, delete:

C:\WINDOWS\TVMD.exe
The C:\Program Files\Common Files\Presentia folder
C:\WINDOWS\System32\OWMngr.exe

Now download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it found.

Good luck,
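The entries TonyKlein picks out above follow a few recognisable patterns: IE search settings rewritten to a third-party host, every hosts-file line steered to one outside IP, Run entries whose key is an eight-letter random file name (or an .exe dropped straight into the Windows folder or a profile's Application Data), ActiveX controls served from a bare IP, and a DNS domain the machine never belonged to. The script below is an added example that encodes those patterns so a HijackThis log can be pre-screened before a human reads it; it is not code from the thread, from HijackThis or from Spybot. The thresholds, the "microsoft.com / msn.com" allow-list for stock IE search settings, and the folder rules are this example's own assumptions, and the sample lines are constructed from the logs posted in this thread.

```python
"""Pre-screen HijackThis-style log lines for the patterns flagged in the thread.

Added example, not code from the thread, HijackThis or Spybot. Every rule is
a triage signal for a human reviewer, not a verdict. Thresholds and the
vendor allow-list are assumptions made for this example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_ENTRY = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$")
DPF_ENTRY = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S*)$")
DOMAIN_ENTRY = re.compile(r": (?:Domain|DomainName) = (?P<value>\S+)$")
SEARCH_SETTING = re.compile(
    r",(?:Search Page|Search Bar|SearchURL|Default_Search_URL|CustomizeSearch|SearchAssistant)=(?P<url>.+)$")
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOOPBACK = {"127.0.0.1", "0.0.0.0"}
# Stock IE 6 search settings point at microsoft.com / msn.com (assumption: only these are benign).
VENDOR_SEARCH_SUFFIXES = (".microsoft.com", ".msn.com")


def _host(url):
    """Hostname of an http(s) URL; None for about:blank, empty values and local paths."""
    parts = urlsplit(url.strip())
    return parts.hostname if parts.scheme in ("http", "https") else None


def _run_image(cmd):
    """Image path of a Run value, without surrounding quotes or trailing arguments."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def _run_findings(key, cmd):
    image = _run_image(cmd)
    folder, _, filename = image.rpartition("\\")
    stem = filename[:-4] if filename.lower().endswith(".exe") else filename
    out = []
    # Rule A: Run key equals the file name, eight lowercase letters, at most two vowels
    # (agecrvsj.exe, fddktxwf.exe, ptizjpzq.exe in this thread).
    if (key == stem and len(stem) == 8 and stem.isalpha() and stem.islower()
            and sum(c in "aeiou" for c in stem) <= 2):
        out.append("run: machine-generated name")
    # Rule B: an executable sitting directly in the Windows directory (TVMD.exe).
    if re.fullmatch(r"[A-Za-z]:\\(?:WINDOWS|WINNT)", folder, re.I):
        out.append("run: exe in Windows root")
    # Rule C: an executable launched from a profile's Application Data or Temp folder.
    if re.search(r"\\(?:APPLIC~1|Application Data|LOCALS~1\\Temp|Local Settings\\Temp)\\", image, re.I):
        out.append("run: exe in Application Data / Temp")
    return out


def triage(log_text, expected_domains=()):
    """Return (rule, line) pairs for the log lines a reviewer should look at."""
    findings = []
    redirect_targets = Counter()
    hosts_lines = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            s = SEARCH_SETTING.search(body)
            host = _host(s.group("url")) if s else None
            if host and not host.endswith(VENDOR_SEARCH_SUFFIXES):
                findings.append(("search setting points at third party", line))
        elif kind == "O1":
            h = HOSTS_ENTRY.match(body)
            if h and h.group("ip") not in LOOPBACK:
                redirect_targets[h.group("ip")] += 1
                hosts_lines.setdefault(h.group("ip"), []).append(line)
        elif kind == "O4":
            r = RUN_ENTRY.match(body)
            if r:
                for rule in _run_findings(r.group("key"), r.group("cmd")):
                    findings.append((rule, line))
        elif kind == "O16":
            d = DPF_ENTRY.match(body)
            host = _host(d.group("url")) if d else None
            if host and IPV4.match(host):
                findings.append(("ActiveX control served from a bare IP", line))
        elif kind == "O17":
            d = DOMAIN_ENTRY.search(body)
            if d and d.group("value") not in expected_domains:
                findings.append(("DNS domain not expected for this machine", line))
    # Rule D: three or more hosts-file names steered to the same non-loopback IP.
    for ip, n in redirect_targets.items():
        if n >= 3:
            for line in hosts_lines[ip]:
                findings.append((f"hosts file redirects ad hosts to {ip}", line))
    return findings


# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.masterbar.com/toolbar/sidebar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.washingtonpost.com/
O1 - Hosts: 207.44.240.65 ad.doubleclick.net
O1 - Hosts: 207.44.240.65 media.fastclick.net
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [agecrvsj] C:\WINDOWS\System32\agecrvsj.exe
O4 - HKLM\..\Run: [jhvcr] C:\DOCUME~1\CHRIST~1\APPLIC~1\fbrmsoja.exe -QuieT
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKCU\..\Run: [OWMngr] C:\WINDOWS\System32\OWMngr.exe
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} (BHO.clsUrlSearch) - http://207.44.176.11/auth/IE_InstllC.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = y20700.ecpm.com
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run it against a saved HijackThis log by passing the file's contents to `triage()`; pass the machine's legitimate domain in `expected_domains` (as in synctank's corporate `fld.amerco` log, where the O17 entries are genuine) so only an unexplained domain is reported. Anything the script flags still needs the human check TonyKlein applies above: the legitimate QuickTime, OWMngr and Macromedia lines in the sample are deliberately left alone, and a quiet log is no proof of a clean machine.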


----------



## cjills (Jun 29, 2003)

Hi, In Hijack This, I checked all that were listed. Clicked fixed problem and restarted. FSC did not appear. Next I went to C drive to delete files:

C/Windows/TVMD = Access Denied.
The C/Program files/common files/presentia = Can't locate.
C/Windows/Sys32/OWMgr = Sent to recycle bin.

Before I go any further, what should I do about those two files?


cjills


----------



## brendandonhu (Jul 8, 2002)

Did you reboot before attempting to delete them? If not, try that. If that doesn't work, delete them in safe mode.


----------



## cjills (Jun 29, 2003)

Hi, I cannot find safe mode. My notebook's manual is poorly written and there is no reference to 'safe mode.' Now I'm reading the chapter on standard settings, which sounds like it might have something to do with what a safe mode might do. By the way, no more FSC!!!! But I guess I should follow through with deleting the other files anyway. I'll continue reading and see what I can figure out. cjills


----------



## brendandonhu (Jul 8, 2002)

What brand computer do you have? Usually to get into safe mode, repeatedly tap the F8 key while the computer is booting, and then select Safe Mode from the list of boot options.


----------



## greaser (Jul 2, 2003)

If I read these right, this is only to remove the initial pop-up. However, this AM while about to remove it my Enter key was stuck down, which hit the "Accept" button on the scratch pop-up, and I have now installed all sorts of evil junk on my PC.... Anyone know of a way to remove it *after* it's been installed?


----------



## brendandonhu (Jul 8, 2002)

Yes, post your Hijack This log as others in this thread have done and we will tell you what to remove.


----------



## cjills (Jun 29, 2003)

Tony and Brendandonhu,

I was able to get to safe mode (Dell 4100 Inspiron) and complete the deletion of the files in C drive. I updated Spybot, scanned for problems and fixed the problems. I rebooted, too. I have not had FSC return. I get pop-ups but I'm thinking this is a separate problem. Thanks for your guidance. cjills


----------



## brendandonhu (Jul 8, 2002)

Ok! Thats good.
If the popups seem like you shouldn't be getting them, post your HJT log again.


----------



## greaser (Jul 2, 2003)

After accidentally installing the "Scratch Cards" I ran the most recent Ad-aware and Spybot updates and haven't had any issues since. The original pop-up and all the additional junk appear to be wiped clean.


----------



## synctank (Jul 3, 2003)

Logfile of HijackThis v1.95.0
Scan saved at 3:41:15 PM, on 7/3/03
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

(Unable to list running processes (error#53))

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://webselfstorage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://webselfstorage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://webselfstorage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://webselfstorage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://webselfstorage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=ISA01:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=*.amerco;10.*;135.10.*;172.30.*;192.168.7.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [fddktxwf] C:\WINNT\System32\fddktxwf.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
O4 - HKLM\..\Run: [TVTMD] C:\WINNT\TVTMD.exe
O4 - Global Startup: U-Timer.lnk = ?
O4 - Global Startup: Uhaul16.lnk = C:\ACTPAY\Uhaul16.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {E2B2B5A1-B48C-4886-A318-723916A01024} (SBFullInst Control) - http://www.spyblast.com/download/SBFullWU.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fld.amerco
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fld.amerco
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = fld.amerco uhi.amerco
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = fld.amerco uhi.amerco


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries.

O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O4 - HKLM\..\Run: [fddktxwf] C:\WINNT\System32\fddktxwf.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
O4 - HKLM\..\Run: [TVTMD] C:\WINNT\TVTMD.exe
O16 - DPF: {E2B2B5A1-B48C-4886-A318-723916A01024} (SBFullInst Control) - http://www.spyblast.com/download/SBFullWU.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab

Restart your computer and delete

fddktxwf.exe
Program Files\MemoryMeter
TVTMD.exe


----------



## mea (Jul 15, 2003)

Thanks for any help you could give me! I will be so glad to get rid of this thing!
Mylea

Logfile of HijackThis v1.95.0
Scan saved at 12:16:17 AM, on 7/15/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\nCase\msbb.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Window Active\winactive.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mylea\My Documents\My Music\From Internet\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://wfix.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://wfix.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://wfix.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {9c22f5f5-0605-4fc9-8ed4-73e1cb3b8070} - C:\DOCUME~1\Hayley\APPLIC~1\lstdestoaf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: uczekqhckpr - {a4c92b64-dba6-405f-9e0e-6c093246e7c4} - C:\DOCUME~1\Hayley\APPLIC~1\lstdestoaf.dll (file missing)
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [nqateyqd] C:\WINDOWS\System32\nqateyqd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
O4 - HKLM\..\Run: [FMS] C:\WINDOWS\FMS.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [BIOVCIM] C:\WINDOWS\BIOVCIM.exe
O4 - HKLM\..\Run: [EKRX] C:\WINDOWS\EKRX.exe
O4 - HKLM\..\Run: [BEL] C:\WINDOWS\BEL.exe
O4 - HKLM\..\Run: [DKQXBHO] C:\WINDOWS\DKQXBHO.exe
O4 - HKLM\..\Run: [ssstoast] C:\DOCUME~1\Hayley\APPLIC~1\kutroqss.exe -QuieT
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://www.wildtangent.com/multiplayer/cannonsmmp/wtinst.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/291/nCaseInstaller.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn1.adsdk.com/bannerfarm/42833/VbouncerOuter1123030507.exe
O16 - DPF: {E2B2B5A1-B48C-4886-A318-723916A01024} (SBFullInst Control) - http://www.spyblast.com/download/SBFullWU.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = C12364.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = C12364.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB11FE2-85AB-4FAE-93C4-509C32943E49}: Domain = C12364.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = C12364.ecpm.com


----------



## TonyKlein (Aug 26, 2001)

In Hijack This, check ALL of the following items. Double-check so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://wfix.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://wfix.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://wfix.com/searchbar.html

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {9c22f5f5-0605-4fc9-8ed4-73e1cb3b8070} - C:\DOCUME~1\Hayley\APPLIC~1\lstdestoaf.dll (file missing)
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O3 - Toolbar: uczekqhckpr - {a4c92b64-dba6-405f-9e0e-6c093246e7c4} - C:\DOCUME~1\Hayley\APPLIC~1\lstdestoaf.dll (file missing)

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [nqateyqd] C:\WINDOWS\System32\nqateyqd.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
O4 - HKLM\..\Run: [FMS] C:\WINDOWS\FMS.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [BIOVCIM] C:\WINDOWS\BIOVCIM.exe
O4 - HKLM\..\Run: [EKRX] C:\WINDOWS\EKRX.exe
O4 - HKLM\..\Run: [BEL] C:\WINDOWS\BEL.exe
O4 - HKLM\..\Run: [DKQXBHO] C:\WINDOWS\DKQXBHO.exe
O4 - HKLM\..\Run: [ssstoast] C:\DOCUME~1\Hayley\APPLIC~1\kutroqss.exe -QuieT
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://www.wildtangent.com/multipla...smmp/wtinst.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - 
O16 - DPF: {E2B2B5A1-B48C-4886-A318-723916A01024} (SBFullInst Control) - http://www.spyblast.com/download/SBFullWU.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = C12364.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = C12364.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB11FE2-85AB-4FAE-93C4-509C32943E49}: Domain = C12364.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = C12364.ecpm.com*

Now *restart* your computer, and delete:

The C:\WINDOWS\System32\nqateyqd.exe file
The C:\Program Files\Save folder
The C:\Program Files\nCase folder
The C:\WINDOWS\FMS.exe file
The C:\Program Files\Common Files\CMEII\ folder
The C:\WINDOWS\BIOVCIM.exe file
The C:\WINDOWS\EKRX.exe file
The C:\WINDOWS\BEL.exe file
The C:\WINDOWS\DKQXBHO.exe file
The C:\Documents and Settings\Hayley\Application Data\kutroqss.exe file
The C:\Program Files\Window Active folder

Some of the above may have the hidden attribute set, so make sure hidden files are set to show in Folder Options > View.

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

Cheers,


----------



## videohero (Jul 18, 2003)

Hello,

I managed to remove the Free Scratch Cards from popping up on startup...but now a horrible "scrk.com" has taken over my desktop, installing about 75 favorites, desktop icons, and a searchbar that won't erase from the desktop. I made the mistake of using the "uninstall.exe" to supposedly remove the Scratch Card. It did seem to go away, but is now replaced by this. System performance is much slower as well.

Thanks very much for any help!
David

Here is the logfile:

Logfile of HijackThis v1.95.1
Scan saved at 11:01:55:55 AM, on 7/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Window Active\winactive.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\videohero\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - https://vhost.oddcast.com/admin/hostClientIE.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
O16 - DPF: {BE1BDC4F-2AAC-494E-88B1-86B2EE4F2D6D} (CopySafe3 Control) - http://www.artistscope.com/plugin/download/copysafe.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## TonyKlein (Aug 26, 2001)

No sign of LOP, nor of any other toolbar in your log. Are you sure you posted the _last_ Hijack This log you got, and not a previous one instead?

You do have the Window Active foistware:

*O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe*

Have HT fix that one, restart your computer, delete the C:\Program Files\Window Active folder.

As a matter of fact, before deleting it, would you mind terribly sending me a copy of that entire folder for analysis, please? 
The folks at Lavasoft, SpyBot, and others in the Security field would certainly welcome the opportunity of examining it.

TIA!


----------



## TonyKlein (Aug 26, 2001)

Thanks for the files. It's hugely appreciated!


----------



## morrison (Jul 23, 2003)

These pop-ups are killing me. I've blown my whole day at work trying to clean up my computer. Here's my list; hopefully you guys can help me out. Thanks.

Running processes:
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\Program Files\Chevron\GIL Tools\GILAppMgr.exe
C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\SFD\SFD.exe
C:\Program Files\Chevron\GIL Tools\GILExec.exe
C:\WINDOWS\system32\mobsync.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WorkPace\WorkPace.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Altiris\eXpress\Credentials\AeXCredRun.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Chevron\GILTOO~1\MYDOCU~1\My_Docs.exe
C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\PROGRA~1\WorkPace\sv32_240.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\NAVDEF\GILGASCF.EXE
C:\WINDOWS\TVTMD.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\tmbm\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.orbitexplorer.com/cgi-bin/IESearch.cgi?bid=&affid=212
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.chevrontexaco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.chevrontexaco.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Global Information Link
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy:8080;https=proxy:8080;ftp=proxy:8080;gopher=proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oronite.com;*.chevron.com;*.chevron.net;*.chevrontexaco.com;*.chevrontexaco.net;*.*.texaco.com;*.knowledgeplanet.com;*.tengizchevroil.com;*.chevroncreditcard.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\OE\search.dll
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop167.dll
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\OE\toolbar.dll
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\OE\redirector.dll
O3 - Toolbar: (no name) - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - (no file)
O4 - HKLM\..\Run: [WiseUser] C:\Program Files\Chevron\WiseUser\WiseUser.exe
O4 - HKLM\..\Run: [GIL Application Manager] C:\Program Files\Chevron\GIL Tools\GILAppMgr.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SMS Logon Server Batch File] C:\WINDOWS\System32\runquiet.exe C:\WINDOWS\System32\cmd.exe /c %logonserver%\netlogon\smsls.bat
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SFD] C:\Program Files\SFD\SFD.exe -AutoStart
O4 - HKLM\..\Run: [xhseuuix] C:\WINDOWS\System32\xhseuuix.exe
O4 - HKLM\..\Run: [memmeter removal2222] C:\PROGRA~1\JAMES'~1\mmr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [memmeter removal] C:\PROGRA~1\JAMES'~1\mmr.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WorkPace.lnk = C:\Program Files\WorkPace\WorkPace.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files\Microsoft Office\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://inside.chevrontexaco.com
O16 - DPF: DigiChat Applet - http://fanclubchat.musictoday.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://cr.stop-popup-ads-now.com/download/cabs/BANN8002/stoppop.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/298e24845a9b70121017/netzip/RdxIE2.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6C5FF3D2-5978-4728-A4FE-A7714B94A6AF} (ChvCITCOPLocal.OPLocal) - http://gilop.chevrontexaco.com/ChvCITCOPLocal.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://mp3.zonebg.com/mp3archive.exe
O16 - DPF: {8FA85E15-012B-420F-A4E7-FF2B7AA9F9D6} (ChvCITCNetGILLocal.OPNetGIL) - http://gilop.chevron.com/ChvCITCNetGILLocal.CAB
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://midntcmms1.mid.chevrontexaco.net/jinitiator/jinit.exe
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=200331814
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/ads/247/banner/PopLoad.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
O16 - DPF: {C25CD630-5DEC-48C3-BE22-A9EA59464F1B} (ChvCITCWAMLocal.WAMLocal) - http://wam.chevron.com/ChvCITCWAMLocal.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mid.chevrontexaco.net
O17 - HKLM\Software\..\Telephony: DomainName = mid.chevrontexaco.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mid.chevrontexaco.net


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries. Close all windows except HijackThis before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.orbitexplorer.com/cgi-bi...?bid=&affid=212
R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\OE\search.dll
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop167.dll
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\OE\toolbar.dll
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\OE\redirector.dll
O3 - Toolbar: (no name) - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - (no file)
O4 - HKLM\..\Run: [xhseuuix] C:\WINDOWS\System32\xhseuuix.exe
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://cr.stop-popup-ads-now.com/do...002/stoppop.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/298e24845a9b70...tzip/RdxIE2.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://mp3.zonebg.com/mp3archive.exe
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/po...ner/PopLoad.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab

Restart your computer.

Download Spybot S&D. Update SS&D via the "Online" tab. Search for and download all updates. Close all browser windows, hit "Check for problems". After scan hit "Fix selected problems".
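
An added triage script (not from any post in this thread, and not part of HijackThis) that applies the pattern behind TonyKlein's and Top Banana's fix lists to the log format shown above: it parses R0/R1, O2/O3, O4, O16 and O17 lines and flags the kinds of entries those lists single out, for review rather than automatic deletion. The KNOWN_SYSTEM32 allowlist, the trusted_hosts parameter and the sample lines are constructed assumptions, modelled on the logs posted here.

```python
"""Triage helper for the HijackThis log format posted in this thread.  Added example,
not code from any post here nor part of HijackThis.  It encodes the pattern behind the
fix lists above: Run entries launched from a user's Application Data or straight from
the Windows directory, BHO/toolbar entries whose file is gone, DPF entries fetching a
bare .exe or served from a raw IP, hijacked search pages and Tcpip domain settings."""
from __future__ import annotations
import re
from collections import namedtuple
from urllib.parse import urlsplit
KNOWN_SYSTEM32 = {"ctfmon", "mobsync", "rundll32"}  # hypothetical allowlist; extend per environment
WATCHED_VALUES = {"search bar", "search page", "searchassistant", "start page", "default_page_url"}
# Constructed sample, modelled line for line on the logs posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://wfix.com/searchbar.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9c22f5f5-0605-4fc9-8ed4-73e1cb3b8070} - C:\DOCUME~1\Hayley\APPLIC~1\lstdestoaf.dll (file missing)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nqateyqd] C:\WINDOWS\System32\nqateyqd.exe
O4 - HKLM\..\Run: [DKQXBHO] C:\WINDOWS\DKQXBHO.exe
O4 - HKLM\..\Run: [ssstoast] C:\DOCUME~1\Hayley\APPLIC~1\kutroqss.exe -QuieT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/298e24845a9b70121017/netzip/RdxIE2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = C12364.ecpm.com
"""
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^HK(?:LM|CU)\\[^,]+,(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>(?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.exe)', re.IGNORECASE)
WINDIR_RE = re.compile(r"^(?:[a-z]:\\(?:windows|winnt)|%systemroot%)\\(?P<sub>system32\\)?[^\\]+$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
Finding = namedtuple("Finding", "code reason line")  # code = HijackThis section, e.g. "O4"

def _is_user_appdata(path: str) -> bool:
    return "\\applic~1\\" in path.lower() or "\\application data\\" in path.lower()

def _check_r(body: str, trusted: set[str]) -> str | None:
    m = R_RE.match(body)
    if not m or m["value"].strip().lower() not in WATCHED_VALUES:
        return None
    host = (urlsplit(m["data"].strip()).hostname or "").lower()
    return f"browser {m['value'].strip()} points at {host}" if host and host not in trusted else None

def _check_bho(body: str) -> str | None:
    if "(file missing)" in body or "(no file)" in body:
        return "BHO/toolbar is registered but its file is gone"
    if _is_user_appdata(body.rsplit(" - ", 1)[-1]):
        return "BHO/toolbar loads from a user profile's Application Data"
    return None

def _check_run(body: str, known: set[str]) -> str | None:
    m = RUN_RE.match(body)
    exe = EXE_RE.search(m["cmd"]) if m else None
    if not exe:
        return None
    path = exe["path"].lower()
    if _is_user_appdata(path):
        return "Run entry launches from a user profile's Application Data"
    w = WINDIR_RE.match(path)
    if w and not w["sub"]:
        return "Run entry launches an executable dropped directly in the Windows directory"
    stem = path.rsplit("\\", 1)[-1][:-4]
    if w and stem not in known and m["name"].lower().removesuffix(".exe") == stem:
        return "Run entry in System32 whose value name just repeats an unknown file name"
    return None

def _check_dpf(body: str) -> str | None:
    parts = urlsplit(body.rsplit(" - ", 1)[-1].strip())
    host = parts.hostname or ""
    if parts.path.lower().endswith(".exe"):
        return f"ActiveX download entry fetches a bare executable from {host}"
    return f"ActiveX download entry is served from a raw IP address {host}" if IP_RE.match(host) else None

def _check_domain(body: str) -> str | None:
    m = re.search(r"Domain(?:Name)?\s*=\s*(\S+)", body)
    return f"Tcpip/Telephony domain set to {m[1]}; confirm it belongs to your network" if m else None

def triage(log_text: str, trusted_hosts=(), known=KNOWN_SYSTEM32) -> list[Finding]:
    """One Finding per log line that deserves a second look; review only, deletes nothing."""
    trusted = {h.lower() for h in trusted_hosts}
    checks = {"R0": lambda b: _check_r(b, trusted), "R1": lambda b: _check_r(b, trusted),
              "O2": _check_bho, "O3": _check_bho, "O4": lambda b: _check_run(b, known),
              "O16": _check_dpf, "O17": _check_domain}
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = LINE_RE.match(line)
        reason = checks[m["code"]](m["body"]) if m and m["code"] in checks else None
        if reason:
            findings.append(Finding(m["code"], reason, line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Entries the script does not flag (a legitimate vendor Run key in Program Files, an allowlisted System32 name, a .cab from a known host) still need a human eye, exactly as the helpers in this thread gave them one.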


----------



## brady5330 (Aug 14, 2003)

Any help would be appreciated.

Logfile of HijackThis v1.95.0
Scan saved at 11:30:26 PM, on 8/13/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ofps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joseph Brady.BRADY\Local Settings\Temp\Temporary Directory 1 for hijackthis195.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://altavista.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37814.5645833333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## sayit (Aug 19, 2003)

I was digging around and found this info on the uninstall site for fsc.

I hope it helps. I ran the uninstaller and it worked fine but for some you may have to go here and try this:

http://www.free-scratch-cards.com/uninstall-help.php

good luck


----------

