# mysearch parasite



## Dekker (Apr 9, 2003)

Hello

I have recently accidentally downloaded a program called mysearch and I can't uninstall it. It has added a new tool bar to my browser and keeps opening pop-ups as well as saving unwanted web pages to my desktop.

When I go to add/remove files it tells me that I'm unable to uninstall because there is no uninstall exe.
I've tried deleting the files but I'm left with one called 'S4BAR.DLL' that won't be deleted. Is there any way that I can remedy this?

Many thanks


----------



## Gordon7000 (Mar 22, 2003)

Hi Dekker,

Yes, this is a known parasite. Please download and install Spybot Search and Destroy.

http://security.kolla.de/index.php?lang=en&page=download

Before using the programme, UPDATE it from the Internet. Then, disconnect from the Internet, close your browser and run Spybot (Check for Problems). Tick everything highlighted in red and DELETE these entries with Spybot. After this, REBOOT your PC.

After this, download, unzip and run Hijack This

http://www.tomcoyote.org/hjt/

Most of the entries in the log are harmless, so don't fix anything yet. Just SCAN your computer. When the scan is completed, press the SAVE LOG button to save the log to Notepad. Then copy the entire log from Notepad and post it on this forum. Someone will then let you know what to do next.

Regards, Gordon


----------



## Dekker (Apr 9, 2003)

Hi Gordon

Thanks for taking the time to reply, the spybot search and destroy was extremely helpful.

I havent been able to get on the tomcoyote site yet but when I can I shall carry out your second instruction.

Best wishes

Dekker


----------



## TonyKlein (Aug 26, 2001)

You can download Hijack This at the following sites as well:

http://www.spywareinfo.com/downloads.php#det

http://www.lurkhere.com/~nicefiles/index.html


----------



## Dekker (Apr 9, 2003)

Thanks Tony

Logfile of HijackThis v1.93.0
Scan saved at 19:05:10, on 13/04/03
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Antivirus\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\RealDownload.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37467.6698611111
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab


----------



## TonyKlein (Aug 26, 2001)

Are you sure you updated SpyBot before having it scan your drive?

It should have removed some more stuff.

In Hijack This, check the following items, then CLOSE all browser windows, and press "fix checked".

You need to reboot after doing that.

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) -

Cheers,


----------



## rayandtam02 (Jun 28, 2003)

Logfile of HijackThis v1.95.0
Scan saved at 10:01:08 AM, on 6/28/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\bpk.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=129192
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.yahoo.com/
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\PROGRA~1\Yahoo!\MESSEN~1\bpkwb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17d0d121b519e813bb15/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37748.829224537
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab


----------



## TonyKlein (Aug 26, 2001)

Hi,

Check and have Hijack This fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=129192
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=129192

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)

O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe

O16 - DPF: Yahoo! Chat - 
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - 
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17d0d121b519e8...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - 
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab

Now restart your computer, and find and delete the RunDll16.exe file, if you still have it.

Cheers,


----------



## TonyKlein (Aug 26, 2001)

Also, you have a browser plugin I've never seen before, and I'd like to have a closer look at it.

Would you mind terribly sending me a copy of the bpkwb.dll file in your Program Files\Yahoo!\Messenger folder for analysis, please? 

I'll keep you updated on the nature of the file, and whether it is in fact legitimate.

It has almost the same Class ID as the Stealth Keylogger, and one of the Commonname foistware browser plugins, so I think it may need to be investigated.

TIA!


----------



## TonyKlein (Aug 26, 2001)

Hmm, here's a Portuguese language thread which indeed mentions this file in relation to the Antispy Keylogger:
http://216.239.39.100/search?q=cach...003-June/002353.html+bpkwb.dll&hl=en&ie=UTF-8


----------



## reedygal (Jul 6, 2003)

Here is my Hijack this log file... Can you help?

Logfile of HijackThis v1.95.0
Scan saved at 3:31:35 PM, on 7/6/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsgSys.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\BQTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Philips\LightFrame\LightFrame.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINNT\BQTray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB002" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: LightFrame.lnk = C:\Program Files\Philips\LightFrame\LightFrame.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/116842f97924b0966606/netzip/RdxIE6.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37567.4949189815
O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - http://www.premiereinteractive.com/behere/iVideoViewer3_0.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rrc.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab


----------



## TonyKlein (Aug 26, 2001)

Hi! 

In Hijack This, check ALL of the following items. Double-check so as to be sure not to miss a single one.
Next, close _all_ browser windows, and have HT fix all checked.

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.30/Hiwire.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/116842f97924b0...tzip/RdxIE6.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Sha...c/bin/cabsa.cab

Now *restart* your computer, and download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Cheers,


----------



## dieselbreton (Jul 7, 2003)

Hey, I'm very worried! I just bought my new computer and I realize that a bar downloaded by itself in my internet explorer.....the name of this bar is mysearch. I already tried to erase it but it doesn't have an uninstall program! what do I have to do???? Is this a virus?? will it erase something from my computer?? Please help me!

Please contact me,

Thank you

Armando Bretón



----------



## dieselbreton (Jul 7, 2003)

It's me.....Armando again....my scan gave me these files please tell me if I have to erase anything from here......

Ad-Flow: Tracking cookie or cookie of tracking site (Archivo, nothing done)
C:\Documents and Settings\Armando\Cookies\[email protected][2].txt

BFast: Tracking cookie or cookie of tracking site (Archivo, nothing done)
C:\Documents and Settings\Armando\Cookies\[email protected][1].txt

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-21-2952981389-2299825339-2237029002-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Cambio en el Registro, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

FastClick: Tracking cookie or cookie of tracking site (Archivo, nothing done)
C:\Documents and Settings\Armando\Cookies\[email protected][2].txt

Gator: Global settings (Clave del Registro, nothing done)
HKEY_LOCAL_MACHINE\Software\Gator.com

Hacker.ag: Log file (Archivo, nothing done)
C:\WINDOWS\coder.log

Hacker.ag: Settings (Archivo, nothing done)
C:\WINDOWS\coder.ini

Windows Media Player: Client ID (Cambio en el Registro, nothing done)
HKEY_USERS\S-1-5-21-2952981389-2299825339-2237029002-1005\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

--- Spybot-S&D version: 1.2 ---
2003-06-24 Includes\Cookies.sbi
2003-07-04 Includes\Dialer.sbi
2003-07-03 Includes\Hijackers.sbi
2003-06-24 Includes\Keyloggers.sbi
2003-07-02 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-06-24 Includes\Security.sbi
2003-07-02 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-07-05 Includes\Tracks.uti
2003-06-24 Includes\Trojans.sbi


----------



## dieselbreton (Jul 7, 2003)

Logfile of HijackThis v1.95.0
Scan saved at 03:16:35 a.m., on 07/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Archivos de programa\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Sony\VAIO Action Setup\VAServ.exe
C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\system32\notepad.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Armando\Configuración local\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.sony-latin.com/registration/vaio
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSURVEY] C:\Archivos de programa\Sony\VAIO Survey\LASurvey.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Archivos de programa\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony-latin.com/registration/vaio
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {280168BC-76BF-4CD0-B835-3D686EFA8DDC} - http://www.browserwise.com/search1/install/BrowserToolbarUninstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37795.5547222222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Metallica (Jan 28, 2003)

Hi dieselbreton,

If you want to get rid of MyBar:

Check the following items in HijackThis.
Close *all* windows except HijackThis and click Fix checked:

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: ?? - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL

And when you're busy anyway, lose these as well:
O4 - HKLM\..\Run: [TkBellExe] C:\Archivos de programa\Archivos comunes\Real\Update_OB\evntsvc.exe -osboot
O16 - DPF: {280168BC-76BF-4CD0-B835-3D686EFA8DDC} - http://www.browserwise.com/search1/...Uninstaller.cab

Reboot after doing so.

Regards,

Pieter
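
The entries the helpers in this thread single out (the MyBar and My Search CLSIDs, the MYBAR.DLL path, the couldnotfind.com search redirect, the RunDll16.exe Run key and the orphaned "(no file)" registrations) can be checked for mechanically. The Python below is an added example, not code from this thread or from HijackThis; the indicator lists are copied from the log lines quoted above, the O2/O3/O4/O16 and R0/R1 line shapes are inferred from those same logs, and the sample log is a constructed subset of them.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators copied from the log lines quoted in this thread and from the
# helpers' "have HijackThis fix these" lists. CLSIDs are compared upper-cased.
MYBAR_CLSIDS = {
    "{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}",  # myBar BHO
    "{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}",  # &SearchBar toolbar (MYBAR.DLL)
    "{014DA6C1-189F-421A-88CD-07CFE51CFF10}",  # My Search BHO
    "{014DA6C9-189F-421A-88CD-07CFE51CFF10}",  # My &Search Bar toolbar
}
# Matches "Program Files\MyWay\myBar\" and the Spanish "Archivos de programa\MyWay\myBar\".
SUSPECT_PATH_FRAGMENTS = ("\\myway\\mybar\\", "rundll16.exe")
HIJACK_HOSTS = ("couldnotfind.com",)

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str                 # "R1", "O2", "O3", "O4", "O16", ...
    name: str                    # descriptive part (BHO name, Run key, IE setting)
    clsid: Optional[str]         # upper-cased CLSID if the line carries one
    target: str                  # file, command line, URL or "(no file)"
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis result line; header and process-list lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    found = CLSID_RE.search(body)
    clsid = found.group(0).upper() if found else None
    if section.startswith("R"):
        # R0/R1: "HKCU\...\Main,Search Bar=http://..." (split at the first "=")
        name, _, target = body.partition("=")
    elif section == "O4" and "]" in body:
        # O4 Run keys: "HKLM\..\Run: [RDLL] RunDll16.exe"
        name, _, target = body.partition("]")
        name += "]"
    else:
        # O2/O3/O16: "BHO: myBar BHO - {CLSID} - C:\...\MYBAR.DLL" or "... - (no file)"
        name, _, target = body.partition(" - ")
        target = target.rsplit(" - ", 1)[-1]
    return Entry(section, name.strip(), clsid, target.strip())


def classify(entry: Entry) -> Entry:
    """Attach one reason per thread indicator the entry matches."""
    low = entry.target.lower()
    if entry.clsid in MYBAR_CLSIDS:
        entry.reasons.append("CLSID registered by the MyBar / My Search toolbar")
    if any(frag in low for frag in SUSPECT_PATH_FRAGMENTS):
        entry.reasons.append("points at the MyBar DLL or the RunDll16.exe loader")
    if entry.section.startswith("R") and any(h in low for h in HIJACK_HOSTS):
        entry.reasons.append("IE search setting redirected to couldnotfind.com")
    if entry.target == "(no file)":
        entry.reasons.append("orphaned BHO/toolbar registration (no file on disk)")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return the suspicious entries of a HijackThis log, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is not None and classify(entry).suspicious:
            flagged.append(entry)
    return flagged


# Constructed sample: a subset of lines from the logs posted in this thread,
# mixed with benign entries that must not be flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.95.0
Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=129192
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
```

Run `triage(SAMPLE_LOG)` on a full saved log to get the flagged entries with their reasons; anything it does not flag still needs the human review the thread describes.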


----------



## TechCowboy (Jul 7, 2003)

Logfile of HijackThis v1.95.0
Scan saved at 2:38:11 PM, on 7/7/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINNT\System32\IETie.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hwspades_scecab_68.98.185.234.1326210569387167655_973321.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06c6d2e8695b08c30905/netzip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37752.4915625
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.nextel.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.nextel.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.nextel.com


----------



## Metallica (Jan 28, 2003)

Hi TechCowboy,

If you want to get rid of the MYBar, check the following items in HijackThis.
Close *all* windows except HijackThis and click Fix checked:
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: ?? - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06c6d2e8695b08...ip/RdxIE601.cab

Reboot after doing so.

Regards,

Pieter


----------



## LGBTBinat (Jul 8, 2003)

Hi,

I had the unfortunate luck of getting that damn My Search parasite. Hell, I didn't even download it, it downloaded itself onto my system.

Anyway, after running a search yesterday on the "new" toolbar I had received, I came across your site.

I followed the instructions given, about downloading Spybot Search and Destroy, and then Hijack This.

Anyway, I have run both programs, and have my Hijack This scan results to post, and await further instructions.

Hijack This scan results:

Logfile of HijackThis v1.95.0
Scan saved at 12:10:27 PM, on 8/07/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Mytek\Mytek Assist\MyTekSystray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\AOL 7.0\aoltray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.optusnet.com.au/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.optusnet.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by OptusNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B4AF6421-1DDD-447B-88AF-ADF6CD6AAEAB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [MytekSystrayExePath] C:\Program Files\Mytek\Mytek Assist\MyTekSystray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thank you for the help already given. And thank you in advance for the further help.

LGBTBinat


----------



## Metallica (Jan 28, 2003)

Hi LGBTBinat,

It looks like you took care of it yourself, just some orphaned registry keys left.

Check the following items in HijackThis.
Close *all* windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {B4AF6421-1DDD-447B-88AF-ADF6CD6AAEAB} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

Reboot after doing so.

I'm curious about this one:
O4 - HKLM\..\Run: [MytekSystrayExePath] C:\Program Files\Mytek\Mytek Assist\MyTekSystray.exe
If you could point me to a site with info on the program it belongs to?

Regards,

Pieter


----------



## LGBTBinat (Jul 8, 2003)

Hi Pieter,

Thanks so much for your help.

In relation to your question about the MyTek system tray: it belongs to a Web site (www.mytek.com.au) and is a computer tech support thing, here in Australia.

I received it with the computer when I got the computer, but really don't know much about it.

Once again, thank you.

LGBT


----------



## Metallica (Jan 28, 2003)

And thank _you_ for the information.

Regards,

Pieter


----------



## miriote (Jul 12, 2003)

I followed the instructions from other posts about this topic, and the following is my log file. Thanks so much for your help!!!!

Logfile of HijackThis v1.95.0
Scan saved at 4:46:54 PM, on 7/12/03
Platform: Windows 98 SE (Win9x)
MSIE: Internet Explorer v6.00 SP1

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PROGRAM FILES\BIGFIX\BIGFIX.EXE
C:\PROGRAM FILES\KILL POPUP\KILLPOPUP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://login.passport.net/uilogin.srf?id=2
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Startup: Kill Popup.lnk = C:\Program Files\Kill Popup\KillPopup.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security3.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security3.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1038704779460
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab


----------



## einaussie (Aug 20, 2003)

Logfile of HijackThis v1.96.1
Scan saved at 1:06:09 PM, on 8/20/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Navnt\DefWatch.exe
C:\Program Files\Navnt\rtvscan.exe
C:\ODI\OStore\BIN\OSCMGR6.EXE
C:\ODI\OStore\BIN\OSSERVER.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\WINNT\System32\TPWRTRAY.EXE
C:\WINNT\System32\Tdevdetect.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\Tfunckey.exe
C:\Program Files\ACNU\ACNUpdater.exe
C:\WINNT\System32\Tpwricon.exe
C:\WINNT\System32\TspdIcon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Palm\AlarmApp.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Notes\NLNOTES.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Notes\namgr.EXE
C:\Program Files\Notes\nWEB.EXE
C:\Program Files\Notes\nupdate.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Dsetext] C:\WINNT\dsetext.wsf
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: TMExLogon.lnk = D:\Program Files\TOSHIBA\TME\TMESRV.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab


----------



## kimkay (Aug 24, 2003)

I did everything specified in the first reply on this thread, rebooted my computer, and I still have the mysearch toolbar--here is the results of my hijack this scan--please help! Thanks in advance...

Logfile of HijackThis v1.96.2
Scan saved at 2:42:16 PM, on 8/24/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Norton Personal Firewall\NISUM.EXE
D:\WINNT\system32\spoolsv.exe
E:\Program Files\Norton Personal Firewall\ccPxySvc.exe
D:\WINNT\System32\crypserv.exe
D:\WINNT\System32\svchost.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\explorer.exe
D:\WINNT\system32\winupdate.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\program files\adobe 6\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Support.com\bin\tgcmd.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Winamp\Winampa.exe
D:\WINNT\System32\msblast.exe
D:\WINNT\System32\SahAgent.exe
G:\INTERNET FILES\Temporary Internet Files\Netscp.exe
E:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
D:\WINNT\system32\RUNDLL32.exe
D:\WINNT\system32\RUNDLL32.exe
E:\PROGRA~1\HEWLET~1\HPPSC7~1\bin\hpoevm07.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
F:\PROGRA~1\WinZip\winzip32.exe
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe
D:\Program Files\Outlook Express\msimn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
F0 - system.ini: Shell=explorer.exe winupdate.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (D:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\6idjj3p5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://G%3A%5CINTERNET%20FILES%5CTemporary%20Internet%20Files%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\6idjj3p5.slt\prefs.js)
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 free6.com #cooklop
O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - D:\WINNT\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {6427806D-3820-11D5-9939-00B0D0522EB5} - e:\Palm\FireConverterBrowserHelperObject.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - (no file)
O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - D:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\program files\adobe 6\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] D:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [SAHAgent] D:\WINNT\System32\SahAgent.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "g:\INTERNET FILES\Temporary Internet Files\Netscp.exe" -turbo
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SnagIt 5.lnk.disabled
O4 - Global Startup: Billminder.lnk.disabled
O4 - Global Startup: HPAiODevice.lnk = E:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk.disabled
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Add to FireViewer Conduit (HKLM)
O9 - Extra 'Tools' menuitem: Add to FireViewer Conduit (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030105/cccabs/CleverContent.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3717DF55-0396-463D-98B7-647C7DC6898A} - http://tb-static.adpowerzone.com/mtb/toolbar.cab
O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} (Loader Class) - http://www.search-feed.com/bigbar/SQLoader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2992916e43b292d40e18/netzip/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://hawaiilive.sheraton-hawaii.com/AxisCamControl.ocx
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - http://www.adsrvr.com/promos/Aff_Installer_4.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio4_0_2_10.cab


----------



## buckaroo (Mar 25, 2001)

Hi kimkay, Welcome to TSG.

Well first, you have the MSBlast worm. Let's get rid of that, okay?

Download and run this removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Then, go here and d/l the patch you need to keep from getting re-infected:

http://download.com.com/3120-20-0.html?qt=823980&tg=dl-2001&search=+Go!+

Okay, once that's taken care of, you do have stuff on your log to clean up. However, go here first and download Spybot:

http://www.safer-networking.org/index.php?lang=en&page=download

After installing, have it go online to check for and download all updates. Then have it check your system for problems. Everything it finds in RED is safe to delete.

After running Spybot, reboot and then post another log back here to see what's left over, okay?


----------



## kimkay (Aug 24, 2003)

for the tips! I got rid of the worm, then tried to download the patch--but couldn't because I didn't have service pack 2 or higher. When I tried to download sp 4, the download failed because my D drive is full. Do you know how I can change the drive this downloads to? I'm not a computer guru, and my husband is out of the country, so I don't know what to do to free up room on D. Also, I updated Spybot before running Hijackthis, so that log should be very current. Thanks so much, I really want to get rid of this stupid toolbar....


----------



## winchester73 (Aug 18, 2003)

Kimkay:

Ad-Aware 6.181 will remove the MySearch toolbar and the Blaster. This appears to be a new hijacker ... a new reference file will be released shortly, which will do some further cleaning.

Your broken Internet access is because of LSP provider 'lsp.dll' missing ... sahagent is using a trick to slip through SB's detection ... you aren't using any paths, so windows assumes (correctly) it's in the system directory.

The HOSTS redirections are from an ip address that is (not yet) on the targeted list, but from the next update on this hijacker is included (it resolves to this kazaa-lite.ws site also).

Here is what I would suggest ... let's do some HT fixes, then run Ad-Aware ... then we can go through any remaining items:

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kazaa-lite.ws/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/

O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 free6.com #cooklop
O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop

O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - D:\WINNT\System32\netpal.dll (file missing)

O2 - BHO: (no name) - {6427806D-3820-11D5-9939-00B0D0522EB5} - e:\Palm\FireConverterBrowserHelperObject.dll

O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - (no file)

O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - (no file)

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC}

O4 - HKLM\..\Run: [windowsupdate] winupdate.exe

O4 - HKLM\..\Run: [windows auto update] msblast.exe

O4 - HKLM\..\Run: [SAHAgent] D:\WINNT\System32\SahAgent.exe

O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

Next, close all browser Windows, and have HT fix all checked.
When you are done, re-boot.

Download and install the free Ad-aware 6 Personal Build 181, from this list of mirror sites: http://www.lavasoft.de/support/download/

Start the program ... on the start-up screen, you will need to first run the Webupdate Feature (gear wheel at the top), or click "check for updates" to get the Reference File up to date. Currently there are multiple updates each week to keep up with the latest developments in this anti-trackware arena. Ad-Aware's database is almost twice as big as some of the other anti-trackware applications, and new targets are added/updated 2 or 3 times a week lately.

Ad-aware 6 Build 181 introduced scanning the Hosts file. The Hosts file is used by your computer as a quick means for finding out where a web site address is. Some targets use the Hosts file to assist in installing, executing, or maintaining their presence on your computer. The most common is redirecting web pages.

Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

See that you have these options checked:
Under Ad-aware 6 Settings, Scanning:
"Scan my Hosts File"
Under Ad-aware 6 Settings, Tweaks, Scanning Engine: 
"Unload recognized processes during scanning."
Under Ad-aware 6 Settings, Tweaks, Cleaning Engine: 
"Automatically try to unregister objects prior to deletion."
"Let Windows remove files in use after reboot."

Next ...

Run Ad-aware 6.
Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
Make a Quarantine only if you do not have the Auto-Quarantine option ON.
Then choose "Next" to remove the chosen objects.
Finally ... Reboot

Please run HT again and post that log.

We might want you to submit winupdate.exe if it is still there. Also might want you to post your A-A logfile.

[EDIT]: The release of the new reference file is going to be tomorrow ... you might want to get it, and re-run A-A before running HT again.


----------



## buckaroo (Mar 25, 2001)

Good deal winchester73 :up: 

Appreciate the help here and thanks for those recommended AdAware settings....mine was not set for those, but now they are.

kimkay, you have to get your OS updated so you can get that patch installed, otherwise you're prone to re-infection of MSBlast at any time. How is your HD partitioned?


----------



## winchester73 (Aug 18, 2003)

Thanks for the kind words. A scan with A-A 6.181 and the latest reference file will definitely be to Kimkay's advantage.

Just wait until you see what v6.2 will do when it is released ...


----------



## kimkay (Aug 24, 2003)

Thanks a bunch guys! I had work and other annoying stuff to do so I'm just getting back to working on this. MySearch is gone now, yay!!! I'm running AdAware as I type--I downloaded it a year or so ago and didn't really know how to use it, so I'd uninstalled it. The new version is so much more user-friendly. As far as the hard drive goes, I have a C, D, E, and F that are one drive partitioned that way, and then a separate 120-gig hard drive. D is totally full, but I couldn't find any way to tell the service pack where I wanted it to install, it just automatically goes to D. I've got lots of room on G if I can put it there...help???


----------



## kimkay (Aug 24, 2003)

As per your request, here's the new log that I ran after using AdAware...

Logfile of HijackThis v1.96.2
Scan saved at 10:20:14 PM, on 8/25/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Norton Personal Firewall\NISUM.EXE
D:\WINNT\system32\spoolsv.exe
E:\Program Files\Norton Personal Firewall\ccPxySvc.exe
D:\WINNT\System32\crypserv.exe
D:\WINNT\System32\svchost.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\explorer.exe
D:\WINNT\system32\winupdate.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\program files\adobe 6\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Support.com\bin\tgcmd.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Winamp\Winampa.exe
G:\INTERNET FILES\Temporary Internet Files\Netscp.exe
E:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
D:\WINNT\system32\RUNDLL32.exe
D:\WINNT\system32\RUNDLL32.exe
E:\PROGRA~1\HEWLET~1\HPPSC7~1\bin\hpoevm07.exe
E:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\AIM95\aim.exe
F:\PROGRA~1\WinZip\winzip32.exe
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe winupdate.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (D:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\6idjj3p5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://G%3A%5CINTERNET%20FILES%5CTemporary%20Internet%20Files%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\6idjj3p5.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\program files\adobe 6\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "D:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ccApp] D:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] D:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "g:\INTERNET FILES\Temporary Internet Files\Netscp.exe" -turbo
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SnagIt 5.lnk.disabled
O4 - Global Startup: Billminder.lnk.disabled
O4 - Global Startup: HPAiODevice.lnk = E:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk.disabled
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Add to FireViewer Conduit (HKLM)
O9 - Extra 'Tools' menuitem: Add to FireViewer Conduit (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030105/cccabs/CleverContent.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3717DF55-0396-463D-98B7-647C7DC6898A} - http://tb-static.adpowerzone.com/mtb/toolbar.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2992916e43b292d40e18/netzip/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://hawaiilive.sheraton-hawaii.com/AxisCamControl.ocx
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - http://www.adsrvr.com/promos/Aff_Installer_4.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio4_0_2_10.cab

I can already tell a difference in my computer's stability and speed--this is awesome! Now if I can just figure out how to get that MSBlast patch downloaded and installed I'll feel better. Muchas gracias, Winchester and Buckaroo.


----------



## $teve (Oct 9, 2001)

Hello Kim,

In HijackThis check the following, close all browser windows and fix checked.

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe winupdate.exe
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O16 - DPF: {3717DF55-0396-463D-98B7-647C7DC6898A} - http://tb-static.adpowerzone.com/mtb/toolbar.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2992916e43b292...ip/RdxIE601.cab
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - http://www.adsrvr.com/promos/Aff_Installer_4.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab

Re-boot into Safe Mode (by tapping the F8 key on boot-up).
Find and delete:
D:\WINNT\system32\winupdate.exe


----------



## $teve (Oct 9, 2001)

COULD YOU PLEASE POST YOUR HIJACKTHIS LOGFILES IN NEW AND SEPARATE THREADS IN THE SECURITY FORUM..... IF YOU TAG THEM ONTO THIS OR ANY OTHER EXISTING THREAD, SOME MAY GET MISSED, AND WE WOULDN'T WANT THAT NOW WOULD WE...... THANK YOU


----------



## kimkay (Aug 24, 2003)

$teve--did all you said, then got this message when I rebooted in regular mode: "Cannot find the file 'winupdate.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available." What do I do now? And thanks for the tip on posting the logfiles in a new thread, I just assumed it was better to post in the same thread to keep things together.


----------



## Flrman1 (Jul 26, 2002)

kimkay

You will have to run Hijack This again and look for one or both of these entries and have HT fix them. One of these entries is still there and that is why you are receiving that message at startup.

F0 - system.ini: Shell=explorer.exe winupdate.exe

O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
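The entries $teve asked to have fixed (the F0 Shell= line, the bare O4 Run value, the O16 DPF entries served from a raw IP or as a bare .exe) and Flrman1's explanation of the leftover "Cannot find the file" startup message can both be illustrated with a small triage script. This is an added example, not HijackThis code and not anything a poster in this thread wrote; the sample log lines are constructed from entries quoted earlier in the thread, and the list of files "present on disk" is a constructed stand-in for what Kim deleted in Safe Mode. The bare-filename check also flags mobsync.exe, a Windows component, which shows why a hit is a prompt to locate and verify the file, not a verdict on its own.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code).

Flags three kinds of entries discussed in this thread:
  F0  - a system.ini Shell= value that loads anything besides explorer.exe
  O4  - a Run value that is a bare filename instead of a full path
  O16 - a Downloaded Program Files entry fetched from a raw IP address,
        or delivered as a bare .exe instead of a .cab package
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on lines quoted earlier in this thread.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe winupdate.exe
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\program files\adobe 6\qttask.exe" -atboottime
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2992916e43b292d40e18/netzip/RdxIE601.cab
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - http://www.adsrvr.com/promos/Aff_Installer_4.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

SHELL_RE = re.compile(r"^F0 - system\.ini: Shell=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S*)$")
IPV4_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive letter or UNC prefix


@dataclass
class Finding:
    section: str  # F0, O4 or O16
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Executable part of a Run value; honours a quoted path followed by arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_shell(value: str) -> Optional[str]:
    extra = [t for t in value.split() if t.lower() != "explorer.exe"]
    return f"Shell= also starts {' '.join(extra)} at logon" if extra else None


def check_run(cmd: str) -> Optional[str]:
    exe = executable_of(cmd)
    if exe and not ABS_PATH_RE.match(exe):
        return f"Run value '{exe}' has no path; it is resolved via the search path"
    return None


def check_dpf(url: str) -> Optional[str]:
    if IPV4_HOST_RE.match(url):
        return "ActiveX control served from a raw IP address"
    if url.lower().endswith(".exe"):
        return "DPF entry points at a bare .exe rather than a .cab package"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SHELL_RE.match(line):
            reason = check_shell(m.group(1))
        elif m := RUN_RE.match(line):
            reason = check_run(m.group("cmd"))
        elif m := DPF_RE.match(line):
            reason = check_dpf(m.group("url"))
        else:
            continue
        if reason:
            findings.append(Finding(line.split(" ", 1)[0], reason, line))
    return findings


def referenced_executable(f: Finding) -> Optional[str]:
    """Lower-case basename of the program an F0/O4 finding loads (None for O16)."""
    if f.section == "F0":
        extra = [t for t in SHELL_RE.match(f.line).group(1).split()
                 if t.lower() != "explorer.exe"]
        return extra[0].lower() if extra else None
    if f.section == "O4":
        return executable_of(RUN_RE.match(f.line).group("cmd")).rsplit("\\", 1)[-1].lower()
    return None


def stale_references(findings: List[Finding], present_files) -> List[Finding]:
    """Entries that still load a file no longer on disk: the cause of the
    'Cannot find the file ...' message seen after deleting only the file."""
    present = {name.lower() for name in present_files}
    return [f for f in findings
            if (exe := referenced_executable(f)) and exe not in present]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    # Constructed: winupdate.exe was deleted, but the entries loading it remain.
    for f in stale_references(found, ["explorer.exe", "mobsync.exe", "navapw32.exe"]):
        print("stale:", f.line)
```

Run it as-is to see the five flagged lines; the two "stale" lines at the end are exactly the F0 and O4 entries Flrman1 says must still be fixed in HijackThis once the file itself is gone. Feeding it a full log saved from HijackThis works the same way, since every other section type is simply skipped.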


----------



## kimkay (Aug 24, 2003)

I actually had both of those, flrman--I fixed them and started up normally. All the help has been great, my computer is running soooo much better. Thanks!!!


----------



## Flrman1 (Jul 26, 2002)

:up:


----------

