# I've been hijacked!!!



## titanfanof89 (Sep 6, 2002)

Have Spybot 1.2 updated today. I have a THING- called Orbit and it won't let me delete it! It says windows in use error!

Here's my startup-

StartupList report, 3/20/03, 11:33:48 AM
StartupList version: 1.52
Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
Detected: Windows 95 B (Win9x 4.00.1111)
Detected: Internet Explorer v5.00 (5.00.2919.6304)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\SYSTEM\HPZTSB01.EXE
C:\PROGRAM FILES\ORBIT\UPDATE.EXE
C:\PROGRAM FILES\ORBIT\VIEW.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\RunDLL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
BrowserWebCheck = loadwc.exe
3Cmlink = C:\WINDOWS\SYSTEM\3cmlnkW.exe
QAGENT = C:\QUICKENW\QAGENT.EXE
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb01.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Reminder = C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 3/3/2003, 12:49:52)

[Rename]
NUL=C:\WINDOWS\WINSOCK.DLL
C:\WINDOWS\SYSTEM\AFVXD.VXD=C:\WINDOWS\SYSTEM\SET1302.TMP
C:\WINDOWS\SYSTEM\WSHTCP.VXD=C:\WINDOWS\SYSTEM\SET1303.TMP
C:\WINDOWS\SYSTEM\VTDI.386=C:\WINDOWS\SYSTEM\SET1304.TMP
C:\WINDOWS\SYSTEM\VTCP.386=C:\WINDOWS\SYSTEM\SET1305.TMP
C:\WINDOWS\SYSTEM\VIP.386=C:\WINDOWS\SYSTEM\SET1306.TMP
C:\WINDOWS\SYSTEM\VDHCP.386=C:\WINDOWS\SYSTEM\SET1307.TMP
C:\WINDOWS\SYSTEM\VNBT.386=C:\WINDOWS\SYSTEM\SET1308.TMP
C:\WINDOWS\SYSTEM\ICMP.DLL=C:\WINDOWS\SYSTEM\SET1309.TMP
C:\WINDOWS\SYSTEM\MSTCP.DLL=C:\WINDOWS\SYSTEM\SET130A.TMP
C:\WINDOWS\INETMIB1.DLL=C:\WINDOWS\SET1310.TMP
C:\WINDOWS\ARP.EXE=C:\WINDOWS\SET1311.TMP
C:\WINDOWS\FTP.EXE=C:\WINDOWS\SET1312.TMP
C:\WINDOWS\NETSTAT.EXE=C:\WINDOWS\SET1313.TMP
C:\WINDOWS\NBTSTAT.EXE=C:\WINDOWS\SET1314.TMP
C:\WINDOWS\PING.EXE=C:\WINDOWS\SET1315.TMP
C:\WINDOWS\ROUTE.EXE=C:\WINDOWS\SET1316.TMP
C:\WINDOWS\TELNET.EXE=C:\WINDOWS\SET1317.TMP
C:\WINDOWS\TELNET.HLP=C:\WINDOWS\SET1318.TMP
C:\WINDOWS\TRACERT.EXE=C:\WINDOWS\SET1319.TMP
C:\WINDOWS\WINIPCFG.EXE=C:\WINDOWS\SET131A.TMP
C:\WINDOWS\SYSTEM\WSOCK.VXD=C:\WINDOWS\SYSTEM\SET1313.TMP
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\SET1321.TMP
C:\WINDOWS\SYSTEM\WS2_32.DLL=C:\WINDOWS\SYSTEM\SET1330.TMP
C:\WINDOWS\SYSTEM\WSASRV.EXE=C:\WINDOWS\SYSTEM\SET1331.TMP
C:\WINDOWS\SYSTEM\NDIS.VXD=C:\WINDOWS\SYSTEM\SET1334.TMP
C:\WINDOWS\WINSOCK.DLL=C:\WINDOWS\SET1340.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL (file missing) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7}
(no name) - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL - {702AD576-FDDB-4d0f-9811-A43252064684}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 8\DOWNLOAD.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[mhLabel Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MHLBL.DLL
CODEBASE = http://www.pcpitstop.com/mhLbl.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/Static_w95/V31Controls/x86/w95/en/actsetup.cab

[Loader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OELOADER.DLL
CODEBASE = http://www.orbitexplorer.com/OELoader.cab

--------------------------------------------------
End of report, 6,423 bytes
Report generated in 0.106 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
--------------

I want all of this orbit thing gone!!! Please help!! It's taken over my home page and my search engine! I have reported this to Spybot just to let them know that it isn't picking this up.


----------



## TonyKlein (Aug 26, 2001)

Please do this:

Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

We'll be able to remove it easily using this application. Don't fix anything yet, but please post the log first.


----------



## Talamasca (Mar 23, 2003)

ctrl-alt-delete
turn it off
go into program files and delete it


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by Talamasca:_
> *ctrl-alt-delete
> turn it off
> go into program files and delete it *


That won't get rid of its two browser plugins, nor of the ActiveX object.

Hijack this _will_ allow us to do that.


----------
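The point made in the reply above, as an added example that is not part of the original thread: a small parser for the StartupList report format that lists every place the Orbit components are registered, then shows which of them sit outside `C:\PROGRAM FILES\ORBIT` and so remain registered after that folder is deleted. The function names and the marker strings are assumptions chosen by reading the first report posted in the thread.

```python
import re

# Shortened excerpt of the first StartupList report posted in this thread.
REPORT = r"""Running processes:

C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ORBIT\UPDATE.EXE
C:\PROGRAM FILES\ORBIT\VIEW.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
QAGENT = C:\QUICKENW\QAGENT.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL (file missing) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7}
(no name) - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL - {702AD576-FDDB-4d0f-9811-A43252064684}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Loader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OELOADER.DLL
CODEBASE = http://www.orbitexplorer.com/OELoader.cab
"""

# Assumed markers, taken from the report itself: the program folder, the
# folder holding the two browser helper objects, and the ActiveX CODEBASE host.
MARKERS = ["\\ORBIT\\", "\\COMMON FILES\\OE\\", "orbitexplorer.com"]


def parse_sections(report):
    """Split a StartupList report into {section title: [non-empty lines]}."""
    sections = {}
    for chunk in re.split(r"^-{10,}[ \t]*$", report, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        title = lines[0].rstrip(":")
        body = lines[1:]
        # Both Run sections share one heading; the registry path tells them apart.
        if body and body[0].upper().startswith(("HKLM\\", "HKCU\\")):
            title += " " + body.pop(0)
        sections[title] = body
    return sections


def group_entries(title, body):
    """Download Program Files entries span several lines; keep each one whole."""
    if "Download Program Files" not in title:
        return body
    entries, current = [], []
    for line in body:
        if line.startswith("[") and current:
            entries.append(" | ".join(current))
            current = []
        current.append(line)
    if current:
        entries.append(" | ".join(current))
    return entries


def find_traces(report, markers):
    """Return {section: [entries]} for entries containing any marker."""
    hits = {}
    for title, body in parse_sections(report).items():
        matched = [e for e in group_entries(title, body)
                   if any(m.lower() in e.lower() for m in markers)]
        if matched:
            hits[title] = matched
    return hits


def survives_folder_delete(hits, folder):
    """Entries not stored under `folder`: deleting it leaves them registered."""
    prefix = folder.rstrip("\\").lower() + "\\"
    left = {}
    for title, entries in hits.items():
        outside = [e for e in entries if prefix not in e.lower()]
        if outside:
            left[title] = outside
    return left


if __name__ == "__main__":
    traces = find_traces(REPORT, MARKERS)
    for section, entries in survives_folder_delete(
            traces, r"C:\PROGRAM FILES\ORBIT").items():
        print(section)
        for entry in entries:
            print("   ", entry)
```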



## titanfanof89 (Sep 6, 2002)

I had to run the hijack this program several times to remove it....for some reason. My search engine is gone!! It will go to a search page but it opens up like it's another web page...not the side panel search option like I had before. I also can't get in to the customize option to try and change the search engine settings.

I can deal with it- At least I don't have this orbit thing taking over anymore! It still makes me mad that this happened!! I can't see how this is legal!!

Thanks for all your help!


----------



## TonyKlein (Aug 26, 2001)

Upgrading Internet Explorer will fix that.

Try Internet Explorer 5.01 Service Pack 2


----------



## bassetman (Jun 7, 2001)

If you mean the one on the side, this is where you turn it on or off.


----------



## titanfanof89 (Sep 6, 2002)

I downloaded IE again and this got my search engine back to normal. I did an update again for the Spybot and it did pick up some more of the orbit stuff on my PC and fixed it. 

I have the following things in my Program files..... (I did uninstall the Kazaa, and thought it was gone!)

Orbit
Iwon
Kazaa
Media enhancement

Can I delete these? I don't want to delete something that is going to take a needed dll file, that happened when I uninstalled kazaa from "kazaa's" uninstall option......How IRONIC!!

Guess it never ends!


----------



## gkimble (Oct 30, 2002)

Use Kazaa lite. NOT the regular Kazaa.


----------



## titanfanof89 (Sep 6, 2002)

I will not use Kazaa at all, but thanks anyway. 

I really don't feel comfortable using any of those type programs due to the high risk of viruses and I'd rather pay for a CD than go through all the mess of getting rid of a virus.

I just want to make sure I am rid of all of this program.


----------



## bassetman (Jun 7, 2001)

Do you have AdAware (and updated) and have run that too?

It sometimes finds things that SpyBot misses and vice versa.

John


----------



## titanfanof89 (Sep 6, 2002)

I don't have the Ad Aware program.

I still want to get these out of my C:/programs
Orbit
Iwon
Kazaa
Media Enhancer

The thing that I worry about is deleting them and it taking some needed dll files.....this has happened many times when removing programs.

I don't know why I would need any of these to remain on my Programs page and none of them are listed in the control panel under the add/remove programs.

Can someone advise me as to what I should do?


----------



## gkimble (Oct 30, 2002)

But you can get much much more than just music! Don't be scared of viruses! You can get movies, pictures, documents, spreadsheets, videos, etc.. free software, heck, I sat down one night with my computer magazine, circled all the software I liked then hopped on my T1 line and within an hour, I had over $30,000 worth of software to take everywhere I go and sell.

~nuff said.


----------



## vlrbsf (Jan 11, 2002)

Here's some info that you might want to read: www.doxdesk.com/parasite/Xupiter.html


----------



## titanfanof89 (Sep 6, 2002)

Thanks for the link- Interesting article........I just wish someone would sue the pants off these people that do this kind of stuff! Wish there were some laws made to help prevent this from happening or else it will never end!


----------



## vlrbsf (Jan 11, 2002)

If you haven't done it already, run an update on Spybot. They just added Xupiter/OrbitExplorer and I ran it and it got rid of every trace. I had a registry entry that wouldn't go away, and now it's gone! Good luck!


----------



## titanfanof89 (Sep 6, 2002)

Yeah, I updated spybot- the orbit fix was in one of the last updates I think. I had originally emailed spybot about this orbit thing and they said this latest update would be able to fix it.

I still have it listed in my program files though! Think I'm just going to delete those folders and keep my fingers crossed. I'll keep it in the recycle bin until I make sure I have no startup probs.....I just don't want it to take a needed file with it!


----------



## gkimble (Oct 30, 2002)

go into your registry and delete the folder key


----------



## vlrbsf (Jan 11, 2002)

Titanfanof89, what I would suggest is that you follow TonyKlein's advice in the previous posts (believe me, he knows what he's doing). Post your log from HijackThis and let the pros see it. And go to www.spywareinfo.com and read all the info there.


----------



## titanfanof89 (Sep 6, 2002)

I have done all of what Tony said to do and it did get rid of it. Orbit is not in my hijackthis list nor is it found in spybot. (last spybot update took care of it completely)

BUT........it is still in the program files, as well as Kazaa, iwon, and the media thing.

Here's my startup list-

StartupList report, 3/25/03, 2:34:16 PM
StartupList version: 1.52
Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
Detected: Windows 95 B (Win9x 4.00.1111)
Detected: Internet Explorer v5.00 SP2 (5.00.3314.2100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\SYSTEM\HPZTSB01.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\RunDLL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
BrowserWebCheck = loadwc.exe
3Cmlink = C:\WINDOWS\SYSTEM\3cmlnkW.exe
QAGENT = C:\QUICKENW\QAGENT.EXE
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb01.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Reminder = C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 25/3/2003, 14:9:30)

[rename]
NUL=C:\~MSSETUP.T\~mdac.t\odbccp32.dll
NUL=C:\~MSSETUP.T\~mdac.t\odbcint.dll
NUL=C:\~MSSETUP.T\~mdac.t\odbcinst.hlp
NUL=C:\~MSSETUP.T\~mdac.t\odbcinst.cnt
NUL=C:\~MSSETUP.T\~mdac.t\odbcconf.exe
NUL=C:\~MSSETUP.T\~mdac.t\dagiecfg.exe
NUL=C:\~MSSETUP.T\~mdac.t\mssetup.dll
NUL=C:\~MSSETUP.T\~mdac.t\acmsetup.exe
NUL=C:\~MSSETUP.T\~mdac.t\odbcstf.dll
NUL=C:\~MSSETUP.T\~mdac.t\common98.dll
NUL=C:\~MSSETUP.T\~mdac.t\selfreg.dll
NUL=C:\~MSSETUP.T\~mdac.t\acmsetup.hlp
NUL=C:\~MSSETUP.T\~mdac.t\odbckey.inf
NUL=C:\~MSSETUP.T\~mdac.t\setup.ini
NUL=C:\~MSSETUP.T\~mdac.t\setup.tdf
NUL=C:\~MSSETUP.T\~mdac.t\setup.exe
NUL=C:\~MSSETUP.T\~mdac.t\mdacset.exe
NUL=C:\~MSSETUP.T\~mdac.t\mdac_IE5.inf
NUL=C:\~MSSETUP.T\~mdac.t\mdac_IE5.stf
NUL=C:\~MSSETUP.T\~mdac.t\setup.lst
NUL=C:\~MSSETUP.T\~mdac.t\_MSSETUP._Q_
NUL=C:\WINDOWS\SYSTEM\SCHANNEL.DLL
C:\WINDOWS\SYSTEM\SCHANNEL.DLL=C:\WINDOWS\SYSTEM\SET8213.TMP
C:\WINDOWS\SYSTEM\IEPEERS.DLL=C:\WINDOWS\SYSTEM\IEPEERS.RCX
C:\WINDOWS\SYSTEM\SHD401LC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\SHD401LC.DLL
C:\WINDOWS\SYSTEM\SHDOC401.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\SHDOC401.DLL
C:\WINDOWS\SYSTEM\RSASIG.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\RSASIG.DLL
C:\WINDOWS\SYSTEM\XENROLL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\XENROLL.DLL
C:\WINDOWS\SYSTEM\MSCAT32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSCAT32.DLL
C:\WINDOWS\SYSTEM\MSSIGN32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSSIGN32.DLL
C:\WINDOWS\SYSTEM\CRYPTUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTUI.DLL
C:\WINDOWS\SYSTEM\CRYPTNET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTNET.DLL
C:\WINDOWS\SYSTEM\CRYPTEXT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\CRYPTEXT.DLL
C:\WINDOWS\SYSTEM\DIGEST.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\DIGEST.DLL
C:\WINDOWS\SYSTEM\WLDAP32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\WLDAP32.DLL
C:\WINDOWS\SYSTEM\MMUTILSE.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MMUTILSE.DLL
C:\WINDOWS\SYSTEM\MMEFXE.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\MMEFXE.OCX
C:\WINDOWS\SYSTEM\JSCRIPT.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\JSCRIPT.DLL
C:\WINDOWS\SYSTEM\PLUGIN.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PLUGIN.OCX
C:\WINDOWS\SYSTEM\MSRATING.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSRATING.DLL
C:\WINDOWS\SYSTEM\MSHTMLED.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSHTMLED.DLL
C:\WINDOWS\SYSTEM\HLINK.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\HLINK.DLL
C:\WINDOWS\SYSTEM\PROCTEXE.OCX=C:\WINDOWS\SYSTEM\IE4SETUP\PROCTEXE.OCX
C:\WINDOWS\SYSTEM\SHDOCLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\SHDOCLC.DLL
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE=C:\WINDOWS\SYSTEM\IE4SETUP\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\COMCTL32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82B3.TMP
C:\WINDOWS\SYSTEM\URL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82B4.TMP
C:\WINDOWS\SYSTEM\INETCPLC.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82D4.TMP
C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82D5.TMP
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82E0.TMP
C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82E2.TMP
C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82E3.TMP
C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82E4.TMP
C:\WINDOWS\SYSTEM\MLANG.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82E6.TMP
C:\WINDOWS\SYSTEM\LOADWC.EXE=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82F0.TMP
C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM82F4.TMP
C:\WINDOWS\SYSTEM\SHFOLDER.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\ACM8301.TMP
NUL=C:\WINDOWS\SHELLI~1
NUL=C:\WINDOWS\fonts\ariblk.ttf
C:\WINDOWS\fonts\ariblk.ttf=C:\WINDOWS\ARIBLK.tt2
NUL=C:\WINDOWS\fonts\comic.ttf
C:\WINDOWS\fonts\comic.ttf=C:\WINDOWS\COMIC.tt2
NUL=C:\WINDOWS\fonts\comicbd.ttf
C:\WINDOWS\fonts\comicbd.ttf=C:\WINDOWS\COMICBD.tt2
NUL=C:\WINDOWS\fonts\impact.ttf
C:\WINDOWS\fonts\impact.ttf=C:\WINDOWS\IMPACT.tt2
NUL=C:\WINDOWS\fonts\VERDANA.TTF
C:\WINDOWS\fonts\VERDANA.TTF=C:\WINDOWS\VERDANA.tt2
NUL=C:\WINDOWS\fonts\VERDANAB.TTF
C:\WINDOWS\fonts\VERDANAB.TTF=C:\WINDOWS\VERDANAB.tt2
NUL=C:\WINDOWS\fonts\VERDANAI.TTF
C:\WINDOWS\fonts\VERDANAI.TTF=C:\WINDOWS\VERDANAI.tt2
NUL=C:\WINDOWS\fonts\VERDANAZ.TTF
C:\WINDOWS\fonts\VERDANAZ.TTF=C:\WINDOWS\VERDANAZ.tt2
C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\BROWSEUI.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\WININET.DLL
C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\URLMON.DLL
C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\MSHTML.DLL
C:\WINDOWS\SYSTEM\URL.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\URL.DLL
C:\WINDOWS\SYSTEM\COMCTL32.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\COMCTL32.DLL
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\SHDOCVW.DLL
C:\WINDOWS\SYSTEM\SHFOLDER.DLL=C:\WINDOWS\SYSTEM\IE4SETUP\SHFOLDER.DLL
C:\WINDOWS\SYSTEM\MMUTILSE.DLL=C:\WINDOWS\SYSTEM\BND91D5.TMP
C:\WINDOWS\SYSTEM\MMEFXE.OCX=C:\WINDOWS\SYSTEM\BND91D6.TMP
C:\WINDOWS\SYSTEM\BROWSEUI.DLL=C:\WINDOWS\SYSTEM\BND91D7.TMP
C:\WINDOWS\SYSTEM\JSCRIPT.DLL=C:\WINDOWS\SYSTEM\BND91D8.TMP
C:\WINDOWS\SYSTEM\PLUGIN.OCX=C:\WINDOWS\SYSTEM\BND91D9.TMP
C:\WINDOWS\SYSTEM\SHLWAPI.DLL=C:\WINDOWS\SYSTEM\BND91DA.TMP
C:\WINDOWS\SYSTEM\MSRATING.DLL=C:\WINDOWS\SYSTEM\BND91E0.TMP
C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\BND91E1.TMP
C:\WINDOWS\SYSTEM\URLMON.DLL=C:\WINDOWS\SYSTEM\BND91E2.TMP
C:\WINDOWS\SYSTEM\MSHTMLED.DLL=C:\WINDOWS\SYSTEM\BND91E3.TMP
C:\WINDOWS\SYSTEM\MSHTML.DLL=C:\WINDOWS\SYSTEM\BND91E4.TMP
C:\WINDOWS\SYSTEM\HLINK.DLL=C:\WINDOWS\SYSTEM\BND91E5.TMP
C:\WINDOWS\SYSTEM\PROCTEXE.OCX=C:\WINDOWS\SYSTEM\BND91E6.TMP
C:\WINDOWS\SYSTEM\ADVAPI32.DLL=C:\WINDOWS\SYSTEM\BND91E7.TMP
C:\WINDOWS\SYSTEM\URL.DLL=C:\WINDOWS\SYSTEM\BND91E8.TMP
C:\WINDOWS\SYSTEM\COMCTL32.DLL=C:\WINDOWS\SYSTEM\BND91E9.TMP
C:\WINDOWS\SYSTEM\SHDOCLC.DLL=C:\WINDOWS\SYSTEM\BND91EA.TMP
C:\WINDOWS\SYSTEM\SHDOCVW.DLL=C:\WINDOWS\SYSTEM\BND91EB.TMP
C:\WINDOWS\SYSTEM\WLDAP32.DLL=C:\WINDOWS\SYSTEM\BND91EC.TMP
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE=C:\PROGRA~1\INTERN~1\BND91E3.TMP
C:\WINDOWS\SYSTEM\SHD401LC.DLL=C:\WINDOWS\SYSTEM\BND91ED.TMP
C:\WINDOWS\SYSTEM\SHDOC401.DLL=C:\WINDOWS\SYSTEM\BND91EE.TMP
C:\WINDOWS\SYSTEM\SHFOLDER.DLL=C:\WINDOWS\SYSTEM\BND91EF.TMP
C:\WINDOWS\SYSTEM\XENROLL.DLL=C:\WINDOWS\SYSTEM\BND91F0.TMP
C:\WINDOWS\SYSTEM\MSCAT32.DLL=C:\WINDOWS\SYSTEM\BND91F1.TMP
C:\WINDOWS\SYSTEM\MSSIGN32.DLL=C:\WINDOWS\SYSTEM\BND91F2.TMP
C:\WINDOWS\SYSTEM\WINTRUST.DLL=C:\WINDOWS\SYSTEM\BND91F3.TMP
C:\WINDOWS\SYSTEM\SOFTPUB.DLL=C:\WINDOWS\SYSTEM\BND91F4.TMP
C:\WINDOWS\SYSTEM\CRYPTUI.DLL=C:\WINDOWS\SYSTEM\BND91F5.TMP
C:\WINDOWS\SYSTEM\CRYPTNET.DLL=C:\WINDOWS\SYSTEM\BND91F6.TMP
C:\WINDOWS\SYSTEM\CRYPTEXT.DLL=C:\WINDOWS\SYSTEM\BND91F7.TMP
C:\WINDOWS\SYSTEM\CRYPT32.DLL=C:\WINDOWS\SYSTEM\BND91F8.TMP
C:\WINDOWS\SYSTEM\MSOSS.DLL=C:\WINDOWS\SYSTEM\BND91F9.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 8\DOWNLOAD.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[mhLabel Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MHLBL.DLL
CODEBASE = http://www.pcpitstop.com/mhLbl.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/Static_w95/V31Controls/x86/w95/en/actsetup.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 11,177 bytes
Report generated in 0.236 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## gkimble (Oct 30, 2002)

go in your registry and delete the keys.


----------



## TonyKlein (Aug 26, 2001)

It's not in your log any more.

Did you actually uninstall Kazaa? If not, do that

If all that's remaining are the pertaining folders (Kazaa, Iwon) in Program Files, just delete them.

This isn't a registry issue, if I read you right.


----------



## titanfanof89 (Sep 6, 2002)

When I try to delete the "ORBIT" folder in the program files, it gives me: "The file 'view' is a program. If you remove it you will no longer be able to edit or view documents. Are you sure you want to remove its components?" Yes, yes to all, no, cancel?

is yes to all ok? (I fear of it taking some needed files with it! as this has happened!)


----------



## TonyKlein (Aug 26, 2001)

It's a standard Windows notification. Don't worry about it.


----------



## titanfanof89 (Sep 6, 2002)

Thanks Tony! Last question-

What is this Media Enhancer thing? Isn't it one of those things that I don't really need? Seems like someone here told me to get rid of it.

Thanks-
Jodi


----------



## TonyKlein (Aug 26, 2001)

I'm not sure what exactly this Media Enhancer/Enhancement thingie is that you're referring to.


----------



## gkimble (Oct 30, 2002)

If you can afford the time or effort depending on what all you have on your PC, just go ahead and reformat. Otherwise, first, uninstall the programs, then do a search on all the "names" of the program and delete what Windows didn't find. Then, go into your registry and delete the folder keys you don't want. Then, download and install Ad-aware by Lavasoft and run it. You should be pretty clean after these steps.


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by gkimble:_
> *If you can afford the time or effort depending on what all you have on your PC, just go ahead and reformat. *


I'm sorry to have to say this, but it's total nonsense to tell someone to format their drives just in order to get rid of some spyware.

Also, in case you hadn't noticed, the problem seems to have been solved! 

Cheers,


----------



## gkimble (Oct 30, 2002)

bubble and squeak your way on to another issue.


----------



## TonyKlein (Aug 26, 2001)

You have a nice day as well! 

Cheers,


----------



## andei (May 22, 2003)

Not only did orbit try to hijack me, it also changed my start up page to orbit. What a load of crud! How can this be legal? I almost feel like a squatter has plopped down in my backyard and is waiting for a chance at legal title.
What I did was use the run function, then into msconfig, and finally to the start up programs, where I UNCLICKED that piece of crud so it wouldn't start up in programs.
You can also stop Xupiter, Kazaa, Gator, and Comet Cursor from starting up at that point. 
I wish there was a more forceful way to keep these programs off of our computers.


----------



## THoey (Feb 12, 2001)

Andei, I believe there is. I believe the latest Spybot Search and Destroy has an Immunize function and you can have it block certain items from attacking. Not sure if the list you gave is part of the immunization, but worth a look.


----------



## Gordon7000 (Mar 22, 2003)

Hi,

If any advanced users of Spybot Search and Destroy are interested in knowing how to set up the advanced features - like 'Immunize' - have a look here:

http://tomcoyote.org/~mosaic1/spybot/

Regards, Gordon


----------



## dwshaw82 (Jul 12, 2003)

HIGHJACKED

I need your help. If you can fix my problem then I will gladly provide a donation.

Here is one troubling problem with my Iexplore browser which should be renamed............theyexplore,

I use yahoo as a startup page but often this there orbit stuff pops up....

http://www.orbitexplorer.com/cgi-bin/dns.cgi?affid=212&bid=

Here is another popup that happened while I was building this post......
------------------------------------------------------------
http://www.ek11.com/promo/main/si/2.html
-------------------------------------------------------------------------
and here is another that popped up about 3 minutes later........
----------------------------------------------------------------------------------
http://z1.adserver.com/w/cp.x;rid=73;tid=2;ev=1;dt=3;ac=7;c=840;
------------------------------------------------------------------------------------

and then there is another that just popped up but the right click properties states it is disabled.....

they go by the name adult love line
-----------------------------------------------------------------------------

There are other pop ups that continually plague me....
-------------------------------------------------------------------------------
I have two copies for you to look at after having downloaded hijackthis and running the zip file

#1 startuplist.txt which is immediately below and #2 hijackthis.log which follows startuplist.txt and titled hijackthis.txt in UPPER CAPS.

---------------------------------------------------------------------------------
#1 startuplist.txt
StartupList report, 7/12/2003, 11:58:27 AM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\SAITEK\SAITEK SMART TECHNOLOGY PROGRAMMING SOFTWARE\SAICNFIG.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\ORBIT\UPDATE.EXE
C:\PROGRAM FILES\ORBIT\VIEW.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DATA LIFEGUARD\8263142\PROGRAM\BACKWEB-8263142.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\RB32\RB32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
Data LifeGuard.lnk = C:\Program Files\Data LifeGuard\8263142\Program\backWeb-8263142.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IST Service = C:\Program Files\ISTsvc\istsvc.exe
rb32 lptt01 = "C:\Program Files\rb32\rb32.exe"
SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
Ati2cwxx = Ati2cwxx.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
AtiPTA = Atiptaxx.exe
PRPCMonitor = PRPCUI.exe
MotiveMonitor = C:\Program Files\Motive\motmon.exe
SAITEKAUTOCONFIGURE = C:\Program Files\Saitek\Saitek Smart Technology Programming Software\saicnfig.exe /autorun
CamMonitor = C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
OrbitUpdate = C:\Program Files\Orbit\update.exe
OrbitView = C:\Program Files\Orbit\view.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ATIPOLAB = ati2evxx.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 10/7/2003, 13:54:42)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$P$G
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7}
(no name) - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL - {702AD576-FDDB-4d0f-9811-A43252064684}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Loader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MACONNECT.DLL
CODEBASE = http://connect.online-dialer.com/MaConnect.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 6,830 bytes
Report generated in 0.149 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

---------------------------------------------------------------------------------AND

#2 HIJACKTHIS.TXT

Logfile of HijackThis v1.95.0
Scan saved at 11:59:01 AM, on 7/12/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\SAITEK\SAITEK SMART TECHNOLOGY PROGRAMMING SOFTWARE\SAICNFIG.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\ORBIT\UPDATE.EXE
C:\PROGRAM FILES\ORBIT\VIEW.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DATA LIFEGUARD\8263142\PROGRAM\BACKWEB-8263142.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\RB32\RB32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\PROGRAM FILES\COMMON FILES\OE\SEARCH.DLL
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 66.250.171.136 auto.search.msn.com
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Smart Technology Programming Software\saicnfig.exe /autorun
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Data LifeGuard.lnk = C:\Program Files\Data LifeGuard\8263142\Program\backWeb-8263142.exe
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\MGI\MGI PhotoSuite III SE\Temp\MGI00000.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

Would very much appreciate your help in these matters.

up wait here is another pop up that just popped up...... http://affiliates.reunion.com/ads/ourads/720x540/femalefind/720x540_01_find.asp?

see what I mean....................................

Thanks

http://affiliates.reunion.com/ads/ourads/720x540/femalefind/720x540_01_find.asp?


----------



## Metallica (Jan 28, 2003)

Hi dwshaw82,

Your log was analyzed here:
http://forums.techguy.org/t146400/s.html

Regards,

Pieter


----------

