# Is it possible to get your friend's emails?



## wendyth (Jan 22, 2003)

I have a friend who went to University and got a degree in computers. What exactly I'm not sure. I am taking a course from him because I know very little about computers. Two days ago he Networked my computer with his laptop. He said he needed a disc burned and his burner didn't work very good. He downloaded the files off his laptop on my computer and then burned the disc. Knowing nothing about Networking this was to be a lesson. 

This morning before he came over to teach he said to me on the phone "Oh I didn't know you knew so and so that well". We have a mutual friend, more his friend than mine. He's a customer of his and they've become friends. He introduced me to him. The friend is away on holidays with his girlfriend right now. I told him we're not that good of friends why would you say that? What brought him up? He told me the e-mails I sent the friend came to him. We send jokes to each other through e-mail. (the mutual friend and myself) I don't send him any jokes (the teacher friend) because he has a dry sense of humor and would think they're funny.
What are the odds of that? One in a million that they would go to his address instead of the mutual friend's? His e-mail address wasn't on the e-mails at all. He even verified it.

My question is: 

1) How possible is this? Why would the friend's e-mails go to him (the teacher)? The address on the e-mails was the mutual friend's, not the teacher's.

2) Did he download things off my computer to snoop?
(He found out his roommate's password and goes into her mail box to read her mail. She is unaware of this.)

3) He put Ghost Logger on my computer so I could monitor where my kids go. They don't go on the computer a lot because they don't know too much about it. They are kept very busy with activities and homework. My kids are 9 and 11. Where they go is boring not worth monitoring. I trust my kids and know they aren't going anywhere they shouldn't. He's the one that thought the program would be a good idea. Did he put the program on so he could find my password out for my mailbox?

4) He tells me he could get into my computer if he wanted to from home. But of course why would he want to he told me. I just laugh when he tells me that and say things aren't too exciting on my computer. Is this the way he got into my mailbox?

There are things on my computer I consider private. Not only him, I wouldn't want anyone on my computer to see what I do and get into my files. 

5) How did he get those e-mails sent to him?

I don't think he got the e-mails. I think he got into my mailbox and looked through it. It drove him crazy to see I've been sending the mutual friend jokes. He saw the people I e-mail and his name was on the list. (mutual friend's) He asked me about it because it bothered him. He knew I would ask him how he knew about the e-mails. Knowing very little about the computer he didn't think I would question the answer but I did. I dropped it, but thought about it all day.

Someone please tell me if this is at all possible? What are the odds of it happening? I won't rest until I find out.

I can't help but question it. How convenient for him to receive those e-mails!

Waiting for some answers.

Thanks,

Wendyth


----------



## $teve (Oct 9, 2001)

wendy.... I'm going to re-post this in the security forum.
there are a lot of questions there, I think your friend is not to be trusted. not only is it coincidence that your emails ended up on his computer, it's impossible.


----------



## pyritechips (Jun 3, 2002)

Hello Wendy! This does not sound good! I'm not sure what this ghost logger is that he put in your computer but I am highly suspicious! I will request that this be moved to the Security thread where very knowledgeable people can help you out.

In the meantime, I would not trust this person. If he can network your computer he can open any file he wants, including your most private files and e-mails! Ghost logger could be like a trojan virus that could spy on your information and send it to him whenever you were connected to the internet.

Please deny him access to your computer (my suggestion) until you get more help here.


----------



## bassetman (Jun 7, 2001)

*Welcome to TSG!*

Well that's a lot of questions!



> 1) How possible is this? Why would the friend's e-mails go to him (the teacher)? The address on the e-mails was the mutual friend's, not the teacher's


They could be using a packet sniffer!



> 2) Did he download things off my computer to snoop?


Maybe, maybe not.



> 3. ...Did he put the program on so he could find my password out for my mailbox?


Maybe, do you trust him?



> 4) He tells me he could get into my computer if he wanted to from home. But of course why would he want to he told me. I just laugh when he tells me that and say things aren't too exciting on my computer. Is this the way he got into my mailbox?


Possibly, they are starting to sound creepy!



> 5) How did he get those e-mails sent to him?


See packet sniffer!

Odds? That I don't know, but seeing he had access to your PC I'd say very possible.

Do a search for startup cop and run it and post results here and someone should be able to tell you whether there is a prob or not.

Good Luck
John


----------



## angelize56 (Apr 17, 2002)

Wendy: Sounds like he installed a key logger similar to this one here. I think he has more in mind than helping you see where your children go on the net! Sounds very suspicious and certainly he doesn't sound like a friend I'd want. Hopefully TSG can help you find out exactly what he installed and how to remove it. I wouldn't stay networked with him either if I were you. Sounds like the beginning of a bad tv drama. Be careful Wendy! Take care. angel

Post your start up log as others have suggested ASAP so they can help you.


----------



## Davey7549 (Feb 28, 2001)

Wendy
Will move this to the Security forum for you. Also if a Keylogger is being used on your computer it is entirely possible He is having all your key activity, not to mention what sites you are visiting sent to Him via E-mail. Several major logger programs have this ability. Some will use screen captures not key logging and others will use both options. If a key logger or screen capture device is on your system it will be hard to detect it without aid of another program designed for identification. To my knowledge all these programs cost money to purchase but maybe someone knows of a free one. Once found you will also have the task of uninstalling it without the aid of an uninstaller unless you can identify the program and contact the manufacturer with your situation.
Another idea you could try to help identify the source is to download a free firewall, set it up and have it monitor all activity going out and coming in. Go to http://www.zonelabs.com/store/content/catalog/products/zonealarm/znalm_details.jsp for a free personal copy.
Note: If you had a firewall installed prior to the possible intrusion then it was reconfigured to allow for the free access.

Good luck in identification and if found I hope you take some sort of legal action against this type of Cyber Stalking.

Oh and by the way if a logger is being used in any form the individual probably already knows you are posting here and are suspicious.

Dave


----------



## angelize56 (Apr 17, 2002)

Dave: Here is an example of a key logger. If you read down it states: *"Our keylogger has unique remote installation feature. You can attach keylogger to any other program and send it by e-mail to install on the remote PC in the stealth mode. Attach keylogger to the beautiful screensaver and send it to your friend!"* Isn't that illegal? Take care. angel


----------



## Davey7549 (Feb 28, 2001)

Marlene


> Attach keylogger to the beautiful screensaver and send it to your friend!" Isn't that illegal?


Such friends we really need!

I am not an Attorney and do not know all laws governing this activity but this type of activity does not pass the smell test!!

What you are describing is a form of Spyware with Trojan traits and yes it should be illegal but it may be hard to prove and less likely to be pursued by authorities unless it was used in Identity Theft or some similar greater crime. Merely peering into one's private matters is tacky and underhanded but not necessarily illegal to my knowledge.
In Wendy's case She said this individual is a teacher if I read correctly and there She may have recourse with the administration.
Consider this.... If you were at work and someone was peering over your shoulder to watch what you were doing, you would be extremely uncomfortable but that individual would not be in any violation of law. Now if the same individual stole your password and used it to access sensitive info from your computer and then sold that info then a violation would occur.

In any event this is a terrible violation of one's privacy and should not be tolerated. If it was your work machine with the keylogger then that is a different story because of the right of Employer property usage and liability!

Dave


----------



## angelize56 (Apr 17, 2002)

Dave: I was wondering if the site I posted itself could get in trouble were it forwarded to whoever investigates such matters? Invasion of privacy is rotten! Thanks for your reply and I hope you guys and gals with the smarts can help Wendy. Take care and have a nice day! Marlene


----------



## Monstrous Mi (Jul 20, 2002)

Just my two cents on legalities.

I am sure all of this is legal if you agree to it. For example, lots of spyware is downloaded and installed on people's computers quite legally. When you install a freeware or shareware program, or any program for that matter, you always see a "License Agreement" which you should read and then you agree to it to install the program. If you don't read that agreement, you could be unknowingly agreeing to something you never would otherwise.

I believe other methods of installing spying programs on your computer, like e-mail attachments that you open, are not legal. In these cases, you have not given consent to have personal information transmitted over the Internet.

Another interesting issue is with cookies. When you use your web browser to visit websites, you have settings for the use of cookies. If you allow all cookies, you explicitly agree to allow websites to collect information about you. This is not the same sort of malicious activity that a key logger could carry out, but it is a level of personal information nonetheless. I personally only accept cookies from the originating server (first party cookies).


----------



## wendyth (Jan 22, 2003)

Thank you for the welcome. 

Some of the replies I don't understand. Thank you all for replying. 
Key Logger, (Ghost Logger) are the same. It knows everything you've done and everywhere you've been on the computer. It shows all the passwords you enter too.

It's not a matter of legalities, it's a matter of TRUST. I'm upset because he (the teacher) knows way too much about me.
I've noticed his attitude towards me has changed. He's very aloof now. He said some of my e-mails were awful...how could I send them. In my eyes, and most people's, there's nothing wrong with them. 
Yesterday when he came for the lesson I told him I didn't believe his story. I asked if he would tell me the truth, how he got them. 
Of course he lied and said he didn't know how they got to him they just showed up by mistake. At one time he commented it must be because of ??????? that he put on Rob's computer.(mutual friend that I sent the e-mails to) I didn't understand what he was talking about. He said forget it, it's too complicated to explain. Another thing he said more than once is "I'd have to prove it, to do anything". E-mails I've sent before, have never gone to him.

Before he started teaching me he assumed there was more than a friendship between us. He would phone 20 times a day, ask me out constantly, and offer to do things for me. I have never gone out with him and declined any help he has offered us. I let him know all I want is a friendship and nothing more. 

I've tried to get packet sniffer but couldn't find any free ones. Startup cop and advanced startup the same thing. I thought I downloaded it but when I click on it the only thing that keeps coming up is a screen to register either online or later.
I'm not very familiar (if you can believe it) with downloading things. I don't know how to unzip a file either. Sorry guys I'm just a beginner.

Is it or is it not possible for him to have received those e-mails? He keeps telling me that it is and that's how it happened.

Wendyth


----------



## suzi (Dec 27, 2002)

Wendy,

This person sounds really creepy.

Aside from that - you might be able to get rid of the keylogger with Spybot Search & Destroy. Go to this site and download it:

http://security.kolla.de/

To download it, click on one of the download links and let it install to your desktop. After that, click on the icon and it will run the setup program and install it.

After you install it, click the "online" button and click where it says search for updates. Then download all the updates. Then close Spybot and open it again. Then run it. It will show a list of problems - you should let it delete all the items listed in red.

That might remove the keylogger. If you are still suspicious, go to this site:

http://www.spywareinfo.com/downloads.php

and download the program called "HijackThis". Run it and then post the log it creates here - you can copy paste it here. Someone will check the log and tell you if there are other problems in your computer which need to be fixed.

You will need to have WinZip to unzip the HijackThis program. You can download WinZip free here: http://www.winzip.com/

It says evaluation program, but you can continue to use it forever. Just follow the instructions carefully and post back here if you need more help.

Good luck.


----------



## frenat (Jul 6, 1999)

Definitely do what you can to get rid of that key logger and be suspicious of anything this person sends to you or wants to do on your computer in the future. Then and *this is very important*, once you are sure the keylogger is gone, *change your password for your email*. You may have to call your ISP for this. *Change all passwords you have* for anything online, email, this site, all other sites, online banking, etc. If he got your email through use of a keylogger then he almost certainly has your password and can continue to get your email until and unless you *change your password.* You may never be able to do anything to prosecute him legally as it is very hard to prove but you can at least stop what he is doing now. You may want to warn any mutual acquaintances as well.


----------



## $teve (Oct 9, 2001)

> Is it or is it not possible for him to have received those e-mails? He keeps telling me that it is and that's how it happened.


just to clear things up on this question, which hasn't really been answered directly.

ABSOLUTELY NOT

this is tantamount to stalking.

keep posting back here wendy... and ask if you don't understand anything, we are all glad to help


----------



## bassetman (Jun 7, 2001)

Interesting that Wendy is the only one who has not posted back here!

I hope she is ok!


----------



## wendyth (Jan 22, 2003)

Everything is ok, thanks for asking. 

My life is extremely busy I'm a single parent of 3, (my soon to be ex does very little with the kids), taking a computer course, (I find it difficult) trying to get my business up and running, going through an expensive and horrendous divorce, and maintaining a household inside and out. I'm not having a "pity party" I just can't reply as quick as I would like to.

I downloaded the Spybot Program and ran it. For the life of me I can't seem to do the copy and paste. My brain is in overdrive and this isn't working out. When I go into edit (on this page) the cut and copy words aren't lit up, only paste. It pastes the words from the last time I did. What am I doing wrong? The report is filed under log in the Spybot folder. I brought it up and clicked on edit and the same thing "paste" is lit up. Can someone explain how to do this to me? 

Suzi, thank you for the program and the instructions about downloading it. 

$teve, thanks for the answer. So....... he lied. I'm so naive and trusting he almost had me convinced it was possible. 

Must run it's 2:50 am. I have to get up in 4 hours. 

Bye,

Wendyth


----------



## jm100dm (May 26, 1999)

Wendy

I would not trust this person to continue teaching me anything. He is not being upfront with you. As for the course that you are taking with him I would go elsewhere for help. What does he call the course? Whatever it is I believe that you would be able to replace it easily. Once connected to the internet there is a world of free info out here to learn anything that you want to at your pace when you want to. A good starting point is windows help. By clicking start\help you can look up in your own computer how to do many things.

As for being able to paste. Your computer always remembers the last thing that you copied or cut in a file called clipboard. (till you restart the computer I believe) That is why the paste button is lit up. Once you copy or cut anything else it replaces the last item. By going to your startup list and selecting all then copy you will be able to come back here and paste that info. Hope that this helps. If you need any more help with this just ask.

There are many knowledgeable people on this board that will help you without expecting anything in return. Keep us posted when you can.

Good luck

jm100dm


----------



## suzi (Dec 27, 2002)

Wendy,

For the Spybot program, you don't need to post that log here. Just let Spybot "fix the problems" that are listed in red when you run it. 

It's the HijackThis log that we want you to post here.

To copy and paste, highlight (or select) with the cursor the log. Highlight it by holding down the left click on the mouse and moving the cursor over the text. Then press Ctrl - C at the same time. That puts the highlighted text on the clipboard.

Then when you start your reply here, paste by placing the cursor at the top of the reply window and press Ctrl V at the same time. That will paste the text into your post.

It took me a while to get the hang of copying and pasting at first too. Don't feel bad. You will get it. 


About this "teacher" - is he a hired teacher of a school you are attending, or is he a supposed "friend" who is teaching you informally? 

If he is a hired employee of a school or institution, you could file a complaint about him. If he is an employee of a school, and he came to your home, he is way out of bounds by becoming personally involved with you (even as a friend) outside of the classroom setting. If he continues to bother you, you could get a restraining order. 

Don't take this the wrong way, but nurse Suzi here ( I am a nurse) thinks you could benefit from some counseling and learning to set appropriate boundaries. Your situation, going through a nasty divorce stress etc. has made you more vulnerable and this "teacher" is taking advantage of you at a vulnerable time. He is not a person to be trusted and you don't need people like that in your life anytime, but especially now when you are in a vulnerable situation. 

Good luck and keep coming back here. This is a supportive place and it's good for you.


----------



## wendyth (Jan 22, 2003)

Logfile of HijackThis v1.91.2
Scan saved at 11:19:55 PM, on 1/25/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Agent] C:\Program Files\Sync Manager\agent\syncagent.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\WT-edited Name, Dave\app.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

Thank you guys for telling me how to do the cut and paste. This is the log from the hijackthis program. Suzi, the program only took seconds to scan. Is that right? What does the log tell you? Please let me know.

I have another problem. How do you open a pps file? I received
an e-mail that has this type of file in it. What do I need to open
this file?

Wendyth


----------



## pyritechips (Jun 3, 2002)

Hello again Wendy:

I am no security expert by a long shot but there is an item that looks suspicious. I did a search on it but could not find anything on it:

ContentAuditX Control

There are also programs running at start that don't need to and suck up system resources. Especially Microsoft Office.

As far as I know a .pps file should open with Office PowerPoint.


----------



## $teve (Oct 9, 2001)

I think the auditxcontrol is something to do with a smartcard reader.

wendy, now you're a copy/paste mistress, could you download and run the startup list http://www.lurkhere.com/~nicefiles/
and do the same with that?

and did you do what frenat suggested and changed your passwords?


----------



## jm100dm (May 26, 1999)

this must go. 
Instructions to soon follow.

SyncAgent
syncagent.exe
"Ghost Keylogger is an invisible easy-to-use surveillance tool that records every keystroke to an encrypted log file. The log file can be sent secretly with email to a specified receiver."


----------



## Davey7549 (Feb 28, 2001)

jm100dm Great catch!

Here is some more information on the product.

See Attached.

Dave


----------



## jm100dm (May 26, 1999)

Wendy

First check your add\remove programs and see if any of these are listed (wfxsnt40.exe or syncagent.exe or Sync Manager). If so un-install them.
To get to add\remove Click start\setting\control panel.

If that doesn't work go to start\run\type regedit and hit enter. 

You are now in the registry. Just be careful of what you delete here and you will be fine. Click on the following + signs by the folders.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


HKEY_LOCAL_MACHINE (click + and scroll down to)
Software (click + and scroll down to)
Microsoft (click + and scroll down to)
Windows (click + and scroll down to)
currentversion (click + and scroll down to)
run

On the right side you will find

Sync Manager--------Click on this and delete it.


After the registry work you can delete the folder here.

C:\Program Files\Sync Manager\agent\syncagent.exe 

If you need any further assistance post back. Keep us updated.

You will soon be free of his receiving all your info.

jm100dm


----------
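The log triage done by hand in the posts above, as an added example that is not part of the original thread or of HijackThis itself: it rejoins wrapped log lines, pulls out the `O4` autostart entries, and flags the executable the thread identified. The watchlist entry comes from the thread; the two extra checks (no path, executable in a profile root) are generic heuristics assumed here and only mean "look closer".

```python
import re

# Constructed sample: entries copied from the HijackThis log posted in this
# thread, with line wraps of the kind a forum paste introduces.
SAMPLE_LOG = r'''
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
"C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Agent] C:\Program Files\Sync Manager\agent\syncagent.exe
O4 - HKLM\..\Run: [NeroCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\WT-edited Name, Dave\app.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
'''

# File name taken from the thread; the note is this example's wording.
WATCHLIST = {"syncagent.exe": "named in this thread as Ghost Keylogger"}

ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")  # "R0 - ", "O4 - ", "O16 - "
RUN_KEY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
STARTUP_DIR = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
PROFILE_ROOT = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.IGNORECASE)


def unwrap_entries(text):
    """Rejoin entries that were split over several lines when pasted."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            # Not a new section code: treat as a continuation of the last
            # entry (header text before the first entry is ignored).
            entries[-1] += " " + line
    return entries


def executable_of(command):
    """Return the program path from a Run command, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut after the first extension.
    m = re.match(r"(.*?\.(?:exe|com|bat|scr|dll))\b", command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_autostarts(text):
    """List every O4 (autostart) entry as a dict."""
    found = []
    for entry in unwrap_entries(text):
        m = RUN_KEY.match(entry)
        if m:
            source = m.group(1) + "\\" + m.group(2)
            name, command = m.group(3), m.group(4)
        else:
            m = STARTUP_DIR.match(entry)
            if not m:
                continue
            source, name, command = m.groups()
        found.append({"source": source, "name": name,
                      "command": command, "exe": executable_of(command)})
    return found


def triage(text):
    """Map autostart name -> reasons it deserves a closer look."""
    flagged = {}
    for item in parse_autostarts(text):
        exe = item["exe"]
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in WATCHLIST:
            reasons.append("watchlist: " + WATCHLIST[base])
        if "\\" not in exe:
            reasons.append("no path: resolved through the search path")
        if PROFILE_ROOT.match(exe):
            reasons.append("profile root: sits directly in a user profile")
        if reasons:
            flagged[item["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Note that the log lists the keylogger's Run value as `Synchronization Agent`; `Sync Manager` is the name of its folder under Program Files.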



## brendandonhu (Jul 8, 2002)

Wendy-After you run Spybot, your Kazaa will probably no longer work. Kazaa includes spybot.
You will have to reinstall kazaa, uninstall it, run Spybot, then install KazaaLite.

But that's not as important as the problem going on in this thread, so you can take care of it later.


----------



## suzi (Dec 27, 2002)

I'm no expert on HijackThis logs, but I see you have Kazaa in there. First recommendation - uninstall Kazaa. However if you already ran Spybot, you won't be able to use or uninstall Kazaa. You will have to reinstall Kazaa, then uninstall it. Then run Spybot again to get rid of the spyware it leaves behind.

There are lots of threads here about the dangers lurking in Kazaa, you might want to read up on them.

I'm sure someone will come along who can tell more about your HijackThis log.

The thing to do is to get rid of Kazaa, then run Spybot and get rid of the Kazaa spyware, then run HijackThis again and it will be easier to see what other problems you have.


----------



## suzi (Dec 27, 2002)

Brendan - great minds thinking the same thing.


----------



## wendyth (Jan 22, 2003)

StartupList report, 1/26/2003, 5:32:23 PM
StartupList version: 1.51
Started from : C:\unzipped\startuplist151\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\KaZaA Lite\Kazaa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sync Manager\agent\syncagent.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\regedit.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\startuplist151\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HPDJ Taskbar Utility = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
WinFaxAppPortStarter = wfxsnt40.exe
(Default) = 
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
Synchronization Agent = C:\Program Files\Sync Manager\agent\syncagent.exe
ICQ Lite = C:\Program Files\ICQLite\ICQLite.exe -minimize
KAZAA = C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
Advanced Privacy Protector = C:\Documents and Settings\Wendy Thornton\app.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ Lite = C:\Program Files\ICQLite\ICQLite.exe -trayboot

--------------------------------------------------

Enumerating Download Program Files:

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab

[InstallShield International Setup Player]
InProcServer32 = c:\windows\DOWNLO~1\isetupml.dll
CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\vip\LOCALS~1\Temp\msiein\CAB37644.8262071296\msiein.dll|!\??\C:\WINDOWS\System32\msiein.dll|\??\C:\PROGRA~1\COMMON~1\MSIETS\tempss\msielink.dll|!\??\C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll|\??\C:\DOCUME~1\WENDYT~1\LOCALS~1\Temp\WZSE0.TMP\SETUP.EXE

--------------------------------------------------
End of report, 5,515 bytes
Report generated in 5.203 seconds

Command line options:
 /verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I've mastered the cut/paste but can't do what jm100dm has told me to. I get as far as the software folder and when I click on the +, 3 folders appear. None of them are named microsoft. If I scroll down and find the microsoft folders that are further down (in alphabetical order) not one of them just says microsoft. There are a ton of folders that start with the word microsoft. The first one is microsoft internet mail.
 

Sorry guys, What do I do?

I just thought I would mention the teacher told me last night I would never figure out how he got on my computer. He's too smart for anyone to find out, I was told. One minute he admits the e-mails came to him and the next minute he admits he was on my computer. I let him know I was told there is no way the e-mails conveniently ended up in his mail box. He said there are all kinds of ways he could get on. If he really wanted to he could get on in 15 minutes.

He told me he could phone the cable company I use for my internet connection and ask them to reset my mailbox. He would get access to my mailbox. The cable company doesn't ask for any identification, anyone can phone.
I never knew this.

The course I'm taking from him is the A+ Certification Computer Course. I've already paid him to teach the course. He's not the kind of person that would give me a refund. I don't know what to do. If I took it from a school I would have to pay 3x's as much. I can't afford it.

  

Wendy


----------



## brendandonhu (Jul 8, 2002)

OK a few things
-This is clearly illegal now that he is "baiting you" with his comments about how he is doing this. No matter what kind of person he is you can get a refund. Small Claims Court. All you need is to bring a printout of this thread. (which your "teacher" is probably reading).

-I don't see the keylogger in your startups. Maybe someone else will.

-Change your email password. Quick.

-Never, ever, give this person physical access to your computer.

-Tell this guy he's just an annoying little script kiddie with his keyloggers and mind games!

There are only 2 ways he can be getting keylog reports from your computer.
He either has physical access, or it's by email.
If it's automatically emailing itself, you can use a firewall to block access.
Try ZoneAlarm.
It's free.

If he's not using a keylogger, he might have put something in your email client that's redirecting your messages.
What program do you use to check your email?


----------



## jm100dm (May 26, 1999)

Wendy

I don't have an answer for you as to what to do about the course. With the materials it may be able to be self taught but it would be a lot harder to comprehend. I purchased those books a few years ago and they are just lying around here collecting dust. Never made the time to follow through. Be aware that he is watching you and careful as to what you key into your computer.

If you still want to eliminate the program the location of it is below. If you search in the registry for these key words you may be able to rid yourself of the program. (wfxsnt40.exe or syncagent.exe or Sync Manager). 


C:\Program Files\Sync Manager\agent\syncagent.exe 

Good Luck with whatever you decide to do.

jm100dm


----------



## brendandonhu (Jul 8, 2002)

Can't believe I missed the SyncAgent thing, someone told me about that just today!
I think it's also in "Add/Remove Programs" control panel, that will remove the program and all traces of it, so it does a better job of a cleanup than just deleting the file.

Hey suzi I have 1 cat pic up now if you want to check it out.


----------



## brendandonhu (Jul 8, 2002)

OK the program is Ghost Keylogger and does not appear in Add/Remove programs (thanks to a private conversation with jm100dm for this info).
Here are removal instructions.

Install a firewall as mentioned above. Don't allow access to anything with a name like SyncManager. This will stop it from sending the log emails. This is because it makes a direct connection to the internet.

Search your hard drive for the file syncconfig.exe.
Note what folder it is in. Launch that folder. Find the file "Uninstall.bat". Run uninstall.bat. 

Reboot.

You may get an error message when your system boots up. If you do, write down what it says, click OK, and tell us the message.


----------



## jm100dm (May 26, 1999)

Wendy

If all else fails.

I believe that you started in this key.
HKEY_CLASSES_ROOT
Need to start here.
HKEY_LOCAL_MACHINE
and work your way to here
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Those are what you have starting at startup. The next 6 keys may also have entries. Folders that end like so (run-) mean they will not be run.

I hope this helps.

jm100dm


----------



## brendandonhu (Jul 8, 2002)

JM-Shouldn't need to go and do that as using the uninstaller, or even deleting the EXE file will stop it from running at startup.


----------



## jm100dm (May 26, 1999)

--------------------------------------------------

Autorun entries from Registry: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HPDJ Taskbar Utility = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" 
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot 
WinFaxAppPortStarter = wfxsnt40.exe 
(Default) = 
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime 
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP 
Synchronization Agent = C:\Program Files\Sync Manager\agent\syncagent.exe 
ICQ Lite = C:\Program Files\ICQLite\ICQLite.exe -minimize 
KAZAA = C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY 
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

-------------------------------------------------- 
WinFaxAppPortStarter = wfxsnt40.exe 

Wendy
Appears that he is having it faxed to himself, if I'm reading this correctly.
But this will stop as soon as you rid yourself of the program.
jm100dm


----------



## pyritechips (Jun 3, 2002)

> He told me he could phone the cable company I use for my internet connection and ask them to reset my mailbox. He would get access to my mailbox. The cable company doesn't ask for any identification, anyone can phone.


Wendy: this is not true!

Contact your cable company and explain the situation to them. Have all your account passwords changed and do not allow them to give access to anybody except yourself!

Hang in there girl and we can help you beat this S.O.B. Brendan mentioned small claims court. You can pursue this, and there are laws in place to protect you from animals like this. Keep records of everything, including these entire posts, as they have printouts of your system and what was on it, plus all the comments of all these good people here that have been helping you. I don't know how much he has been charging you but hopefully you have some kind of receipt to show the authorities.

Good luck and please keep us here informed as to your situation. I guarantee you that the people here are caring folks that will help you any way they can!


----------



## brendandonhu (Jul 8, 2002)

JM-I guess faxing is possible, as Ghost Keylogger never dials a connection to the internet. It waits until one already exists, then does its dirty work.

And we are serious about small claims court, PC and I were talking yesterday. Could be considered stalking, and he could be up to something really sick, because; he kept calling you and asking you out, he wants to monitor YOUR kids, and the emails YOU sent bother him.


----------



## suzi (Dec 27, 2002)

Wendy wrote:


> The course I'm taking from him is the A+ Certification Computer Course. I've already paid him to teach the course. He's not the kind of person that would give me a refund. I don't know what to do. If I took it from a school I would have to pay 3x's as much. I can't afford it.


Wendy, whatever he is charging you - it's too much because along with the money you are paying in emotional stress. You can find A+ cert classes in a lot of places, like community colleges, school systems' adult ed classes that are not so expensive as like a tech school.

I think this "teacher" is a very dangerous individual and poses a definite risk/threat to you and your children. For your sake and theirs, fire him - even if you lose the money you paid him, it's not worth the danger he puts you in. And like the others suggested you could go after him in small claims court and even file harassment and stalking charges.

I think if the police even saw this thread, they would agree.

Did you sign a contract with him, or an agreement? Do you have a receipt for the money you paid him? How did you meet him?

I'm not asking you to post the replies to my questions here, but it's for you to think about.

I see you haven't posted here for a while - hope you are ok and come back here soon!


----------



## jm100dm (May 26, 1999)

Wendy

Whatever you decide to do. Please keep us posted. As you can see from the attachment (times viewed) there are a lot of concerned listeners here.

jm100dm


----------



## bassetman (Jun 7, 2001)

> Suzi
> 
> I think if the police even saw this thread, they would agree.


I think the police would be a good place to go. He may even have a history of this. Especially if he doesn't really work for a school, but is "teaching" you on his own.

John


----------



## Guest (Jan 29, 2003)

I've been following this thread intently. It's like a movie that keeps you on the edge of your seat. I'm amazed that there are people out there (in the world) that would actually do something like this. I dunno about you guys... but I'm truly concerned about Wendy... Could the Mods check on her via her IP addy? Just a thought.

And hey "teacher", if you can see this ... you're lower than pond scum!


----------



## Firejay (Apr 26, 2002)

Wendy,

Just to reiterate what everyone else has said, this person is up to no good. He's playing games that no one should have to put up with. Class or no class. Money or no money. If it comes down to money, I'll start a collection somewhere to help defray the cost. This person isn't a teacher nor is he someone that can call himself an Information Technology anything. He is an abominable person.

As everyone else has said, remove the offending program, call your service provider and change your password(s). Set a password on your local computer that only you know, install the recommended firewall software and above all do not let him have access to your house, let alone your computer.

And please, please, contact your local police department, sheriff's office, whoever has jurisdiction and fill them in on all the details.

We're here to help any way we can.

FJ


----------



## suzi (Dec 27, 2002)

from Jonesiegirl


> I dunno about you guys... but I'm truly concerned about Wendy... Could the Mods check on her via her IP addy? Just a thought.


That went through my mind also. If this evil person has read her posts and/or this thread, he may become more hostile and dangerous.

Wendy, please come back here and tell us you are safe.


----------



## JustMe2 (May 31, 2001)

I'm one of those people who has been closely watching this thread. It is very scary for me to read. Haven't posted, because I know nothing about this kind of thing.
But I'm posting now...
Please, please, please, post back Wendy...let everyone know that you are okay.
JustMe2


----------



## Rhettman5.1 (Sep 25, 2002)

I too have followed along on this thread and, as the others have mentioned, I implore you to take action, at the very least, inform your family and friends of the situation, the best bet though would be to inform the police and seek legal action!

If this "friend" was worth a bug's spit, he wouldn't bother you when you were going through a challenging time in your life.

We, as a group, implore you to take action soon, and report your progress, you are not alone, we're all right here!...Rhett


----------



## Dark Star (Jun 8, 2001)

Wendy....

There's at least ten people in here literally hanging on a thread ... this thread to be exact. On Sunday at 1/26/2003, 5:32:23 PM was the last time you posted in here, today is Wed 1/29 PM and we've not heard from you. 
I'm not sure that you really understand just how concerned everyone in here is about your well being and with very good reason. 

You first posted in here one week ago today and from all I've read in this thread I really don't think that you're completely aware of WHO exactly this "friend" or teacher/instructor guy is... I doubt that you've seen his credentials other than he's told you that he has a degree of some sort and not that it matters at this point but admittedly you don't really know anything about the guy.

I'm not concerned that the guy may be a con artist and that you're not likely to ever get a refund from him .... I'm much more concerned with your safety first ..... him we can let the police deal with later. I hope that you really, really understand just why we're all so concerned about you, with all that has happened so far this is all gone waaaaaaaaaaay beyond scary so please just let us know that you are well so that we can all breathe a collective sigh of relief.

How did you find TSG anyway?........... just curious.

DS


----------



## glo (Jul 2, 2002)

I've been looking at this thread the last several days and am also concerned for Wendy. I agree with Dark Star that Wendy may not fully recognize the danger of her situation.

I don't have Windows XP, but seems I remember reading that XP has a remote access function by which you can allow someone to take control of your PC for diagnostic purposes, etc. Since the "teacher" has had full access to her computer, he could have given himself that access -- in addition to the keylogger and whatever else he may have put in place. Maybe someone on the Board has experience with XP and could explore that with Wendy if she ever posts back.

Please Wendy, let us all know you are safe.


----------



## wendyth (Jan 22, 2003)

Hi guys,

I haven't been able to keep up, I've been sick and my business is getting busy. Valentine's Day should be the best time of year for it.

Let me update everyone. Monday morning the teacher called to confirm the class, I told him I wasn't going to do anymore classes. He was choked but never once offered me my money back.

Yesterday when I was out he came over and my kids let him in. He apparently downloaded Windows 98 to a CD. He put the program on my computer when he was showing me how to network with another computer. We have XP so we didn't need 98. My daughter told me he was deleting some of my programs. (spybot, Zone Alarm and a few more) Was I ever choked. Thank goodness I had changed my passwords. He couldn't get access to my site or mailbox. I asked him why he would do that it wasn't his computer. He told me those programs just mess my computer up, I don't need them. He was shocked I had them on the computer. Ghost Keylogger was gone, I don't think he got any info.

Is it possible to get through the firewall of Zone Alarm? He told me he could do it.

I'm not sure why he was snooping in my computer. There aren't any top secret things in it. Would it be for the challenge to see if he could do it?
It's driving him crazy wondering how I knew about Zone Alarm and HijackThis. I never told him a thing.

I met him in the fall. My computer needed fixing and I saw his ad in the paper. I phoned him and he came out and fixed the problems. About 10 minutes after he left he called and said if I ever need any help with anything he would help. I thanked him and told him I can manage. I've been a single parent with no help for the last 3 years I'll be fine. He just started calling to talk after that. Numerous times I let him know I didn't want anything but a friendship from him. That's how it's been. I have found myself starting to like him more.........BUT I stopped myself immediately.

Here is the log after I used HijackThis a second time. How is it?
Everything gone?

Wendy

Logfile of HijackThis v1.91.2
Scan saved at 1:30:59 AM, on 1/26/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Agent] C:\Program Files\Sync Manager\agent\syncagent.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\Wendy Thornton\app.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
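
An added example (not part of Wendy's post and not code from any forum member): a small Python parser for the O4 autorun lines of a HijackThis log like the one above. It extracts each entry's executable and flags the Sync Manager names that jm100dm and brendandonhu identified in this thread; the function names and the watch list are assumptions made for this example.

```python
import re
from typing import List, NamedTuple

# Excerpt of the O4 lines from the log quoted in the thread, embedded here
# (with one non-O4 line) so the example runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.91.2
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Synchronization Agent] C:\Program Files\Sync Manager\agent\syncagent.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Assumption for this example: the names the thread's helpers tied to the
# keylogger on this machine (folder and file names taken from their posts).
WATCH_TERMS = ("sync manager", "syncagent.exe", "syncconfig.exe")

# "O4 - HKLM\..\Run: [Name] command" (registry autoruns)
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.*?)\] (.*)$")
# "O4 - Global Startup: Name.lnk = target" (Startup folder shortcuts)
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
# Shortest prefix ending in an executable extension, so unquoted paths that
# contain spaces are kept whole and trailing arguments are dropped.
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)


class Entry(NamedTuple):
    location: str
    name: str
    command: str
    executable: str


class Finding(NamedTuple):
    entry: Entry
    reason: str


def executable_of(command: str) -> str:
    """Return the program part of an autorun command, without arguments."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = EXE_RE.match(command)
    return match.group(1) if match else command.split()[0]


def parse_o4(log_text: str) -> List[Entry]:
    """Collect every O4 (autorun) entry from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        match = RUN_RE.match(line) or STARTUP_RE.match(line)
        if match:
            location, name, command = match.groups()
            entries.append(Entry(location, name, command, executable_of(command)))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag watch-list matches and entries whose folder the log does not show."""
    findings = []
    for entry in entries:
        haystack = entry.executable.lower()
        hits = [term for term in WATCH_TERMS if term in haystack]
        if hits:
            findings.append(Finding(entry, "matches thread-named term: " + hits[0]))
        elif "\\" not in entry.executable:
            findings.append(Finding(entry, "no folder in command; file location not shown in log"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_o4(SAMPLE_LOG)):
        e = finding.entry
        print(f"{e.location} [{e.name}] {e.executable} -> {finding.reason}")
```

An entry reported as having no folder is only a prompt to look up where the file lives; the log alone does not say whether it is wanted or not.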


----------



## Davey7549 (Feb 28, 2001)

Wendy
Zone Alarm can be bypassed if a port was configured open\trusted for the intruder. Also the statement of ZoneAlarm and Spybot messing up the computer is false. This man certainly is devious.
If Zone alarm was indeed removed from your computer then I would download and reinstall it and be very careful about allowing transactions for anything that it alerts you to. If you do not know what it is then do not allow it, record what it is and let us know the detail.

Also you do have some Spyware on your computer and Spybot should be downloaded, setup and run to remove same. If you need instructions on how to properly set up let us know.

Lastly I am glad you responded to let us know you are OK because someone with this ambition could be dangerous.

Dave

PS: It is your own personal business and your choice but I would be very cautious about letting him in considering what statements he has made and what he installed on your computer.

PSS: I guess we can let the dogs in now since we sent them out to find you. Take care and let us know daily how all is going if you can find the time.


----------



## jm100dm (May 26, 1999)

Glad to see you are ok. Get zone-alarm back in please. Search for zasetup if he did not delete that you can reinstall quickly without downloading again. I don't think the un-install removes it.
Not knowing what he has done you should also run spybot again and post current reports here.

Going back to an earlier registry may put everything back but not sure, if someone knows please advise. HijackThis is 4 days old and does not show if he has redone anything to your computer.

If you don't ever fax you may also want to eliminate that as a possible door to the teacher.

Don't be afraid to ask for help.


----------



## Moby (Mar 19, 2002)

Not knowing what he has done this time or any other time, wouldn't it be worth formatting the lot (or using the restore discs, whatever Wendy has)? Just back up what you need, then wipe the lot and start again, you'll know there's nothing on there for sure then.


----------



## suzi (Dec 27, 2002)

A few words of advice:

Instruct your kids to NEVER let this guy in. 

Get a chain lock or something where you can see who is at your door before opening it.

If I were you I would report him to the police. Things to consider:

If he has done this to you, he might have possibly done it to other women as well. He probably knows how to pick his targets. Single women, going through a bad time (divorce or what ever), trusting...

If no one ever reports him, he will continue to do to others what he did to you. People like that are sick... Sometimes that kind of behavior leads to other more serious crimes. 

I think this guy needs to be stopped and you are in a position to do it. You have this entire thread that shows the contents of your computer and more.

Your actions might prevent the same thing or something worse from happening to another woman in a situation like yours.


----------



## pyritechips (Jun 3, 2002)

> Thank goodness I had changed my passwords. He couldn't get access to my site or mailbox. I asked him why he would do that it wasn't his computer. He told me those programs just mess my computer up, I don't need them


Obviously he is a script kiddie. Any hacker worth his salt can crack open a password protected computer. And he is also obviously a liar!


> My computer needed fixing and I saw his ad in the paper


It may be worth seeing if he is still advertising. If he is, show this to the authorities and at least the Better Business Bureau. At the least let the newspaper know what he has done and they will black list the scum!


----------



## JustMe2 (May 31, 2001)

Wendy,
Very glad to know that you're okay.
I agree with Suzi, please consider reporting this scum. 
JustMe2


----------



## anlore2001 (Sep 6, 2001)

> _Originally posted by Moby:_
> *Not knowing what he has done this time or any other time, wouldn't it be worth formatting the lot (or using the restore discs, whatever Wendy has)? Just back up what you need, then wipe the lot and start again, you'll know there's nothing on there for sure then.*


I've been also watching this thread and glad to see you are still OK.

I agree with Moby, Back-up what you need from the computer, re-format and re-install.

As far as the arse who is doing this to you. NAIL HIM TO THE FREAKING WALL!!!!! and report him to the proper authorities. Good luck and let us all know how it is going.


----------



## wendyth (Jan 22, 2003)

Hi,

Thank you all for your support and concern. I find it overwhelming. I don't understand the danger in what he did. I see it as a breach of "Trust". I didn't consider it a criminal case.
What is so bad about it? I don't have a lot of important things on my computer. Maybe he thought I did.

I've been out of town for the last few days and didn't have access to a computer. BUT the movie is still rolling. He's still calling and trying hard to be part of our life. I screen my calls and have talked to him once. Last night I went out to a movie with a friend and he phoned quite a few times. He left messages wanting to know where I was and who I was with. I couldn't believe it.

I can't figure out why he wants to include me in his harem. He's told me he wants to help. Out of the blue this guy comes into my life and wants to help us. My family doesn't help us. Why him? He thinks I work too hard with my business for the money it brings in. Plus being a single mother with no help from the ex. This is why he wants me to take the computer course. This way I can get into computers and make better money.

When I met him it was a vulnerable time for me. I know his roommate (female) is going through a rough time. Maybe he needs to be needed. The last 2 1/2 years have been horrible. It seems crisis and trauma follow me. I hope he doesn't think I have any money. He's wasting his time if he does....I don't have any. My lawyer has it all.

I haven't reinstalled the programs yet. I just got home yesterday and will do it either tonight or tomorrow.

I found TSG through a search I did on Google. I wanted to find a support group to find out the truth. I didn't believe him and wanted it confirmed.

Wendyth

PS Did I mention he was East Indian? I don't think I will get my money back. When I did talk to him he avoided an answer.


----------



## bassetman (Jun 7, 2001)

It's not so much *what* he did to your PC as it is *why*!

What is his motivation to want to know everywhere you go and who you email?

How many friends do you know that have said about some other guy "He seemed like such a nice guy!" ?

John


----------



## suzi (Dec 27, 2002)

> I don't understand the danger in what he did. I see it as a breach of "Trust". I didn't consider it a criminal case.


Your PC is your personal property. He invaded it and violated your privacy as well.

How would you feel if he came into your house and went through your private papers, checkbook etc. Or if he rearranged your household goods without your approval. I don't see any difference - same principle.

In my opinion, what he has done is a form of abuse - emotional and psychological abuse. A normal person does not do that.

I pray that you will see how dangerous this person is and put him out of your life completely.


----------



## jm100dm (May 26, 1999)

> _Originally posted by wendyth:_
> * My daughter told me he was deleting some of my programs. (spybot, Zone Alarm and a few more) Was I ever choked. Thank goodness I had changed my passwords. He couldn't get access to my site or mailbox. I asked him why he would do that it wasn't his computer. He told me those programs just mess my computer up, I don't need them. He was shocked I had them on the computer. Ghost Keylogger was gone, I don't think he got any info.
> *


Wendy,

He deleted these so that they can not be used to stop him from spying on you. I believe any reputable tech would tell you that you need a firewall (zone-alarm). Spybot had to go because using it may expose him. Till you find out for sure I would assume he is spying on you again.



> *I've been out of town for the last few days and didn't have access to a computer. BUT the movie is still rolling. He's still calling and trying hard to be part of our life. I screen my calls and have talked to him once. Last night I went out to a movie with a friend and he phoned quite a few times. He left messages wanting to know where I was and who I was with. I couldn't believe it.*


It appears to me that he is trying to control you. Who knows what he may do. I would continue to keep my distance from him. And if you haven't, *stress how important to your children* that they don't let him in without your okay.



> _Originally posted by wendyth_
> *He's told me he wants to help.*


If you speak to him why not tell him the best way that he can help is to refund your money as you are not continuing his classes.

If for some reason you need to find this site again an easy way to find it is www.helponthe.net and at that point you can select search within this site http://forums.techguy.org/ and put wendyth in the search by user box. I included this just in case he removes all your mail and links to here from your computer. If he has another keylogger in there he may also decide that you should not be getting any other advice on computers except from him. (Not trying to scare you but we don't know his real motives.) Also if you can't get back here from your computer most libraries allow you on the net for up to an hour at a time for free.

Just here to help. I will continue to follow this thread in case you encounter any more problems or need any tech help.
Good luck to you.


----------



## brendandonhu (Jul 8, 2002)

Wendy, with him wanting to "help" you (by removing your computer security programs) and "fix" your comp (by reading your email) and "teach" you by breaking into your computer, I think he is just a sick person and hopefully you will see that before something bad happens.
Plus, your children probably know and trust him already and would let him into your house and onto your computer again.


----------



## Guest (Feb 2, 2003)

oh my
I have read and re-read this thread and I wanted to cry ... scream ... and find Wendyth to give her a hug and some real support. 
I speak from *experience ... make someone in your locality aware of this toad - without delay!!.*

Wendyth, I see you are in Canada - I don't know what area of the country, but p-l-e-a-s-e call your local Women's Shelter - they will give you a wealth of advice ... not only with the obvious, ill-fated stalker, but with a ton of resources for learning computers, business skills, etc..

I have lived in every province of this country, except Quebec, and the support for Women is enormous. I am a volunteer for Victims Services ... and I see the horrible repercussions of these "helpers" all too often.

This all may sound very scary to you - all of the responses of this thread - but this is not something to pooh-pooh - not for a second.
It is not just your computer, but a (oh my if I could think of an appropriate word!) moron who is abusing you whether you see it now or not. 
The computer is the easy part (we are all here to help, 24/7 no matter what) - the hard part is erasing this guy and his influence from your and your children's lives. Screw the money - consider it a lesson learned - and keep him farrr away.

As you can see, you have a bevy of caring followers in here - I hope you start a thread in the Community / Random Discussion just so we can see how you are!

Please try to check in, even with just a "hi - all is ok" as often as you can.

... thinking about you 

best cheers
Louise
MDM


----------



## jm100dm (May 26, 1999)

Wendy

New to this forum you may not be aware that you can send an e-mail to anyone here without revealing your e-mail address by using the links below their posts. If you have something to say that you don't want everyone to have access to that may be a route to take.

I'm sure Suzi or MadDogMugsy would love to hear from you.


----------



## suzi (Dec 27, 2002)

> I'm sure Suzi or MadDogMugsy would love to hear from you.


Yes!!! And I agree 100% with MadDogMugsy.

Wendy, even if you don't see why we are all so concerned and why we think this man is an abuser... talk to your local women's center like MadDogMugsy suggested. It will be helpful for you to learn more about yourself and the implications of this man's behavior toward you. I think he is a dangerous individual and will continue to harass you until you take some definitive action against him. Just do it before it gets worse...for your children's sake as well as your own.

Please feel free to email me or private message me at any time...

Suzi


----------



## cmlyon (Feb 16, 2003)

Hi Wendy,
Have just read this thread and am concerned that you have not replied for 2 weeks. Is everything ok?


----------



## wendyth (Jan 22, 2003)

Hi Everyone,

I haven't had time to reply in the last 2-3 wks. Things have been very busy. I invested a lot of money into my business, hoping it would pay off. Unfortunately it didn't.

When I was out one of the girls (that was working for me) let the guy in. Two of the girls knew him so they thought it was ok. He said he was going to wait until I got home. In the meantime he downloaded a program. I have no idea what. I was told it was a program he needed.... because of this and not buying a birthday present has ended his phone calls and appearances at my house. His birthday was on Valentine's Day and I know he expected a birthday present from us. He didn't get one.

I haven't heard from him since.

I have another question. Can the icons on my desk top change the order they're in by themselves? They are completely different from the last time I was on the computer. I didn't rearrange them nor was anyone on the computer.

My menu bar in my e-mail (outlook express) is in the wrong place. It's on the side of the screen....... How do I get it back on top?

On my desk top a red flashing envelope is there and I want to get rid of it. When I click on the right (of the mouse) there isn't the word "delete" to get rid of it. Clicking on the left does nothing. What now?

Thanks for helping,

Wendy


----------



## brendandonhu (Jul 8, 2002)

Sometimes Windows forgets window/icon settings.
Search your hard drive for the file "shelliconcache" and delete it and reboot.
If this doesn't fix the problems, this guy probably downloaded some joke or trojan program. Maybe he just messed with a few things as a way of saying goodbye.

Unfortunately, every time he gets on your computer you are going to need to run Spybot, virus scan again to see if he added a new keylogger or something.
You can also check your Add/Remove Programs control panel and see if there is any software you don't recognize. 

For the red envelope, try this:
Right click a blank space on the desktop, go to Properties. Go to the Web tab. Uncheck the box that says "Show Web Content on my Active Desktop".
These are the instructions for Windows ME, if it's not the same for your computer, someone reading the thread should be able to "transpose" for you.


----------



## $teve (Oct 9, 2001)

and usually you can left click.... and while holding down the mouse button drag your taskbar to where you want it.

glad to see you're ok wendy


----------



## jm100dm (May 26, 1999)

> My menu bar in my e-mail (outlook express) is in the wrong place. It's on the side of the screen....... How do I get it back on top?

I played around in OE and did not find a solution for that. Anyone else have any ideas?

Wendy,

It's good to hear that you are okay. If the teacher comes again playing on your computer be sure to ask for help if needed. It wouldn't hurt to post your startups or HijackThis list again. Better safe than sorry. And good luck with your business.


----------



## bassetman (Jun 7, 2001)

Hi wendyth

Have you tried View/Current View/Customize Current View?

John


----------



## freecho (Jan 28, 2003)

wow. this is like a soap opera. Tune in next week where wendy.... If I was you, I'd bring the computer to someone who knows computers and ask them to back up, reformat and reinstall anything needed. It may cost you. I know everyone in this forum is against this but you'll never know exactly all the stuff he did to your computer. It shouldn't be so bad if you have your OS and all your software on CDs. Computers normally come with restore disks and I think you can get it to the purchased state. By formatting you are 100% sure he is completely cut off (I think). BUT you can cut yourself off from your own computer as well. That's why you should prob have someone else do it.

You are a hacker's wet dream, by allowing a hacker direct contact with your computer. If the computer isn't used for work and is not kept on all the time maybe have it so you need a password to boot. I never did it before and forget what it's called (CMOS password or something like that), but I'm sure people on this forum can help. Being that you have so many people allowing this guy through that front door and allowing him full access to the computer, maybe a password will cut him off from direct contact with the computer. Of course he can always ask whoever let him in for the password, or take apart the computer to pull out the battery.


----------



## wendyth (Jan 22, 2003)

Logfile of HijackThis v1.91.2
Scan saved at 11:19:55 PM, on 1/25/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Agent] C:\Program Files\Sync Manager\agent\syncagent.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\Wendy Thornton\app.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

Logfile of HijackThis v1.91.2
Scan saved at 8:15:14 AM, on 3/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts: indows.
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\System32\ipinsigt.dll
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\gig.dll
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O3 - Toolbar: SuperBar - {0011135B-5363-4999-A66A-BC3C31F01B39} - C:\Program Files\SuperBar\SuperBar.Dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [ContinueInstall] C:\WINDOWS\bpsinstall.exe /s
O4 - HKLM\..\Run: [msbb] \\Wendy\c\Program Files\TwistedHumor\Rich Black Cartoon\msbb.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\Wendy Thornton\app.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

Hello everyone,

I have posted 2 of the HijackThis lists, hope everything is ok and nothing is on my computer.

I've just been terrorized by my ex's lawyer at "Examinations for Discovery" for 3 days. He thinks he needs another day to examine me. Why? I don't know. I have nothing and I've hidden nothing. I haven't been working for 12 years and my ex doesn't want to pay alimony. I've been a stay at home mom. For the past 3 years I've been on unpaid medical leave, for stress and depression. My ex thinks I've faked it and he is trying to prove that I am fit for work and always have been. He fired his first lawyer and has an "Ace" lawyer now. I sat across from him wondering how he could allow this man to interrogate me like he was. I spent 17 years of my life with someone I never really knew. The lawyers made a lot of money through this, nothing else was accomplished. It won't be long and my lawyer will own my interest in our house. I think it's criminal what they charge.

I have a couple of questions about my computer. The other night I wanted to defrag my computer. (I still haven't found out how to do it) I went into control panel, systems properties and user profiles.

Under Full Complete Name: was the guy's name that had been on my computer. Under Workgroup: MSHome was typed in. I changed his name to my name, do I change the workgroup name?

In User Profiles he had his initials \ then one of our names. 
ex: RB2\Wendy
RB2\Christopher
RB2\Hayley
"RB2\RB" His own account!

I deleted his account. How would I find out what else has his name on?

I haven't spoken to him for some time now. I wouldn't answer his calls and he finally quit calling.

Thanks,

Wendy

P.S. How do you put Smilies in your messages?

P.P.S. Somehow I've messed my tool bar up in my Outlook Express. It's ok when I bring my mail box up. When I go to reply or create mail it's not ok. I don't know how I did it.

At the top there is no File, Edit, View, etc.

When I go to forward something (create or reply) there isn't any tool bar. Well, there sorta is, but it's all messed up.

It says send, cut, copy, paste, undo and File.

How do I get it back to the way it used to be?
It used to say create, reply, reply all, forward, delete, etc.


----------



## bassetman (Jun 7, 2001)

I'm only going to address part of your post.

I hope you hang in there through all this.

The smiley things are to the left of the window you type in to post here. Just click on the one(s) you want and a script will put them in your post.

Or you can type in the symbol for each one.


----------



## Steppinstone (Aug 18, 2002)

For the outlook issue try this, hit view then layout and place a check next to the items you want to show in your tool bar. Good luck with everything that is going on in your life. Chari


----------



## $teve (Oct 9, 2001)

hi wendy......good to know you're still around here

you have something to remove in that last list.

O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\System32\ipinsigt.dll 
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\gig.dll 
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\SuperBar\SuperBar.Dll 
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL 

look for entries in add/remove programs for "ipinsight"and "superbar ie plugin"
if they are there this should remove them adequately.

im not sure about gig.dll but if its dodgy spybot should take it out.
update spybot and close all IE windows before scanning.

now then....BHO001.dll is the "igetnet" parasite,spybot will remove this one but you will have to edit the "hosts" file manually.

like this:
open the Hosts file(you may need to enable "show all files,my comp/tools tab/folder options/view) This is called 'HOSTS' without a file extension (not Hosts.SAM); it is in the Windows folder on Windows 95/98/Me, or Windows\System32\drivers\etc\ on Windows NT/2000/XP. Find and remove these entries: 

216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch

any problems with the last bit just ask for help.

you also have "network essentials"and "downloadware"spybot should remove these as well.
im still reading here,lol.
"go-hip".again spybot will nuke this one.
we need to get you some serious spyware blockers!!!

and you hoped it would be clean

we will need another list after you do the cleaning
 

take care


----------
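The manual hosts-file check described in the post above, as an added example that is not part of the thread: it lists every entry that points a host name at a non-loopback address and returns a copy of the file without those lines. The function name, the `allowed` parameter and the sample file are constructed for illustration (the three 216.177.73.139 entries are the ones quoted in the thread), and it assumes a home PC whose stock hosts file holds only the localhost line.

```python
import ipaddress

def audit_hosts(text, allowed=()):
    """Review hosts-file text.

    Returns (redirects, cleaned): redirects maps each flagged address to the
    host names pointed at it; cleaned is the file text without those lines.
    Addresses listed in `allowed` (e.g. a known LAN printer) are kept.
    """
    redirects, kept = {}, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        addr = None
        if len(fields) >= 2:
            try:
                addr = ipaddress.ip_address(fields[0])
            except ValueError:
                pass   # first field is not an address: keep the line for manual review
        flagged = (
            addr is not None
            and not addr.is_loopback       # 127.0.0.1 / ::1 entries are normal
            and not addr.is_unspecified    # 0.0.0.0 entries block a name, they do not redirect it
            and str(addr) not in allowed
        )
        if flagged:
            redirects.setdefault(str(addr), []).extend(fields[1:])
        else:
            kept.append(line)
    return redirects, "\n".join(kept) + "\n"

# Constructed sample: a stock localhost line, the three entries quoted in the
# thread, a blocklist-style entry, and a damaged line like the one in the log.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed)
127.0.0.1       localhost
216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com
216.177.73.139 ieautosearch
0.0.0.0 ads.example.invalid   # blocklist-style entry
indows.
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE_HOSTS)
    for address, names in found.items():
        print(f"{address} <- {', '.join(names)}")
    print(cleaned, end="")
```

Several search host names mapped to one outside address, as here, is the pattern to look for; the cleaned text is returned rather than written so it can be reviewed before replacing the real file.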



## Guest (Mar 7, 2003)

Hi Wendy
Glad to see you in here
... we are going to have to start a new thread in Random cuz so many have asked after you!
- trusting all is well in life
best cheers
Louise


----------



## SkieLok (Feb 8, 2003)

I just read every post in this 75 post thread. I skipped one of my college classes so I could finish, needless to say I was quite distraught by the things I heard here.

I would suggest using the internet as a tool for learning the inner workings of your computer. If you don't really have time, because you're out all day, find some pages that look like they have useful content and print them off for later use (reading material for your coffee break, or dare I say toilet break ).

An example: if you're ever curious as to what your computer is running, try pressing ctrl+alt+del, it should bring up a list of programs in your task manager (don't close anything, just cancel after you've taken a gander). Start at the beginning, get its name and type it into google search engine www.google.com then just see what it does. The more you use your computer the easier it becomes to learn.


----------



## jm100dm (May 26, 1999)

> _Originally posted by wendyth:_
> *I have a couple of questions about my computer. The other night I wanted to defrag my computer. ( I still haven't found out how to do it) I went into control panel, systems properties and user profiles.
> 
> Under Full Complete Name: was the guy's name that had been on my computer. Under Workgroup: MSHome was typed in. I changed his name to my name, do I change the workgroup name?
> ...


Wendy,
You have many programs starting each time you use your computer and may want to address that first. Items that you don't use all the time can be opened when needed. Steve has listed a few items to remove with HijackThis and running spybot will remove the spy-ware. Your second list shows kazaa whereas the first one showed kazaa lite [version without the spy-ware]. If you need help with this just ask.

To defrag you should do a scan disk first.
If you use a screen-saver change it to none.
Close all programs except explorer and systray.
Close by selecting in the system-tray with a right mouse click. Look for exit, shutdown, quit etc...
After closing all you can use three fingers to press these three keys: ctrl+alt+delete
A box called close program comes up showing programs that can still be closed. Select one at a time and press end task. Continue till all are gone except explorer and systray. You may get another pop-up with some programs asking if you want to end them just go ahead and do it.

start\run type scandisk 
press ok [this opens the program]
when it's done.

start\run type defrag 
press ok [this opens the program]
select the drive and ok
This will take a while. At least an hour and maybe much longer depending on your drive size.

Tried to be thorough enough to anticipate any questions you or others may have doing this.


----------



## jm100dm (May 26, 1999)

From one of my favorite sites.

An even more detailed scandisk and defrag can be found here.
http://9337387.home.icq.com/main2.html

Want to learn more? Just ask questions and the people here are very willing to help.

Good to hear from you again.


----------



## freecho (Jan 28, 2003)

I have a few questions. Why can't you end task systray while defrag or scandisk? I can understand why you would need explorer. Isn't systray for the system tray? Also when I do a full virus scan of my hard drive do I need to end running programs as I would for scandisk and defrag? In other words if a virus was running in the background would it detect it while scanning for viruses?


----------



## jm100dm (May 26, 1999)

I believe that you can also shutdown systray. I just read this to be the most common practice. I've even had it removed from msconfig without any apparent problems. If you do not use power settings or the volume control then I don't think you even need it. Just my opinion though.

Good question. Think about this though. The most common response I see to double check your system is to do an on-line scan which usually picks up anything that your machine may miss due to an infection. You would not be able to do this without being on-line and having at least some programs running. So I would have to say it checks all files even running processes.


----------



## suzana (Feb 7, 2003)

Hi..
When I open task manager, on processes I see capFac.exe. I look in the task list program but it is not listed anywhere.


----------



## freecho (Jan 28, 2003)

thanks jm. the reason I ask is because I read somewhere long ago, to do a good virus scan, you should turn off win Me restore function. The reason I think is maybe it can detect it but maybe you cannot delete it if it is present.


----------



## $teve (Oct 9, 2001)

hi suzana, you would be better posting your problem as a new post so we don't get confused with the answers


----------



## Guest (Mar 8, 2003)

freecho - yes disable the restore function on full ME scans - 

Wendy - as before, glad you are back online & in here.
Please feel free to eMail me directly should you want any 'personal protection' info, as well as some contacts for enhancing your business life ... there is a mega ton of free services available to you. (you can just click the email link at the bottom of my message) I also have a cache of info on dealing with lawyers in this area. I think about you often. I am not going to post 'personal' in here anymore ... but do get in touch with me even if you just want to chat
best cheers
Louise


----------



## $teve (Oct 9, 2001)

BUMP!


----------



## $teve (Oct 9, 2001)

and bump again


----------



## Dark Star (Jun 8, 2001)

> _Originally posted by $teve:_
> *and bump again *


Thanks $teve...

*Is it possible to get your friend's emails? (01-22-2003 12:09 AM)*

.... almost 2 months since this thread began ... 85 posts later and I wonder what if?

and like the sands of time, these are....

DS


----------



## $teve (Oct 9, 2001)

hi DS.....i think wendy sounds like quite a busy mother so it may be she can only get the time to visit us every now and then.
i was just trying to keep this thread at the top of the board seeing as a lot of people on here, including me, have taken an interest in her well being.
cheers buddy


----------



## happy wander (Mar 13, 2003)

I have been reading all these posts about defragging, and even though I have been using a computer for years I did have extreme difficulty doing mine till a few weeks ago. I did exactly what was said in earlier posts, I turned off my screen saver and did all the ctrl del of all my background stuff, but my computer for some reason wouldn't let me even do a scandisk, I could only do it by using scandisk via MS DOS.

A real pain, as you know if you can't do a scan in windows ME you can't always successfully do a defrag.

A friend of mine introduced me to a neat program called Power Defrag, it's great, it cuts out all the hard work of defragging, takes me 4 hours but it does it all for me now ctrl del etc, all I do is click on the icon, and go start, it automatically turns off the screensaver and then does a full standard scandisk then goes into a defrag and then turns the screensaver back on, and soft boots computer and when I get up in the morning my system is all nice and clean, I run regedit after to make sure I don't have any registry problems then do a AVG scan too, I do this once a week, and if you do this before you go to bed, it's all done by the time you wake up.


----------



## Guest (Mar 24, 2003)

> _Originally posted by Dark Star:_
> *Thanks $teve...
> 
> Is it possible to get your friend's emails? (01-22-2003 12:09 AM)
> ...


And we all hang in the balances, awaiting her return...


----------



## titanfanof89 (Sep 6, 2002)

Is Wendy out there? I just stumbled on this post!! I can't believe this!

Wendy, honey- this guy has taken complete advantage of you at a vulnerable time. Just like everyone has said- it IS NOT normal to want to hack in a "FRIEND's" computer. By the number of times he's called you and by the way he questions your whereabouts.....I'd say he has some obsession with you. This sounds like typical behavior of a stalker......you initially trusted him and established a friendship with this guy- PLEASE don't think that his hacking in your computer was a mild thing and forget about it. NOTIFY your local authorities! He has to have done this before. 

I really hope all is well with you and your family. As you mentioned earlier you are going through a divorce so I could only imagine how stressful that must be. PLEASE come and post an update on how you are and whether your computer is cleaned of this individual's tracking!


----------



## heartsvertig (Mar 26, 2003)

Has anyone heard from Wendy?
is she ok?


----------



## Steppinstone (Aug 18, 2002)

Haven't heard from you since March just wanted to know how things are going for you!
Chari


----------



## wendyth (Jan 22, 2003)

Logfile of HijackThis v1.91.2
Scan saved at 9:41:52 PM, on 6/3/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O3 - Toolbar: (no name) - {0011135B-5363-4999-A66A-BC3C31F01B39} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\Wendy Local Settings\Temporary Internet Files\Content.IE5\ZMNPHHBF\movie.pif
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\Wendy \app.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [System MScvb] C:\Documents and Settings\Wendy Local Settings\Temporary Internet Files\Content.IE5\ZMNPHHBF\movie.pif
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll



Hi Everyone,

I've been so busy these past few months I apologize for not keeping up. On May 5th I had an operation and due to complications I ended up back in the operating room "3 more times" the same day. After 2 weeks in the hospital my doctor got tired of me begging to go home and let me out. I'm still having trouble but at least I'm home with my children.

I have written back (3x's) but each time I tried to send the message I lost everything. Why.........? I don't know... I ended up getting frustrated over the whole thing.

I'm positive the ex friend has been or still is on my computer. I came back after being away for a week and his "outlook express" mail box was on my screen. His name is now on my identities login for outlook express. I put a password on my mail box..... lately it doesn't come up.

I hadn't talked to him for quite some time; when I did, he kept trying to sell me a computer for my kids. This would solve my problems of mine freezing up and running slow. After several times of saying no I don't have the money he ends up on my doorstep with it. My son let him in and within minutes he had it hooked up. I came into the room and told him we had to leave for dancing. He wanted $250.00 plus traveling time ($50.00) for the computer. He knew I was upset and told me he would pick the money up tomorrow. After dancing I took the computer to a store and asked the guy to tell me what it was worth. At the most $100.00 - $150.00 I was told. I told him the price I was given and he told me to give it back. The next day when he called I told him I didn't have the money and he was taking advantage of me. He went on and on..........I hung up and haven't spoken to him since. The phone calls are getting less and less but haven't quit yet.

Please let me know about the file I've sent.

Thanks guys,

Wendy


----------



## brendandonhu (Jul 8, 2002)

I don't see anything in the log...but you better wait for an expert to check out the BHOs.

But this guy is what some people like to call a Stalker. You really should call the police, or when he finally figures out that you don't like him, he can just come to your house, your kids will let him in, and he can do whatever he wants to you, your house, or your children. I think this is beyond a computer problem now.


----------



## Steppinstone (Aug 18, 2002)

Hi Wendy! I am so sorry to hear about your recent hospital stay. I sure hope that you are on the road to speedy healing.

One thing that I do to prevent my posts from getting lost is that after I have everything typed out, I highlight the words then right click and hit copy that way if something goes wrong all I need to do is right click and paste the info back in. I also sometimes write my posts in notepad then copy/paste from there into a thread.

You told this guy that you couldn't afford a computer for the kids...
If he shows up with it anyways it now becomes a *gift*. I can't believe that he tried to bill you for something you didn't want. I wish I lived by you, because I personally would kick this guy's a$$ for you and yes I'm female!!!!

You know that if this guy keeps bothering you, it may be time to get a restraining order against him. He is stalking you and your children, he has built enough trust with your children that they still are letting him in the door. This could be very dangerous to you and your family. You really have to push the issue with the kids about not letting this man into your home.
I sure hope I don't sound pushy, I am not trying to tell you how to run your life, just concerned for your safety. Please take care Wendy!
Chari


----------



## Aaron.W (May 9, 2003)

I know a lady in my town who went through the same experience. I put a stop to that right away. ;]

I'll send you a PM. If you're anywhere near me I might have a handle on this guy already. His M.O. is identical.


----------



## RSM123 (Aug 1, 2002)

Just an idea here - if this man failed to refund money from your training course then consider the extra computer as restitution. It is highly unlikely he would want any close scrutiny from any authorities given his apparent business practices ....


----------



## wendyth (Jan 22, 2003)

Hi, yes I have thought about keeping the computer for the money he owes me. On one of his "apologetic" messages he left he thinks I planned the whole thing. He has turned it around to make him look like the "victim". Of course he goes on and on how the "friendship" means a lot to him. Would I please phone him so we can talk about the issue.

Months ago he borrowed my XP disk promising to bring it back the next day. I still haven't seen it. After he hooked up the computer I noticed he had windows millennium on it. I asked him why he hadn't installed XP he has my disk. Well........he forgot to tell me someone broke into his vehicle and stole it........ He once told me he charges $100.00 to install XP. 

I would like some input about this. I have his parents' phone # and last name. I thought of paying them a visit and letting them know what's happened. They're 1 1/2 hrs. away. He grew up in a very rich environment. His father a retired eye surgeon and his mother a retired nurse. I know he himself has money because once in a while he would tell me how he just bought his girlfriend $400.00 shoes, or took her skiing for the weekend at $475.00 a night etc. They might speak to him.........

I'm tired of being nice, doing for everyone and taken advantage of. I certainly have bad boundaries and made a lot of bad choices...........

How this guy does these things and sleeps at night I'll never understand.

Can anyone see anything suspicious in the file I sent?

Thanks everyone,

Wendy


----------



## RSM123 (Aug 1, 2002)

Although not on the topic of pc repair ... do not 'pay a visit' to his relatives they are uninvolved and your actions could be construed as threatening. Just cut your losses and forget this person.

As for charging for installing XP - If you must have XP then buy it and get help here for rather less than $100.

Have a good weekend.


----------



## Dark Star (Jun 8, 2001)

wendyth ...

I'm glad that you're ok ... well at least for the most part you seem to be alright.

Still dealing with this creep? .... try saying NO and disconnect already. Creeps like him manage to suck the life out of nice people like you because they allow it.
Why talk to his parents? The best case scenario there is that they'll listen and side with you but that's that. I doubt they will call the police and have him arrested. He IS the problem just remove him completely and don't look back ... that's akin to "if it hurts when you do that then don't do that."

One last thing ... Please take the HijackThis file that you posted and make a brand new thread ... title it something like "Please help me with my HijackThis log file" and post it so that one of the resident experts will look at it and let you know what's up or if it's ok, otherwise it's gonna stay buried in this thread I'm afraid.

a side note: Chari said *"I wish I lived by you, because I personally would kick this guy's a$$ for you and yes I'm female!!!!"* ... I can tell that she means it too. At any rate he needs to be "enlightened" and maybe he wouldn't be sleeping so damn good if he found himself in jail.

DS


----------



## Aaron.W (May 9, 2003)

The rundll16.exe rings a bell. 
I remember a trojan used that name but I can't remember which one.

C:\WINDOWS\System\WINSTA~1.EXE -b could be another.

Hit Control-Alt-Delete and stop both and then change the .EXE part of their names to .EXX and email them to me.

P.S: have you checked your PM inbox yet? *Click here.*


----------



## Steppinstone (Aug 18, 2002)

Hi Wendy, You know that story about your xp disc is most likely another lie this man has told you. Sounds like he is making money off the use of your disc by installing on people's systems. That is illegal as far as I know and if you have that copy of xp registered and if he is registering the same copy on other machines then it can all catch up to you in the long run. Someone correct me if I am wrong in my last statement!!

If he continues to harass you please get a restraining order on him, print your story out and any other documentation you have and go to the police and get an order of protection.

Perhaps if one of our Canadian friends is close to you they can come and do my butt kicking for me

Please take care! Chari

I am going to try to get one of the Hijack this experts in here to look at the log for you!!


----------



## $teve (Oct 9, 2001)

hello again wendy...nice to see you're still fine.
now let's get rid of a few more nasties.

O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\Wendy Local Settings\Temporary Internet Files\Content.IE5\ZMNPHHBF\movie.pif

O4 - HKCU\..\Run: [System MScvb] C:\Documents and Settings\Wendy Local Settings\Temporary Internet Files\Content.IE5\ZMNPHHBF\movie.pif
(the 2 above are listed twice)

these 2 entries could be the remnants of a worm.
can you go here: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c.removal.tool.html and look down the page for the removal tool. download and run it.

then post yet another "startuplist"

cheers
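
The checks the helpers in this thread apply by eye (a startup entry that runs from Temporary Internet Files, a `.pif` target, the same entry listed under both HKLM and HKCU, a toolbar whose file is missing), written out as an added example that is not part of any post here. The sample lines are copied from the logs posted in this thread; the function names, reason labels and the extension list are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines in HijackThis format, copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\Wendy Local Settings\Temporary Internet Files\Content.IE5\ZMNPHHBF\movie.pif
O4 - HKCU\..\Run: [System MScvb] C:\Documents and Settings\Wendy Local Settings\Temporary Internet Files\Content.IE5\ZMNPHHBF\movie.pif
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# O4 registry autostart: HKLM\..\Run: [value name] command line
RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O2 / O3 browser component: kind: name - {CLSID} - file
COMPONENT = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
# Program part of an unquoted command line (paths may contain spaces).
TARGET = re.compile(r"^(.+?\.(?:exe|dll|ocx|pif|scr|com|bat|cmd|vbs))(?=[\s,]|$)", re.I)

# Assumed heuristics for this example, not a rule set from HijackThis itself.
CACHE_DIRS = ("\\temporary internet files\\", "\\temp\\")
DISGUISED_EXT = (".pif", ".scr")  # run as programs but rarely installed on purpose


def target_of(cmd):
    """Return the program path from a Run command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = TARGET.match(cmd)
    return m.group(1) if m else cmd


def parse(log_text):
    """Split a log into (code, body, full line) for every recognised entry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def triage(log_text):
    """Return [(line, [reasons])] for entries that deserve a closer look."""
    entries = parse(log_text)

    # First pass: record under which hives each (value name, command) appears.
    hives = defaultdict(set)
    for code, body, _ in entries:
        run = RUN.match(body) if code == "O4" else None
        if run:
            hives[(run["name"].lower(), run["cmd"].lower())].add(run["hive"])

    findings = []
    for code, body, line in entries:
        reasons = []
        run = RUN.match(body) if code == "O4" else None
        comp = COMPONENT.match(body) if code in ("O2", "O3") else None
        if run:
            target = target_of(run["cmd"]).lower()
            if any(d in target for d in CACHE_DIRS):
                reasons.append("runs-from-temp-or-cache")
            if target.endswith(DISGUISED_EXT):
                reasons.append("disguised-executable-extension")
            if len(hives[(run["name"].lower(), run["cmd"].lower())]) > 1:
                reasons.append("same-entry-in-HKLM-and-HKCU")
        elif comp and comp["file"].strip().lower() == "(no file)":
            reasons.append("component-file-missing")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons))
        print("   ", line)
```

A flag here only marks an entry for review; names such as `rundll16.dll` pass these path checks and still need someone who knows the file to judge them.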


----------



## NiteHawk (Mar 9, 2003)

> _Originally posted by Steppinstone:_
> *Hi Wendy, You know that story about your xp disc is most likely another lie this man has told you. Sounds like he is making money off the use of your disc by installing on people's systems. That is illegal as far as I know and if you have that copy of xp registered and if he is registering the same copy on other machines then it can all catch up to you in the long run. Someone correct me if I am wrong in my last statement!!*


Chari, you are absolutely right!! He has now added software piracy to his list. I am sure that Microsoft and others would like to know this, if they don't already. XP has a tendency to phone home to the Mother Ship. I don't know for a fact that the Activation Code Key in the registry are pasted back to M$, but I would be surprised if it wasn't. It is my understanding that upon finding duplicate Activation Keys, M$ has the ability to remotely disable XP. Especially if these other people registered their software. Since I am sure that he never told them that they had a stolen copy and they are under the belief that their software is completely legal.

Although Her copy of XP might get disabled, in the end it would be a simple (but no doubt time consuming) task to have M$ see who was the first to register that copy. Once again a print out of this whole thread should help in convincing them just who is the rightful owner.

Wendy, please print out a copy, or better yet cut and paste it to Word or Notepad and save to a FLOPPY. NOT on your hard drive. There is no sense in giving this lowlife any more information than he already has.
Plus a complete record of this thread could be invaluable in helping you in many other legal ways.


----------



## wendyth (Jan 22, 2003)

Logfile of HijackThis v1.91.2
Scan saved at 2:09:31 AM, on 6/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O3 - Toolbar: (no name) - {0011135B-5363-4999-A66A-BC3C31F01B39} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\Wendy \app.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: EPEL.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll



Hi guys,

I did what you suggested Steve. How do things look now?

I must ask, How do you get into your PM inbox? 
I agree I must make a copy of this whole thread. I have a feeling things aren't finished yet with him.

How do I stop all the pop ups?

Thanks for all the help,

Wendy


----------



## Dark Star (Jun 8, 2001)

To go into your PMs and the PM Inbox etc. you need to click on the "User Panel" link at the top of the page.

I still see a few things in that list like...

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

there's other stuff in there too but that one just jumped out at me and got my attention surely you see that's still in there right?

DS


----------



## Dark Star (Jun 8, 2001)

O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu

That one is a parasite and a problem so it needs to be removed.

http://allentech.net/parasite/HuntBar.html


----------



## Dark Star (Jun 8, 2001)

O8 - Extra context menu item: &Sample Toolband *Serach* - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM

is relative to this item ...

http://www.codeproject.com/useritems/PopupBlocker2.asp

PopupBlocker it appears that's not working too well. I'd get rid of it just to clean out some dead weight but then again that's just my opinion. See what some of the more knowledgeable members suggest you do with that item.

edit: Ha! what a trip I just noticed the word *Serach* (I made it bold) ... I guess spelling wasn't one of the classes they Aced ... *Search* ... 
I need to get me some shuteye, however I'm sure that either Steve or someone else in here who knows these things much better than I do will come along soon to continue.

Cheers...

DS


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked" *all* the following entries. Close all browser windows before fixing.

O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\System32\ZEROPO~1.DLL
O3 - Toolbar: (no name) - {0011135B-5363-4999-A66A-BC3C31F01B39} - (no file)
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\System32\ZEROPO~1.DLL/MENUSEARCH.HTM
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O15 - Trusted Zone: http://free.aol.com
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

*Restart* your computer.

Navigate to and delete:

WinStart001.exe
uptodate.exe
rundll16.exe

Don't know what this is.
O4 - Global Startup: *EPEL.EXE*
Find it, rightclick > Properties > Version. What does it say?


----------



## Dark Star (Jun 8, 2001)

Ok just one more ...

O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)

is not a good thing either ...

http://www.doxdesk.com/parasite/HuntBar.html

have you downloaded HijackThis and run it yet?

I'm really tired and I can't recall what you have or have not done yet if you haven't then you really need to do that because there's just a group of baddies and spyware and junk in your system.

I really think that Steve or someone else in here must have suggested that you download and run HijackThis by now right?

goodnite...

DS


----------



## jm100dm (May 26, 1999)

> _Originally posted by Dark Star:_
> *Ok just one more ...*
>
> *have you downloaded HijackThis and run it yet?*
> ...


Post 107 is a log from hijackthis. So yes she has I must add.

Welcome back Wendy. It's good to hear from you.


----------



## wendyth (Jan 22, 2003)

Hi,

Yes I have HijackThis. I have another problem. I did everything Top Banana told me to do except "shut down" all the programs.
Something is wrong because windows takes forever to come up and it tells me some of the components are missing. Now what do I do?

Here is the latest startup list.

Logfile of HijackThis v1.91.2
Scan saved at 3:29:27 PM, on 6/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\Wendy Thornton\app.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: EPEL.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27c8e54eede331d42605/netzip/RdxIE6.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

Thanks,

Wendy


----------



## wendyth (Jan 22, 2003)

Hi guys,

Does anyone see anything in this start up list? 

Can this guy get on my computer and delete programs from his? Is that possible?

Wendy


----------



## Steppinstone (Aug 18, 2002)

Wendy I had Tony Klein look at this about a week ago and he said the log was clean. I am not sure on your other question though. Hang in there.

take care 
Chari


----------



## wendyth (Jan 22, 2003)

Logfile of HijackThis v1.91.2
Scan saved at 2:48:18 AM, on 6/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Advanced Privacy Protector] C:\Documents and Settings\Wendy Thornton\app.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17f9fce115089abe6c04/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37563.9153703704
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

Is it possible for someone to get on my computer and take off a "program" from their computer? Or do they have to be right at my computer to do so?

Thanks 
Wendy


----------



## NiteHawk (Mar 9, 2003)

I would get rid of these two:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17f9fce115089a...ip/RdxIE601.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

msielink.dll is part of the huntbar parasite.


----------
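As an added example (not part of any post in this thread, and not NiteHawk's own method): a small parser for HijackThis lines like the ones above that lists entries worth a manual look. The two rules it applies, an O16 CAB source that is a bare IP address and any O18 protocol handler, are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17f9fce115089abe6c04/netzip/RdxIE601.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# DPF entries: CLSID, display name in parentheses, then the CAB source (may be empty).
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - ?(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse(log):
    """Yield (section, body) for every 'Onn - ...' line in a HijackThis log."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def review_candidates(log):
    """Return (section, name, reason) for entries to check by hand.

    Assumed rules, for illustration only: O16 controls whose CAB was
    fetched from a bare IPv4 address, and every O18 protocol handler.
    """
    out = []
    for section, body in parse(log):
        if section == "O16":
            m = DPF_RE.match(body)
            host = (urlparse(m.group(3)).hostname or "") if m else ""
            if IPV4_RE.match(host):
                out.append((section, m.group(2), "CAB fetched from bare IP " + host))
        elif section == "O18":
            dll = body.rsplit(" - ", 1)[-1]
            out.append((section, body.split(" - ")[0], "protocol handler DLL: " + dll))
    return out


if __name__ == "__main__":
    for section, name, reason in review_candidates(SAMPLE_LOG):
        print(section, "|", name, "|", reason)
```

On the sample it reports the RdxIE Class control and the relatedlinks protocol handler; the output is a list for a person to review, not a verdict on either entry.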



## Steppinstone (Aug 18, 2002)

Hi Wendy, sure hope everything is going ok for you! If you should happen to pop in here please let us know how you are doing!
Take care
Chari


----------



## Steppinstone (Aug 18, 2002)

A Bump for Wendy


----------



## PuterPerson (Jul 16, 2003)

Man, I have been reading this just now and I am in shock. And worse yet, no more posts from Wendy, at least at this thread.

Wendy, I hope you are ok and that you got rid of this person who is trying to mess with your mind.

Please tell whoever opens the door to NEVER ever let him in again. You don't know what he will do next.

Also, I know a lot of time has passed, but don't contact his parents. (I have done that before about my ex due to some money issues and they ended up taking his side, despite the fact that they never had much good to say about him 'til then.)

I sure hope you are ok. I will try and see if I can find you in another thread.

Hang in there. Everyone here is so nice and helpful. You are not alone.

Take care,
Sus


----------



## jm100dm (May 26, 1999)

Sus
This is the only thread Wendy has ever written in. You can research anyone's posts by clicking on the number of posts under their name. I also believe that a few of the women here did communicate with her through e-mails but I don't believe she has been here for quite a while.
Jeff


----------



## Steppinstone (Aug 18, 2002)

Sure hope that all is well with you Wendy! Please let us know how you are doing!

Chari


----------



## Dexter_Spike (Mar 7, 2003)

Praying that all is ok with you and yours, Wendy...

Sincerely...


----------

