# [SOLVED] Porn Pop Up Removal Help Needed!



## jaymeboz (May 23, 2003)

Yes, I also am yet another victim of the infamous pron pop up problem. I have been trying to fix it for 2 weeks & just discovered your wonderful site! YEA! 
I just downloaded Hijack This , scared to check anything on the list without asking you guys first- so here's the list:
Logfile of HijackThis v1.94.0
Scan saved at 10:54:33 PM, on 5/22/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.findwhatevernow.com/searchband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.xxxtoolbar.com/ist/scripts/searchpages_manager.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://approvedlinks.com/hp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Cox High Speed Internet
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINDOWS\SYSTEM\SBSRCH_V22.DLL
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IEBHOS.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE
O4 - HKLM\..\Run: [IST Service] C:\WINDOWS\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
O4 - HKCU\..\Run: [SysReg] C:\WINDOWS\SYSTEM\SysReg
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Show Desktop.scf
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.2606365741
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://www.adsrvr.com/auth/IE_InstllC.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4262/mcfscan.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/292/nCaseInstaller.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


----------



## Top Banana (Nov 11, 2002)

Close IE. Scan with HT, tick and "Fix" *all* the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.findwhatevernow.com/searchband/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.xxxtoolbar.com/ist/scripts/searchpages_manager.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://approvedlinks.com/hp.htm
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {1D870C86-AA3C-4451-81E4-71D480A1A652} - C:\WINDOWS\SYSTEM\SBSRCH_V22.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE
O4 - HKLM\..\Run: [IST Service] C:\WINDOWS\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O16 - DPF: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} - http://www.adsrvr.com/auth/IE_InstllC.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

*Reboot* and remove/delete:

Program Files\ISTBAR
TVMD.exe
istsvc.exe
Program Files\rb32


----------



## jaymeboz (May 23, 2003)

THANK YOU! If I could hug your neck I would!!

I was able to do everything except rid myself of the ISTbar
which was lurking in my windows folder as you mentioned istsvr.exe. I tried removing it with HT & Spybot, and through my msconfig/startmenu nothing worked! I ran a search & saw someone had removed it by starting in safe mode & renaming the file-then deleting. VOILA! Gone as gone could be.
Ahhhhhhhh yes I am now one very happy girl. Thanks again!
Have a great Memorial Day Weekend!


----------



## jaymeboz (May 23, 2003)

oops, make that istsvc.exe
as you mentioned NOT istsvr.exe as my typo stated!


----------



## Top Banana (Nov 11, 2002)

That is good news. Glad you got it sorted. You have a good one too.


----------



## andrinia (Jun 24, 2003)

HI!
I am also infectes with these porn pop-ups..could you please tell me where i can download Hijack This??
Or can I do without it?

Really tired of porn ))

Looking forward to a reply!


----------



## TonyKlein (Aug 26, 2001)

You can get it here: http://www.tomcoyote.org/hjt/ ,

Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## andrinia (Jun 24, 2003)

Hey!! Thanks so much for helping me out.
So here is the log file. Please write back to tell what I should get rid of 

Logfile of HijackThis v1.95.0
Scan saved at 10:11:02 AM, on 6/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\uptodate.exe
C:\WINNT\rundll16.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\winupie.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\winhlp32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kryska\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.xxxtoolbar.com/ist/scripts/searchpages_manager.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=about:blank
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Program Files\CommonName\Toolbar\CNBabe.dll (file missing)
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\mpz300.dll
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINNT\System32\msiefr40.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINNT\System32\veg32.dll.dll
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINNT\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [IST Service] C:\WINNT\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [winpopup] C:\WINNT\winupie.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [QNote] C:\Program Files\QNote\QNote.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Bookshelf - c:\Bookshelf.TR\TRBookshelf_.dll.button.js
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: TR Bookshelf (HKLM)
O9 - Extra 'Tools' menuitem: TR Bookshelf (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v2.0/0006.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...wPoint/MobilePhone_GSM_SGH_A800_ViewPoint.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
O16 - DPF: {9E472D58-F10C-11CF-B7A9-0020AFD6A362} (NeRemoteDoc Class) - https://vault.netvoyage.com/neWeb2/neWebCl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37746.1303356482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.home--page.com/u/Config.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


----------



## TonyKlein (Aug 26, 2001)

Thanks. 

You have the latest version of RapidBlaster. Read this advisory: http://www.wilderssecurity.net/specialinfo/rapidblaster.html

Before doing anything else, you NEED to run Javacool's RapidBlaster killer : http://www.wilderssecurity.net/downloads/rbkiller.exe
It's at present the only application that will effectively remove this pest!

Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, kill the process, delete the Registry Run entry, _and_ remove the file itself.

To double-check, open the "scanlog.txt" file that was created when you scanned with RapidBlaster Killer - it will be located in the same folder as the rbkiller.exe executable that you downloaded. (The file will contain the full path to any RapidBlaster processes that were terminated.)

Now, in Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.xxxtoolbar.com/ist/scripts/searchpages_manager.php

O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Program Files\CommonName\Toolbar\CNBabe.dll (file missing)
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\FOne.dll
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\mpz300.dll
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINNT\System32\msiefr40.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINNT\System32\veg32.dll.dll
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT\rundll16.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINNT\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [IST Service] C:\WINNT\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [winpopup] C:\WINNT\winupie.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O15 - Trusted Zone: http://free.aol.com

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v2.0/0006.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - 
O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.home--page.com/u/Config.cab*

After rebooting, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Also, you have an unknown file, that's possibly viral in nature.
Would you mind terribly sending me a copy of C:\WINNT\winupie.exe for analysis, please? 
If it turns out to be bad news, the folks at Lavasoft, SpyBot, and others in the security field would welcome the opportunity of having a look at it

Just click this to send me the email.

TIA! 

Cheers,


----------



## IMM (Feb 1, 2002)

There's a fair amount of spyware there - but before that - can you email me. I'll reply and what I'd like you to do is zip and email me (as a reply to the one I send) a copy of C:\WINNT\winupie.exe

I think it might be viral. (I've only seen it once before and didn't get a copy)

---- edit -------
Great minds think alike  Send it to Tony (and I hope he'll send it to me)


----------



## andrinia (Jun 24, 2003)

woow..seems like my poor computer is full of..spyware 
I'll follow your instructoins and try not to miss anything..

Thanks a lot!


----------



## TonyKlein (Aug 26, 2001)

You're welcome. Please don't forget to send me that file!
It's important to determine what exactly it is.

I'd really appreciate it.


----------



## andrinia (Jun 24, 2003)

Guys, I sent the winupie thing to Tony. Hope he sends it to IMM as well, so that you don't fight over it Please keep me posted on what it is! confused: 
Best of luck!


----------



## andrinia (Jun 24, 2003)

Ok..so I will be gone for a while to do the cleanup 
Hope to get back!


----------



## TonyKlein (Aug 26, 2001)

Thanks for the file. 

Most probably no virus, but adware from www.tradeexit.com. The site is down, though.

Feel free to nuke that file!

Cheers,


----------



## andrinia (Jun 24, 2003)

Thanks, I sure will!
But there's a weird thing: RapidBlaster Killer found no RB processes...hmmm...should I continue with Hijack This??
Guide me


----------



## andrinia (Jun 24, 2003)

access to winupie denied..guess it's doing its job, that's why. I will get rid of it safe mode only, right?


----------



## TonyKlein (Aug 26, 2001)

You shouldn't need to.

If you have Hijack This fix its startup entry, the way I advised you to, you should be able to dekete it AFTER restarting your computer.

Did you do that?

Otherwise Safe Mode will be fine.


----------



## andrinia (Jun 24, 2003)

Yes! Winupie gone!

You guys are smart !! 

Downloading spybot now. I am on dial-up so it shall take a while...


----------



## TonyKlein (Aug 26, 2001)

No prob. We'll be here!


----------



## andrinia (Jun 24, 2003)

Hey,
so I did everything you told and seems like it worked!  Thanks a lot!! You're doing a great job here!!


----------



## TonyKlein (Aug 26, 2001)

You're welcome.

Glad we were able to help!


----------



## eke21 (Jun 27, 2003)

Please Help Me! This is my log!

Logfile of HijackThis v1.95.0
Scan saved at 2:58:03 AM, on 6/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SLAVE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\VIRTUAL CD V4\SYSTEM\VCDPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIRTUAL CD V4\SYSTEM\VCDTRAY.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PCCILLIN\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [VCDPlayer] C:\PROGRA~1\VIRTUA~1\SYSTEM\VCDPLAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [RA Server] C:\WINDOWS\Slave.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll


----------



## RFKFREAK (Jun 27, 2003)

I've done the same and this is my hijacked log. If anyone can help I'd appreciate it!

Logfile of HijackThis v1.95.0
Scan saved at 12:47:15 PM, on 6/27/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPNRA.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
C:\WINDOWS\TVMD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PROGRAM FILES\TIGER TECHNOLOGIES\DESKFLAG\DESKFLAG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\TIVOLI\LCF\BIN\WIN95\MRT\LCFD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\APPS\NOTES\DONOTES.EXE
C:\APPS\NOTES\NLNOTES.EXE
C:\APPS\NOTES\NHLDAEMN.EXE
C:\APPS\NOTES\NWEB.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\TEMP\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://vipguestlist.ync.net/cgi-bin/ultimatebb.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.jonesday.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Jones Day
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://lw12fd.law12.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=c5495f87b9e3fbbbf6791bfc8d80f9da"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\PROGRAM FILES\LEXIS-NEXIS\CHECKCITE\LLIEOBJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\SYSTEM\HPNRA.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [XWP7Pol] c:\windows\regedit.exe /s c:\windows\system\Wp7pol.reg
O4 - HKLM\..\Run: [1JDCopy] C:\Windows\System\JDCopy.Exe "C:\Windows\System\JDInit32.Lnk" "C:\Windows\All Users\Start Menu\Programs\StartUp\JDInit32.Lnk"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Global Startup: JDInit32.Lnk = C:\WINDOWS\SYSTEM\JDINIT32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.jonesday.com/
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: Yahoo! Pool 2 - http://download.yahoo.com/games/clients/y/por7_x.cab
O16 - DPF: {C58009C0-5321-11D4-99E0-204C4F4F5020} (PhotoUploader Control (www.fotki.com)) - http://images.fotki.com/activex/PhotoUploader(www.fotki.com).cab
O16 - DPF: {9A013A76-AD34-11D0-8D9B-00A0C9080C73} (ActiveLedIt! Control) - https://www4.lsac.org/RTFControl/ActiveLedIt_3.0b8.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = global.jdrp.com,ny.jdrp.com,jdrp.com


----------



## TonyKlein (Aug 26, 2001)

Eke21, you have this trojan:

http://www.avp.ch/avpve/trojan/backdoor/ra.stm

Have Hijack This fix the following:

*O4 - HKLM\..\RunServices: [RA Server] C:\WINDOWS\Slave.exe*

Next, restart your computer, and delete the C:\WINDOWS\Slave.exe file itself.

RFKFREAK,

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

*O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O15 - Trusted Zone: http://free.aol.com*

Now restart your computer.

However, there are a few mystery items there.

Can you give us any additional information on the following three startup items:

*O4 - HKLM\..\Run: [XWP7Pol] c:\windows\regedit.exe /s c:\windows\system\Wp7pol.reg
O4 - HKLM\..\Run: [1JDCopy] C:\Windows\System\JDCopy.Exe "C:\Windows\System\JDInit32.Lnk" "C:\Windows\All Users\Start 
O4 - Global Startup: JDInit32.Lnk = C:\WINDOWS\SYSTEM\JDINIT32.EXE*

And would you please open the c:\windows\system\Wp7pol.reg in Notepad, and do a copy-and-paste of its contents?


----------



## eke21 (Jun 27, 2003)

thank you very much! i didnt notice that trojan huh! keep it up sir!


----------



## RFKFREAK (Jun 27, 2003)

Wp7pol.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\PerfectOffice\WordPerfect\7\Location of Files]

[HKEY_CURRENT_USER\Software\PerfectOffice\WordPerfect\7\Location of Files\US]
"Label Folder"=hex(80000006):63,3a,5c,43,6f,72,65,6c,5c,4f,66,66,69,63,65,37,\
5c,57,50,57,69,6e,37,5c,53,79,73,74,65,6d,5c,00
"Label File"=hex(80000006):63,3a,5c,43,6f,72,65,6c,5c,4f,66,66,69,63,65,37,5c,\
57,50,57,69,6e,37,5c,53,79,73,74,65,6d,5c,57,50,5f,57,50,5f,55,53,2e,4c,41,\
42,00
"Macro Folder"=hex(80000006):63,3a,5c,43,6f,72,65,6c,5c,4f,66,66,69,63,65,37,\
5c,4d,61,63,72,6f,73,5c,57,50,57,69,6e,00
"Printer Folder"=hex(80000006):63,3a,5c,43,6f,72,65,6c,5c,4f,66,66,69,63,65,37,\
5c,57,50,57,69,6e,37,5c,53,79,73,74,65,6d,00
"Template Folder"=hex(80000006):63,3a,5c,43,6f,72,65,6c,5c,4f,66,66,69,63,65,\
37,5c,54,65,6d,70,6c,61,74,65,00
"Template File"=hex(80000006):43,3a,5c,43,6f,72,65,6c,5c,4f,66,66,69,63,65,37,\
5c,54,65,6d,70,6c,61,74,65,5c,4a,44,37,2e,77,70,74,00
"Backup Folder"=hex(80000006):63,3a,5c,4d,79,46,69,6c,65,73,5c,42,61,63,6b,75,\
70,00
"Fancy Borders Folder"=hex(80000006):63,3a,5c,43,6f,72,65,6c,5c,4f,66,66,69,63,\
65,37,5c,47,72,61,70,68,69,63,73,5c,42,6f,72,64,65,72,73,00
"Default save file format"=hex(80000006):57,6f,72,64,50,65,72,66,65,63,74,20,\
36,2e,30,2f,36,2e,31,00
"Default save file format index"=hex(8000000b):01,00
"Update Quick List with Changes"=hex(80000009):00,00,00,00
"Use Default Document Extension"=hex(80000009):01,00,00,00
"Use Explorer style file dialogs"=hex(80000009):01,00,00,00
"Default Document Extension"=hex(80000006):77,70,64,00
"Update Default Template From Additional"=hex(80000009):00,00,00,00
"Labels to Display"=hex(8000000b):00,00
"Use Default Form File Extension"=hex(80000009):01,00,00,00
"Default Merge Form File Extension"=hex(80000006):66,72,6d,00
"Use Default Data File Extension"=hex(80000009):01,00,00,00
"Default Merge Data File Extension"=hex(80000006):64,61,74,00

[HKEY_CURRENT_USER\Software\PerfectOffice\WordPerfect\7\Environment]
"Password Protect Enabled"=hex(80000001):00,00,00,00
"Activate Hypertext"=hex(80000009):00,00,00,00
"Save Workspace"=hex(8000000b):01,00

[HKEY_CURRENT_USER\Software\PerfectOffice\WordPerfect\7\Undo/Redo]
"Save Undo/Redo Levels to Document"=hex(80000009):00,00,00,00
"Number of Undo/Redo Levels"=hex(80000001):0a,00


----------



## RFKFREAK (Jun 27, 2003)

> _Originally posted by TonyKlein:_
> *RFKFREAK,
> 
> In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
> ...


Umm, JD probably stands for JonesDay...the company I work for (it's an office computer). I posted the Wp7pol.reg and I have no clue what that is except that apparently it works with WordPerfect which is installed on this computer.

Can you give me some more information about what TVMD is? I know it works with Memorymeter which apparently is linked to http://www.totalvelocity.com/. I'd like to get that off my hard drive as well but I can't find a way to remove it in the add/remove in the control panel nor an uninstall. It installed itself because I certainly didn't install it.

Thanks!


----------



## TonyKlein (Aug 26, 2001)

TVMD/Memorymeter is adware which comes with P2P applications like Grokster.
It may also get "stealth installed" by ActiveX at certain web sites, should your security settings be less than tight.


----------



## RFKFREAK (Jun 27, 2003)

Ok, I removed those items that you instructed me to...should I be good to go?


----------



## TonyKlein (Aug 26, 2001)

Yes, you should


----------



## helpdeskguy (Jul 7, 2003)

I think i've killed this thing but i still have teh xxxtoolbar in my add/remove programs. How do i get rid of that? I will paste my HJT LOG:

Logfile of HijackThis v1.95.0
Scan saved at 10:13:44 AM, on 7/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\TVTMD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\njawhar1\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=50108
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.fatwallet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=50108
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.fatwallet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {690E2002-325F-4CFE-8CF2-580FC2DCFF44} (AffinityGui.Application) - http://webent.uhhs.com/affinity/AffinityGUI32.CAB
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37656.4013310185
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - http://kronosprod/wfc/plugins/j2re-1_3_1_02-win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://uhprod01.uhhs.com:8045/jinitiator/oajinit.exe
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0014.cab

Please help!


----------



## TonyKlein (Aug 26, 2001)

How to Manually Remove Programs from the Add/Remove Programs List


----------



## that's great (Jul 11, 2003)

Hi, sorry to be repetitive, but I'm not sure how I got this XXX Toolbar/IST whatnot on my computer, but it's there, and I am new to Hijack This and other such programs. I got rid of the IST thing through Add/Remove Programs, but the toolbar remains, so I would like to know if just manually deleting it (a la your previous post) will do the trick, or if there's something else I'd need to do.

Thanks a lot, I appreciate the help.


----------



## Flrman1 (Jul 26, 2002)

that's great

Go here: http://www.tomcoyote.org/hjt/ , and download HijackThis.

Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, copy and paste the log here.
Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## rakswp (Jul 12, 2003)

sorry..please delete this post


----------



## billoyd (Jul 12, 2003)

I've been getting these crummy porn pop-ups as well and have tried everything (except this). I also have trouble with running McAfee Guardian but that's a different subject.
Anyway, please let me know what to fix in my hijack log.

Logfile of HijackThis v1.95.0
Scan saved at 11:35:33 AM, on 7/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\lxamsp32.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\System32\wsys.exe
C:\WINDOWS\System32\Pelmiced.exe
C:\program files\gsoft\dialers\hotvideo_no\hotvideo_no.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\WINDOWS\DownloadWizard\DownloadWizard.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ONLINE~2\ADSL\ADSL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [windll] "C:\WINDOWS\System32\wsys.exe"
O4 - HKLM\..\Run: [HotVideo_no] c:\program files\gsoft\dialers\hotvideo_no\hotvideo_no.exe /noconnect
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: eBot.lnk = C:\WINDOWS\DownloadWizard\DownloadWizard.exe
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Win32 Classes - 
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://www.cabeagent.com/netagent/objects/custappx2.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned31b.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.4.17/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## $teve (Oct 9, 2001)

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
next....... close all browser Windows, and have HT fix all checked.

You MUST to restart your computer when you're done.

O4 - HKLM\..\Run: [HotVideo_no] c:\program files\gsoft\dialers\hotvideo_no\hotvideo_no.exe /noconnect
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars...rxsigned31b.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...uginstaller.cab

after re-booting find and delete the following:
c:\Program Files\topMoxie(entire folder)
c:\program files\gsoft(entire folder)


----------



## PaulVM (Jul 12, 2003)

Hi there,

I was hoping you could help me too, here's what I got from hijack:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\winupie.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTbU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.sharereactor.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Vinylmixer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [winpopup] C:\WINDOWS\winupie.exe
O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Startup: AHQTbU.lnk = C:\Program Files\Creative\SBLive\AudioHQ\AHQTbU.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37676.8537384259
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.tradeexit.com/Config.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Thanks!


----------



## billoyd (Jul 12, 2003)

Thanks, Steve. I followed your directions and was able to find and locate the gsoft folder and delete it but I never located the topMoxie folder...


----------



## $teve (Oct 9, 2001)

no problem bill if you cant find the folder,its gone

paul.......welcome to T.S.G

this is the only baddie i can see.
O4 - HKCU\..\Run: [winpopup] C:\WINDOWS\winupie.exe

these entries are usually un-necessary startups..decide whether or not you need them using up cpu cycles or not.
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
the programs will still work fine but dont need to be awake all the time while you not using them.
also see:http://www.pacs-portal.co.uk/startup_pages/startup_full.htm


----------



## PaulVM (Jul 12, 2003)

Thanks for the welcome 

Also for the help, i'm gonna be keeping this forum bookmarked for sure, very nice!


----------



## $teve (Oct 9, 2001)

glad to have helped


----------



## SpyderOnWeb (Jul 16, 2003)

Hi! ...kud anybody help me with the same thing here...here's what HijackThis dumped after scanning my machine... i caught a trojan WDC.exe running in here... i reanamed and relocated the exes for the time being but kud anybody tell me how to uninstall this properly ....i mean all registry entries...can hijakThis do it? also can ya temme which of these processes is responsible for popup ads... i 've this strange prob...a site Search4all.com opens up every time i goto any other site....

hijackThis Log file------------

Logfile of HijackThis v1.95.0
Scan saved at 11:08:36, on 07/16/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\COMMON~1\DATADY~1\ACTIVE~1\WEBCAC~1.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
D:\Program Files\Winamp\Winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\winupie.exe
C:\Program Files\Navnt\navapw32.exe
D:\MSSQL7\Binn\sqlmangr.exe
D:\Program Files\Tray Menu\TrayMenu.exe
C:\Program Files\WinMessenger\WinMesgr.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\neeraj\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=192.168.1.191
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINNT\IEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "d:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [wdc] C:\windows\wdc\wdc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [winpopup] C:\WINNT\winupie.exe
O4 - Startup: Shortcut to TrayMenu.lnk = D:\Program Files\Tray Menu\TrayMenu.exe
O4 - Startup: Shortcut to WinMesgr.lnk = C:\Program Files\WinMessenger\WinMesgr.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Service Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.lyricsdomain.com/download.mp3.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.rediff.com/hindi/wfplayer/tdserver.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} (DFRun Class) - http://webpdp.gator.com/v3/download/iegator_4090_hd3ptdmgainads.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.terra.es/personal5/bomb-mp3/mp3plugin.exe
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} (Installer Class) - http://www.exchangeexit.com/Config.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0010.cab


----------



## crocoduck (Jul 16, 2003)

hallo there,

same problem here. can't get rid of this porn pop ups. here's my hijack this log. can anybody help me please?

matteo

Logfile of HijackThis v1.95.0
Scan saved at 14.01.29, on 16/07/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Programmi\Apoint\Apoint.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programmi\Sony\HotKey Utility\HKserv.exe
C:\Programmi\Apoint\Apntex.exe
C:\Programmi\Winamp\Winampa.exe
C:\Programmi\Sony\HotKey Utility\HKWnd.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programmi\File comuni\CMEII\CMESys.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\msbb.exe
C:\Program Files\ComSoft\Dialers\EasyDates_it\EasyDates_it.exe
C:\Programmi\File comuni\GMT\GMT.exe
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\m\Documenti\warez\Il Ragazzini 2003\Zan.exe
C:\Programmi\Copystar\Fantom CD\fcdm.exe
C:\Programmi\D-Tools\daemon.exe
G:\uhitalr.exe
C:\Programmi\Dizionario Devoto-Oli\DEVOTOOLI.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\Programmi\BNL Multiservizi\multiCERTIFY® Client\MlsProxy.exe
C:\Programmi\Random House, Inc\Random House Webster's Unabridged Dictionary\RHUD30.EXE
C:\Programmi\Lavasoft Ad-Aware\Ad-aware.exe
C:\Programmi\Opera7\opera.exe
C:\PROGRA~1\PESTPA~1\PPCONT~1.EXE
C:\Programmi\PestPatrol\PestPatrol.exe
C:\Documents and Settings\m\Documenti\warez\Convert.exe
C:\DOCUME~1\m\IMPOST~1\Temp\Rar$EX00.551\HijackThis.exe
C:\Programmi\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=https=127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.google.it/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Programmi\ISTbar\istbar.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programmi\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADG] C:\WINDOWS\ADG.exe
O4 - HKLM\..\Run: [EasyDates_it] C:\Program Files\ComSoft\Dialers\EasyDates_it\EasyDates_it.exe /dontdial 
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmi\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programmi\PestPatrol\PPMemCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Programmi\File comuni\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://chat1.kataweb.it:4080/chat/data/html/misc/msichat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://216.65.38.226/downloader.cab


----------



## Svelix (Jul 16, 2003)

Hi everybody,

i have also a problem with XXX Popups.

This is my HT-log:
Logfile of HijackThis v1.95.0
Scan saved at 20:25:49, on 16.07.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~2\FRONTI~1\FTCNTSRV.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\AEIWLSTA.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\TPPALDR.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\TV Movie\TV Movie Clickfinder\tvtip.EXE
C:\Programme\ICQ\ICQ.exe
C:\WINDOWS\msbb.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Programme\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\neo\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=131567
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.slotch.com/?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=131567
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.google.de/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programme\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TVTip] C:\Programme\TV Movie\TV Movie Clickfinder\tvtip.EXE /m
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\Run: [GNUBIPWEK] C:\WINDOWS\GNUBIPWEK.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - https://www-3.ibm.com/pc/support/access/sdccommon/download/tgctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - https://www-3.ibm.com/pc/support/access/sdccommon/download/tgctlsi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Can anybody tell me what causes them?


----------



## Flrman1 (Jul 26, 2002)

SpyderOnWeb

I can't find anything about a wdc.exe trojan anywhere. Where did you get the info that it was a trojan ? I would certainly be interested in seeing that info. Anyway this is ,as you can see, the only thing in the HT log that refers to that.

O4 - HKLM\..\Run: [wdc] C:\windows\wdc\wdc.exe

If you are sure it is a trojan let HT fix it. If you have a link that gives info on it please post it here.

OK these I know need to go. Run Hijack This again and close all windows except HT and put a check by and "Fix Checked" the following;

O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINNT\IEHelper.dll

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINNT\IEHelper.dll

O4 - HKCU\..\Run: [winpopup] C:\WINNT\winupie.exe

O15 - Trusted Zone: http://free.aol.com

O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} (DFRun Class) - http://webpdp.gator.com/v3/download...ptdmgainads.cab

O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.terra.es/personal5/bomb-mp3/mp3plugin.exe

O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab

Reboot your computer when done and delete the C:\WINNT\winupie.exe file.


----------



## Flrman1 (Jul 26, 2002)

crocoduck

Run Hijack This again and close all windows except HT and put a check by and "Fix Checked" the following;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=131567

O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Programmi\ISTbar\istbar.dll

O4 - HKLM\..\Run: [EasyDates_it] C:\Program Files\ComSoft\Dialers\EasyDates_it\EasyDates_it.exe /dontdial

O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://216.65.38.226/downloader.cab

Reboot your computer and delete the C:\WINDOWS\msbb.exe
file.


----------



## Flrman1 (Jul 26, 2002)

Svelix

Run Hijack This again and close all windows except HT and put a check by and "Fix Checked" the following;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=131567

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.slotch.com/?&account_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=131567

O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-
55A7E017E69D} - C:\WINDOWS\newones.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe

Reboot your computer and delete the C:\WINDOWS\msbb.exe
file.


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by Svelix:_
> *
> 
> Can anybody tell me what causes them? *


Look here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent it. On this page you will find links to Spybot and SpywareBlaster. I recommend that you get both of them. These two will go a long way towards preventing future attacks. Always use the "Online" feature in Spybot and search for and install all updates before scanning and take advantage of the "Immunize" feature in Spybot. Search for updates in SpywareBlaster frequently as well.


----------



## LazyNinja (Jul 17, 2003)

Hello! I just registered today, because it looks like I am suffering from the same hijacking/popup problems  . If you don't mind, I would really appreciate a bit of assistance with this frustrating situation.

Here is my Hijack This scan log:

Logfile of HijackThis v1.95.1
Scan saved at 9:08:02 PM, on 7/16/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\EVENTMGR.EXE
C:\WINDOWS\CDI.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\HOOKTOOL.EXE
C:\IMAGEMATE COMPACTFLASH USB\SANDICON.EXE
C:\PROGRAM FILES\WIN32_I\WIN32_I.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\TVTMD.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
D:\ALLEN\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findwhatevernow.com/portal/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.white-pages.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.white-pages.ws/results.php?show=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.superaction.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.superaction.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\lj9di9du.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\lj9di9du.slt\prefs.js)
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\HOST.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Eventmgr.exe] C:\WINDOWS\SYSTEM\Eventmgr.exe
O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
O4 - HKLM\..\Run: [Launcher] relaunch.exe
O4 - HKLM\..\Run: [TBTray] tbtray.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [win32_i lptt01] "C:\Program Files\win32_I\win32_i.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\PROGRAM FILES\MEMORY METER\MEMORYMETER.EXE
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Trash it Scheduler] C:\PROGRAM FILES\TRASH IT!\Trash it Scheduler.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlsi.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37780.8476273148
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23bcc4f9a3d254418018/netzip/RdxIE601.cab
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://www.thesurveyonline.com/activeinstaller.dll
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8105/turbo.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lvcm.com
O19 - User stylesheet: c:\windows\java\my.css

Thank you.


----------



## crocoduck (Jul 16, 2003)

flrman1,

thank u so much. the hideous popups seem to have disappeared. i haven't found two of the things u told me to fix, but that must be because in the meantime i had run Spybot Search & Destroy, which had deleted a couple of things (the .exe file included, i guess)

once again, thanx

matteo


----------



## Dumbsurfer (Jul 17, 2003)

but I was wondering if you could let me know if there's anything else here that should come out?

Thanks.

Logfile of HijackThis v1.95.1
Scan saved at 3:09:34 AM, on 7/17/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\TVTMD.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freelancesuccess.com/forum
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SCBAR\V1\SCBAR.DLL (file missing)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jgk091il.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: ineb Helper - {753AA023-02D1-447D-8B55-53A91A5ABF18} - C:\WINDOWS\SYSTEM\BMEB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search Bar - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - C:\WINDOWS\SYSTEM\BMEB.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [pccguide.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "c:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] c:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\SYSTEM\winservn.exe
O4 - Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O8 - Extra context menu item: Capture Page - C:\PROGRAM FILES\CLICKGARDEN\capturepage.html
O8 - Extra context menu item: Capture Image - C:\PROGRAM FILES\CLICKGARDEN\captureimage.html
O8 - Extra context menu item: Capture Selection - C:\PROGRAM FILES\CLICKGARDEN\captureselection.html
O8 - Extra context menu item: Encrypt Selected Text - C:\PROGRAM FILES\CLICKGARDEN\encryptselection.html
O8 - Extra context menu item: Decrypt Selected Text - C:\PROGRAM FILES\CLICKGARDEN\decryptselection.html
O8 - Extra context menu item: Search for Selected Text - C:\PROGRAM FILES\CLICKGARDEN\searchforselection.html
O8 - Extra context menu item: Highlight Selection - C:\PROGRAM FILES\CLICKGARDEN\highlightselection.html
O8 - Extra context menu item: Add Text Annotation - C:\PROGRAM FILES\CLICKGARDEN\addtextannotation.html
O8 - Extra context menu item: Add Voice Annotation - C:\PROGRAM FILES\CLICKGARDEN\addvoiceannotation.html
O8 - Extra context menu item: Remove Annotation - C:\PROGRAM FILES\CLICKGARDEN\removetextvoiceannotation.html
O8 - Extra context menu item: Mail... - C:\PROGRAM FILES\CLICKGARDEN\mail.html
O8 - Extra context menu item: Mail Image - C:\PROGRAM FILES\CLICKGARDEN\mailimage.html
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {22E5705C-991A-4646-9053-A9525CA7222A} - http://a18.g.akamai.net/f/18/2868/1h/www.topmoxie.com/external/builds/mypoints/mpmoxie.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2597500b3bfd52cc2f05/netzip/RdxIE2.cab
O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: Yahoo! Chat (Vividence Connector Launcher) - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37694.2695138889
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} - http://www.myfamily.com/plugins/ue/Install_UE.exe


----------



## dvk01 (Dec 14, 2002)

Lazy ninja

first thing I noticed is that you have rapidblaster 
As RapidBlaster tends to mutate if the process isn't terminated first, do download and run RapidBlaster killer by Javacool: http://www.wilderssecurity.net/downloads/rbkiller.exe

then Download Spybot - Search & Destroy from http://security.kolla.de

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds.

That ought to get rid of most of your spyware.

then submit a new hjt log and we can see what is left


----------



## lexmark (Jul 17, 2003)

hi there 
I have been dealing with this porn popup problem and I have been using spybot and hijackThis and I have remowed some files but I need to know if there are som still left there.

Here is the list

Logfile of HijackThis v1.95.0
Scan saved at 12:08:18, on 17.7.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Grímkell\Desktop\vírusar\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.visir.is/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.xnet.is:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.visir.is/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CFLSYFM] C:\WINDOWS\CFLSYFM.exe
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Internet Security\IAMAPP.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {20B0A9E3-6C18-4DB1-9918-8C8F7891024F} (WebThor.ctlTree) - http://www.gk.is/admin/ocx/wtctls.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/6c1f950cb34796/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37627.5689351852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://media.windowsmediasolutions.com/10005/downloader.cab


----------



## Flrman1 (Jul 26, 2002)

Dumbsurfer

Run Hijack This again and close all windows except HT and put a check by and "Fix Checked" all of the following;

R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SCBAR\V1\SCBAR.DLL (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: ineb Helper - {753AA023-02D1-447D-8B55-53A91A5ABF18} - C:\WINDOWS\SYSTEM\BMEB.DLL

O3 - Toolbar: Search Bar - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - C:\WINDOWS\SYSTEM\BMEB.DLL

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2597500b3bfd52...tzip/RdxIE2.cab

Restart your computer and delete the
C:\WINDOWS\TVTMD.EXE file

Look here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how this happens and how to prevent it. On this page you will find links to Spybot and SpywareBlaster. I recommend that you get both of them. These two will go a long way towards preventing future attacks. Always use the "Online" feature in Spybot and search for and install all updates before scanning and take advantage of the "Immunize" feature in Spybot. Search for updates in SpywareBlaster frequently as well.


----------



## Flrman1 (Jul 26, 2002)

crocoduck

You're welcome! Glad to help.:up:


----------



## Flrman1 (Jul 26, 2002)

lexmark

This is the only one I see left in yours.

O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)


----------



## LazyNinja (Jul 17, 2003)

dvk01,

Thanks, I downloaded and ran the programs you suggested.

Here is the new HjT log:

Logfile of HijackThis v1.95.1
Scan saved at 8:19:15 AM, on 7/17/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\EVENTMGR.EXE
C:\WINDOWS\CDI.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\IMAGEMATE COMPACTFLASH USB\SANDICON.EXE
C:\WINDOWS\HOOKTOOL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\ALLEN\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superaction.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.white-pages.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.white-pages.ws/results.php?show=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.superaction.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.superaction.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\lj9di9du.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\lj9di9du.slt\prefs.js)
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Eventmgr.exe] C:\WINDOWS\SYSTEM\Eventmgr.exe
O4 - HKLM\..\Run: [CDInterceptor] cdi.exe
O4 - HKLM\..\Run: [Launcher] relaunch.exe
O4 - HKLM\..\Run: [TBTray] tbtray.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [win32_i lptt01] "C:\Program Files\win32_I\win32_i.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Trash it Scheduler] C:\PROGRAM FILES\TRASH IT!\Trash it Scheduler.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlsi.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37780.8476273148
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23bcc4f9a3d254418018/netzip/RdxIE601.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8105/turbo.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lvcm.com
O19 - User stylesheet: c:\windows\java\my.css


----------



## meccie (Jul 17, 2003)

Hi, can someone help me, please?
I downloaded HiJackThis because of porn pop-ups, and I'm wondering what to delete from here. Here's my list:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\ARQUIV~1\NORTON~1\navapw32.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\System32\rundll32.exe
C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\msbb.exe
C:\Arquivos de programas\ISTsvc\istsvc.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Sony Handheld\USBSwt.exe
C:\Arquivos de programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Nhksrv.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Fernie\Configurações locais\Temp\Diretório temporário 1 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/intl/la/brazil/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/intl/la/brazil/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://Y32075.sbvr.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.veloxzone.com.br/templates/default/user.html
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Arquivos de programas\CommonName\Toolbar\CNBabe.dll (file missing)
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\ipinsigt.dll
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSView.DLL
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\mpz300.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\System32\veg32.dll
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARQUIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [RealTray] C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\Run: [KOUBLRYC] C:\WINDOWS\KOUBLRYC.exe
O4 - HKLM\..\Run: [IST Service] C:\Arquivos de programas\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [Eyeball Chat] "C:\Arquivos de programas\Eyeball\Eyeball Chat\EyeballChat.exe" -min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Arquivos de programas\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: SonyPDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O4 - Startup: Velox.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARQUIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: PICgrabber -> Download Files from Page - C:\Arquivos de programas\PICgrabber\PICGRABBER.EXE
O9 - Extra button: Browser Pal Toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: PICgrabber (HKCU)
O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.lyricsdomain.com/download.mp3.exe
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members18.clubphoto.com/_img/uploader/atl_uploader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (C:\ARQUIV~1\eZula\mmod.exe) - http://ftp.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/afford/afford/rnt/rnl/java/RntX.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB9F5D7F-910A-4099-97BD-42415FF3F1FB}: NameServer = 200.149.55.140 200.202.193.71

Thank you very much!


----------



## Flrman1 (Jul 26, 2002)

LazyNinja

Run Hijack This again and close all windows except HT and put a check by and "Fix Checked" the following;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superaction.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.white-pages.ws/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.white-pages.ws/results.php?show=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/

O1 - Hosts: 193.125.201.50 ie.search.msn.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)

O4 - HKLM\..\Run: [win32_i lptt01] "C:\Program Files\win32_I\win32_i.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23bcc4f9a3d254...ip/RdxIE601.cab

O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...B8105/turbo.cab

O19 - User stylesheet: c:\windows\java\my.css

Restart your computer and delete the

C:\PROGRAM FILES\ISTSVC folder.


----------



## Flrman1 (Jul 26, 2002)

meccie

Run Hijack This again and close all windows except HT and put a check by and "Fix Checked all of the following;

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://Y32075.sbvr.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

O1 - Hosts: 216.177.73.139 auto.search.msn.com

O1 - Hosts: 216.177.73.139 search.netscape.com

O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Arquivos de programas\CommonName\Toolbar\CNBabe.dll (file missing)

O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll

O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\ipinsigt.dll

O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSView.DLL

O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\mpz300.dll

O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll

O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL

O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\System32\veg32.dll

O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll

O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll

O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe

O4 - HKLM\..\Run: [IST Service] C:\Arquivos de programas\ISTsvc\istsvc.exe

O9 - Extra button: Browser Pal Toolbar (HKLM)

O16 - DPF: {9656B666-992F-4D74-8588-8CA69E97D90C} - http://www.commonname.com/en/oneclick/uninstbb.cab

Reboot your computer and delete the

C:\WINDOWS\msbb.exe file

and the

C:\Arquivos de programas\ISTsvc folder

Next go here http://security.kolla.de/ and get Spybot. Before you run the scan be sure to click on the "Online" tab and "search for updates" put a check by and install all updates then click "check for problems" and have Spybot Fix/remove all it finds. Use the "Immunize feature in Spybot as well.

Come back and post another HT log to make sure you got it all.

I would also recommend that you go here and read this http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 to get info on how this happens and how to prevent it. On this page you will find a link to SpywareBlaster get it to and be sure to keep it updated as well.


----------



## mattclem (Jul 17, 2003)

I join the ever growing group of peeps with a pop-up problem. Used HiJack as suggested and here are my results.Any help would be greatly appreciated.

Logfile of HijackThis v1.95.1
Scan saved at 21:35:24, on 17/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SDPhotoBar.exe] C:\SMARTD~1\SDPhotoBar.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\Program Files\VSTASCAN\vsaccess.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://media.windowsmediasolutions.com/10001/downloader.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx


----------



## meccie (Jul 17, 2003)

Thank you very much for helping me with the pop-ups. My computer is running smoother than ever! 
Here's my final log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\ARQUIV~1\NORTON~1\navapw32.exe
C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Sony Handheld\USBSwt.exe
C:\Arquivos de programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Nhksrv.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fernie\Configurações locais\Temp\Diretório temporário 3 para hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/intl/la/brazil/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/intl/la/brazil/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.veloxzone.com.br/templates/default/user.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NAV Agent] C:\ARQUIV~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: SonyPDA USB Switcher.lnk = C:\Program Files\Sony Handheld\USBSwt.exe
O4 - Startup: Velox.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARQUIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: PICgrabber -> Download Files from Page - C:\Arquivos de programas\PICgrabber\PICGRABBER.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: PICgrabber (HKCU)
O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members18.clubphoto.com/_img/uploader/atl_uploader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (C:\ARQUIV~1\eZula\mmod.exe) - http://ftp.uol.com.br/discadorUOL/light/UOLActiveInstall.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/afford/afford/rnt/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB9F5D7F-910A-4099-97BD-42415FF3F1FB}: NameServer = 200.149.55.140 200.202.193.71

Thank you again,
Maria


----------



## Flrman1 (Jul 26, 2002)

You're welcome meccie!

That log looks good.:up: 


Happy surfing!


----------



## Flrman1 (Jul 26, 2002)

mattclem 

Please post another Hijack This log this one doesn't include the "Running Processes". We need that to.


----------



## SpyderOnWeb (Jul 16, 2003)

Thanks flrman1 !
that really helped...i think that was 'winupie' which caused all this pain in ***!

about WDC trojan u can follow these links...
http://www.prweb.com/releases/2002/8/prweb44033.php
http://www.kolosoft.com/

this might be with a positive purpose but at the end of the day it's a trojan!

Also i was wondering if ya can temme little bout C:\WINNT\IEHelper.dll ...is it really harmful? what is it for actually? isn't it a part of microsoft standard installations?


----------



## mattclem (Jul 17, 2003)

sorry about that here's the full log..
Logfile of HijackThis v1.95.1
Scan saved at 21:35:24, on 17/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Bargain Buddy\bin2\bargains.exe
C:\WINDOWS\msbb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\SMARTD~1\SDPhotoBar.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\Program Files\VSTASCAN\vsaccess.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\mirc\mirc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Direct Connect\Direct Connect.exe
C:\Documents and Settings\m\Local Settings\Temporary Internet Files\Content.IE5\FVQRYH3S\winpup32[22].exe
C:\Program Files\KaZaA Lite\Kazaa.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\m\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webcache.blueyonder.co.uk:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SDPhotoBar.exe] C:\SMARTD~1\SDPhotoBar.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\Program Files\VSTASCAN\vsaccess.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://media.windowsmediasolutions.com/10001/downloader.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by SpyderOnWeb:_
> *Thanks flrman1 !
> 
> Also i was wondering if ya can temme little bout C:\WINNT\IEHelper.dll ...is it really harmful? what is it for actually? isn't it a part of microsoft standard installations? *


You're Welcome!

Here's the info on IEhelper.dll

http://217.115.153.73/parasite/Transponder.html


----------



## Flrman1 (Jul 26, 2002)

mattclem

Run Hijack This again and close all browser windows. Put a check by and "Fix Checked" all of the following;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131567

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll

O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll

O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab

Restart your computer and delete this folder from your computer

C:\Program Files\ISTsvc

and

this file C:\WINDOWS\msbb.exe

Next download Spybot - Search & Destroy

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Be sure to take advantage of the "Immunize" feature in Spybot.

Go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent it. There is a link on this page to SpywareBlaster. Get it. Keep it updated. The Immunize feature in Spybot and SpywareBlaster will go a long way in protecting you from this in the future.


----------



## Keenblade (Jul 18, 2003)

I've had a look at some of the advice, and after reading some of the posts I downloaded Hijack This! and ran it. This is what came up...

*Logfile of HijackThis v1.95.1
Scan saved at 4:16:28 PM, on 18/07/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AOL 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\WHATTN.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "c:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/303/nCaseInstaller.cab
O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} (Inst Class) - http://toolbar2.i-lookup.com/toolbar/ineb.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://216.65.38.226/downloader.cab
O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_2.cab*

Can you help me figure out the trash from the useful?


----------



## mattclem (Jul 17, 2003)

thanx for all the help i got...cheers guys...prob solved


----------



## TonyKlein (Aug 26, 2001)

Keenblade,

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131567
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about :blank

O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\WHATTN.DLL

O3 - Toolbar: I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} (Inst Class) - http://toolbar2.i-lookup.com/toolbar/ineb.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://216.65.38.226/downloader.cab
O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_2.cab*

Now *restart* your computer, and delete the C:\Program Files\ISTsvc folder.

Finally, download Spybot - Search & Destroy, if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

NOTE: Don't be taken aback by the fact that you will have installed so called "Beta" updates.
Unlike is the case with some of its competitors, SpyBot updates are first issued as betas for a few days in order to iron out possible problems.
These are extremely rare, and these updates are absolutely reliable.


----------



## Flrman1 (Jul 26, 2002)

Keenblade

Run Hijack This again and close all browser windows. Put a check by and "Fix Checked" all of the following;

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
http://search.ieplugin.com/search.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s (obfuscated)

O1 - Hosts: 216.40.230.4 desktop.kazaa.com

O1 - Hosts: 216.40.230.4 alpha.kazaa.com

O1 - Hosts: 216.40.230.4 shop.kazaa.com

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\WHATTN.DLL

O3 - Toolbar: I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab

O16 - DPF: {D35A69A7-7A34-4C67-814A-3F508C0BF371} (Inst Class) - http://toolbar2.i-lookup.com/toolbar/ineb.cab

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://216.65.38.226/downloader.cab

O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_2.cab

Restart your computer and delete the C:\Program Files\ISTsvc folder from your hard drive

Look here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent it. On this page you will find links to Spybot and SpywareBlaster. Get both of them. These two will go a long way towards preventing future attacks. Go ahead and run Spybot and be sure and use the "Online" feature in Spybot and search for and install all updates before scanning. Take advantage of the "Immunize" feature in Spybot. Search for updates in SpywareBlaster frequently as well.


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by mattclem:_
> *thanx for all the help i got...cheers guys...prob solved *


You're Welcome!


----------



## TonyKlein (Aug 26, 2001)

Same here!


----------



## Devyn (Jul 19, 2003)

Hello all and congratulations on the good work you're doing,

Same problem which started after I made the mistake of installing Kazaa, I think I've gotten rid of the Kazaa elements but want to make sure all this type of spyware is gone. If you could point out what Hijack This should remove I'd really appreciate it (and if there are any unnecessary start-ups I can get rid of could you stell me what they are as well, sorry to be a nuisance).

This is my log file from Hijack This,

Logfile of HijackThis v1.95.1
Scan saved at 19:54:13, on 19/07/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\windows\winlogon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\AOL 7.0\aoltray.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Demos\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sharempeg.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/jp/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.search-2003.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ???
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll (file missing)
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O3 - Toolbar: ???(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://download.imagereality.co.jp/Download/DjVu/PlugIn/Win/DjVuControl_ja_JP.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/dribnif/jp/win/QuickTimeInstaller.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37818.8514467593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4277/mcfscan.cab

My thanks again.

All the best,

Devyn


----------



## TonyKlein (Aug 26, 2001)

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sharempeg.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.search-2003.com/

O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll (file missing)

O3 - Toolbar: ???(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - *

Now *restart* your computer, and delete the 
c:\windows\winlogon.exe file.

Finally, download Spybot - Search & Destroy, if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

NOTE: Don't be taken aback by the fact that you will have installed so called "Beta" updates.
Unlike is the case with some of its competitors, SpyBot updates are first issued as betas for a few days in order to iron out possible problems.
These are extremely rare, and these updates are absolutely reliable.


----------



## phreax (Jul 19, 2003)

http://install.xxxtoolbar.com/download_straight.html?account_id=131903

Help , i have a problem , whenever i open mij explorer, and i open mij startpagina , it gose well , but when i open a new site in the same window, like www.msn.nl then this shows up :http://install.xxxtoolbar.com/download_straight.html?account_id=131903

i can'get it away . please help !!!


----------



## phreax (Jul 19, 2003)

antoher question , can you, Tony klein give me an answere ? i am also from holland and my english is very bad . thanx !


----------



## Flrman1 (Jul 26, 2002)

phreax

Go here http://www.tomcoyote.org/hjt/ , Download Hijack This.

Unzip it, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## phreax (Jul 19, 2003)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
c:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\loadqm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~4\dpps2.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\WINNT\Explorer.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Outlook Express\msimn.exe
c:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kazaa Lite\kazaalite.kpp
C:\Program Files\Kazaa Lite\speed up.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trojan Remover\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.ewebsearch.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Winsock driver] wuaumqr.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] c:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~4\dpps2.exe"
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\RunServices: [WinSocketComponent] C:\Progra~1\NetMeeting\conf\nthost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/grandmama25/op/tray.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37675.0569560185
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} (McAfee.com Component Download Manager Class) - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05331DE3-3423-4D59-98AA-D39A58F16335}: NameServer = 62.58.50.5 62.58.50.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{05331DE3-3423-4D59-98AA-D39A58F16335}: NameServer = 62.58.50.5 62.58.50.6
O19 - User stylesheet: c:\winnt\my.css

i have aready delited some programs from with i now that there were spyware ore bad programs

Thankx already Nico


----------



## Flrman1 (Jul 26, 2002)

phreax

Run Hijack This again and put a check by all of these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.ewebsearch.net/

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s=

O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s=

O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/grandmama25/op/tray.exe

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab

O19 - User stylesheet: c:\winnt\my.css

Rwstart your computer.

Now download Spybot here http://www.tomcoyote.org/SPYBOT/, if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.


----------



## phreax (Jul 19, 2003)

Ha Ha !!! it works !!! thats great !! i don't have any anoying pop ups ore what erver anymore !! 
The programs you have , such as :spybot and hijack this , works great , i din't now that there were programs like this , now i can see wat happends on mij pc the next time when it happens (if it hapens again) , i don't now how i dit get the programs om mij pc but there gone now !!

I am gonne email this site to mij friends , this is a great site !
Thanx thanx !

Greats from holland . Nico .


----------



## cheezeripper (Jul 20, 2003)

Could someone look threw mine? Please?

Logfile of HijackThis v1.95.1
Scan saved at 7:46:29 AM, on 7/20/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Kazaa K++\Kazaa.kpp
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JACOBS~1\LOCALS~1\Temp\Rar$EX00.933\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web659.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37748.8622569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web659.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37748.8622569444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

Thank you in advance


----------



## Flrman1 (Jul 26, 2002)

Good job phreax! :up:

I would also recommend that you take advantage of the "Immunize" feature in Spybot.

Also go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how to help prevent future attacks. On this page you will find a link to Javacool's SpywareBlaster. Get it also and keep it updated frequently.
Also go


----------



## Flrman1 (Jul 26, 2002)

cheezeripper

Run Hijack This again and put a check by all of these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131567

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll

O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll

O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web659.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web659.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

Restart your computer.

Now download Spybot here http://www.tomcoyote.org/SPYBOT/, if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how to help prevent future attacks. On this page you will find a link to Javacool's SpywareBlaster. Get it also and keep it updated frequently.


----------



## mad-martin (Jul 5, 2002)

did you know that a lot of people actually pay a lot of money to see porn, and all we want is get rid of it


----------



## RichardC (Jul 21, 2003)

I have been very impressed with the help you have renderred to other users and hope you can do the same for me. With appreciaition and thanks, Richard.

Here is my Hijack This Log:
Logfile of HijackThis v1.95.1
Scan saved at 9:59:18 AM, on 7/21/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\WINTV\WINTV2K.EXE
C:\PROGRAM FILES\FIRSTCLASS\FCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2000 RealNetworks\Search Bar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.runsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.orbitexplorer.com/cgi-bin/IESearch.cgi?bid=&affid=212
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = kilroy was here!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.runsearch.com/search.php?qq=%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.bestcrawler.com/
R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\PROGRAM FILES\COMMON FILES\OE\SEARCH.DLL
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {00000000-5eb9-11d5-9d45-009027c14662} - C:\WINDOWS\VX2.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/GSManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: Yahoo! Pool 2 - http://download.yahoo.com/games/clients/y/pos3_x.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.wecurious.com/clients/companywideshut/lotr/downloads/iaieplay.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.6136689815
O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmarcianas.com/ruboskizo.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://stat.trafficadvance.net/dialer/305233.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://cdn.climaxbucks.com/mt/dialers/fc/UniDist.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = FU
O19 - User stylesheet: c:\windows\my.css


----------



## TonyKlein (Aug 26, 2001)

That's a lovely spyware collection you have there! 

You have the latest version of RapidBlaster. Read this advisory: http://www.wilderssecurity.net/specialinfo/rapidblaster.html

Before doing anything else, you NEED to run Javacool's RapidBlaster killer : http://www.wilderssecurity.net/downloads/rbkiller.exe
It's at present the only application that will effectively remove this pest!

Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, kill the process, delete the Registry Run entry, _and_ remove the file itself.

Next, in Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, shut down _all_ browser Windows, and have HT fix all checked.

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/xfind/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.runsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.orbitexplorer.com/cgi-bi...?bid=&affid=212
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.runsearch.com/search.php?qq=%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com

R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\PROGRAM FILES\COMMON FILES\OE\SEARCH.DLL

O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {00000000-5eb9-11d5-9d45-009027c14662} - C:\WINDOWS\VX2.DLL
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL

O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...uginstaller.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.wecurious.com/clients/co...ds/iaieplay.dll
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.chicasmarcianas.com/ruboskizo.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://stat.trafficadvance.net/dialer/305233.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/0203...everContent.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://cdn.climaxbucks.com/mt/dialers/fc/UniDist.CAB

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = FU
O19 - User stylesheet: c:\windows\my.css*

Now *restart* your computer, and delete:

The C:\WINDOWS\SENTRY.exe file
The C:\Program Files\ISTsvc folder
The C:\Program Files\Orbit folder
The c:\windows\my.css file

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

Cheers,


----------



## RichardC (Jul 21, 2003)

Thanks for the help Tony, things seem to be working much smoother now. Just one quick question -- While I removed the ISTsvc folder, a folder named ISTbar still remains in Program Files. Should I also delete this folder? Thanks again,
Richard


----------



## VeNuS|A (Jul 22, 2003)

This is my log file, please help me to remove the **** 

Logfile of HijackThis v1.95.1
Scan saved at 16.08.41, on 22/07/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Norton\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\Programmi\Norton\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\PDesk.exe
C:\Programmi\Norton\vptray.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\ICQ\ICQ.exe
C:\Programmi\Ad-Aware\Ad-aware 6\Ad-aware.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=131567
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [vptray] C:\Programmi\Norton\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Programmi\File comuni\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programmi\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [EasyDates_it] C:\Program Files\ComSoft\Dialers\EasyDates_it\EasyDates_it.exe /dontdial 
O4 - HKLM\..\Run: [Corel Painter 8f] C:\Programmi\File comuni\Corel\Registration\EN\Registration.exe /title="Corel Painter 8" /date=080503 serial=PF08CTD-9999998-DDE
O4 - HKLM\..\Run: [MS Updates] C:\WINNT\mscache.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.7adpower.com/dialer/vaclg033108.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {16E166F9-35E8-4CA5-B50D-5CEFABF45B09} - http://www.new-freehost.com/webcamfree/xxx.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/it/win/QuickTimeInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/it/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.1931828704
O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_UL.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://69.1.71.212/grande_sms_archivio231.exe
O16 - DPF: {FFFF0003-0001-101A-A3F9-0844A22F49F5} - http://hqvirgins.com/d/sesso_del_hardcore6.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5C99FC-F9EB-4065-B9CE-4B71B6BD59D1}: NameServer = 192.168.1.1,192.168.1.10


----------



## Flrman1 (Jul 26, 2002)

Hi VeNuS|A

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131567

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TkBellExe] C:\Programmi\File comuni\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [EasyDates_it] C:\Program Files\ComSoft\Dialers\EasyDates_it\EasyDates_it.exe /dontdial

O4 - HKLM\..\Run: [MS Updates] C:\WINNT\mscache.exe

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.7adpower.com/dialer/vaclg033108.exe

O16 - DPF: {16E166F9-35E8-4CA5-B50D-5CEFABF45B09} - http://www.new-freehost.com/webcamfree/xxx.exe

O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www2.skoobidoo.com/softwares//Download_UL.cab

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://69.1.71.212/grande_sms_archivio231.exe

O16 - DPF: {FFFF0003-0001-101A-A3F9-0844A22F49F5} - http://hqvirgins.com/d/sesso_del_hardcore6.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5C99FC-F9EB-4065-B9CE-4B71B6BD59D1}: NameServer = 192.168.1.1,192.168.1.10

Reboot your computer and delete

The C:\WINNT\mscache.exe file
The C:\Program Files\ComSoft folder

Go here http://www.tomcoyote.org/SPYBOT/ and download Spybot if you don't already have it.

Install spybot

Now press "Online", and "Search for Updates", put a check mark at, and install all updates. (Note: Always check for updates before scanning)

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

When you're done restart your computer.

Also go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how this happens and how to help prevent it. On this page you will find a link to Javacool's SpywareBlaster. Get it. Check for updates frequently. Also take advantage of the "Immunize" feature in Spybot


----------



## VeNuS|A (Jul 22, 2003)

Hi flrman1, thanks so much for the help, I hope that now SpywareBlaster will protect my pc by spyware and popup programs 
Tnx!
Great Forum!!!


----------



## Flrman1 (Jul 26, 2002)

You're most welcome!  

Happy Surfing!


----------



## fredskinz (Jul 25, 2003)

I went to Hijack this to get rid of my pop up problem...could someone please tell me what to get rid of??? THANK YOU VERY MUCH!
Logfile of HijackThis v1.95.1
Scan saved at 7:00:06 PM, on 7/24/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\winlogon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Monster\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAB} - C:\DOCUME~1\Monster\LOCALS~1\Temp\winhbdh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM32\shdocvw.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE109330-F715-49D8-843F-23086F7F968C}: NameServer = 206.13.29.12 206.13.30.12


----------



## annieschi (Jun 17, 2003)

YOu guys really are awesome... I love this place, man!


----------



## Flrman1 (Jul 26, 2002)

Hi fredskinz

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAB} - C:\DOCUME~1\Monster\LOCALS~1\Temp\winhbdh.dll

O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM32\shdocvw.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{DE109330-F715-49D8-843F-23086F7F968C}: NameServer = 206.13.29.12 206.13.30.12

Restart your computer and delete
The c:\windows\winlogon.exe file

Go here http://www.tomcoyote.org/SPYBOT/ and download Spybot if you don't already have it.

Install spybot

Now press "Online", and "Search for Updates", put a check mark at, and install all updates. (Note: Always check for updates before scanning)

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

When you're done restart your computer.

Also go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how this happens and how to help prevent it. On this page you will find a link to Javacool's SpywareBlaster. Get it. Check for updates frequently. Also take advantage of the "Immunize" feature in Spybot


----------



## Toddeo (Jul 25, 2003)

I am having a search / porn pop up problem.

When I make a search in Google - I get a new window with this address http://www.unipages.cc/frame.php?param= (or with my search phrase at the end in a coolwebsearch page). When I try to close the window I get a xxxtoolbar loaded which keeps popping up pages on me.

Here is my Hijack This Report ... any help appreciated ...

ogfile of HijackThis v1.95.1
Scan saved at 12:59:10 AM, on 7/25/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WIN32US.EXE
C:\PROGRAM FILES\BARGAIN BUDDY\BIN\BARGAINS.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\SIXF.EXE
D:\PROGRAM FILES\SYMANTEC\PCANYWHERE\WINAW32.EXE
C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\SPAMASSASSIN POP3 PROXY\SAPROXY.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\PROGRAM FILES\MICROSOFT INTERNET\IEXPLORE.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (d:\Program Files\Netscape\Users\tberkun\prefs.js)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [awhost32] d:\Program Files\Symantec\pcAnywhere\Awhost32.exe /A
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [explore] c:\windows\explore.exe
O4 - Startup: Symantec pcAnywhere.lnk = D:\Program Files\Symantec\pcAnywhere\WINAW32.EXE
O4 - Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\ZoneAlarm\zonealarm.exe
O4 - Global Startup: SIXF.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks,
Todd


----------



## jkuhuski (Jul 25, 2003)

Here is my Hijack This log for your review. Thanks in advance for your help!!

Logfile of HijackThis v1.95.1
Scan saved at 10:49:43 PM, on 7/24/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\mcafee.com\VSO\mcvsshld.exe
C:\Program Files\mcafee.com\Agent\mcagent.exe
C:\Program Files\mcafee.com\Agent\mcupdate.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Hotbar\bin\4.3.1.0\HbInst.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Webshots\WebshotsTray.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hotbar\bin\4.3.1.0\HbSrv.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=82114
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=82114
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink Pop-Up Blocker\PnEL.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.1.0\HbHostIE.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\PnEL.dll
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.1.0\HbHostIE.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\mcafee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.1.0\HbInst.exe /Upgrade
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://193.125.201.50/?trk=
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/07a11205840af8431f02/netzip/RdxIE2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB7C2D8-7FEB-4D18-B22E-10B28163D166}: NameServer = 198.81.19.4


----------



## BlueSpruce (Jul 24, 2003)

Hi jkuhuski , Run Hijack this and put a check next to all the following entries. R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freehqmovies.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...ccount_id=82114
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...ccount_id=82114
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com

O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O13 - DefaultPrefix: http://193.125.201.50/?trk=
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
flash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB7C2D8-7FEB-4D18-B22E-10B28163D166}: NameServer = 198.81.19.4

1) After Hijack fix , Reboot
2) Download and run Spybot search & destroy www.security.koll.de
3) Use the Spybot immunize option

Good luck.


----------



## Toddeo (Jul 25, 2003)

I have tried Spybot and a bunch of other programs - they even seem convinced my system is clean. But my searches at google keep getting redirected to unipages.cc/frame.php?param= followed by my search text.

Then the xxxtoolbar loads and its horrible. Any help appreciated.

Thanks,
Todd

Below is my log:

Logfile of HijackThis v1.95.1
Scan saved at 3:14:53 AM, on 7/25/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
D:\PROGRAM FILES\SYMANTEC\PCANYWHERE\AWHOST32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WIN32US.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\SIXF.EXE
D:\PROGRAM FILES\SYMANTEC\PCANYWHERE\WINAW32.EXE
C:\PROGRAM FILES\ORL\VNC\WINVNC.EXE
C:\PROGRAM FILES\SPAMASSASSIN POP3 PROXY\SAPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT INTERNET\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (d:\Program Files\Netscape\Users\tberkun\prefs.js)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [awhost32] d:\Program Files\Symantec\pcAnywhere\Awhost32.exe /A
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [explore] c:\windows\explore.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Symantec pcAnywhere.lnk = D:\Program Files\Symantec\pcAnywhere\WINAW32.EXE
O4 - Startup: Run WinVNC (App Mode).lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O4 - Startup: SAproxy.lnk = C:\Program Files\SpamAssassin POP3 Proxy\saproxy.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\ZoneAlarm\zonealarm.exe
O4 - Global Startup: SIXF.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/remove/ist_remove.cab


----------



## intenseas (Jul 25, 2003)

Ok guys, here it is:

Logfile of HijackThis v1.95.1
Scan saved at 8:28:41 AM, on 7/25/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hpha2mon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\LINKSYS\Configuration Utility\Config.exe
C:\Program Files\Starfish\TrueSync\tstool.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alex\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=131567
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131567
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.whazit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.whazit.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\Updates\XTSearch.dll (file missing)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {C3F0C307-A620-417D-8FC5-47E68D98E259} - (no file)
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\System32\hpha2mon.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [BearShare] C:\Program Files\BearShare\BearShare.exe /m
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKCU\..\Run: [WFGStartup] C:\Program Files\WorldFlash\WFGStartup.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone by A1Tech.com\adsgone.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\LINKSYS\Configuration Utility\Config.exe
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31a3a1b4e1f6cdfe8815/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zinio.com/reader/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37639.3646412037
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ibdcharts/ocx/plotwon.ocx
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://216.65.38.226/downloader.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://indigoinvestor.webex.com/client/latest/webex/ieatgpc.cab


----------



## Katharsis (Jul 25, 2003)

@Toddeo

I have the same problem as you do, unipages.cc and all that crap with the xxxtoolbar. I have started an own thread, you might wanna take a look at it.

http://forums.techguy.org/showthread.php?s=&postid=1005554#post1005554


----------



## Flrman1 (Jul 26, 2002)

Hi Toddeo

Welcome to TSG!

First off you have the RapidBlaster parasite click on the link below and it will download RapidBlaser Killer. It is a program that can scan all running programs, detect RapidBlaster, and successfully terminate the process and remove the Run key registry entry. The newest version can also clean up various RapidBlaster remnants.

http://www.spywareinfo.com/download...er/rbkiller.exe

Run it and then come back here and post another Hijack This log.


----------



## Flrman1 (Jul 26, 2002)

Hi intenseas

Welcome to TSG!

Run Hijack This again and put a check by these. close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=131567

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131567

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.whazit.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.whazit.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\Updates\XTSearch.dll (file missing)

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll

O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\whattt.dll

O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O3 - Toolbar: (no name) - {C3F0C307-A620-417D-8FC5-47E68D98E259} - (no file

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31a3a1b4e1f6cd...ip/RdxIE601.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://zinio.earthc.net/images.zini...ader/isetup.cab

O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://216.65.38.226/downloader.cab

Restart your computer, preferably in safe mode(see this link on how to start in safe mode http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 ), and delete

The C:\Program Files\ISTsvc < entire folder
The C:\Program Files\Xupiter < entire folder
The C:\WINDOWS\System32\System32.exe < file
The C:\Program Files\Dap < entire folder

Also go here http://housecall.trendmicro.com/ and do an online virus scan.

Now download Spybot here http://www.tomcoyote.org/SPYBOT/, if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Also go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how to help prevent future attacks. On this page you will find a link to Javacool's SpywareBlaster. Get it also and keep it updated frequently.


----------



## intenseas (Jul 25, 2003)

Thanks a lot for the help! unfortunately I cannot delete the DAP folder. It says access denied. I checked for running processes and their were none. The only 2 files that I cannot delete are : dapie.dll and mfc42.dll. Any ideas? Thanks again


----------



## Flrman1 (Jul 26, 2002)

intenseas

Try starting in safe mode to delete the folder. See here http://service1.symantec.com/SUPPOR...001052409420406 on how to start in safe mode if you don't know how.


----------



## $teve (Oct 9, 2001)

firman..................your a trojan.........this thread was (resolved) last week i just thought i would take a look see what was keeping it bumped...........jeez!!!
you should get some sleep

anyone else reading this should post your hijackthis logfile in a new post,theyre comming so quick and fast someone is going to get unintentionally ignored.

oh...and someone buy that man a coffee

thanx


----------



## Flrman1 (Jul 26, 2002)




----------



## pascalreload (Jul 29, 2003)

Ok, so i guess i'm the next who have some problem with the unipages pop up...

Here is my log of HijackThis:

Logfile of HijackThis v1.95.1
Scan saved at 23:01:16, on 29/07/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
E:\jeux\Counter-Strike\HLKeyFr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
E:\brolxp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
O4 - HKLM\..\Run: [WpsRePsw] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe"
O4 - Startup: HLKeyFr.lnk = E:\jeux\Counter-Strike\HLKeyFr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/dribnif/fr/win/QuickTimeInstaller.exe
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/fr/big/1.1.62-big/GoogleNav.cab

Can you please help me ? thanks


----------



## TonyKlein (Aug 26, 2001)

Well, you happen to have the 'hard' version... 

Check, and have Hijack This fix the following:

*O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -*

Now download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of *msspi.dll* (and _nothing_ else) , and move them to the "Remove" pane. 
Then click Finish.

Now start your computer in Safe Mode, and find and delete the file itself


----------



## pascalreload (Jul 29, 2003)

Yep, it's working, good job, thanks a lot


----------



## TonyKlein (Aug 26, 2001)

EXcellent! Glad to hear that helped.


----------



## scinoz (Jul 30, 2003)

I hope I'm following protocol here -- Please help me get rid of the "Internet Optimizer" and anything else suspicious!

Logfile of HijackThis v1.95.1
Scan saved at 12:19:17 PM, on 7/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 172.19.20.13 asb110ap dor110ap fsb110ap msb110ap nsb110ap tfl110ap
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM211.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM213.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Microsoft Office.lnk = E:\access\Office\OSA9.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: WinMySQLadmin.lnk = C:\MYSQL\_ISDEL.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: PlaceWare Console: PW-CC2K-2-0-2c2-f2q1u9 - http://pwn.ops.placeware.com/etc/pws/overview/lib/cc-full.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: PlaceWare Console: PWS-CC2K-3-0-j-g0j9o2 (Shockwave Flash Object) - http://pwp.ops.placeware.com/etc/pws/placeware/lib/cc-full.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37769.8521527778


----------



## TonyKlein (Aug 26, 2001)

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

*O1 - Hosts: 172.19.20.13 asb110ap dor110ap fsb110ap msb110ap nsb110ap tfl110ap

O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM211.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM213.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [LoadQM] loadqm.exe*

Now *restart* your computer, and download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

Finally, copy the bold into Notepad, save as *Search.reg* (save as 'all files') and doubleclick that file. Click Yes when prompted to add its contents to the Registry.

*REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] 
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""*


----------



## taphxaz (Jul 31, 2003)

To all,

I'm glad I found this site... As you can see I need you help with XXXTOOLBAR PLEASE! Here is my Hijack this log:

Logfile of HijackThis v1.95.1
Scan saved at 6:37:52 PM, on 7/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\SCM\ICONFIG.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SPYWATCH.EXE
C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\5734938B.DLL
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchdesire.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchdesire.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchdesire.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = javascript:window.close()
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unipages.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchdesire.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchdesire.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [BCMHal] rundll32.exe bcmhal9x.dll,BCInit
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .hiv: C:\WINDOWS\DOWNLOADED PROGRAM FILES\nphijkjv.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {BC26D98E-4F8E-11D4-B523-94ED45C04971} (PrintQuickActiveXSetup Class) - http://www.pqvalet.com/plugin/win/ie/printQuick.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB


----------



## Iamurgod32 (Jul 31, 2003)

Yea, im having the same problems as the rest of the people in this thread.

here is my HijackThis scan

Logfile of HijackThis v1.95.1
Scan saved at 10:12:06 PM, on 7/30/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\tp4mon.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\rb32\rb32.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\Program Files\EarthLink 5.0\Browser.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.xupiter.com/toolbar2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.ewebsearch.net/
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msjcik.dll
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll (file missing)
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=0&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=0&s=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12FEAA15-98C7-49D8-8343-65067BFDB183}: NameServer = 207.69.188.187 207.69.188.186

Whatever is on my computer replaces whatever internet adresses i type in my web-browser with a porn site, either xxxtoolbar or a few other ones. The only way i have found to stop this is to type in the full web address including the HTTP:// part, and it still displays porn popups occasionaly. Any help would be appreciated.


----------



## Flrman1 (Jul 26, 2002)

Hi taphxaz

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchdesire.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchdesire.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchdesire.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = java script:window.close()

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unipages.cc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchdesire.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchdesire.com

R3 - Default URLSearchHook is missing

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB

Restart your computer.

Now download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the program, and click the "I know what I'm doing" checkbox.

Check all instances of msspi.dll (and nothing else) , and move them to the "Remove" pane. 
Then click Finish.

Now start your computer in safemode, and find and delete the file itself

Finally go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all browser windows, hit "Check for Problems", and have SpyBot remove/fix all it finds.


----------



## Flrman1 (Jul 26, 2002)

Iamurgod32

Welcome to TSG!

You have the RapidBlaster parasite.
First click on the link below and it will download RapidBlaster Killer. Close all browser windows. Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, will kill the process, and delete the Registry Run entry. When it is finished restart your computer.

http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe.

After that post another Hijack This log.


----------



## Iamurgod32 (Jul 31, 2003)

Ummmmmm, that link didnt work


----------



## Iamurgod32 (Jul 31, 2003)

Found RBkiller, ran it. it found one RB file and deleted it, here is the new hijackthis log.

Logfile of HijackThis v1.95.1
Scan saved at 11:39:33 AM, on 7/31/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\tp4mon.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ClockSync\Sync.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\Program Files\EarthLink 5.0\Browser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.xupiter.com/toolbar2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.ewebsearch.net/
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msjcik.dll
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll (file missing)
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=0&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=0&s=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12FEAA15-98C7-49D8-8343-65067BFDB183}: NameServer = 207.69.188.187 207.69.188.186


----------



## Flrman1 (Jul 26, 2002)

Iamurgod32

Run Hijack This again and put a check by these. Doublecheck to be sure not to miss a single one. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.xupiter.com/toolbar2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.ewebsearch.net/

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msjcik.dll

O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll

O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll (file missing)

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q

O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=0&s=

O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=0&s=

O17 - HKLM\System\CCS\Services\Tcpip\..\{12FEAA15-98C7-49D8-8343-65067BFDB183}: NameServer = 207.69.188.187 207.69.188.186

Restart your computer and delete:
The C:\Program Files\ISTsvc folder

Now download Spybot here http://spybot.eon.net.au/index.php?lang=en&page=download if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how to help prevent future attacks. On this page you will find a link to Javacool's SpywareBlaster. Get it also and keep it updated frequently.


----------



## nobir (Jul 31, 2003)

i'm a victim of this s*** too! can you please help me?

here's the list

Logfile of HijackThis v1.95.1
Scan saved at 23:12:20, on 31.7.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Kazaa\kazaa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Program Files\Microsoft Office\Office\1060\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\_iz_c\Bla\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.89.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.ewebsearch.net/
O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [winregsrv] C:\WINDOWS\System32\winregsrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Vrata za Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1060\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=0&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=0&s=
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.com/teleport/vacation/MaxisVacationTeleX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://209.58.242.206/downloads/UGO20.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EAFFD5D-09BB-4EDD-8063-3151A1D00640}: NameServer = 217.72.64.10 217.72.64.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3B7A8EC-1112-43E7-BF26-D987D5841EED}: NameServer = 193.189.160.11,193.189.160.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EAFFD5D-09BB-4EDD-8063-3151A1D00640}: NameServer = 217.72.64.10 217.72.64.11
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp (file missing)


----------



## Flrman1 (Jul 26, 2002)

nobir

The first thing you need to do is uninstall Kazaa. It is full of spyware. When we finish with this i will be glad to give you a link to Kazaalite which is the same as Kazaa but no spyware.

After you've done that click on this next link and it will download Cwshredder. Un zip it and close all browser windows and click on the Cwshredder.exe and let it do it's thing. It will take care of the Coolwwwsearch problem.

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Restart your computer.

Finally go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

Restart your computer.

Come back and post another Hijack This log and we'll see if there is anything left.


----------



## nobir (Jul 31, 2003)

ok, here's the new log

Logfile of HijackThis v1.95.1
Scan saved at 0:58:26, on 1.8.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Program Files\Microsoft Office\Office\1060\OLFSNT40.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ICQ\ICQ.exe
C:\_iz_c\Bla\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.89.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [winregsrv] C:\WINDOWS\System32\winregsrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Vrata za Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1060\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.com/teleport/vacation/MaxisVacationTeleX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EAFFD5D-09BB-4EDD-8063-3151A1D00640}: NameServer = 217.72.64.10 217.72.64.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3B7A8EC-1112-43E7-BF26-D987D5841EED}: NameServer = 193.189.160.11,193.189.160.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EAFFD5D-09BB-4EDD-8063-3151A1D00640}: NameServer = 217.72.64.10 217.72.64.11


----------



## Flrman1 (Jul 26, 2002)

nobir

Run Hijack This again and put a check by these. Doublecheck to be sure not to miss a single one. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?101 (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.89.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=

O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{0EAFFD5D-09BB-4EDD-8063-3151A1D00640}: NameServer = 217.72.64.10 217.72.64.11

O17 - HKLM\System\CCS\Services\Tcpip\..\{E3B7A8EC-1112-43E7-BF26-D987D5841EED}: NameServer = 193.189.160.11,193.189.160.12

O17 - HKLM\System\CS1\Services\Tcpip\..\{0EAFFD5D-09BB-4EDD-8063-3151A1D00640}: NameServer = 217.72.64.10 217.72.64.11

Restart your computer.


----------



## nobir (Jul 31, 2003)

it worked! thanks firman1, i owe you one! 

btw, could you give me the URL to Kazaa Lite?


----------



## Flrman1 (Jul 26, 2002)

You're Welcome!

Here is a direct download link to the latest version of Kazaalite. Th download will begin as soon as you click on it.

http://kd4.edskes.com/klitekpp241e.exe

Happy Surfing!


----------



## coldsteel (Aug 1, 2003)

I need some help getting rid of porn pop up's. I have read the previous posts and included the hijack this log file with this message. What do I need to get rid of? Your help is greatly appreciated!!!

Logfile of HijackThis v1.95.1
Scan saved at 10:37:37 AM, on 8/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\randerson\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/294215b6952562218505/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37721.5187384259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB

Thanks agian


----------



## Flrman1 (Jul 26, 2002)

Coldsteel

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/294215b6952562...ip/RdxIE601.cab

Restart your computer and delete:
The C:\Program Files\ISTsvc folder
The C:\Program Files\ClearSearch folder

Now download Spybot here http://spybot.eon.net.au/index.php?...n&page=download if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.


----------



## lazz (Aug 1, 2003)

Hi guys, I got the same problem with the google-unipages thing and it's driving me totally nuts! Hope someone here can help 

Here's the hijack log:

Logfile of HijackThis v1.96.0
Scan saved at 2:07:19 AM, on 2/08/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\RXMON.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\AUDIOCENTRAL\PLAYLIST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.austech.info/forums/forumdisplay.php?s=&forumid=38
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .psd: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

Thanks...


----------



## slotnick (Aug 1, 2003)

I have the same problem too!!! This "cool web search" from unipages isn't cool. I'm trying to solve this for three days now, but i'm not a computerpro, and I'm afraid of messing things up.

I've tried several freeware (ad-aware, spybot, pow): nothing solved.

If someone could look at my hijack this logfile, and help me out?

thanx!

Logfile of HijackThis v1.96.0
Scan saved at 18:54:51, on 1/08/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\FIREWALL\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\FIREWALL\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0813&s=search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.breedband.telenet.be/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0813&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0813&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.runsearch.com/search.php?qq=%s (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pandora.be:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Visitekaartjes 4.0] F:\setup.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\AD AWARE\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\FIREWALL\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\FIREWALL\SMC.EXE
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Sexo (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O12 - Plugin for .com/cm/servlet/servletViewBlob?objId=298&name=ACT_PDF&artId=101&lanId=2: C:\PROGRA~1\Intern~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab


----------



## Flrman1 (Jul 26, 2002)

lazz

I don't see unipages in your log.

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll

O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)

You need to do this download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of msspi.dll (and nothing else) , and move them to the "Remove" pane. 
Then click Finish.

Now start your computer in Safe Mode, and find and delete the file itself.

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.


----------



## Flrman1 (Jul 26, 2002)

slotnick

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runsearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.runsearch.com/search.php?qq=%s (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/

O9 - Extra button: Sexo (HKLM)

O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll

Restart your computer.

You also need to do this download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of msspi.dll (and nothing else) , and move them to the "Remove" pane. 
Then click Finish.

Now start your computer in Safe Mode, and find and delete the file itself.

See here http://service1.symantec.com/SUPPOR...001052409420406 for how to start in safe mode if you don't know how.


----------



## lazz (Aug 1, 2003)

Thanks flrman1, will give it a go


----------



## lazz (Aug 1, 2003)

flrman1 my friend, you're an absolute champion!


----------



## Flrman1 (Jul 26, 2002)

My pleasure!  :up: 

Happy Surfing!


----------



## kombienzle (Aug 2, 2003)

Thanks god!! I finally found you guys! I have a hijacking problem: From time to time when I type an URL into the address bar of IE the address is automatically changed to xxxtoolbar.com and annoying popups appear as well. I ran spybot already and cleared all results. The logfile from hijackthis is added below. Would be amazing if somebody could provide help! This just drives me insane!!!

Thx a lot in advance

Logfile of HijackThis v1.96.0
Scan saved at 13:24:12, on 02.08.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOKUME~1\Micha\LOKALE~1\Temp\msdgbp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE


----------



## Flrman1 (Jul 26, 2002)

kombienzle

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOKUME~1\Micha\LOKALE~1\Temp\msdgbp.dll

Restart your computer.

Now download Spybot here http://spybot.eon.net.au/index.php?...n&page=download if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.It will help protect you from future attacks.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent it. On this page you will find a link to Javacool's SpywareBlaster. Get it and install it . Be sure to check for udates frequently. These two together will go a long way toward keeping you spyware free.


----------



## Metallica (Jan 28, 2003)

kombienzle,

Please post your complete log.

You´ll probably have these entries as well:
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s= 
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s=

and without removiong those the hijack will never end.

Regards,

Pieter


----------



## kombienzle (Aug 2, 2003)

Metallica,

I just scaned again. Here ist the complete log

Logfile of HijackThis v1.96.0
Scan saved at 15:47:34, on 02.08.2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\Trillian\trillian.exe
C:\Programme\Microsoft Office\Office\WINWORD.EXE
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOKUME~1\Micha\LOKALE~1\Temp\msdgbp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...zdf.de/archiv/et8/et8_alpedhuez/alpedhuez.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F3FF673-7097-4542-ADD8-1B4A8C69E63A}: NameServer = 62.225.251.16 194.25.2.129

I will try to remove it with the instructions from flrman1. And post the result!!

Thx to both of you for the quick response!

Mike


----------



## slotnick (Aug 1, 2003)

Flrman1:

Thank you man!!! It's fixed. You're GOD!!!!

Greets,


slotnick


----------



## Flrman1 (Jul 26, 2002)

My Pleasure slotnick! :up:


----------



## stonera (Aug 2, 2003)

I too am having a porn pop up problem that almost caught the eyes of my 1.5 yr old -- please help!! I read over threads, downloaded HijackThis, ran it and here is the output. It only occurs when I start up IE ... along with my default home page pops up some pretty graphic sexual content. Thanks.

Logfile of HijackThis v1.96.0
Scan saved at 11:55:44 AM, on 8/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: ineb Helper - {753AA023-02D1-447D-8B55-53A91A5ABF18} - C:\WINNT\System32\bmeb.dll
O3 - Toolbar: Search Bar - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - C:\WINNT\System32\bmeb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Pinnacle PCTV Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0761dc6f58560da8ed03/netzip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} - http://global-service.oraclecorp.com/OA_JAVA/oajinit.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - 
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -


----------



## escort1984 (Aug 2, 2003)

OK. It looks like I am not the only one! I've been fighting this for weeks (xxxtool, istbar, etc). I've been cleaning my register, removing the programs, deleting the folders, cookies, etc. and nothing has helped. I have just run rbkiller.exe. Here is the output from that:

The following processes were detected as RapidBlaster:
Scanned on: 14:07:03 08/02/2003
C:\Program Files\win32_I\win32_i.exe - [PID]: 788
[CLEANUP] Deleted File: C:\Program Files\win32_I\win32_i.exe
[CLEANUP] Deleted Folder: C:\Program Files\win32_I
[CLEANUP] Deleted Uninstall Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\win32_i

Here is my Hijack This log:

Logfile of HijackThis v1.96.0
Scan saved at 2:24:07 PM, on 8/2/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\mshta.exe
D:\ESM2\STMS.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\ESM2\EBRR.EXE
C:\WINNT\regedit.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\DU\Local Settings\Temp\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=75575
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=75575
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*[url]http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*[url]http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*[url]http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.search-2003.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - Global Startup: EPSON Background Monitor.lnk = D:\ESM2\STMS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://193.125.201.50/?trk=
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,11/mcgdmgr.cab

Is there anything else I need to delete?

HELP!!!!!!!!


----------



## Flrman1 (Jul 26, 2002)

Hi stonera 

Welcome to TSG!

Please post another log you left out the "Running Processes"
We need to see that too.


----------



## Flrman1 (Jul 26, 2002)

escort1984

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...ccount_id=75575

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...ccount_id=75575

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.search-2003.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com

O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [winmain] winmain.exe

O13 - DefaultPrefix: http://193.125.201.50/?trk=

Restart your computer.

Now download Spybot here http://spybot.eon.net.au/index.php?...n&page=download if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.It will help protect you from future attacks.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent it. On this page you will find a link to Javacool's SpywareBlaster. Get it and install it . Be sure to check for udates frequently. These two together will go a long way toward keeping you spyware free.


----------



## escort1984 (Aug 2, 2003)

flrman1,

You'll never know how appreciative I am for the help.
After weeks of trying to clean this up, it is finally done!

Additional thanks for the informative links on what caused
this and how to prevent it.

THANK YOU, THANK YOU, THANK YOU!!!!

escort1984


----------



## Flrman1 (Jul 26, 2002)

My pleasure escort1984!  

Happy Surfing!


----------



## stonera (Aug 2, 2003)

flrman1,

Oops -- extracted as i noticed others did not include. Here you go... thanks!!

Logfile of HijackThis v1.96.0
Scan saved at 4:55:27 PM, on 8/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\PCLEScheduler.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\stonera\Local Settings\Temp\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: ineb Helper - {753AA023-02D1-447D-8B55-53A91A5ABF18} - C:\WINNT\System32\bmeb.dll
O3 - Toolbar: Search Bar - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - C:\WINNT\System32\bmeb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Pinnacle PCTV Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0761dc6f58560da8ed03/netzip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {86ecb6a0-400a-11d5-b638-00c04faedb18} - http://global-service.oraclecorp.com/OA_JAVA/oajinit.exe
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - 
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF} (JInitiator 1.3.1.9) -


----------



## Flrman1 (Jul 26, 2002)

stonera

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

O2 - BHO: ineb Helper - {753AA023-02D1-447D-8B55-53A91A5ABF18} - C:\WINNT\System32\bmeb.dll

O3 - Toolbar: Search Bar - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - C:\WINNT\System32\bmeb.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0761dc6f58560d...ip/RdxIE601.cab

I have PMed someone else for further instructions on these two(below). It will be tomorrow before he is back online but go ahead and have Hijack This fix them also and we'll await his reply.

O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll

Restart your computer.

Now download Spybot here http://spybot.eon.net.au/index.php?...n&page=download if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.It will help protect you from future attacks.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent it. On this page you will find a link to Javacool's SpywareBlaster. Get it and install it . Be sure to check for udates frequently. These two together will go a long way toward keeping you spyware free.


----------



## stonera (Aug 2, 2003)

flrman1, thank you so much! i will try all that you note and report back once immunized.

stonera


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## dodgeway (Aug 4, 2003)

Here's my info: Thanks for any help/advice you can give.

Logfile of HijackThis v1.96.0
Scan saved at 8:53:03 PM, on 8/3/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\GRAVEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VERIZON ONLINE CONTROL PAD\VERIZONCONTROLPAD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VERIZON ONLINE CONTROL PAD\UIENGINES\FLASHUIENGINE\CPSKIN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalwebsearch.com/ie_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.usaa.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {61D029AC-972B-49FE-A155-962DFA0A37BB} - C:\WINDOWS\SYSTEM\INEB.DLL
O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL
O3 - Toolbar: I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - C:\WINDOWS\SYSTEM\GWS.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUAL IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Verizon Online Control Pad] "C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.exe"
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Verizon Online Control Pad] "C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\gocuts.exe
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37647.8958449074


----------



## kahnatic (Aug 4, 2003)

Wow! This is such a great site. I've been searching around for ages for some sort of solution to all these annoying little spammers. I scanned my computer with Ad Aware but those things are still there. I found some very strange files on my computers, ClearSearch & ISTBar, but don't know what to do with it. Any help would be greatly appreciate it. Here's my HT log.

Logfile of HijackThis v1.96.0
Scan saved at 10:11:35 PM, on 8/3/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Y'z Dock\YzDock.exe
C:\Program Files\Y'z Shadow\YzShadow.exe
C:\Program Files\SysReset\mirc.exe
C:\WINDOWS\System32\notepad.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kahn Tong\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Y'z Dock.exe.lnk = C:\Program Files\Y'z Dock\YzDock.exe
O4 - Startup: Y'z Shadow.exe.lnk = C:\Program Files\Y'z Shadow\YzShadow.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2838266e4a1d25d38d23/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37827.7687962963
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab


----------



## Flrman1 (Jul 26, 2002)

dodgeway

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.globalwebsearch.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.globalwebsearch.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.globalwebsearch.com/ie_search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.globalwebsearch.com/ie_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

O2 - BHO: (no name) - {61D029AC-972B-49FE-A155-962DFA0A37BB} - C:\WINDOWS\SYSTEM\INEB.DLL

O2 - BHO: ineb Helper - {FBAA0B9E-A059-43E4-9699-76EB0AEB975B} - C:\WINDOWS\SYSTEM\GWS.DLL

O3 - Toolbar: I-Lookup.com Bar - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - C:\WINDOWS\SYSTEM\INEB.DLL

O3 - Toolbar: GlobalWebSearch.com Bar - {54A85A38-A699-4AEC-8F88-AB542210C93B} - C:\WINDOWS\SYSTEM\GWS.DLL

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

If you have not knowingly locked your homepage or IE options fix this one
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards will go a long way towards keeping you spyware free.


----------



## drumminwoman (Aug 4, 2003)

Hello Everyone.

I have also been infected with ISTbar,xxxtoolbar,bargainbuddy, and tiny bar..all in one fell swoop.

I have already completed the steps at http://doxdesk.com/parasite/ISTbar.html
and it didn't work.

I have also used Ad-Aware 6.0 without any success.

So. I have a Hijack This log that I hope someone could help me with:

Logfile of HijackThis v1.96.0
Scan saved at 1:09:53 AM, on 8/4/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
D:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csufresno.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\cvip\prefs.js)
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] D:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O13 - DefaultPrefix: http://193.125.201.50/?trk=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt4_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab

Thank you all muchly...I hope to hear from someone soon.
--drumminwoman


----------



## Flrman1 (Jul 26, 2002)

kahnatic

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2838266e4a1d25...ip/RdxIE601.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB

Restart your computer:

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards will go a long way towards keeping you spyware free.


----------



## Flrman1 (Jul 26, 2002)

drumminwoman

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csufresno.edu/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://193.125.201.50

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

R3 - Default URLSearchHook is missing

O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com

O4 - HKLM\..\Run: [winmain] winmain.exe

O13 - DefaultPrefix: http://193.125.201.50/?trk=

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards will go a long way towards keeping you spyware free.


----------



## Flrman1 (Jul 26, 2002)

stonera

As far as these two are concerned:

O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\pnrpnsp.dll

Download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check both instances of pnrpnsp.dll (and nothing else) , and move them to the "Remove" pane. 
Then click Finish.

Now start your computer in Safe Mode, and find and delete the file itself


----------



## mike7474 (Aug 4, 2003)

It seems you are all quite good at this problem... so here is my HT log. I appreciate any help i can get. 
Logfile of HijackThis v1.96.0
Scan saved at 4:42:04 PM, on 8/4/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\wjview.exe
C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InfoDailySchoolCashReminderService\InfoDailySchoolCashReminderService.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InfoDailySchoolCashReminderService] wjview /cp "C:\Program Files\InfoDailySchoolCashReminderService\System\Code" Main lp: "C:\Program Files\InfoDailySchoolCashReminderService"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Shortcut to CmLUC.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: InfoDaily - file://C:\Program Files\InfoDailySchoolCashReminderService\System\Temp\infod_script.htm
O8 - Extra context menu item: SchoolCash - file://C:\Program Files\InfoDailySchoolCashReminderService\System\Temp\scash_script.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: SchoolCash (HKCU)
O9 - Extra button: InfoDaily (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s=
O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bubbleny.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bubbleny.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bubbleny.com


----------



## Flrman1 (Jul 26, 2002)

mike7474

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/

O1 - Hosts: 65.77.83.222 thehun.com
O1 - Hosts: 65.77.83.222 thehun.net
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s=

O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s=

Restart your computer.
-----------------------------------------------------------------------------------
I am assuming you know what these are and you wittingly installed them yourself:

O8 - Extra context menu item: InfoDaily - file://C:\Program Files\InfoDailySchoolCashReminderService\System\Temp\infod_script.htm

O8 - Extra context menu item: SchoolCash - file://C:\Program Files\InfoDailySchoolCashReminderService\System\Temp\scash_script.htm

O9 - Extra button: SchoolCash (HKCU)

O9 - Extra button: InfoDaily (HKCU)

I can't find any info on them. If you don't know what they are and don't use them get rid of them too.
-----------------------------------------------------------------------------------

Next go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards will go a long way towards keeping you spyware free.


----------



## mike7474 (Aug 4, 2003)

Thanks so much, you are a gentleman and a scholar! I'll try to send a donation when i get paid next. Thanks again!


----------



## Flrman1 (Jul 26, 2002)

You're welcome!  

BTW what are these?

O8 - Extra context menu item: InfoDaily - file://C:\Program Files\InfoDailySchoolCashReminderService\System\Temp\infod_script.htm

O8 - Extra context menu item: SchoolCash - file://C:\Program Files\InfoDailySchoolCashReminderService\System\Temp\scash_script.htm

Just so I know in the future.


----------



## drumminwoman (Aug 4, 2003)

flrman1,
Thank you very much for the help!!

My search side bar does not work like it used to,..but I'm not getting those pop up ads, nor does ISTbar redirect me to it's host site to reinstall itself when I do a search from the address bar!

Thank you very much!! You're awesome!

-drumminwoman


----------



## Flrman1 (Jul 26, 2002)

Glad to help! :up: 

Happy surfing!


----------



## dcw_leung (Aug 4, 2003)

Hello - my log file. Having had a look at the hijack this guide, it doesn't look so good... (I'm new to HT so I though I twould ask)

Thanks!

Logfile of HijackThis v1.96.0
Scan saved at 1:05:12 AM, on 8/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
D:\NORTON UTILITIES\NPROTECT.EXE
D:\NORTON CLEANSWEEP\CSINJECT.EXE
D:\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\VIRUSSCAN\VSSTAT.EXE
D:\VIRUSSCAN\AVCONSOL.EXE
D:\VIRUSSCAN\VSHWIN32.EXE
D:\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {BC0D2038-2DE5-4A6F-92BC-B18A3E0DE32A} - (no file)
O2 - BHO: (no name) - {39AF31DD-EAFC-45EA-A56C-385B52E25CC0} - (no file)
O2 - BHO: (no name) - {4CEBBC6B-5CEE-4644-80CF-38980BAE93F6} - (no file)
O2 - BHO: (no name) - {6B12DABB-0B7C-44FA-B0B3-4BAFF3790256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HKserv.exe] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JogServ2.exe] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [NPROTECT] D:\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [BaySwap] C:\PROGRA~1\POWERP~1\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [NPROTECT] D:\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] D:\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] D:\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
O4 - Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.60/Java/cfsn31235.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37831.3074305556
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp


----------



## Flrman1 (Jul 26, 2002)

dcw_leung

Welcome to TSG!

Click on the link below and it will download cwshredder. UnZipit and close all browser windows then click on the cwshredder.exe and let it do it's thing.

Restart your computer when it is finished.

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Come back here and post another HT log and we'll get rid of what's left.


----------



## suoiruc (Aug 5, 2003)

I've had trouble with this popup as well and removed a piece of software called Webserver that I thought might be causing it. The Webserver uninstall was kind of flaky and I ended up just deleting the folder as well as two exe's in the Windows folder that were for it.

I've run the HT software scan and was hoping you could verify I've gotten rid of the pesky infection. I'm pretty sure there's got to be something of it still around somewhere; although I haven't had any pop up trouble since I got rid of the Webserver "Screensaver".

HT Log:
Logfile of HijackThis v1.96.0
Scan saved at 5:58:15 PM, on 8/4/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\ACCESSORIES\NOADS.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GOZILLA\GO.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.audioseek.net/iesearch/%s (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fastwebfinder.com/iesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.audioseek.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.audioseek.net/iesearch/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
R3 - URLSearchHook: ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL (file missing)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRAM FILES\GOZILLA\GOIEHLP.DLL
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.1.5.0\EBAYBAND.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BA3D9F56-5EC1-497D-881A-93A28F58D9AD} - (no file)
O2 - BHO: (no name) - {92D028E0-19A6-11D7-ADE5-0050BF14F8BD} - C:\WINDOWS\SYSTEM\MBHO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.1.5.0\EBAYBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\ACCESSORIES\NOADS.EXE"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: Dell Home (HKCU)
O9 - Extra button: PopupDummy! (HKCU)
O9 - Extra 'Tools' menuitem: PopupDummy! (HKCU)
O16 - DPF: {6EA1AC90-FAC5-11D3-9725-0090279053A3} (MP3.com Beam-it) - http://my.mp3.com/beamit/Beam-itActiveXControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadcaster.com/player/MovieNetworks1.exe
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v10/investor.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www109.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommon/download/tgctlins.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37595.4390277778
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

Thanks for any help!


----------



## suoiruc (Aug 5, 2003)

I've had trouble with this popup as well and removed a piece of software called Websaver that I thought might be causing it. The Websaver uninstall was kind of flaky and I ended up just deleting the folder as well as two exe's in the Windows folder that were for it.

I've run the HT software scan and was hoping you could verify I've gotten rid of the pesky infection. I'm pretty sure there's got to be something of it still around somewhere; although I haven't had any pop up trouble since I got rid of the Websaver "Screensaver".

HT Log:
Logfile of HijackThis v1.96.0
Scan saved at 5:58:15 PM, on 8/4/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\ACCESSORIES\NOADS.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GOZILLA\GO.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.audioseek.net/iesearch/%s (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fastwebfinder.com/iesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.audioseek.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.audioseek.net/iesearch/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
R3 - URLSearchHook: ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL (file missing)
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRAM FILES\GOZILLA\GOIEHLP.DLL
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.1.5.0\EBAYBAND.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BA3D9F56-5EC1-497D-881A-93A28F58D9AD} - (no file)
O2 - BHO: (no name) - {92D028E0-19A6-11D7-ADE5-0050BF14F8BD} - C:\WINDOWS\SYSTEM\MBHO.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.1.5.0\EBAYBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\ACCESSORIES\NOADS.EXE"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: Dell Home (HKCU)
O9 - Extra button: PopupDummy! (HKCU)
O9 - Extra 'Tools' menuitem: PopupDummy! (HKCU)
O16 - DPF: {6EA1AC90-FAC5-11D3-9725-0090279053A3} (MP3.com Beam-it) - http://my.mp3.com/beamit/Beam-itActiveXControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadcaster.com/player/MovieNetworks1.exe
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/public/investor/v10/investor.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www109.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommon/download/tgctlins.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37595.4390277778
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

Thanks for any help!


----------



## Flrman1 (Jul 26, 2002)

suoiruc

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fastwebfinder.com/iesearch.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRAM FILES\GOZILLA\GOIEHLP.DLL

O2 - BHO: (no name) - {BA3D9F56-5EC1-497D-881A-93A28F58D9AD} - (no file)

O2 - BHO: (no name) - {92D028E0-19A6-11D7-ADE5-0050BF14F8BD} - C:\WINDOWS\SYSTEM\MBHO.DLL (file missing)

O2 - BHO: (no name) - {92D028E0-19A6-11D7-ADE5-0050BF14F8BD} - C:\WINDOWS\SYSTEM\MBHO.DLL (file missing)

O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadcaster.com/player/MovieNetworks1.exe

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www109.coolsavings.com/download/cscmv4X.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/brix6ie.cab

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards keeping you spyware free.


----------



## Wayfarer (Aug 5, 2003)

Hi, I found this site by entering "istsvc" into Google. I'm not very computer saavy, so I hope I'm not duplicating something already posted. (I'm not sure I understand the similar posts.)

My daughter was surfing (what she told me were) rock band sites. Porno popped up and froze the computer. I had to shut down. Since then, I was afflicted with a XXXTOOLBAR, which I think I've gotten rid of.

Also, when I type a URL into the Address line and hit ENTER, I'm automatically redirected to porn sites. I shut them down as fast as they come up, but always end up at http://pluginaccess.com. When I try to close it, it freezes up IE. There seems to be a "Dc2" file associated with it, which I can't delete.

In addition, this attack seems to have added a dialer (?) called "PRPI" which disappears from the Control Panel when I try to highlight it.

Finally, there's a program file "istsvc" which I can't seem to delete. (It says access denied.)

So, I have problems and I hope someone can tell me where to begin in as simple language as possible.


----------



## $teve (Oct 9, 2001)

welcome to T.s.g wayfarer

1st,go here:http://beam.to/spybotsd
download "spybot" hit the online tab and download any updates.
now hit the "check for problems"tab......after the scan let spybot fix all it finds.

2nd,go here:http://www.tomcoyote.org/hjt/
download "hijackthis"
Unzip....... double-click HijackThis.exe and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
save the log somewhere(ie: desktop) and please copy & paste its contents in this security forum....but as a new thread.....that way it wont be tagged onto an existing thread.
thanx.

good luck

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## dcw_leung (Aug 4, 2003)

Thanks flrman1 for the initial advice

Revised Log file

Logfile of HijackThis v1.96.0
Scan saved at 10:24:56 AM, on 8/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
D:\NORTON UTILITIES\NPROTECT.EXE
D:\NORTON CLEANSWEEP\CSINJECT.EXE
D:\VIRUSSCAN\AVSYNMGR.EXE
D:\VIRUSSCAN\VSSTAT.EXE
D:\VIRUSSCAN\VSHWIN32.EXE
D:\VIRUSSCAN\AVCONSOL.EXE
D:\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HKserv.exe] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JogServ2.exe] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [NPROTECT] D:\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [BaySwap] C:\PROGRA~1\POWERP~1\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [NPROTECT] D:\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] D:\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] D:\VirusScan\AVSYNMGR.EXE
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
O4 - Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.60/Java/cfsn31235.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37831.3074305556
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

When running CWShredder I did get the message: -

Your hosts file is huge. I'm not scanning that!
File is > 580,000 bytes

Thanks for helping again!

dcw_leung


----------



## Flrman1 (Jul 26, 2002)

dcw_leung

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART

O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.60/Java/cfsn31235.cab

-----------------------------------------------------------------------------------
These next 2 are open to debate as to whether they are bad or not so I'll leave them up to you to keep or not:

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

Restart your computer.

That's it.


----------



## dcw_leung (Aug 4, 2003)

Thanks!

Good knows what could have happened mid-Powerpoint otherwise!


----------



## $teve (Oct 9, 2001)

must be a tag team firman


----------



## Flrman1 (Jul 26, 2002)

You're Welcome dcw_leung !


----------



## dude9111 (Aug 6, 2003)

I tried to post this somewhere else, but think I put it in the wrong place. If someone can help me out with what I should fix/remove from my log I would appreciate it. Thanks

Logfile of HijackThis v1.96.0
Scan saved at 5:54:35 PM, on 08/05/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HOUELYFLS] C:\WINDOWS\HOUELYFLS.exe
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BEAC7E2-4360-4CCE-B732-661AC1528706}: NameServer = 198.81.19.4


----------



## $teve (Oct 9, 2001)

hello dude
just a couple to check in hijackthis......then close all browser windows and "fix checked"

O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe

also..........do you recognise this one?:
O4 - HKLM\..\Run: [HOUELYFLS] C:\WINDOWS\HOUELYFLS.exe

re-boot and post another H/T logfile.


----------



## Dave155 (Aug 7, 2003)

I'm experiencing the same type of problem. Mine consists of the xxxtoolbar thing being a program stuck when I go to Control Panel>Add or Remove Programs.

When I try to Change/Remove nothing happens, and it stays there.

I've tried a number of the other things you guys have mentioned Hijackthis, RapidBlaster, SpyBot, etc before taking it this far, but still haven't gotten rid of the program file.

At this point I don't know if that xxxtoolbar program is the only thing that's left. It took a while to delete the ISTbar file, and a reason why I don't think xxxtoolbar is the only thing is that during the SpyBot search there were some xxxteen, etc stuff that appeared but didn't get identified.

Any advice would be greatly appreciated. Thanks so much in advance.


----------



## Flrman1 (Jul 26, 2002)

Dave155

Welcome to TSG!

Please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Un Zip it and click on the Hijachthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless. Someone here will be glad to advise you on what to fix.


----------



## Dave155 (Aug 7, 2003)

Unfortunately I already downloaded Hijack this, scaned everything, as well as fixed it all prior to my first reply. I guess I thought maybe I could fix the problem myself, boy was I wrong. Anyway, I restarted my computer, doesn't seem like it hurt too many other things (obvious alterior thing effected was my homepage was switched to blank). The xxxtoolbar program is still in the Add Remove Program folder, and I can't delete it.

Is there anything else that could help minus hijack this, cause now due to my error it reports nothing except my homepage again?


Once again, thanks in advance!


----------



## 10sne1 (Aug 7, 2003)

Please someone help me to get rid of that stupid ISTbar. I've downloaded Hijackthis and scanned. Here is the logfile.

Logfile of HijackThis v1.96.0
Scan saved at 11:25:05 PM, on 8/6/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\wuauclt.exe

Please let me know what files to delete. Thank you very very much!


----------



## dude9111 (Aug 6, 2003)

Thanx $teve........ I read the how to file in Hijack this and those were the same files I came up with, but there were a few others that I also took off that the file said were bad (017). I am still getting popups on my computer though from "Messenger Service"
regaurding system alert and messengerkiller.com, but this is nowhere in my registry. If you could help me stop these with a fix/program/regedit/firewall I would appreciate it.


----------



## dude9111 (Aug 6, 2003)

by the way.... here is my new hijack this log:

Logfile of HijackThis v1.96.0
Scan saved at 11:13:47 PM, on 08/06/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\BACKWE~1.EXE
C:\Program Files\KaZaA Lite\Kazaa.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin8.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

10sne1 

Welcome to TSG!

Sorry but that is only part of your HT log. We can't do anything with just that. Please post the entire contents of the log. It would be best if you start your own thread you will get help quicker as more people will see it. It looks like $teve and I are the only two that are following this thread and I don't know what $teve's schedule is this week but mine is full and I just do not have much time this week. Please go back to the main Security page and click on "New thread" and post your log in a new thread and you'll probably get help before I even get back on here today. Be sure you Copy and Paste all of the log.


----------



## Flrman1 (Jul 26, 2002)

dude9111 
That log looks clean to me.
Have a look here http://www.itc.virginia.edu/desktop/docs/messagepopup/ concerning those popups.


----------



## danvorhaus (Aug 9, 2003)

Hi all,

I've been having some problems with my system for several weeks now and I hope I've come to the right place to solve them. In addition to the Unipages/coolwebsearch google hijack that's been described in this thread I also have (I think) another problem.

Fairly regularly (40%-60% of the time) when I have multiple windows open (not just IE but of any application) one of them all of sudden becomes "hot." That is to say that it will suddenly seem to repeatedly refresh itself, always making itself the active window no matter how often I try to click away. If I minimize the hot window I can often use the other windows while the hot one flashes at the bottom of the screen, indicating that it has been refreshed. However, that isn't always the case...sometimes I'm forced to close every application and start all over and the problem usually returns right away.

I've tried Ad-Aware, Spybot S&D, a program called Armor2Net Personal Firewall...nothing has fixed it. I also tried using the rbkiller program but that didn't find any instances of Rapid Blaster on my system. I'm at my wits end....here's my HT log, can somebody please please help me fix this problem.

Thanks so much.

HT LOG:

Logfile of HijackThis v1.96.0
Scan saved at 4:13:47 AM, on 8/9/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\ARMOR2NET.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/5/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchv.com/5/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/5/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://findloss.com/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/5/search.php?qq=%s (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=ftp-proxy.duke.edu:8080;gopher=gopher-proxy.duke.edu:8080;http=http-proxy.duke.edu:8080;https=https-proxy.duke.edu:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\CCHELPER.DLL
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)
O2 - BHO: (no name) - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\POPUPKILLER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\POPUPUS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ARMOR2NET] C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\Armor2net.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\msspi.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.yahoo.com/java/y/mlbst8298_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab


----------



## $teve (Oct 9, 2001)

download LSPfix here: www.cexx.org/lspfix.htm 
launch the application........ and click the "i know what I'm doing" checkbox. 
check all instances of msspi.dll (and nothing else) and move them to the "remove" pane. .....then click Finish.

delete c:\windows\system\msspi.dll

now go here:www.spywareinfo.com/~merijn/files/cwshredder.zip
and download and run "cwshredder"

then post another H/T log.
good luck


----------



## danvorhaus (Aug 9, 2003)

Hi,

Thanks for the advice. I followed your instructions (though I didn't do the experimental fix in cwshredder - should I do that?). Anyway, here is the new HT log:

Logfile of HijackThis v1.96.0
Scan saved at 5:53:37 AM, on 8/9/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=ftp-proxy.duke.edu:8080;gopher=gopher-proxy.duke.edu:8080;http=http-proxy.duke.edu:8080;https=https-proxy.duke.edu:8080
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\CCHELPER.DLL
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)
O2 - BHO: (no name) - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\POPUPKILLER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\POPUPUS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ARMOR2NET] C:\PROGRAM FILES\ARMOR2NET\ARMOR2NET PERSONAL FIREWALL\Armor2net.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! MLB StatTracker - http://aud5.sports.yahoo.com/java/y/mlbst8298_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab


----------



## donnyboy (Aug 10, 2003)

I too am suddenly plagued by this pesky porn bar. Please tell me what I need to remove!!!

Logfile of HijackThis v1.96.0
Scan saved at 5:56:22 PM, on 8/9/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = +s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lycos.com/srch/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131067
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R3 - URLSearchHook: (no name) - À[@ - (no file)
R3 - URLSearchHook: (no name) - Lsáw9 - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.110:8027/Java/cs4ms090.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.rediff.com/gujarati/wfplayer/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/3096284ca668d2cf4c02/netzip/RdxIE6.cab
O16 - DPF: {5DB05CB8-7751-469D-A1DD-45C8C201C013} (Blender 3D Plug-in Active X Control) - http://entropy8zuper.org/airport/customs/Blender3DPlugin.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {76D31A21-9402-11D6-97B6-0010DC2A6243} (SecureLogin.SecureControl) - https://secure2.comned.com/signuptemplates/ActiveSecurity.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37840.5075810185
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.ichat.com/custom/nativeclient/msichat.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4029.cab

Thank you!!!


----------



## Flrman1 (Jul 26, 2002)

donnyboy

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = +s

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=131067

R3 - URLSearchHook: (no name) - À[@ - (no file)

R3 - URLSearchHook: (no name) - Lsáw9 - (no file)

O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab

O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.20.110:8027/Java/cs4ms090.cab

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/3096284ca668d2...tzip/RdxIE6.cab

Restart your computer and delete:
The C:\Program Files\ISTsvc folder.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards keeping you spyware free.


----------



## Flrman1 (Jul 26, 2002)

ATTENTION!!!!

Anyone who has posted in this thread and has been overlooked or anyone who is about to post in this thread that needs help with a Hijack This log.

Please start your own thread. You will get help quicker. It is always better to start your own thread as these threads that have been going on and on get very confusing and many people get lost in the shuffle. Also many of the techs that come here will be looking for new threads and not likely to see your post buried in here.

As soon as donnyboy posts back his results and his problem has been resolved this thread will be closed.


----------



## $teve (Oct 9, 2001)

danvorhous...thats a whole lot better.....check these items in hijackthis....close all browser windows and "fix checked"

O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


thats it


----------



## Flrman1 (Jul 26, 2002)

$teve

These two 

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

I'm sure are present as a result of danvorhaus locking his home page and IE's control panel using Spybot's Immunize feature as indicated by this entry

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL


----------



## joannald1 (Aug 10, 2003)

I have been trying to get rid of these porn pop ups forever. I'll leave my computer and come back to sometimes up to 30 of them. I did the HiJack This thing, but none of it means anything to me and I read not to delete anything until I hear from someone who knows what they are doing..which is definitely not me...so here it is

Logfile of HijackThis v1.96.0
Scan saved at 3:17:38 PM, on 8/10/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\AIM+\AIM+.exe
C:\WINDOWS\System32\aupdate.exe
C:\Program Files\AIM95\aim.exe
C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM95\AIM95_c1\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\rb32\rb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://aok.lib.umbc.edu/proxies.php3 
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\Program Files\SafeSurfing\SSUpdate.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 2.1.0.89 - http://63.102.227.45/Java/cs4fs089.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37510.6049768519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

after you tell me what to do, do i rerun the hijack this thing and then click and delete? I'm very confused about all of this and I dont want to mess up my computer!! Thanks


----------



## Flrman1 (Jul 26, 2002)

joannald1 

Welcome to TSG!

Please go back to the main security forum and start a new thread. This thread has gone on and on and needs to be closed. It gets too confusing when there are so many logs being posted back to back in the same thread. I will look for you're new thread there and have a look at your log.

I am going to request that the moderators close this one. 

Thank you,

Mark


----------



## Flrman1 (Jul 26, 2002)

ATTENTION!!!!

Anyone who has posted in this thread and has been overlooked or anyone who is about to post in this thread that needs help with a Hijack This log.

Please start your own thread. You will get help quicker. It is always better to start your own thread as these threads that have been going on and on get very confusing and many people get lost in the shuffle. Also many of the techs that come here will be looking for new threads and not likely to see your post buried in here.

I will be requesting that the mods close this thread tomorrow morning so it does not rear it's ugly head again. 

If you have posted in this thread and your problem is not yet resolved please reply by tomorrow morning.


----------

