
deciphering hijackthis log - help please


  • This topic is locked
6 replies to this topic

#1 pburrier

pburrier

  • Members
  • 44 posts
  • OFFLINE
  • Local time:08:01 PM

Posted 03 June 2004 - 09:48 PM

I am so glad that Security Forums turned me onto this site.

I am in need of your help. I have installed and run Grisoft AVG 7.0 anti-virus as well as SpySweeper several times. They have done their thing, but to no avail: I am still overrun with Wintools and my computer keeps becoming more and more unstable.

Below is my startup listing from MSconfig:

StartupList report, 06/03/2004, 9:18:30 PM
StartupList version: 1.52
Started from : C:\MY DOWNLOADS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
AVG7_CC = C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
WinTools = C:\Program Files\Common files\WinTools\WToolsA.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

GoBack Polling Service = C:\Program Files\Wild File\GoBack\GBPoll.exe
WinTools = C:\Program Files\Common files\WinTools\WToolsA.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv mfpdaemon

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 3/6/2004, 9:45:40)

[RENAME]
NUL=C:\WINDOWS\TEMP\WTA1WTOOLSA.EXE
NUL=C:\WINDOWS\TEMP\~732300.TMP
NUL=C:\WINDOWS\TEMP\~732300.TMP
NUL=C:\WINDOWS\TEMP\WTA1WTOOLSA.EXE
NUL=C:\WINDOWS\TEMP\~865297.TMP
NUL=c:\WINDOWS\TEMP\~865297.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG7\BOOTUP.EXE
C:\PROGRA~1\WILDFI~1\GOBACK\GB_PROG.EXE /i C:2000
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL - {87766247-311C-43B4-8499-3D5FEC94A183}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Defragmenter.job
Disk Cleanup.job
ScanDisk.job
Windows Critical Update Notification.job
McAfee.com Update Check 03212004214411.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBIN\SHARED\MGBRWFLD.DLL
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

[{9771C160-AD19-11D5-91BE-0048546CB511}]
CODEBASE = http://216.176.203.29/data/program3/download.exe

[MetaStreamCtl Class]
InProcServer32 = C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MEDIA PLAYER\AXMETASTREAM_03000C09.DLL
CODEBASE = https://components.viewpoint.com/MTSInstall...MetaStream3.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\SYSTEM\MCINSCTL.DLL
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1044/V...en/actsetup.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7899.6887847222

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
CODEBASE = http://download.weatherbug.com/minibug/tri...uginstaller.cab

[{0335A685-ED24-4F7B-A08E-3BD15D84E668}]
CODEBASE = http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Brix6ie Control]
InProcServer32 = C:\WINDOWS\BRIX6IE.OCX
CODEBASE = http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[Yahoo! Photos Easy Upload Tool Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YDROPPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://software-dl.real.com/287e7789f6012f...ip/RdxIE601.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL
CODEBASE = http://www.symantec.com/techsupp/activedata/SymAData.dll

[Live Collaboration]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RNTX.DLL
CODEBASE = http://liveca04.rightnowtech.com/sonystyle...l/java/RntX.cab

[Uninstall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\UNINST~1.OCX
CODEBASE = http://www.worldwinner.com/games/shared/uninstall.cab

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,354 bytes
Report generated in 0.213 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

whew!!! Okay now here is my hijackthis log...

Logfile of HijackThis v1.97.7
Scan saved at 5:20:29 PM, on 06/03/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gohip.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-explorer.net/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +w
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.gohip.com/hipsearch/?sc=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com\\"); (C:\Program Files\Netscape\Users\jims_secret_file\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.29/data/program3/download.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7899.6887847222
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...uginstaller.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/287e7789f6012f...ip/RdxIE601.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/sonystyle...l/java/RntX.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

Your expertise and generous help would be greatly appreciated, as I need to be getting some more resumes out as I am ungainfully employed. I will be sorting through your tutorial section on hijackthis but would like someone knowledgeable to verify what I interpret from the tutorial to fix before going any further.

I am thankful for your assistance in any manner and would happily take any advice regarding the matter.

It is my hope to learn from this all the way around. PLEASE KNOW I LOOK FORWARD TO YOUR HELP AND I THANK YOU IN ADVANCE FOR IT.

SINCERELY, Patty Burrier



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,539 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:01 PM

Posted 03 June 2004 - 10:43 PM

Ok, let's do some cleaning up here.

Click on start then settings and then control panel. Double click on add/remove programs and remove the following if they exist:

Searchit
My toolbar
qidion
'masterbarHallmedia.net
Wintools

If you see any of those, or even similar ones that you do not recognize, please remove them. When you are done, reboot your computer and post a new log.

Thanks

#3 pburrier

pburrier
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  • Local time:08:01 PM

Posted 04 June 2004 - 11:35 AM

My thanks for your help Grinler...

I did as requested; the only file in the control panel add/remove area was Wintools for Internet Explorer 2. When I went to delete it, it gave me a window message that this program had already been deleted and asked whether I still wanted to remove it from the listing. I said yes.

In the meantime I saw in the control panel that it still had mcafee and Norton's in there from previous anti-virus programs I had. Although I had disabled them, I backed up these programs and associated files (I think) to a zip and removed them as well from the control panel add/remove.

I hope when you request that I run another log that you are referring to both the start up and hijackthis log. I apologize for any misinterpreting on my part.

Here is the latest:

I ran another start up log posted below:

StartupList report, 06/04/2004, 11:22:23 AM
StartupList version: 1.52
Started from : C:\MY DOWNLOADS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
AVG7_CC = C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

GoBack Polling Service = C:\Program Files\Wild File\GoBack\GBPoll.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv mfpdaemon

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 3/6/2004, 22:17:6)

[Rename]
NUL=C:\PROGRA~1\MCAFEE.COM\AGENT\UNINST\VSOREMUI.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG7\BOOTUP.EXE
C:\PROGRA~1\WILDFI~1\GOBACK\GB_PROG.EXE /i C:2000
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL - {87766247-311C-43B4-8499-3D5FEC94A183}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Defragmenter.job
Disk Cleanup.job
ScanDisk.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBIN\SHARED\MGBRWFLD.DLL
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

[{9771C160-AD19-11D5-91BE-0048546CB511}]
CODEBASE = http://216.176.203.29/data/program3/download.exe

[MetaStreamCtl Class]
InProcServer32 = C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MEDIA PLAYER\AXMETASTREAM_03000C09.DLL
CODEBASE = https://components.viewpoint.com/MTSInstall...MetaStream3.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\SYSTEM\MCINSCTL.DLL
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1044/V...en/actsetup.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7899.6887847222

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
CODEBASE = http://download.weatherbug.com/minibug/tri...uginstaller.cab

[{0335A685-ED24-4F7B-A08E-3BD15D84E668}]
CODEBASE = http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Brix6ie Control]
InProcServer32 = C:\WINDOWS\BRIX6IE.OCX
CODEBASE = http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[Yahoo! Photos Easy Upload Tool Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YDROPPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://software-dl.real.com/287e7789f6012f...ip/RdxIE601.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL
CODEBASE = http://www.symantec.com/techsupp/activedata/SymAData.dll

[Live Collaboration]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RNTX.DLL
CODEBASE = http://liveca04.rightnowtech.com/sonystyle...l/java/RntX.cab

[Uninstall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\UNINST~1.OCX
CODEBASE = http://www.worldwinner.com/games/shared/uninstall.cab

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,042 bytes
Report generated in 0.084 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I also ran another Hijackthis log - again posted below:

Logfile of HijackThis v1.97.7
Scan saved at 11:19:16 AM, on 06/04/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gohip.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-explorer.net/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +w
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.gohip.com/hipsearch/?sc=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com\\"); (C:\Program Files\Netscape\Users\jims_secret_file\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.29/data/program3/download.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7899.6887847222
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...uginstaller.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/287e7789f6012f...ip/RdxIE601.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/sonystyle...l/java/RntX.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

I am very grateful to have you work with me on this dilemma.

For you I wish many great things....

graciously, patty

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,539 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:09:01 PM

Posted 04 June 2004 - 11:53 AM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click Scan, and put a checkmark next to each of these. Then click the Fix button.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gohip.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-explorer.net/search_page.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = +w
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.gohip.com/hipsearch/?sc=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.29/data/program3/download.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/sonystyle...l/java/RntX.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

Reboot your computer into Safe Mode and delete the following files:

Then delete these files or directories:
c:\program files\Common Files\wintools (delete the entire directory)

Reboot your computer to go back to normal mode and post a new log.
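A small triage script for the kinds of entries the reply above singles out: R0/R1 search and start-page overrides pointing at an unexpected host, R3/O2 modules loading from the WINTOOLS directory, and O16 DPF codebases served from a bare IP address or as a raw executable. This is an added example, not code from the thread or from HijackThis; the trusted-host list and the watched path token are constructed assumptions, and the sample lines are copied from the entry families shown in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed allow/watch lists for this example (assumptions, not from HijackThis).
TRUSTED_SEARCH_HOSTS = {"www.netscape.com", "www.google.com", "www.msn.com"}
WATCHED_PATH_TOKENS = ("WINTOOLS",)   # the directory the reply above removes
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: entries of the same families as the thread's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.29/data/program3/download.exe
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
"""

def parse_line(line):
    """Split 'O16 - DPF: ...' into its HijackThis section code and the remainder."""
    m = re.match(r"^([RNOF]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())

def urls_in(text):
    return re.findall(r"https?://\S+", text)

def triage_line(line):
    """Return a reason string if this entry deserves a look, else None."""
    code, body = parse_line(line)
    if code in ("R0", "R1"):
        for url in urls_in(body):
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                return f"{code}: search/start page points at {host}"
    elif code in ("R3", "O2", "O3"):
        if any(tok in body.upper() for tok in WATCHED_PATH_TOKENS):
            return f"{code}: module loads from a watched directory"
    elif code == "O16":
        for url in urls_in(body):
            host = urlparse(url).hostname or ""
            if IPV4_HOST.match(host):
                return f"{code}: ActiveX codebase served from bare IP {host}"
            if url.lower().endswith(".exe"):
                return f"{code}: ActiveX codebase is a raw executable"
    return None

def triage(log_text):
    """Return [(code, reason, line)] for every entry that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((parse_line(line)[0], reason, line))
    return hits

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(reason, "->", line)
```

The rules are deliberately narrow; an entry that passes them (such as the "(no name)" Yahoo Companion BHO left alone in the thread) still needs a human look at the path and CLSID.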

#5 pburrier

pburrier
  • Topic Starter
  • Members
  • 44 posts

Posted 04 June 2004 - 02:06 PM

Grinler, I followed all your requests, and below you will find a new posting of the startup list as well as the HijackThis log.

If I happen to win the lottery this weekend, I promise not to forget you sharing your generous expertise. I will not forget you Grinler.

Here are the updated posts:

StartupList report, 06/04/2004, 1:57:54 PM
StartupList version: 1.52
Started from : C:\MY DOWNLOADS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
AVG7_CC = C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv mfpdaemon

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 3/6/2004, 22:17:6)

[Rename]
NUL=C:\PROGRA~1\MCAFEE.COM\AGENT\UNINST\VSOREMUI.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG7\BOOTUP.EXE
C:\PROGRA~1\WILDFI~1\GOBACK\GB_PROG.EXE /i C:2000
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Defragmenter.job
Disk Cleanup.job
ScanDisk.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBIN\SHARED\MGBRWFLD.DLL
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\SYSTEM\MCINSCTL.DLL
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1044/V...en/actsetup.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7899.6887847222

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
CODEBASE = http://download.weatherbug.com/minibug/tri...uginstaller.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[Yahoo! Photos Easy Upload Tool Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YDROPPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://software-dl.real.com/287e7789f6012f...ip/RdxIE601.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL
CODEBASE = http://www.symantec.com/techsupp/activedata/SymAData.dll

[Uninstall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\UNINST~1.OCX
CODEBASE = http://www.worldwinner.com/games/shared/uninstall.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 5,573 bytes
Report generated in 0.140 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

and lastly - hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 2:03:33 PM, on 06/04/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com\\"); (C:\Program Files\Netscape\Users\jims_secret_file\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Dialpad Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...55/mcinsctl.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7899.6887847222
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...uginstaller.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/287e7789f6012f...ip/RdxIE601.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab

I will await word regarding the above posts and know that your service and this site have been a gift.

ever so grateful, Patty Burrier

#6 Grinler

Grinler

    Lawrence Abrams

  • Admin
  • 43,539 posts
  • Gender:Male
  • Location:USA

Posted 04 June 2004 - 03:27 PM

The log looks clean to me. Are you still having the same problems?

#7 pburrier

pburrier
  • Topic Starter
  • Members
  • 44 posts

Posted 04 June 2004 - 03:39 PM

I don't believe I am having any problems now. You are my hero.

I am going to do a thorough scandisk and defrag, which is how I discovered this to begin with, as I could not close wintoolsa & wsup before performing the scan.

It is my deepest heartfelt thanks for your assistance.

Patty
