Alright All Virus Experts I NEED YOU!


38 replies to this topic

#1 chriscwirla

Posted 24 June 2004 - 01:19 AM

Hello everyone. I've been reading this website forever and am very impressed with how you all know your stuff with viruses. Well, I am letting and giving my computer's fate to you guys. There is a program on my computer in Common Files called Win Tools. Access denied every time, and I have SpywareGuard, Ad-aware and Search and Destroy, and they still can't take this out. They see it and quarantine it and I delete it, of course, not the whole file though because it won't let me. But it keeps coming back. Just today Ezula(?) also ended up on my computer. My firewall detected it and asked if it could grant it access to my internet. I declined because I knew there was something strange about the program. Turns out there is. I went to a website and it told me all about it and how to get rid of it (it's gone for now, and I hope forever). Search and Destroy and those other two got rid of it and helped a lot also. But when it comes to this Win Tools thing, well, I followed a forum and I did what it said and it still won't let me. Even in safe mode. I also had a little problem with this file called infamous.exe (was a virus I got rid of in safe mode), but while I was searching in my hijacked files when I scanned, I saw it in WM (Windows Media, I believe) and hijacked it. Hope that's gone. I do have the whole McAfee program with firewall and VirusScan too, just to let you guys know, and so far every time I scan it can't find anything. And I scan everything. A toolbar keeps popping up on my computer too, and it keeps wanting to change my home page or something to about:blank. I believe, though, that that is supposed to be with the Win Tools thing. So please, can anybody help me out there? lol I need your expertise on my problem, and if there is anything you guys need to help my computer out, I'll TELL YOU!! Thank you very much.
A man indeed of trouble. P.S. I have a Dell Dimension XPS T600r and it is a Pentium 3. I use Windows XP Professional also.

Edited by chriscwirla, 24 June 2004 - 01:23 AM.



#2 Grinler (Lawrence Abrams, Admin)

Posted 24 June 2004 - 10:54 AM

No problem. We can get this removed for you. Please follow these steps:

Create a directory on your hard drive to save HijackThis.exe, for example c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

or here:

http://computercops.biz/downloads-cat-14.html

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens, click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates, press the Back button.

Now click on the Scan button and, when it is finished, click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit, then click on Select All. Then click on Edit and then click on Copy.

Create a reply to this post here, right-click in the message area and select Paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers & Spyware

#3 chriscwirla (Topic Starter)

Posted 24 June 2004 - 04:35 PM

Ok, here it is. But by the way, I did my Ad-aware today and Virtumundo came up. I deleted it all. Not sure what it was. Probably another program. Also, my McAfee keeps finding this and I cannot delete, clean or quarantine it, and when I scan it can't find it: C:\System Volume Information\_restore{549883FE-C6AF-440D-B044-C92837E6104F}\RP254\A0112039.exe\A0112039.EXE, virus name: StartPage-Cw. Thank you very much for all the help too.

Logfile of HijackThis v1.97.7
Scan saved at 4:34:05 PM, on 6/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\c\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138
O1 - Hosts: ed by at least one
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Part Creative - {99913526-EC1D-ADDA-542E-9D069B9EC087} - C:\PROGRA~1\EXTRAG~1\admin tray.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [UpromiseRemindU] javaw -cp "C:\Program Files\UpromiseRemindU\System\Code" Main lp: "C:\Program Files\UpromiseRemindU"
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Blah2] C:\PROGRA~1\stop about\City Enc Dent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: RemindU (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v44/co...se/collapse.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v54/cubis/cubis.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7863.4878703704
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.5/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Edited by chriscwirla, 24 June 2004 - 05:25 PM.


#4 Grinler (Lawrence Abrams, Admin)

Posted 24 June 2004 - 08:43 PM

I want you to fix some of those entries. Please do the following:


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138
O1 - Hosts: ed by at least one
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Part Creative - {99913526-EC1D-ADDA-542E-9D069B9EC087} - C:\PROGRA~1\EXTRAG~1\admin tray.dll
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Blah2] C:\PROGRA~1\stop about\City Enc Dent.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab


Reboot your computer into Safe Mode and delete the following:

C:\Program Files\TV Media\
C:\PROGRAM FILES\stop about\

Disable System Restore. You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.
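The entries picked out in the post above fall into a handful of HijackThis sections: R0/R1 browser start and search settings, O1 hosts-file edits, O3 toolbars, O4 Run keys and O16 ActiveX downloads. The script below is an added example, not part of this thread and not code from HijackThis: it parses a constructed subset of the log posted in reply #3 and flags entries with the same heuristics a helper applies by eye: a toolbar with no name or no backing file, a Run entry or toolbar DLL outside known vendor directories, an IE search setting or an O16 CAB served from an untrusted domain or a raw IP, and any hosts-file modification. The trusted-host and trusted-directory lists are assumptions chosen for the demonstration, not a vetted database, and the function names (`parse_hjt`, `triage`, `host_is_trusted`, `path_is_trusted`) are this example's own.

```python
"""Triage a HijackThis log by section.

Added example for this thread; not part of the original posts and not code
from HijackThis. SAMPLE_LOG is a constructed subset of the log posted in
reply #3, and the two allow-lists are assumptions for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed subset of the 24 June 2004 log from the thread (raw string,
# so the backslashes are literal, exactly as HijackThis prints them).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138
O1 - Hosts: ed by at least one
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Part Creative - {99913526-EC1D-ADDA-542E-9D069B9EC087} - C:\PROGRA~1\EXTRAG~1\admin tray.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [Blah2] C:\PROGRA~1\stop about\City Enc Dent.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

# Assumed allow-lists for this demonstration only; a real helper keeps a
# much longer, curated list and still reads every entry.
TRUSTED_WEB_HOSTS = ("yahoo.com", "sbc.com", "microsoft.com", "msn.com",
                     "macromedia.com", "mcafee.com", "dell.com")
TRUSTED_LOCAL_DIRS = ("c:\\windows\\", "c:\\program files\\yahoo!\\",
                      "c:\\program files\\mcafee\\")

ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) for every HijackThis entry line; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def host_is_trusted(url):
    """True only for a DNS name on the allow-list; a raw IP never qualifies."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in TRUSTED_WEB_HOSTS)


def path_is_trusted(cmd):
    """True if the first .exe/.dll/.ocx path in cmd sits under a trusted directory."""
    m = PATH_RE.search(cmd)
    return bool(m) and m.group(0).lower().startswith(TRUSTED_LOCAL_DIRS)


def triage(text):
    """Return [(section, reason, body)] for entries that deserve a closer look."""
    flagged = []
    for sec, body in parse_hjt(text):
        reason = None
        if sec in ("R0", "R1"):
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value.startswith("http") and not host_is_trusted(value):
                reason = "IE start/search setting points at an untrusted host"
        elif sec == "O1":
            reason = "hosts file has been modified"
        elif sec == "O3":
            if "(no name)" in body or "(no file)" in body:
                reason = "toolbar with no name or no backing file"
            elif not path_is_trusted(body):
                reason = "toolbar DLL outside trusted directories"
        elif sec == "O4":
            if not path_is_trusted(body):
                reason = "Run entry outside trusted directories"
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not host_is_trusted(url):
                reason = "ActiveX CAB from an untrusted host or raw IP"
        if reason:
            flagged.append((sec, reason, body))
    return flagged


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {body}")
```

On the sample it flags exactly the websearch.com R1 entry, the O1 hosts line, both toolbars, both Run entries and the two O16 CABs named in the post above, and leaves the Yahoo!, NVIDIA and Macromedia entries alone. Allow-listing by host and directory is deliberately conservative: an unknown entry is a prompt to look it up, not a verdict, which is the reason the thread insists on not fixing entries you do not understand.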

#5 chriscwirla (Topic Starter)

Posted 25 June 2004 - 12:49 AM

Ok, I did everything you told me to, but I could not find the files C:\Program Files\TV Media\ anywhere, even in search, or C:\PROGRAM FILES\stop about\ in safe mode. I hijacked what you told me, and I disabled System Restore and then re-enabled it. Also, everything that I have hijacked made a back-up file. Should I delete the back-up files? Anyway, I logged in and Windows Media pops up (not sure if we can do that manually or if it is doing that for a reason). And my SpywareGuard came up again saying it wanted to change my Internet Explorer home page again, 3 times. Good grief, what's wrong with my comp. lol Help

Logfile of HijackThis v1.97.7
Scan saved at 12:43:46 AM, on 6/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\c\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50138
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [UpromiseRemindU] javaw -cp "C:\Program Files\UpromiseRemindU\System\Code" Main lp: "C:\Program Files\UpromiseRemindU"
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [cryptsvc] C:\WINDOWS\System32\cryptsvc.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: RemindU (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v44/co...se/collapse.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v54/cubis/cubis.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7863.4878703704
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.5/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#6 chriscwirla (Topic Starter)

Posted 25 June 2004 - 09:26 PM

Ok, top-notch information. Alright, this WinTools thing is such a pain in the butt. I went to http://www.pchell.com/support/wintools.shtml and followed all their instructions and it still won't GO!!!!!!!!!!!! I deleted a lot of the information in registry keys with WinTools, though, but there were some files that just won't DELETE! Errr... this makes me so upset. And the WinTools file is still there in Common Files. I've been deleting whatever WinTools stuff it lets me, and now it's stuck in my services, which I deleted. All in safe mode, and still it does not help. I've been looking over my HijackThis log to see any suspicion, and still no luck. Here's all the information I've gotten and a new HijackThis log. This is my system services, of what's going on. Note this is what I mean about stuck in my services: the first one. I disabled it earlier; now it's just there for I don't know what.
Name | Status | Startup Type | Log On As
WinTools for IE service | | | Local System
AOL Connectivity Service | | Automatic | Local System
Automatic Updates | | Automatic | Local System
AVSync Manager | | Automatic | Local System
Computer Browser | | Automatic | Local System
Cryptographic Services | Started | Automatic | Local System
DHCP Client | | Automatic | Local System
Distributed Link Tracking Client | | Automatic | Local System
DNS Client | | Automatic | Network Service
Error Reporting Service | | Automatic | Local System
Event Log | Started | Automatic | Local System
Fax | | Automatic | Local System
GEARSecurity | | Automatic | Local System
Help and Support | Started | Automatic | Local System
IPSEC Services | | Automatic | Local System
LexBce Server | | Automatic | Local System
Logical Disk Manager | Started | Automatic | Local System
McAfee Firewall | | Automatic | Local System
NVIDIA Driver Helper Service | | Automatic | Local System
Plug and Play | Started | Automatic | Local System
Print Spooler | | Automatic | Local System
Protected Storage | | Automatic | Local System
Remote Procedure Call (RPC) | Started | Automatic | Local System
Remote Registry | | Automatic | Local Service
Secondary Logon | | Automatic | Local System
Security Accounts Manager | | Automatic | Local System
Server | | Automatic | Local System
Shell Hardware Detection | | Automatic | Local System
System Event Notification | | Automatic | Local System
System Restore Service | | Automatic | Local System
Task Scheduler | | Automatic | Local System
TCP/IP NetBIOS Helper | | Automatic | Local Service
Themes | | Automatic | Local System
Upload Manager | | Automatic | Local System
WebClient | | Automatic | Local Service
Windows Audio | | Automatic | Local System
Windows Management Instrumentation | Started | Automatic | Local System
Windows Time | | Automatic | Local System
Wireless Zero Configuration | | Automatic | Local System
WMDM PMSP Service | | Automatic | Local System
Workstation | | Automatic | Local System
Human Interface Device Access | | Disabled | Local System
Messenger | | Disabled | Local System
Routing and Remote Access | | Disabled | Local System
SSDP Discovery Service | | Disabled | Local Service
Universal Plug and Play Device Host | | Disabled | Local Service
Alerter | | Manual | Local Service
Application Layer Gateway Service | | Manual | Local Service
Application Management | | Manual | Local System
Background Intelligent Transfer Service | | Manual | Local System
ClipBook | | Manual | Local System
COM+ Event System | | Manual | Local System
COM+ System Application | | Manual | Local System
Distributed Transaction Coordinator | | Manual | Network Service
Fast User Switching Compatibility | | Manual | Local System
IMAPI CD-Burning COM Service | | Manual | Local System
Indexing Service | | Manual | Local System
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) | | Manual | Local System
Logical Disk Manager Administrative Service | | Manual | Local System
McAfee SecurityCenter Update Manager | | Manual | Local System
McShield | | Manual | Local System
MS Software Shadow Copy Provider | | Manual | Local System
Net Logon | | Manual | Local System
NetMeeting Remote Desktop Sharing | | Manual | Local System
Network Connections | | Manual | Local System
Network DDE Manual Local System
Network DDE DSDM Manual Local System
Network Location Awareness (NLA) Manual Local System
NT LM Security Support Provider Manual Local System
Performance Logs and Alerts Manual Network Service
Portable Media Serial Number Service Manual Local System
QoS RSVP Manual Local System
Remote Access Auto Connection Manager Manual Local System
Remote Access Connection Manager Manual Local System
Remote Desktop Help Session Manager Manual Local System
Remote Procedure Call (RPC) Locator Manual Network Service
Removable Storage Manual Local System
Smart Card Manual Local Service
Smart Card Helper Manual Local Service
Telephony Manual Local System
Telnet Manual Local System
Terminal Services Manual Local System
Uninterruptible Power Supply Manual Local System
Volume Shadow Copy Manual Local System
Windows Image Acquisition (WIA) Manual Local System
Windows Installer Manual Local System
Windows Management Instrumentation Driver Extensions Manual Local System
WMI Performance Adapter Manual Local System
YPCService Manual Local System
Now here is what my Ad-aware picked up.

(Note: some things I'm sure are of no use to you, but I'll try.)


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, June 25, 2004 8:23:52 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R324 22.06.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan within archives


6-25-2004 8:23:52 PM - Scan started. (Smart mode)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-25-2004 11:58:07 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\System32\
ThreadCreationTime : 6-25-2004 11:58:20 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-25-2004 11:58:23 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 6/26/2004 1:23:52 AM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-25-2004 11:58:23 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 6/26/2004 1:23:52 AM
Last modified : 8/23/2001 12:00:00 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-25-2004 11:58:25 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 6/26/2004 1:23:52 AM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-25-2004 11:58:26 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 6/26/2004 1:23:52 AM
Last modified : 8/23/2001 12:00:00 PM

#:7 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-25-2004 11:58:44 PM
BasePriority : Normal
FileSize : 31 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 6/26/2004 1:23:52 AM
Last modified : 8/23/2001 12:00:00 PM

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-25-2004 11:58:47 PM
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 6/26/2004 12:39:35 AM
Last modified : 8/23/2001 12:00:00 PM

#:9 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 6-26-2004 1:15:25 AM
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 8/30/2003 12:05:35 AM
Last accessed : 6/26/2004 1:19:54 AM
Last modified : 8/30/2003 12:05:35 AM

#:10 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 6-26-2004 1:15:26 AM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 8/29/2003 4:14:56 PM
Last accessed : 6/26/2004 1:17:59 AM
Last modified : 8/29/2003 4:14:56 PM

#:11 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 6-26-2004 1:23:41 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/11/2004 10:42:27 PM
Last accessed : 6/26/2004 1:23:41 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\BTIEIN (I CAN'T GET RID OF THIS, NEITHER CAN ANY OF MY OTHER PROGRAMS, IN SAFE MODE TOO.)


Registry scan result :

New objects : 1
Objects found so far: 1


Started deep registry scan

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Barwww.websearch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.websearch.com/ie.aspx?tb_id=50138"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://www.websearch.com/ie.aspx?tb_id=50138"


Deep registry scan result :

New objects : 1
Objects found so far: 2




Tracking Cookie Object recognized!
Type : File
Data : christopher@ad6.bannerbank[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 11:03:04 PM
Last accessed : 6/26/2004 1:26:10 AM
Last modified : 6/24/2004 11:03:04 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@cgi-bin[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 10:30:14 PM
Last accessed : 6/26/2004 1:26:10 AM
Last modified : 6/24/2004 10:30:14 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@dcsgcxwngpifwznfzlmv83o6w_5w4m[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 9:27:17 PM
Last accessed : 6/26/2004 1:26:10 AM
Last modified : 6/24/2004 9:27:17 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@edge.ru4[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 11:35:22 PM
Last accessed : 6/26/2004 1:26:10 AM
Last modified : 6/24/2004 11:35:22 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@hotlog[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 11:03:04 PM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 6/24/2004 11:03:04 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@realmedia[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 11:35:31 PM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 6/24/2004 11:35:31 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@s111319[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 9:27:16 PM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 6/24/2004 9:27:16 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@spylog[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 11:03:04 PM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 6/24/2004 11:03:04 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@tribalfusion[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 9:27:32 PM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 6/24/2004 9:27:32 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@z1.adserver[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 11:07:53 PM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 6/24/2004 11:07:53 PM



Tracking Cookie Object recognized!
Type : File
Data : christopher@zedo[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 6/24/2004 11:07:55 PM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 6/24/2004 11:07:55 PM





Deep scanning and examining files (C:)


VX2.BetterInternet Object recognized!
Type : File
Data : 6jo4svc.dll
Object : C:\WINDOWS\System32\
FileSize : 309 KB
Created on : 6/25/2004 5:36:51 AM
Last accessed : 6/26/2004 1:26:11 AM
Last modified : 5/10/2004 11:27:26 PM



VX2.BetterInternet Object recognized!
Type : File
Data : amlui.dll
Object : C:\WINDOWS\System32\
FileSize : 309 KB
Created on : 6/25/2004 6:41:50 PM
Last accessed : 6/26/2004 1:26:12 AM
Last modified : 5/10/2004 11:27:26 PM



VX2.BetterInternet Object recognized!
Type : File
Data : avtiveds.dll
Object : C:\WINDOWS\System32\
FileSize : 309 KB
Created on : 6/25/2004 11:58:44 PM
Last accessed : 6/26/2004 1:26:13 AM
Last modified : 5/10/2004 11:27:26 PM



VX2.BetterInternet Object recognized!
Type : File
Data : axd.dll
Object : C:\WINDOWS\System32\
FileSize : 309 KB
Created on : 6/25/2004 5:20:30 AM
Last accessed : 6/26/2004 1:26:13 AM
Last modified : 5/10/2004 11:27:26 PM




Performing conditional scans..


IBIS Toolbar Object recognized!
Type : Folder
Object : c:\program files\common files\WinTools


IBIS Toolbar Object recognized!
Type : File
Data : temp
Object : c:\program files\common files\wintools\

Created on : 4/10/2004 5:53:37 AM
Last accessed : 4/21/2004 11:22:18 PM
Last modified : 4/10/2004 5:53:37 AM



Conditional scan result:

New objects : 2
Objects found so far: 19


8:28:31 PM Scan complete

Summary of this scan

Total scanning time :00:04:38:971
Objects scanned :51959
Objects identified :19
Objects ignored :0
New objects :19

Now when I hit Alt-Ctrl, everything that was processing was this. In non-safe mode:
taskmgr.exe CHRISTOPHER
IEXPLORE.EXE CHRISTOPHER
wkcalrem.exe CHRISTOPHER
mmtask.exe CHRISTOPHER
ycommon.exe CHRISTOPHER
ybrwicon.exe CHRISTOPHER
realplay.exe CHRISTOPHER
notepad.exe CHRISTOPHER
PLNRnote.exe CHRISTOPHER
AcBtnMgr_X73.exe CHRISTOPHER
ACMonitor_X73.exe CHRISTOPHER
CloneCDTray.exe CHRISTOPHER
Playlist.exe CHRISTOPHER
wuauclt.exe CHRISTOPHER
point32.exe CHRISTOPHER
RxMon.exe CHRISTOPHER
DrgToDsc.exe CHRISTOPHER
CMGrdian.exe CHRISTOPHER
VSStat.exe CHRISTOPHER
mcagent.exe CHRISTOPHER
type32.exe CHRISTOPHER
nvsvc32.exe SYSTEM
gearsec.exe SYSTEM
avsynmgr.exe SYSTEM
acsd.exe SYSTEM
spoolsv.exe SYSTEM
LEXBCES.EXE SYSTEM
avonconsol.exe SYSTEM
notepad.exe CHRISTOPHER
cpd.exe CHRISTOPHER
explorer.exe CHRISTOPHER
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE
svchost.exe SYSTEM
Mcshield.exe SYSTEM
svchost.exe SYSTEM
lsass.exe SYSTEM
services.exe YSTEM
winlogon.exe SYSTEM
csrss.exe SYSTEM
cpd.exe SYSTEM
vshwin32.exe SYSTEM
smss.exe SYSTEM
rundll32.exe CHRISTOPHER
fxssvc.exe SYSTEM
VSStat.exe SYSTEM
MsPMSPSv.exe SYSTEM
System SYSTEM
System Idle Process SYSTEM

(Note: when I did this I had, of course, my Internet, my docs and 2 Notepads open too, just so you don't get confused by some things.)

OK NOW THIS IS WHAT SPYBOT GOT


Advertising.com: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Christopher\Cookies\christopher@servedby.advertising[2].txt

Advertising.com: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Christopher\Cookies\christopher@advertising[1].txt

HuntBar: Global settings (Registry key, fixing failed) <<, again!!
HKEY_LOCAL_MACHINE\Software\BTIEIN

Unknown: IE Search assistent (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchAssistant=about:blank

ValueClick: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Christopher\Cookies\christopher@valueclick[2].txt


--- Spybot-S&D version: 1.2 ---
2004-02-26 Includes\Cookies.sbi
2004-02-29 Includes\Dialer.sbi
2004-02-29 Includes\Hijackers.sbi
2004-02-26 Includes\Keyloggers.sbi
2004-02-29 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2004-03-09 Includes\Revision.sbi
2004-02-26 Includes\Security.sbi
2004-02-29 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2004-02-26 Includes\Tracks.uti
2004-02-29 Includes\Trojans.sbi

OK, my SpywareGuard got those things popping up again as usual, and I wrote it down this time. It kept popping up this one about 6 times:
Internet Explorer Current user search page has been changed from http:\\red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com to <none> restore old value or keep new value. I always clicked restore old value. Another one came up too, except it was different, and this popped up once: http://www.websearch.com/ie.aspx?tb_id=50138 to
(seriously blank, no words, it just had nothing.)

Now when I was going to my HKEY_LOCAL_MACHINE TO SOFTWARE TO CONTROL LOOKING FOR WINTOOLS IT CAME UP TO

CONTROL SET 002
CONTROL SET 003
AND CURRENT CONTROL SET
TO> ENUM> ROOT> Legacy_wintoolssvc. All those 3 had this, besides the BTIEIN which I could not get rid of. I hope all this information will help you and anyone else who has any ideas lol. I also hijacked 3 of the red.clientapps that came back up on . Here is my HijackThis log. Good luck. lol Please do your best, I appreciate this all. WINTOOLS IS A PAIN! And I'm unsure about this BTIEIN that it won't allow me to delete. NOTE THE RED CLIENTS JUST CAME BACK WHEN I RESTARTED AND DID THIS SCAN. I DO HAVE SBC CABLE FOR YAHOO? Would that be part of it? Anyways, here it is.

Logfile of HijackThis v1.97.7
Scan saved at 9:24:57 PM, on 6/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\c\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50138
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [UpromiseRemindU] javaw -cp "C:\Program Files\UpromiseRemindU\System\Code" Main lp: "C:\Program Files\UpromiseRemindU"
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: RemindU (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v44/co...se/collapse.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v54/cubis/cubis.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7863.4878703704
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.5/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Again ty and gl

Edited by chriscwirla, 25 June 2004 - 09:27 PM.


#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:09:43 AM

Posted 27 June 2004 - 04:10 AM

Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist:

Window Search
Win Tools
WindowsSA
Windows Search Assistant
Search Assistant
IESearch

When uninstalling you will be prompted to insert a security code. Please do so and reboot when done.

If you do not see these two programs in your Add/Remove Programs, then download and run both of these uninstallers:

http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe

Then do the following:

Fix these with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50138
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138

Reboot and post a new log. The red.clients thing that SpywareGuard is showing is because of the Yahoo toolbar or Yahoo Messenger. You can remove those or just deal with them, as there is no way to stop those when it's installed.
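
The two R1 lines picked out above can also be found mechanically. The script below is an added example, not part of this thread, of HijackThis or of any tool named here: it parses the R0/R1 lines of a HijackThis log, flags search and start-page values whose registrable domain is on a known-hijacker list (websearch.com comes from the logs in this thread; the list itself is an assumption a defender would extend from their own intel), and flags search settings that have been blanked to about:blank, which Spybot also reported earlier in the thread. The sample lines are copied from the log posted above.

```python
"""Flag Internet Explorer search/start-page hijack entries in a HijackThis log.

Added example for this thread; not code from HijackThis, Spybot or Ad-aware.
"""
import re
from urllib.parse import urlparse

# Registrable domains seen in this thread's logs as hijacker targets.
# websearch.com is from the page; treat the set as an assumption to extend.
KNOWN_HIJACK_HOSTS = {"websearch.com"}

# IE value names that steer search; blanking these to about:blank is what
# Spybot reported as "IE Search assistent" in the thread.
SEARCH_VALUES = {"SearchAssistant", "Search Bar", "Search Page"}

# HijackThis R-lines look like:
#   R1 - HKCU\Software\...\Main,Search Bar = http://...
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")

# Constructed sample: the R0/R1 lines from the 25 June 2004 log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50138
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50138
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""


def parse_r_line(line):
    """Return a dict for an R0-R3 line, or None for any other line."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group(1), "key": m.group(2),
            "value": m.group(3).strip(), "data": m.group(4).strip()}


def host_of(url):
    """Registrable domain of a URL (last two labels; a simplification that
    ignores multi-part public suffixes such as co.uk). None if no host."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(entry):
    """Verdict string for one parsed R-line, or None if nothing stands out."""
    if entry["data"].lower() == "about:blank" and entry["value"] in SEARCH_VALUES:
        return "suspicious: search setting blanked"
    host = host_of(entry["data"])
    if host in KNOWN_HIJACK_HOSTS:
        return f"hijack: {host}"
    return None


def scan_log(text):
    """Return [(original line, verdict)] for every flagged R-line in the log."""
    findings = []
    for line in text.splitlines():
        entry = parse_r_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append((line.strip(), verdict))
    return findings


if __name__ == "__main__":
    for line, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:40} {line}")
```

Run against the sample, the scan flags exactly the two lines listed in the reply above (the HKCU Search Bar and the HKLM SearchAssistant, both pointing at websearch.com); the Yahoo and SBC entries pass because their domain is not on the list. The about:blank rule only fires for the three search-steering values, so a deliberately blank Start Page is not reported.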

#8 chriscwirla

chriscwirla
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:09:43 AM

Posted 15 July 2004 - 12:41 AM

Hello Grinler, I'm so sorry for not getting back to you with this information for the longest time. I was on a business trip in Florida and my hands have been tied up with work and family problems. I had a little trouble downloading these 2 programs, so I went to my work computer and copied them onto a CD. Ran it every possible way: first clicking yes, then no and yes. And I read (I'm probably confused about what you said, my fault though) whether you want me to just run this program or actually install it so that it comes up in my Add/Remove Programs. If that's the case, though, I need some information and help on how to do this, because it just keeps wanting to just run.
I looked in my HijackThis scan today also and saw some WinTools update thing on it. I hijacked it, but I didn't touch anything else because I was unsure. Here is my new log, and I'm very sorry for such a delay and wasting your time.

Logfile of HijackThis v1.97.7
Scan saved at 12:40:48 AM, on 7/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\c\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [UpromiseRemindU] javaw -cp "C:\Program Files\UpromiseRemindU\System\Code" Main lp: "C:\Program Files\UpromiseRemindU"
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: RemindU (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v44/co...se/collapse.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v54/cubis/cubis.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7863.4878703704
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.5/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

#9 Grinler (Lawrence Abrams), Admin, 43,614 posts, Location: USA

Posted 15 July 2004 - 09:59 AM

Fix these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab


Then post a new log.
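Added example, not HijackThis code and not the helper's own method: a small Python triage script for the HijackThis log format posted in this thread. It parses the R0/R1 and O16 lines and flags the patterns behind the three entries in the fix list above (IE search settings set to about:blank or to a host outside an analyst allowlist, and DPF controls registered without a class name), plus DPF controls fetched from a bare IP address; the allowlist, the heuristics and the sample lines are assumptions constructed for illustration, and a flag means "review", not "malicious".

```python
"""HijackThis v1.97 log triage (added example; not HijackThis or BleepingComputer code).

Parses the R0/R1 and O16 line formats seen in the thread's logs and returns
(identifier, reason) pairs for entries an analyst should look at. The
allowlist and heuristics below are assumptions, not HijackThis features.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# R-lines: "<section> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(?P<section>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
# O16: "O16 - DPF: <clsid-or-tag> [(<class name>)] - <url-or-path>"
O16_LINE = re.compile(r"^O16 - DPF: (?P<id>\S+)(?: \((?P<name>[^)]*)\))? - (?P<url>.+)$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: hosts the IE start/search settings are expected to use on this
# machine, taken from the SBC Yahoo! portal entries in the posted log.
EXPECTED_IE_HOSTS = {"yahoo.sbc.com", "search.yahoo.com"}

# Constructed sample: eight lines copied from the thread's log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50138/QDow_AS2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
"""


@dataclass
class Entry:
    section: str  # e.g. "R1", "O4", "O16"
    fields: dict  # parsed pieces; empty for sections this parser does not model
    raw: str


def parse_line(line: str):
    """Return an Entry for one log line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    m = R_LINE.match(line)
    if m:
        fields = {"key": m["key"], "name": m["name"].strip(), "value": m["value"].strip()}
        return Entry(m["section"], fields, line)
    m = O16_LINE.match(line)
    if m:
        fields = {"id": m["id"], "name": m["name"] or "", "url": m["url"].strip()}
        return Entry("O16", fields, line)
    # Any other section: keep the section tag so callers can still group lines.
    return Entry(line.split(" - ", 1)[0], {}, line)


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries, expected_hosts=EXPECTED_IE_HOSTS):
    """Return (identifier, reason) pairs; identifier is the value name (R lines) or CLSID (O16)."""
    findings = []
    for e in entries:
        if e.section.startswith("R") and "value" in e.fields:
            value = e.fields["value"]
            host = (urlparse(value).hostname or "").lower()
            if value.lower() == "about:blank":
                findings.append((e.fields["name"], "IE setting blanked to about:blank"))
            elif host and host not in expected_hosts:
                findings.append((e.fields["name"], f"IE setting points at unexpected host {host}"))
        elif e.section == "O16":
            host = urlparse(e.fields["url"]).hostname or ""
            if not e.fields["name"]:
                findings.append((e.fields["id"], "DPF control registered without a class name"))
            if BARE_IP.match(host):
                findings.append((e.fields["id"], f"DPF control downloaded from bare IP {host}"))
    return findings


def triage_text(text: str):
    return triage(parse_log(text))


if __name__ == "__main__":
    for ident, reason in triage_text(SAMPLE_LOG):
        print(f"{ident}: {reason}")
```

Run against a full log, the script flags exactly the two R1 lines and the websearch.com O16 line from the fix list, plus any O16 control fetched from a bare IP for manual review.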

#10 chriscwirla (Topic Starter), Members, 64 posts

Posted 17 July 2004 - 01:18 AM

Err.... It seems like whenever I try and get rid of it, it seems to, and does, come back with a lot harder complications and more stuff trying to access the internet. I hate this. This program is smart. Is somebody messing around with this, doing this physically with just a couple of taps on the keyboard, or is this just some bot being a pain in the butt!!! I'll be giving you my Ad-aware, Spybot and new HijackThis log. Fingers crossed (X) Also this "Wintools": will HijackThis help get rid of this, or will you be giving me instructions for it? Also the same with other registry keys like that BTIEIN and some weird other programs. I have a lot of these DirectX 9 hotfixes and Windows XP hotfixes too. And some kind of program called Java Web Start? Should I remove that? I found Gain (with an alligator picture when it tried to access the internet) and some weird other programs. Also a system called wupdt has been on too. Don't know what that is. I uninstalled what I found on McAfee but still there are some programs that I'm unsure what they are. I will post what's in my Add or Remove Programs if it helps. Just ask. Well thank you again (X)

Logfile of HijackThis v1.97.7
Scan saved at 11:40:11 PM, on 7/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\c\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Mskexe] c:\PROGRA~1\mcafee\SPAMKI~1\spamkiller.exe
O4 - HKLM\..\Run: [UpromiseRemindU] javaw -cp "C:\Program Files\UpromiseRemindU\System\Code" Main lp: "C:\Program Files\UpromiseRemindU"
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: RemindU (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v44/co...se/collapse.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v54/cubis/cubis.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7863.4878703704
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.5/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Advertising.com: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Christopher\Cookies\christopher@servedby.advertising[2].txt

Avenue A, Inc.: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Christopher\Cookies\christopher@atdmt[2].txt

DoubleClick: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Christopher\Cookies\christopher@doubleclick[1].txt

HuntBar: Global settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\BTIEIN

IE Plugin: DLL use (1 apps) (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\wupdt.exe

IE Plugin: Installer (File, fixed)
C:\WINDOWS\Downloaded Program Files\default.inf

IE Plugin: Module usage setting (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/wupdt.exe

IE Plugin: System file (File, fixed)
C:\WINDOWS\wupdt.exe

MediaPlex: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Christopher\Cookies\christopher@mediaplex[1].txt


--- Spybot-S&D version: 1.2 ---
2004-02-26 Includes\Cookies.sbi
2004-02-29 Includes\Dialer.sbi
2004-02-29 Includes\Hijackers.sbi
2004-02-26 Includes\Keyloggers.sbi
2004-02-29 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2004-03-09 Includes\Revision.sbi
2004-02-26 Includes\Security.sbi
2004-02-29 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2004-02-26 Includes\Tracks.uti
2004-02-29 Includes\Trojans.sbi


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, July 17, 2004 12:32:56 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R324 22.06.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan within archives


7-17-2004 12:32:56 AM - Scan started. (Smart mode)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-17-2004 3:58:17 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 3:58:30 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 3:58:30 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 3:58:30 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 8/23/2001 12:00:00 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 3:58:31 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 3:58:31 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 8/23/2001 12:00:00 PM

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 3:58:34 AM
BasePriority : Normal
FileSize : 304 KB
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
Copyright : 1993 - 2000 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 4/21/2004 12:36:24 AM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 10/12/2001 7:42:48 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 3:58:34 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 8/23/2001 12:00:00 PM

#:9 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ThreadCreationTime : 7-17-2004 3:58:42 AM
BasePriority : Normal
FileSize : 1356 KB
FileVersion : 1,0,22,1
ProductVersion : 1,0,22,1
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 1/12/2004 6:39:33 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 9/16/2003 10:55:36 PM

#:10 [avsynmgr.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 7-17-2004 3:58:42 AM
BasePriority : Normal
FileSize : 196 KB
FileVersion : 7.03.6000
ProductVersion : 7.03.6000
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan Synchronization Service
InternalName : AvSynMgr
OriginalFilename : AvSynMgr.exe
ProductName : VirusScan Home Edition
Created on : 2/5/2003 12:02:00 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 6/3/2003 11:03:00 AM

#:11 [gearsec.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ThreadCreationTime : 7-17-2004 3:58:42 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
Copyright : Copyright
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
OriginalFilename : gearsec.exe
ProductName : gearsec
Created on : 6/18/2004 11:46:45 PM
Last accessed : 7/17/2004 5:32:56 AM
Last modified : 9/25/2002 7:36:32 PM

#:12 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 3:58:42 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 6.13.10.4072
ProductVersion : 6.13.10.4072
Copyright : NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 40.72
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 40.72
Created on : 4/21/2004 12:28:44 AM
Last accessed : 7/17/2004 5:32:57 AM
Last modified : 9/27/2002 11:38:00 PM

#:13 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 3:58:42 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
Copyright : Copyright Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft DRM
Created on : 5/1/2001 10:06:22 PM
Last accessed : 7/17/2004 5:32:57 AM
Last modified : 5/1/2001 10:06:22 PM

#:14 [fxssvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-17-2004 3:58:43 AM
BasePriority : Normal
FileSize : 243 KB
FileVersion : 5.2.1776.0
ProductVersion : 5.2.1776.0
CompanyName : Microsoft Corporation
FileDescription : Fax Service
InternalName : FXSSVC.EXE
OriginalFilename : FXSSVC.EXE
ProductName : Microsoft
Created on : 4/30/2004 4:50:57 PM
Last accessed : 7/17/2004 5:32:57 AM
Last modified : 8/23/2001 12:00:00 PM

#:15 [vsstat.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 7-17-2004 3:58:46 AM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 7.03.6000
ProductVersion : 7.03.6000
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan System Tray
InternalName : VsStat
OriginalFilename : VsStat.exe
ProductName : VirusScan Home Edition
Created on : 2/5/2003 12:02:00 PM
Last accessed : 7/17/2004 5:07:18 AM
Last modified : 6/3/2003 11:03:00 AM

#:16 [vshwin32.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 7-17-2004 3:58:47 AM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 7.03.6000
ProductVersion : 7.03.6000
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan System Scan
InternalName : VshWin32
OriginalFilename : VshWin32.exe
ProductName : VirusScan Home Edition
Created on : 2/5/2003 12:02:00 PM
Last accessed : 7/17/2004 5:32:57 AM
Last modified : 6/3/2003 11:03:00 AM

#:17 [cpd.exe]
FilePath : C:\PROGRA~1\McAfee\MCAFEE~3\
ThreadCreationTime : 7-17-2004 3:58:48 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 4.02.6000.0
ProductVersion : 4.02.6000.0
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : McAfee Firewall
OriginalFilename : cpd.exe
ProductName : McAfee Firewall
Created on : 2/5/2003 9:02:00 AM
Last accessed : 7/17/2004 5:32:57 AM
Last modified : 2/5/2003 9:02:00 AM

#:18 [mcshield.exe]
FilePath : C:\Program Files\Common Files\Network Associates\McShield\
ThreadCreationTime : 7-17-2004 3:58:49 AM
BasePriority : High
FileSize : 240 KB
Created on : 2/3/2003 12:02:00 PM
Last accessed : 7/17/2004 5:32:58 AM
Last modified : 5/15/2003 11:03:00 AM

#:19 [avconsol.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 7-17-2004 3:58:52 AM
BasePriority : Normal
FileSize : 196 KB
FileVersion : 7.03.6000
ProductVersion : 7.03.6000
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan Console
InternalName : AvConsol
OriginalFilename : AvConsol.exe
ProductName : VirusScan Home Edition
Created on : 2/5/2003 12:02:00 PM
Last accessed : 7/17/2004 5:32:58 AM
Last modified : 6/3/2003 11:03:00 AM

#:20 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-17-2004 5:07:07 AM
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/17/2004 5:32:41 AM
Last modified : 8/23/2001 12:00:00 PM

#:21 [cpd.exe]
FilePath : C:\PROGRA~1\McAfee\MCAFEE~3\
ThreadCreationTime : 7-17-2004 5:07:11 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 4.02.6000.0
ProductVersion : 4.02.6000.0
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : McAfee Firewall
OriginalFilename : cpd.exe
ProductName : McAfee Firewall
Created on : 2/5/2003 9:02:00 AM
Last accessed : 7/17/2004 5:32:57 AM
Last modified : 2/5/2003 9:02:00 AM

#:22 [type32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Keyboard\
ThreadCreationTime : 7-17-2004 5:07:16 AM
BasePriority : Normal
FileSize : 92 KB
FileVersion : 2.20.447.0
ProductVersion : 2.2
Copyright : Copyright Microsoft Corp. 1995-2001
CompanyName : Microsoft Corporation
FileDescription : Microsoft IntelliType Pro
InternalName : Type32
OriginalFilename : Type32.exe
ProductName : Microsoft IntelliType Pro
Created on : 3/22/2002 4:41:56 AM
Last accessed : 7/17/2004 5:07:15 AM
Last modified : 3/22/2002 4:41:56 AM

#:23 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ThreadCreationTime : 7-17-2004 5:07:17 AM
BasePriority : Normal
FileSize : 196 KB
FileVersion : 4, 2, 0, 8
ProductVersion : 4, 2, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
OriginalFilename : mcagent.exe
ProductName : McAfee SecurityCenter
Created on : 11/3/2003 7:44:23 PM
Last accessed : 7/17/2004 5:17:04 AM
Last modified : 3/18/2003 7:53:52 PM

#:24 [vsstat.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 7-17-2004 5:07:19 AM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 7.03.6000
ProductVersion : 7.03.6000
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan System Tray
InternalName : VsStat
OriginalFilename : VsStat.exe
ProductName : VirusScan Home Edition
Created on : 2/5/2003 12:02:00 PM
Last accessed : 7/17/2004 5:07:18 AM
Last modified : 6/3/2003 11:03:00 AM

#:25 [cmgrdian.exe]
FilePath : C:\Program Files\McAfee\McAfee Shared Components\Guardian\
ThreadCreationTime : 7-17-2004 5:07:21 AM
BasePriority : Normal
FileSize : 144 KB
FileVersion : 3.01.1000.0
ProductVersion : 3.01.1000.0
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : McAfee Guardian Agent
InternalName : CMGrdian
OriginalFilename : CMGrdian.exe
ProductName : McAfee Windows Guardian
Created on : 1/29/2003 8:01:00 AM
Last accessed : 7/17/2004 5:07:19 AM
Last modified : 1/29/2003 8:01:00 AM

#:26 [drgtodsc.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\
ThreadCreationTime : 7-17-2004 5:07:23 AM
BasePriority : Normal
FileSize : 848 KB
FileVersion : 6.1.0.74
ProductVersion : 6.1.0.74
Copyright : Copyright 1999-2003 Roxio, Inc.
CompanyName : Roxio
FileDescription : Drag To Disc Application
InternalName : D2D
OriginalFilename : BurnCtrl.EXE
ProductName : Drag-to-Disc
Created on : 5/9/2003 5:17:46 AM
Last accessed : 7/17/2004 5:07:22 AM
Last modified : 5/9/2003 5:17:46 AM

#:27 [rxmon.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\
ThreadCreationTime : 7-17-2004 5:07:24 AM
BasePriority : Normal
FileSize : 312 KB
FileVersion : 1.1.264
ProductVersion : 1.1.264
Copyright : Copyright
CompanyName : Roxio, Inc.
FileDescription : Roxio AudioCentral Media Manager Tray App
InternalName : Roxio AudioCentral Media Manager Tray App
OriginalFilename : RxMon.exe
ProductName : AudioCentral Media Manager
Created on : 5/9/2003 5:35:08 AM
Last accessed : 7/17/2004 5:07:23 AM
Last modified : 5/9/2003 5:35:08 AM

#:28 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ThreadCreationTime : 7-17-2004 5:07:24 AM
BasePriority : Normal
FileSize : 172 KB
FileVersion : 4.10.0851.0
ProductVersion : 4.1
Copyright : Copyright Microsoft Corp. 1983-2002
CompanyName : Microsoft Corporation
FileDescription : Microsoft IntelliPoint
InternalName : POINT32
OriginalFilename : POINT32.EXE
ProductName : Microsoft IntelliPoint
Created on : 4/11/2002 4:47:52 PM
Last accessed : 7/17/2004 5:07:24 AM
Last modified : 4/11/2002 4:47:52 PM

#:29 [spamkiller.exe]
FilePath : C:\PROGRA~1\mcafee\SPAMKI~1\
ThreadCreationTime : 7-17-2004 5:07:28 AM
BasePriority : Normal
FileSize : 2308 KB
FileVersion : 4.5.56.0
ProductVersion : 4.5
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc.
FileDescription : McAfee SpamKiller
InternalName : SpamKiller
OriginalFilename : SPAMKILLER.EXE
ProductName : SpamKiller
Created on : 7/24/2003 10:24:22 PM
Last accessed : 7/17/2004 5:17:04 AM
Last modified : 4/21/2003 6:18:42 PM

#:30 [playlist.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\
ThreadCreationTime : 7-17-2004 5:07:30 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 1.1.264
ProductVersion : 1.1.264
Copyright : Copyright
CompanyName : Roxio, Inc.
FileDescription : Roxio AudioCentral Media Manager Playlist
InternalName : Roxio AudioCentral Media Manager Playlist
OriginalFilename : PlayList.exe
ProductName : AudioCentral Media Manager
Created on : 5/9/2003 5:35:08 AM
Last accessed : 7/17/2004 5:00:01 AM
Last modified : 5/9/2003 5:35:08 AM

#:31 [clonecdtray.exe]
FilePath : C:\Program Files\Elaborate Bytes\CloneCD\
ThreadCreationTime : 7-17-2004 5:07:30 AM
BasePriority : Normal
FileSize : 72 KB
FileVersion : 4, 2, 0, 0
ProductVersion : 4, 2, 0, 0
Copyright : Copyright
CompanyName : Elaborate Bytes AG
FileDescription : CloneCD Tray
InternalName : CloneCDTray
OriginalFilename : CloneCDTray.exe
ProductName : CloneCD
Created on : 12/2/2002 2:17:37 PM
Last accessed : 7/17/2004 5:07:30 AM
Last modified : 12/2/2002 2:17:37 PM

#:32 [acmonitor_x73.exe]
FilePath : C:\PROGRA~1\LEXMAR~1\
ThreadCreationTime : 7-17-2004 5:07:31 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 0
Copyright : Copyright c 2001
CompanyName : Silitek Corp.
FileDescription : ACMonitor
InternalName : ACMonitor
OriginalFilename : ACMonitor.exe
ProductName : ACMonitor
Created on : 10/8/2001 10:23:08 PM
Last accessed : 7/17/2004 5:22:00 AM
Last modified : 10/8/2001 9:21:28 PM

#:33 [acbtnmgr_x73.exe]
FilePath : C:\PROGRA~1\LEXMAR~1\
ThreadCreationTime : 7-17-2004 5:07:31 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Jetsoft Development Company
FileDescription : AcBtnMgr
InternalName : AcBtnMgr
OriginalFilename : AcBtnMgr.exe
ProductName : Jetsoft Development Company AcBtnMgr
Created on : 5/9/2001 5:21:34 PM
Last accessed : 7/17/2004 5:22:00 AM
Last modified : 7/11/2001 5:08:38 PM

#:34 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ThreadCreationTime : 7-17-2004 5:07:32 AM
BasePriority : Normal
FileSize : 25 KB
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
OriginalFilename : REALPLAY.EXE
ProductName : RealPlayer (32-bit)
Created on : 10/8/2003 3:16:34 AM
Last accessed : 7/17/2004 5:07:31 AM
Last modified : 10/8/2003 3:16:34 AM

#:35 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ThreadCreationTime : 7-17-2004 5:07:32 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
OriginalFilename : YBrwIcon.exe
ProductName : Yahoo!, Inc. YBrwIcon
Created on : 2/27/2004 12:27:08 AM
Last accessed : 7/17/2004 5:07:32 AM
Last modified : 7/11/2003 8:51:16 PM

#:36 [mmtask.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 7-17-2004 5:07:36 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 9/9/2003 3:14:26 AM
Last accessed : 7/17/2004 5:07:36 AM
Last modified : 4/20/2004 9:50:16 PM

#:37 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 7-17-2004 5:07:38 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.3
ProductVersion : QuickTime 6.3
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 1/12/2004 6:41:55 PM
Last accessed : 7/17/2004 5:07:38 AM
Last modified : 1/12/2004 6:41:55 PM

#:38 [ycommon.exe]
FilePath : C:\PROGRA~1\Yahoo!\browser\
ThreadCreationTime : 7-17-2004 5:07:39 AM
BasePriority : Normal
FileSize : 212 KB
FileVersion : 2003, 9, 3, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003 Yahoo! Inc.
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
OriginalFilename : YCommon.EXE
ProductName : YCommon Exe Module
Created on : 5/11/2004 12:12:12 AM
Last accessed : 7/17/2004 4:59:56 AM
Last modified : 9/3/2003 6:16:56 PM

#:39 [plnrnote.exe]
FilePath : E:\Temp\CardStudio\SIERRA\CardStudio\
ThreadCreationTime : 7-17-2004 5:07:49 AM
BasePriority : Normal
FileSize : 164 KB
FileVersion : 1.0.82
ProductVersion : 1.0
Copyright : Copyright
CompanyName : Sierra Online, Inc.
FileDescription : Event Planner Reminder Application
InternalName : PLRNNOTE
OriginalFilename : PLNRnote.EXE
ProductName : Hallmark Card Studio
Created on : 8/30/2003 6:12:28 PM
Last accessed : 7/17/2004 5:00:00 AM
Last modified : 3/24/2000 8:43:58 PM

#:40 [wkcalrem.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ThreadCreationTime : 7-17-2004 5:07:50 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 5.00.1928.1
ProductVersion : 5.00.1928.1
CompanyName : Microsoft
FileDescription : Microsoft
InternalName : WkCalRem
OriginalFilename : WKCALREM.EXE
ProductName : Microsoft
Created on : 9/4/1999 10:23:00 PM
Last accessed : 7/17/2004 5:07:50 AM
Last modified : 9/4/1999 10:23:00 PM

#:41 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-17-2004 5:08:02 AM
BasePriority : Normal
FileSize : 145 KB
FileVersion : 5.4.3790.20 built by: lab04_n
ProductVersion : 5.4.3790.20
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 7/14/2003 9:36:55 PM
Last accessed : 7/17/2004 5:33:00 AM
Last modified : 2/10/2004 3:09:02 AM

#:42 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-17-2004 5:32:43 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/11/2004 10:42:27 PM
Last accessed : 7/17/2004 5:32:43 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


IBIS Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\BTIEIN


Registry scan result :

New objects : 1
Objects found so far: 1


Started deep registry scan


Deep registry scan result :

New objects : 0
Objects found so far: 1




Tracking Cookie Object recognized!
Type : File
Data : christopher@a.as-us.falkag[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/15/2004 5:03:37 AM
Last accessed : 7/17/2004 5:36:24 AM
Last modified : 7/15/2004 5:03:39 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@adrevolver[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/12/2004 5:18:38 AM
Last accessed : 7/17/2004 5:36:24 AM
Last modified : 7/12/2004 5:18:38 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@ads.tripod.lycos.co[2].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/12/2004 3:26:46 AM
Last accessed : 7/17/2004 5:36:24 AM
Last modified : 7/12/2004 3:26:46 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@as-us.falkag[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/15/2004 5:05:11 AM
Last accessed : 7/17/2004 5:36:24 AM
Last modified : 7/15/2004 5:05:11 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@centrport[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/12/2004 4:44:31 AM
Last accessed : 7/17/2004 5:36:24 AM
Last modified : 7/12/2004 4:44:31 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@cgi-bin[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/12/2004 3:23:18 AM
Last accessed : 7/17/2004 5:36:24 AM
Last modified : 7/12/2004 3:23:18 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@maxserving[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/15/2004 5:03:38 AM
Last accessed : 7/17/2004 5:36:25 AM
Last modified : 7/15/2004 5:03:38 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@realmedia[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/15/2004 5:02:48 AM
Last accessed : 7/17/2004 5:36:25 AM
Last modified : 7/15/2004 5:03:36 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@tmpad[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/12/2004 6:36:01 AM
Last accessed : 7/17/2004 5:36:25 AM
Last modified : 7/12/2004 6:36:01 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@trafficmp[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/12/2004 6:36:00 AM
Last accessed : 7/17/2004 5:36:25 AM
Last modified : 7/12/2004 6:56:04 AM



Tracking Cookie Object recognized!
Type : File
Data : christopher@z1.adserver[1].txt
Object : C:\Documents and Settings\Christopher\Cookies\

Created on : 7/12/2004 3:58:13 AM
Last accessed : 7/17/2004 5:36:26 AM
Last modified : 7/12/2004 3:58:14 AM





Deep scanning and examining files (C:)



Performing conditional scans..


IBIS Toolbar Object recognized!
Type : Folder
Object : c:\program files\common files\WinTools


IBIS Toolbar Object recognized!
Type : File
Data : temp
Object : c:\program files\common files\wintools\

Created on : 4/10/2004 5:53:37 AM
Last accessed : 4/21/2004 11:22:18 PM
Last modified : 4/10/2004 5:53:37 AM



Conditional scan result:

New objects : 2
Objects found so far: 14


12:37:57 AM Scan complete

Summary of this scan

Total scanning time :00:05:00:311
Objects scanned :45742
Objects identified :14
Objects ignored :0
New objects :14
Good luck again and ty

Edited by chriscwirla, 17 July 2004 - 01:20 AM.


#11 Grinler (Lawrence Abrams, Admin)

Posted 17 July 2004 - 04:10 PM

I do not see much here that is considered spyware or malware. Did you clean a lot up with spybot/ad-aware?


Fix these with hijackthis:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab


Reboot and post a new log. Tell me if you are having a problem. If you see messages from Ad-aware or Spybot saying something is trying to infect/change settings, let it happen so that I know what to tell you to remove. I can't see it if you block it.

#12 chriscwirla (Topic Starter)

Posted 10 August 2004 - 03:09 AM

Grinler, can you give me an update with HijackThis on this computer problem? Also, any advice with WinTools. Btw, why isn't this WinTools thing deleting anyway? I mean, I know it doesn't seem to pop up in my HijackThis logs anymore, yet when I go to delete it, it never seems to want to delete. I disabled it, I've looked in reg keys. Gone to SOO MANY different websites to get this thing removed and it hasn't worked yet. And with Ad-aware I noticed that BTIEN keeps popping up in reg keys. I looked in there before and it won't allow me to delete. MY YOUNGER BROTHER also seems to always hit Ad-aware and Spybot (he lives with me), so everything that's hiding and I'm allowing, he hits those 2 programs and they're gone. So you can't really see. And I haven't used HijackThis yet until I know whether I should use it or not, cause it might not really matter. With being UP-TO-DATE: I have HijackThis 1.97.7 and I know there is 1.98.2. Whenever I hit update it doesn't seem to work, so if you have a link that goes right to the new HijackThis zip, that would be GREAT!!! And then I can start sending you my HijackThis logs. Also, if you can, if you know any way to get rid of this WinTools thing. It's in my C drive, Program Files, Common Files, and right there, WinTools. AND I H8 IT!!! I think this and maybe that BTIEN reg key is making all this crazy stuff happen. SO I'd like your opinion on this. Anyway. Thank you as always for your brilliant smarts!! You guys are a brilliant team. And thank you as always, Grinler, for putting your time into fixing my computer and others. lol Thank you again
A TARGETER OF ADWARE ROOTING FOR GRINLER! AND THE TEAM! TO REMOVE IT!! lol (;
Chris

Edited by chriscwirla, 10 August 2004 - 03:15 AM.


#13 Grinler (Lawrence Abrams, Admin)

Posted 10 August 2004 - 01:05 PM

Chris, do the following:
You are using an outdated version of HijackThis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site #1

Then post a new log

or

HijackThis Download Site #2

Then post a new log

#14 chriscwirla (Topic Starter)

Posted 16 August 2004 - 01:18 AM

Alright, back on this. Here is my new HijackThis log, and thanks for the zip! Javaw.exe tried to access the internet, yet I found it and it gave me the option to uninstall all of it, so I did, but every 5 mins the msbb.exe program tries to enter the internet, and probably others. Would it be possible to give you a copy of everything I have on my computer? Cause I see all this stuff, and .dll files in my Windows. But it won't go away! And somehow keeps coming back, probably with WinTools and such. So if I could, I would like to do that. Maybe you could sort of check it out yourself if it's possible, cause maybe I'm missing something or skipping something you need. Here is my HijackThis log, and thanks

Logfile of HijackThis v1.98.2
Scan saved at 1:21:16 AM, on 8/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MCAFEE~3\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\msbb.exe
C:\c\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [UpromiseRemindU] javaw -cp "C:\Program Files\UpromiseRemindU\System\Code" Main lp: "C:\Program Files\UpromiseRemindU"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = E:\Temp\CardStudio\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v44/co...se/collapse.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v54/cubis/cubis.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/So...eDownloader.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

Edited by chriscwirla, 16 August 2004 - 01:21 AM.


#15 Grinler (Lawrence Abrams, Admin)

Posted 16 August 2004 - 10:21 AM

Fix these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

Reboot into safe mode and delete this:

c:\windows\msbb.exe

Reboot and do the following:

The first thing I need you to do is download the file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to c:\getservices and double-click the getservices.bat file. A Notepad window will open. Please paste the contents of that Notepad window as a reply to this post.


Post a new HijackThis log along with this info.
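The three entries Grinler picks out of the log above share a pattern that can be checked mechanically: an IE search setting reset to about:blank (R1), an O4 Run entry whose program was dropped straight into C:\WINDOWS rather than a program folder (msbb.exe), and an O16 DPF ActiveX control downloaded from a bare IP address instead of a vendor domain. The following is an added example, not code from the thread, from HijackThis or from its author: a small Python triage pass over HijackThis 1.98-style log lines that encodes those three heuristics. The rules are my own, and the abbreviated sample log is constructed from lines copied out of the log posted above. They produce review candidates, not verdicts; for instance the bare-IP rule also surfaces the Genealogy Browser DPF entry, which Grinler did not list, and the rule for O4 does not look inside rundll32 or javaw command lines, only at the program that is launched.

```python
"""Triage of HijackThis (v1.98-style) log lines.

Added example for this thread. The heuristics below are my own; they are not
HijackThis's own detection logic, and a hit means "look at this", not "malware".
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: an abbreviated copy of lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 1:21:16 AM, on 8/16/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\msbb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # which heuristic fired and why
    line: str      # the log line, verbatim


_ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")      # "O4 - <body>"
_RUN_CMD = re.compile(r"\]\s*(.*)$")                # O4: command after "[name]"
_BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _first_exe(command: str) -> str:
    """Program path from a Run command line: a quoted path whole, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def _check_browser_setting(body: str) -> Optional[str]:
    # R0/R1 bodies read "<registry value> = <setting>"; the adware here reset them to about:blank.
    _, _, value = body.rpartition(" = ")
    if value.strip().lower() == "about:blank":
        return "IE search/start setting reset to about:blank"
    return None


def _check_run_key(body: str) -> Optional[str]:
    # Legitimate autostarts live under Program Files or System32; a bare EXE in the
    # Windows root (c:\windows\msbb.exe) is the drop location worth a second look.
    m = _RUN_CMD.search(body)
    if not m:
        return None
    folder = ntpath.dirname(_first_exe(m.group(1))).rstrip("\\").lower()
    if folder == r"c:\windows":
        return "Run entry launches a program dropped in the Windows root"
    return None


def _check_dpf(body: str) -> Optional[str]:
    # O16 bodies read "{CLSID} (Name) - URL"; a bare-IP download host has no domain to vet.
    url = body.rsplit(" - ", 1)[-1].strip()
    host = urlparse(url).hostname or ""
    if _BARE_IPV4.match(host):
        return f"ActiveX download from bare IP host {host}"
    return None


_RULES: Dict[str, Callable[[str], Optional[str]]] = {
    "R0": _check_browser_setting,
    "R1": _check_browser_setting,
    "O4": _check_run_key,
    "O16": _check_dpf,
}


def triage(log_text: str) -> List[Finding]:
    """Return the entries that trip one of the heuristics, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = _ENTRY.match(line)
        if not m:
            continue  # header lines, the "Running processes:" block, blanks
        section, body = m.groups()
        rule = _RULES.get(section)
        reason = rule(body) if rule else None
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports four lines: the about:blank SearchAssistant, the msbb Run entry, and both bare-IP DPF controls; the IntelliType, NvCplDaemon and POINTER autostarts and the MSN Chat control pass. Adding a rule is a matter of mapping another section code to a function that returns a reason string or None.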



