Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

This Noob Needs Help...


  • Please log in to reply
14 replies to this topic

#1 Sequence_Zero

Sequence_Zero

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 20 January 2005 - 11:19 PM

The title tells it all...
I believe that "Search Assistant" was installed without my notice.
I don't have any time to find out how to read it but if i did then i would.
Anyways, here's my log, and THANK YOU ahead of time.


Logfile of HijackThis v1.97.7
Scan saved at 10:09:44 PM, on 1/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJTBU\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "webhancer" "2"
O4 - Startup: cookie.lnk = C:\Program Files\AnalogX\CookieWall\cookie.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/prot...b?1065365827326
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/instilla-1.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD54740-3687-4ED4-8957-DB984C400342}: NameServer = 207.218.192.38 207.218.192.39


BC AdBot (Login to Remove)

 


#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 20 January 2005 - 11:22 PM

Hi, Sequence_Zero,
I'm going to ask you to reply to this thread with a new HJT log.
The one you used is out-of-date.
Please read HERE

You are seriously behind on Windows Updates also, which could adversely effect the situation as we begin to guide you towards a clean PC.

Please visit,
and if you are reluctant to install SP2 for some reason,
choose the custom installation which will give you additional options.

Edited by phawgg, 20 January 2005 - 11:25 PM.

patiently patrolling, plenty of persisant pests n' problems ...

#3 Sequence_Zero

Sequence_Zero
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 22 January 2005 - 10:56 AM

Normally I would go to the lnk, but when i tried to browse it, the site said that an error occured. I couldn't view it.
And as for the update, i would if i could. I have dial-up :thumbsup:
I might get it sometime durring the week, mabey monday.

But for now, this is the best log i have...
Sorry, but ill try to get the update ASAP.

Oh and another thing, i tried to install it, but it was taking too long and i had to go somewhere. So i closed it, and turnred off my comp. When i logged back on, my ocmputer was wierd. I couldnt dial onto the net, and a lot of other things were skrewy. I found the part of the update that i had downloaded in add/remove programs so i deleted it and everything went back to normal. This is why i havent downloaded it yet. But if I need it then ill downoad it. And any problems i might have ill pose them here. I hope you understand.

#4 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 22 January 2005 - 11:16 AM

About Updates.
You need them.
At least SP1 and the critical patches to it.
Internet Explorer is out of date, too.
But you can't foulup doing it, either.
Shut down in the middle of it.
Uninstall it.

Your problems might involve not having the updates,
and removing the ones you did have.

Normally I would go to the lnk, but when i tried to browse it, the site said that an error occured. I couldn't view it.



The site is (was) experiencing problems.
Please try again.
If you post a new log,
I'd understand...
we could move forward.

HERE

Edited by phawgg, 22 January 2005 - 11:29 AM.

patiently patrolling, plenty of persisant pests n' problems ...

#5 Sequence_Zero

Sequence_Zero
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 22 January 2005 - 10:00 PM

Actually, i deepscanned my comp w/ ad-aware se and it seemed to solve my problem. But i still want my comp to be clean.

And another thing, i recently downloded fire-fox and am becoming more dependant on it because ive been told that it is more secure.

And about the updates, ill try to get them, but its hard downloading them with dialup because i dont get much free time, but ill try for my comp.
And heres my most recent log:
Logfile of HijackThis v1.97.7
Scan saved at 8:58:50 PM, on 1/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJTBU\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: cookie.lnk = C:\Program Files\AnalogX\CookieWall\cookie.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/prot...b?1065365827326
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/instilla-1.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD54740-3687-4ED4-8957-DB984C400342}: NameServer = 207.218.192.38 207.218.192.39

#6 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 23 January 2005 - 06:18 PM

The proposed fix I'm holding until we get a new updated log.
HJT version 1.99.
Each red "here" previously posted is your link to do this.
patiently patrolling, plenty of persisant pests n' problems ...

#7 Sequence_Zero

Sequence_Zero
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 25 January 2005 - 05:53 PM

I got the newest HJT version.
However, i still can't view the 1st "here"...
Anyways, this is what i got:

Logfile of HijackThis v1.99.0
Scan saved at 4:41:49 PM, on 1/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Project64 v1.5\Project64.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cruz Monrreal\My Documents\Internet Downloads\Unorganised\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchant.com/r=6&s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: cookie.lnk = C:\Program Files\AnalogX\CookieWall\cookie.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/instilla-1.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD54740-3687-4ED4-8957-DB984C400342}: NameServer = 207.218.192.38 207.218.192.39
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

#8 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 25 January 2005 - 07:19 PM

That first here is to a link
that one would think
would link to the download,
but it doesn't.
It links to a post with the link
to the download
which is wrapped up
in a tutorial.


I'll check your log.
Expect it to be a day before a reply.
patiently patrolling, plenty of persisant pests n' problems ...

#9 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 25 January 2005 - 11:19 PM

Sequece_Zero Some things to think about & do.
Please read through including the links.
You may choose what you'd like to do.

And about the updates, ill try to get them, but its hard downloading them with dialup because i dont get much free time, but ill try for my comp.

OK

Two programs appear in your log that are "marginally acceptable" from a spyware standpoint.

C:\PROGRA~1\DAP\DAP.EXE http://computercops.biz/startuplist-992.html
C:\Program Files\LimeWire\LimeWire 4.2.6\LimeWire.exe http://computercops.biz/startuplist-5068.html

It is possible they are also being counter-productive in regards to your downloading efforts.
Based on the information,
assuming you do agree they pose additional risks,
the following sequential steps are prepared for you to follow.
If you choose to keep them, do not delete the ones involving them (those names).
Delete the others.

Start-->Add or Remove Programs-->Uninstall (if found) any instances of DAP or Limewire.

Set your PC to: show hidden files. Additional information here.

Open your C:\HJT folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchant.com/r=6&s=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =<--remove to reset default
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = <--remove to reset default
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)<--useless with no file
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - (no file)<--useless with no file
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)<--useless with no file
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

When you're sure that files marked for deletion are correct, click the Fix button.

Reboot your computer into Safe Mode
(by tapping F8 until the screen appears where you can use the up arrow to choose safe mode.)
Hit enter on your keyboard.

Search for, locate and delete these files or folders.
(Do not be concerned if they do not exist, the previous steps may have eliminated them.)
Do not delete the main folders such as:
C:\WINDOWS or C:\Program Files.
The best way to find them is to use:
Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder
and right-click--> delete the individual file(s) or folder as indicated.

Delete manualy

C:\PROGRA~1\DAP\dapextie.htm<-- search for this filename. When found, delete it & the folder that contains it.

Delete Temp Files
From safe mode desktop:
Start-->Run-->type in: %temp% and press the ok button.
Please delete all files and those within the folders found in the temp folder.
If you get an error when deleting a file, skip that file and delete all the others.
Doing this in Safe Mode you should be able to delete all the files.

Reboot your computer to go back to normal mode.

Delete Temporary Internet Files
Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button
and put a checkmark in Delete offline content.
Then press the OK button.
This may take quite a while, but when it is done your Temporary Internet Files will be deleted.

Empty the recycle bin.

Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had,
and let us know if its working better. Some additional options may exist)
patiently patrolling, plenty of persisant pests n' problems ...

#10 Sequence_Zero

Sequence_Zero
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 30 January 2005 - 12:19 PM

Sorry i hadn't replyed in so long. Ive been busy.
Anyways, everything is going smoothly.

I'd like to know, the firewall that i downloaded for free is called kerio.
As you can should be able to see, it was running durring my scan.
Anyways, i was wondering that since i have this firewall, can uninstall McAfee firewall? Because i have it turned off and its really just there, as far as i know...
So can i delete it?

Oh, and here's the updated log:
Logfile of HijackThis v1.99.0
Scan saved at 11:14:50 AM, on 1/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\DAP\DAP.exe
C:\WINDOWS\System32\taskmgr.exe
C:\HJTBU\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/instilla-1.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD54740-3687-4ED4-8957-DB984C400342}: NameServer = 207.218.192.38 207.218.192.39
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

#11 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 31 January 2005 - 03:46 AM

I'd like to know, the firewall that i downloaded for free is called kerio.

A good one, I'd agree with you.

As you can should be able to see, it was running durring my scan.

Running processes indicate three .exe's attributed to McAfee.
Shown in all logs so far.
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

Services, shown in the HJT 1.99 logs indicate (in the most recent two logs)
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
add'l online info
You have shut it down.
The service & files do remain "ready to be enabled".
Were it enabled,
the filepath mentained would also appear in running processes.

These also are shown, btw:
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
It is responsible for one of the running processes above, and important.
add'l online info
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
add'l online info
It is essential to the proper operation of the anti-virus program, however.
You may have it disabled, too. That is OK.
We'll leave it alone.

Anyways, i was wondering that since i have this firewall, can uninstall McAfee firewall?
Because i have it turned off and its really just there, as far as i know...

Yes, it is "just there".
Yes, you can remove it.
We advice running only one at a time, in fact.
I appreciate your specific question, Sequence_Zero

Start-->Control panel-->Add/Remove programs-->uninstall McAfee Firewall
Navigate to C:\Program Files\McAfee\McAfee Firewall\CPD.EXE to double-check that it it gone.
If an empty folder remains, you can delete it.
Start-->control panel-->administrative programs-->services.
Look for a service called McAfee Firewall - Networks Associates, Inc. .
to double-check that it is gone.

Back once again to the IE update issue.
microsoft.com/windows/ie/downloads/default.mspx is a MS page strictly for IE patches/updates.
You might try it to expedite the IE part of updating first, then OS updates later, as time allows.

One more detail for you.
This entry we typically point out as unnecessary.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
add'l online info
add'l online info
add'l online info
To disable "tkbell.exe" in the new version:
(1) Start RealOne Player.
(2) Tools -> Preferences.
(3) Automatic services in the Categories pane.
(4) Uncheck all options and then OK.

All that said, you have a cleanlog

Now you should disable & re-enable your System Restore to set a new restore point.
This insures that there are no infected files found in a restore point left over from what we have just cleaned.
Additional information & instructions are here.

Some other steps to be taken are:

1. Use secure Internet Explorer settings
  • Open IE and check tools-->internet options-->security-->click internet icon-->(default is medium).
    Click custom and check that these settings are:
  • Download unsigned ActiveX controls - prompt
  • Initialize and script ActiveX controls not marked as safe - disable
  • Installation of desktop items - prompt
  • Launching programs and files in IFRAME - prompt
  • Navigate sub-frames across different domains - prompt
2. Use AntiVirus Software & Update Frequently. It's best to use only one.
  • An excellent free program is AVG, if you need an option.
    This program can be set to automatically scan & either auto-update or
    you may choose to do that yourself.
    Virus definition updates with this program occur frequently, which is very good.
3. Use a Firewall, but use only one. If you install your own, disable the built-in winXP firewall.
  • Excellent free programs available include:
  • Sygate
  • Kerio
  • (others are also available)
  • Choose one (if you do not already use a firewall). Keep your Firewall up & monitor it's configurations
  • (fully understanding it's operation may require some thought & a little practice,
    but it helps greatly to have it installed and functioning)
4. Use Microsoft Windows Updates Frequently
  • SP2 is the most recent Service Pack available.
  • More updates have already been added to it, so try to remain current in regards to security issues in particular.
5. Use Spybot S&D & Update
  • Install and use this program with its TeaTimer option.
  • This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with this program on a regular basis, just as you would an antivirus software.
  • Check for updates when you do. A tutorial is available here.
7. Use SpywareBlaster & Update
  • Install and use this program
  • Adding a large list of sites/programs into your Browser settings, it protects you from
    running or downloading known malicious programs.
  • You may customize it if required to accomodate your individual needs,
    and updates are also frequently issued with new definitions added
  • Make it a habit to run and update on a regular basis.
7. Use Ad-Aware & Update
  • Install, configure and use this program with the others.
  • It is very well thought of in it's effectiveness, it complements the actions of the others.
  • It provides for additional plug-in specialty tools as well as an upgrade if you choose them.
  • Updates are frequent, so I suggest that you do both that and run the program regularly.
8. Use an alternative Browser Frequently. You may use several if you like.
  • Consider using Firefox as an alternative to IE
    for fundamental security reasons.
  • You can have both easily. Doing so will provide you with several benefits and options.
  • Other alternative browsers are also available at no charge
  • They do not have inherent vulnerabilities to the extent that IE does.
  • They are not subject to the same attention by malware creators as IE, which is much more commonly used.
All of these recommendations will provide a valuable service to you,
and no conflicts exist when operating them together on your PC [winXP].

Please enact them for your own sake and that of the Internet itself.

9. Use BleepingComputer Tutorials & Resources Frequently. "and check for updates...:thumbsup:"
  • While cleaning your PC important tutorials were offered to explain what was being done.
  • Urgency to accomplish the task may have compromised your full understanding of what all was involved.
  • There is always room for improvement when using a personal computer.
  • Resources are available here and improving all the time.
    Some that deal with these recommendations & other topics include:
Tutorials available for more in-depth considerations.
Switching from Internet Explorer to Firefox
Four Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Guide to Windows XP Recovery Features
Steps to take when connecting a new computer to the Internet

Edited by phawgg, 31 January 2005 - 03:51 AM.

patiently patrolling, plenty of persisant pests n' problems ...

#12 Sequence_Zero

Sequence_Zero
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 03 February 2005 - 07:45 PM

Several Questions.

First, what do you mean by "Tea Timer" option in Spybot?
I tried looking for it but was unable to locate it.
Second, if I only use Firefox, then why do i need to fix IE?

Third, I had to try two times while trying to remove McAfee.
The first time it crashed.
Now when i scanned with spybot, as one of the inconsistencies I see %systemroot%\system32\dumprep 0 -k and I want to know if i can remove it or not.

Another thing is that I'm trying to burn a Pocket CD-R for my friend but my comp is saying thatthe CD-R is already full at 0kb. Im just wondering if you know what the problem is and if it's fixable. The CD-Rs are made from Memorex and my writing hardware is called "Samsung CD-R/CD-RWSW-240B".
If you don't know the answer, then thats ok.

And One More Thing; My Log :thumbsup: :
Logfile of HijackThis v1.99.0
Scan saved at 6:31:56 PM, on 2/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Xinox Software\JCreatorV3 LE\JCreator.exe
C:\HJTBU\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\CRUZMO~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cslsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/instilla-1.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD54740-3687-4ED4-8957-DB984C400342}: NameServer = 207.218.192.38 207.218.192.39
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

#13 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 04 February 2005 - 12:48 PM

First I'll try to answer your questions, Sequence_Zero

First, what do you mean by "Tea Timer" option in Spybot?


Tea Timer is the "resident protection" against spyware.
Essentially an anti-spyware process that protects you against spyware installing
without your knowledge.
You have not enabled that feature.
You didn't opt for installation of it when you first installed apparently.

In Spybot S&D 1.3 (or newer) it is found in Advanced Mode-->Tools-->Resident.
It alerts to all changes made in the registry, both "good" & "bad".
HJT makes changes in the registry when it cleans the entries you select.
Sometimes it is not understood to allow those changes.

Several other changes will be made as you operate your computer normally.
A change is alerted when you install a program,
or make changes to existing program configurations,
or use features of a built in windows program perhaps.
These you would choose to be "allowed".

You can choose to "deny" changes when alerted, also.

Unusual changes, while surfing the net or
perhaps some unanticipated
when you download something
you were not forewarned would make changes.

Second, if I only use Firefox, then why do i need to fix IE?

IE needs to be updated even though you use Firefox.
IE is needed for windows updates, for instance.
Some defaults that are set-up in windows XP utilize it.

It can't be (easily) uninstalled and remains, to a degree,
a vulnerablity to your operating system because of that.

one of the inconsistencies I see %systemroot%\system32\dumprep 0 -k and I want to know if i can remove it or not.

%systemroot%\system32\dumprep 0 -k is not necessary.
You can remove it.
From: http://castlecops.com/startuplist-1773.html
"Used in connection with memory dumps -
you can disable these by -
right clicking on My Computer, selecting Properties and then the Advanced tab.
Click on the Settings button in 'Startup and Recovery'.
In the bottom pane - under 'Write debugging information' - click on the down arrow
and then select 'None' - OK your way out

Third, I had to try two times while trying to remove McAfee

The McAfee file you removed was a Firewall related program process.
With Kerio now running as your Firewall, removal was appropriate.
Two firewall programs running together at the same time is not recommended.

The remaining McAfee programs and the remaining executable files are anti-virus programs.

However, the AVG now represents a second anti-virus program running at the same time.
We do not recommend two "resident" anti-virus programs running together either.

Use Add or Remove Programs to uninstall either AVG or McAfee, please.

Your new log indicates some additional changes, specifically this one:
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cslsp.dll' missing
It represents a problem created when removing the McAfee Firewall program.

Set your PC to Show hidden files.

Reboot your computer into Safe Mode
(by tapping F8 until the screen appears where you can use the up arrow to choose safe mode.)
Hit enter on your keyboard.

Open your C:\HJT folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\CRUZMO~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

When you're sure that files marked for deletion are correct, click the Fix button.

Delete Temp Files
From safe mode desktop:
Start-->Run-->type in: %temp% and press the ok button.
Please delete all files and those within the folders found in the temp folder.
If you get an error when deleting a file, skip that file and delete all the others.
Doing this in Safe Mode you should be able to delete all the files.

Reboot

DownloadDisconnect from the Internet and close all Internet Explorer Windows.
Run the program and check the "I know what I'm doing" Button.
Place all listings of cslsp.dll into the remove section by clicking on the button that points to the right.
When all instances of this dll are in the Remove section, Press the finish button.

Then Reboot.

To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers

Run HijackThis again and post the new log as a reply to this post.
patiently patrolling, plenty of persisant pests n' problems ...

#14 Sequence_Zero

Sequence_Zero
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 08 February 2005 - 06:00 PM

Heres My Log (I think i did everything... :thumbsup: ):
Logfile of HijackThis v1.99.0
Scan saved at 4:59:24 PM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJTBU\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {999715EC-EDC8-44A7-8521-17A2EC4A755B} - http://download-ak.systemsoap.com/instilla/instilla-1.cab
O16 - DPF: {9E6C7461-FE4A-41A9-9D35-7468796CF9E7} (AVXControl Class) - http://threatlevel.pcsecurityshield.com/control/avxnew.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_In...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFD54740-3687-4ED4-8957-DB984C400342}: NameServer = 207.218.192.38 207.218.192.39
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

#15 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:06:00 PM

Posted 08 February 2005 - 11:05 PM

Set your PC to Show hidden files.

Reboot your computer into Safe Mode
(by tapping F8 until the screen appears where you can use the up arrow to choose safe mode.)
Hit enter on your keyboard.

Open your C:\HJT folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eznsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.eznsearch.com

When you're sure that files marked for deletion are correct, click the Fix button.

Delete Temp Files
From safe mode desktop:
Start-->Run-->type in: %temp% and press the ok button.
Please delete all files and those within the folders found in the temp folder.
If you get an error when deleting a file, skip that file and delete all the others.
Doing this in Safe Mode you should be able to delete all the files.

Reboot into normal mode.

Delete Temporary Internet Files
Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button
and put a checkmark in Delete offline content.
Then add either http://www.google.com/ or http://www.yahoo.com into the HOMEPAGE box.
Press the OK button.

Run HijackThis again and post the new log as a reply to this post.
patiently patrolling, plenty of persisant pests n' problems ...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users