TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Guest on December 09, 2004, 08:00:47 PM
-
Logfile of HijackThis v1.98.2
Scan saved at 5:09:20 PM, on 09/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\system32\addkb32.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\crin32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\RON\Desktop\hijackthis-2.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C682057F-E371-B29A-848C-7D9B32E2DD9C} - C:\WINDOWS\system32\appje.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [sysyc.exe] C:\WINDOWS\system32\sysyc.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [addkb32.exe] C:\WINDOWS\system32\addkb32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrc...kr.cab27571.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab\")
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab\")
-
Could you also download and save to desktop ServiceFilter.zip: http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs. If you get a prompt from your Anti-Virus, ignore it; we are just collecting information.
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
-
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 9, 2004 5:40:59 PM
===> Begin Service Listing <===
Unknown Service #1
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Auto
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Running
Process ID: 332
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{be7900e3-1471-4c33-8be0-37a13a2eb7e7}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Unknown Service # 3
Service Name: %AF夶À¨
Display Name: Network Security Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\crin32.exe /s
State: Running
Process ID: 952
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
---> End Service Listing <---
There are 84 Win32 services on this machine.
3 were unrecognized.
Script Execution Time: 88.48438 seconds.
-
Create a New folder on your Desktop, call it AboutBuster
Download to desktop About:Buster.zip: http://www.malwarebytes.biz/AboutBuster.zip
by RubbeR Ducky
Unzip it to that new folder===Open About:Buster and Check for Updates
Don't run a Scan yet
Download and install Windows CleanUp! by Steve Gould: http://downloads.stevengould.org/cleanup/CleanUp312.exe
Give the link time to load, this is a small download
This will help you to clean your temporary files, cookies and prefetch folder
Don't run this yet
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>>SAVE AS
Name the file as fix.reg
Important>>>Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
Restart your computer into Safe Mode
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Offending Service Name <--will enter appropriate name when identified
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
Open Task Manager (Right click the bottom Task bar and select Task Manager) and end process on these if still running
addkb32.exe
crin32.exe
navigate to and delete these files or folders if they exist
FILES in bold
C:\WINDOWS\system32\addkb32.exe
C:\WINDOWS\system32\sysyc.exe
C:\WINDOWS\crin32.exe
===Do another scan with Hijackthis and put a check next to these entries, not all might appear in safe mode, but check all that you can see
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C682057F-E371-B29A-848C-7D9B32E2DD9C} - C:\WINDOWS\system32\appje.dll
O4 - HKLM\..\Run: [addkb32.exe] C:\WINDOWS\system32\addkb32.exe
O4 - HKLM\..\Run: [sysyc.exe] C:\WINDOWS\system32\sysyc.exe
After you have put a check next to the above entries, close out All other windows
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis
Open Cleanup and click the Cleanup button, let it finish scanning, DON'T reboot when prompted
Exit the program
Go to Start | Run and type regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and expand Services in the left pane. Look for any entries named as:
%AF夶À¨ or Network Security Service
If any are listed, right-click that entry and choose Delete.
Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:
LEGACY %AF夶À¨ or LEGACY Network Security Service
If any are listed, right-click the entry and choose Delete.
If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.
Navigate to About:Buster
Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time.
Save the log to a convenient location, I will want to see it later. Then hit exit
===Double click on fix.reg you saved to desktop earlier
and Allow it to merge to the Registry
===Open Ad-aware---Click the GEAR at the top
# Click on the General button on the left hand side.
1. Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Automatically save logfile
2. Automatically quarantine objects prior to removal
3. Safe Mode (always request confirmation)
# Next click on the Advanced button on the left hand side.
1. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Include additional object information
2. Include negligible objects information
3. Include environment information
4. Include Alternate data stream details in log file
# Next click on the Tweak button on the left hand side.
1. Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Include basic Ad-Aware settings in logfile
2. Include additional Ad-Aware settings in logfile
2. Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Unload recognized processes & modules during scan
2. Scan registry for all users instead of current user only
3. Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.
1. Always try to unload modules before deletion
2. During removal, unload Explorer and IE if necessary
3. Let Windows remove files in use at next reboot
Once these settings have been completed, you should click on the Proceed button
Make sure you change the scan mode to Perform full system scan. Then uncheck the Search for negligible risk entries.
Step 5: Start the Actual Scan
Now click on the Next button to have Ad-Aware SE start scanning your system. Ad-Aware SE will start scanning your system for Spyware and Hijackers
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode to finish the cleaning process
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
===Download Hoster
Unzip it to its own folder
Open Hoster and click the "Restore Original Hosts" and press "OK". Exit Program.
===Look in your system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder
===# Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)
Do another scan with hijackthis and save the log and post it back here
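As an added example (not code from this thread, its helper, or HijackThis itself), here is a small Python triage script that applies the reasoning behind the entry list above to the R/O2/O4 lines of a HijackThis 1.98 log: it flags the res:// search-page hijack, the missing URLSearchHook, the nameless BHO and the Run entries named after bare executables dropped in the Windows directory. The rules are assumptions drawn from this one log, not a signature database, and the sample lines are copied from the first log in the thread.

```python
"""Triage helper for HijackThis 1.98 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the entry lines from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tmslw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C682057F-E371-B29A-848C-7D9B32E2DD9C} - C:\WINDOWS\system32\appje.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sysyc.exe] C:\WINDOWS\system32\sysyc.exe
O4 - HKLM\..\Run: [addkb32.exe] C:\WINDOWS\system32\addkb32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "R1", "O2", "O4"
    reason: str  # why the entry was flagged
    line: str    # the original log line


# Every HijackThis entry line starts with its section code: "R1 - ...", "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# The hijack in this log: IE search keys pointing at HTML served out of a DLL in system32.
RES_DLL_RE = re.compile(r"=\s*res://\S*\\system32\\[^\s/\\]+\.dll/", re.IGNORECASE)
# O4 body: 'HKLM\..\Run: [entry name] command line'
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O2 body: 'BHO: name - {CLSID} - path'
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?)\s*-\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.*)$")


def _executable(cmd: str) -> str:
    """Return the program part of a Run command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def _classify(kind: str, body: str) -> Optional[str]:
    """Heuristic rules (an assumption of this example) for one parsed entry."""
    if kind in ("R0", "R1") and RES_DLL_RE.search(body):
        return "IE search/start page redirected to HTML served from a DLL in system32"
    if kind == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed (the fix.reg in this thread restores it)"
    if kind == "O2":
        bho = BHO_RE.match(body)
        if bho and bho.group("name") == "(no name)":
            return "Browser Helper Object with no name"
    if kind == "O4":
        run = RUN_RE.match(body)
        if run:
            exe = _executable(run.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            in_windir = exe.lower().startswith("c:\\windows\\")
            if in_windir and run.group("name").lower() == base:
                return "Run entry named after a bare executable in the Windows directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis entry lines and return the ones the rules flag, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, process list, or blank line
        reason = _classify(match.group("kind"), match.group("body"))
        if reason:
            findings.append(Finding(match.group("kind"), reason, line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind}: {finding.reason}\n    {finding.line}")
```

Feed it a whole log file and the Norton, Adobe and SoundMan entries pass through silently while the five entries the helper listed for removal are reported.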
-
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link==Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free!
With both, Check for updates every couple of weeks
-
Logfile of HijackThis v1.98.2
Scan saved at 8:43:11 PM, on 09/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\RON\Desktop\hijackthis-2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goggle.ca/ (http://\"http://www.goggle.ca/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrc...kr.cab27571.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab\")
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab\")
-
Asked the user to remove these 2 entries with Hijackthis
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
Not all instructions are complete on this log; this is a friend's log from work
Posted the log here for easy access as well as being on the phone
-
Logfile of HijackThis v1.98.2
Scan saved at 9:46:26 PM, on 12/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\TPPALDR.EXE
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\svchost.exe
D:\program files\quicktime\qttask.exe
D:\OPLIMIT\Opware12.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
D:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
D:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
D:\Program Files\Logitech\ImageStudio\LowLight.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Banks\Desktop\Aluria Spyware Eliminator\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html (http://\"http://www.oemji.com/side_search.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com (http://\"http://www.oemji.com\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca (http://\"http://start.shaw.ca/start/enca\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html (http://\"http://www.oemji.com/side_search.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html (http://\"http://www.oemji.com/side_search.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.shaw.ca/ (http://\"http://start.shaw.ca/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiSearchPlus.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSearch.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Register MediaRing Talk] D:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Opware12] "D:\OPLIMIT\Opware12.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "D:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Startup: ASE Scheduler.lnk = D:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Event Reminder.lnk = G:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = G:\Program Files\CreataCard\Gold\FMRMD32.EXE
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...utoinstall.html (http://\"https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://developer.viewpoint.com/download/autoinstall.html\")
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EC..._1029_EN_XP.cab (http://\"http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1029_EN_XP.cab\")
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab (http://\"http://download.zonelabs.com/bin/free/cm/ICSCM.cab\")
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (http://\"http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab\")
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab (http://\"http://www.pestscan.com/scanner/axscanner.cab\")
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1393ddbe99ba6312f706/netzip/RdxIE601.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://vegasvilla.microgaming.com/vegasvilla/FlashAX.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
-
Sorry Cliff, not much time to look at your log
I realize you have Spybot but can you open it up and Click on HELP>>>ABOUT
Tell me Version and Latest detection update date? thanks
But if you could for now, take a look at this link, this is what I think of SpySpotter
You decide if you want to keep it
I wouldn't
http://www.spywarewarrior.com/rogue_anti-spyware.htm
I see a few O16's in your log that we have to get rid of
As well as the Rogue Anti-Spyware program if you didn't pay for it
That would be SpySpotter
NEXT: Download these free programs that I trust
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version
If you don't have this version, install this one
After installation-CHECK FOR UPDATES
Allow to download updates
Do a Full system scan----Remove All Critical objects
RESTART your computer to finish the cleaning process
Download and Install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html)
After installation--SEARCH FOR UPDATES
Download all updates
Check for Problems---FIX everything in RED
RESTART your computer one more time
Post back a fresh hijackthis log afterwards and let me know how everything's going
Cliff, don't just think you have the latest version, make sure you have the above versions of the above Spyware Removers
EDIT>>>HEY RON>>Take a look at this link and get the free version of AVG 7
http://free.grisoft.com/freeweb.php/doc/2/
-
https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe
-
Logfile of HijackThis v1.98.2
Scan saved at 10:19:44 AM, on 10/12/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ EASY ACCESS BUTTON SUPPORT\CPQBZL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\AMEDDTCT.EXE
C:\PROGRA~1\COMPAQ\COMPAQ~1\OSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CYBERMEDIA UNINSTALLER\IMONITOR.EXE
C:\WINDOWS\TWAIN_32\LOGISCAN\LGMNTR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\RunDLL.exe
C:\TOOLS_95\IMGICON.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://start.shaw.ca/start/enca/addons/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
F1 - win.ini: run=Qtstub.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM\..\Run: [MHInit] C:\Program Files\CyberMedia UnInstaller\mhinit.exe
O4 - HKLM\..\Run: [InstallationMonitor] "C:\Program Files\CyberMedia UnInstaller\imonitor.exe" /MM
O4 - HKLM\..\Run: [Logimonitor] c:\windows\TWAIN_32\LogiScan\lgmntr.Exe
O4 - HKLM\..\Run: [SpdStart] C:\Program Files\Norton Utilities\NSS\SPDSTART.EXE /AutoStart
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton FastLoadFS] C:\Program Files\Norton Utilities\NSS\FASTLOAD.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CPQEASYACC] C:\Program Files\Compaq\Compaq Easy Access Button Support\cpqbzl.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AOL Instant Messenger (tm)] D:\NETSCAPE\Program\AIM\aim.exe -cnetwait.odl
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Corel Family and Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic\cffrem.exe
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\FMRMD32.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
-
REGEDIT4

; Puts IE's search pages, the URL prefix table and the default URLSearchHook
; back to Microsoft's defaults. Key headers sit on their own line, the default
; value of a key is written as @=, and sections are separated by a blank line,
; as regedit expects.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
@="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
-
Most of what I'm asking is legit
Don't everyone follow this
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version
If you don't have this version, install this one
After installation-CHECK FOR UPDATES
Allow to download updates
Do a Full system scan----Remove All Critical objects
RESTART your computer to finish the cleaning process
-
Logfile of HijackThis v1.98.2
Scan saved at 11:57:27 PM, on 12/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TPPALDR.EXE
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
D:\program files\quicktime\qttask.exe
D:\OPLIMIT\Opware12.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
D:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
D:\Program Files\Logitech\ImageStudio\LowLight.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Banks\Desktop\Aluria Spyware Eliminator\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.shaw.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiSearchPlus.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSearch.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Register MediaRing Talk] D:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Opware12] "D:\OPLIMIT\Opware12.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "D:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Startup: ASE Scheduler.lnk = D:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Event Reminder.lnk = G:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = G:\Program Files\CreataCard\Gold\FMRMD32.EXE
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://developer.viewpoint.com/download/autoinstall.html
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1029_EN_XP.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1393ddbe99ba6312f706/netzip/RdxIE601.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://vegasvilla.microgaming.com/vegasvilla/FlashAX.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
-
Followed your instructions and the latest run of HijackThis is above.
Thanks for the help.
-
Hi Cliff, sorry if this thread is confusing, I'm posting replies for reference to yourself and Ron
I'll try to separate replies a bit
This is for you C...
:D
Oemji toolbar should be removed, what worries me is that most of the time it Hijacks your Winsock settings and improper removal can leave your computer without Internet access
Of course there's Winsock Fix or LSP fix to help with this
Hijackthis will usually indicate if this area has been hijacked but I see no reference to it in your log
But, let's make sure, Could you go to this link and download and save to desktop
LSP fix.exe
http://www.cexx.org/lspfix.htm
Double click to run it---Let me know what you see in the KEEP and REMOVAL panes
Most/All will be legit
Post that info back here---Just close out the program when done
The below are instructions for your log if LSP fix is all clear: I figured I'd kill 2 birds with one stone
So you may not want to try the below until we know that LSP fix is clear
Hold onto LSP fix until we're done
Oemji search toolbar is almost considered optional for removal but almost everyone I know that reads hijackthis logs has removed it
Also remember to Uninstall SpySpotter if you haven't paid for it, that entry may be just a leftover in your registry if you have
I also noticed this in your running processes
D:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
http://computercops.biz/StartupList.html
I'm not sure what other Spyware Removal tools you have on your computer, but anything related to Aluria is not usually good news
I hope you didn't get goaded into purchasing SpywareEliminator or SpySpotter
If you did, use it for now but you don't need it running on startup I don't believe
They associated themselves with WhenU, which can bring unwanted popups to one's computer
Use that link I supplied earlier to Track down info on Aluria
Here's what I recommend removing for now, some are optional, I'll point them out to you
I would Access your Add/Remove Programs and remove Oemji toolbar or SearchPlus if there
Restart your computer afterwards if removed
Do another scan with Hijackthis and put a check next to these entries
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiSearchPlus.dll
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSearch.dll
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - Startup: ASE Scheduler.lnk = D:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
The next O16's I'm recommending for removal are ActiveX controls for IE
A couple are Malware related, one is a dialer and another related to Netster<--spyware
O16's will be reinstalled if needed, of course you don't want a couple back
:)
Have Hijackthis fix the next entries
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...utoinstall.html
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EC..._1029_EN_XP.cab <--Dialer, bad
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1393ddbe99ba6312f706/...ip/RdxIE601.cab <--Netster spyware
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
The one above is related to Realplayer, not needed, will reinstall if needed, optional for you to fix
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://vegasvilla.microgaming.com/vegasvil...lla/FlashAX.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB
After you have ticked the above entries, close down All other open windows, including this one
Leave Hijackthis open and Click FIX CHECKED
YES and exit hijackthis
RESTART your computer
When you're back in Windows, I linked Ron to a couple Spyware Blockers
That are free for personal use
SpywareBlaster and IE-Spyad
Both don't run in the background---They add registry entries
As mentioned Spyware Blaster will block bad cookies and Bad ActiveX controls
IE-Spyad will add a long list of entries to your Restricted Sites settings in IE's Internet Options--Security tab
SpywareBlaster does this as well, IE-Spyad just adds a lot more
Meaning---Sites in the Restricted Sites zones must follow the rules set out by IE for Restricted sites settings
Not being able to run ActiveX controls and such
Could you post back a fresh Hijackthis log afterwards and let me know if you're having any problems
I also noticed this on your computer
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
Backweb is considered just as bad as spyware by many
Of course it's optional for you to have it running
and Kodak's software updater--related to the above
You could go to
Start > Programs > Kodak > Kodak software updater > Kodak software updater setup.
Disable the Updater
Many just have the user fix backweb, I leave it up to the user's decision
Of course, I have Windows XP SP2 installed on this machine
I don't like controlling startup applications with Msconfig
I use the free utility called
Starter 5.6.1.38 (http://freedownloadswindows.com/65276/starter_56138.html)
You can track down what you need on startup by using these links
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://computercops.biz/modules.php?name=StartupList
Tasklists will recommend the Ultimate Troubleshooter to disable Startups
I believe you have to pay for this
I check within a program itself first and then use Codestuff's Starter to disable it
Which, of course is free
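As an added example that is not part of the original thread: a small Python triage script for the R0/R1, O2, O3, O4 and O16 lines of a HijackThis log. It applies, over sample lines copied from the logs in this thread, the checks the replies above apply by hand: a URL whose host the thread has already called out (oemji.com, downloadv3.com, 207.188.7.150, zuvio.com, spyspotter.com), an O16 ActiveX control fetched from a bare IP address or shipped as an .exe rather than a .cab, and a startup or BHO path under a vendor directory the thread told Cliff to remove. The blocklist and the heuristics are mine, not HijackThis's logic, and a hit is a prompt to look rather than a verdict: Apple's QuickTime installer trips the .exe check and is left for the reader to judge, exactly as the "optional" entries above are.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Hosts and path fragments the replies in this thread singled out for removal.
# Assumption: used here as a blocklist; HijackThis itself ships no such list.
BAD_HOSTS = {
    "www.oemji.com": "Oemji search hijack",
    "akamai.downloadv3.com": "dialer",
    "207.188.7.150": "Netster spyware",
    "www.zuvio.com": "search toolbar",
    "download.spyspotter.com": "rogue anti-spyware",
}
BAD_PATH_MARKERS = ("oemji", "spyspotter", "spyspo~1", "backweb", "aluria")

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"(?:https?|file)://\S+")


@dataclass
class Entry:
    """One HijackThis line: its section prefix (R1, O2, O16 ...) plus the
    CLSID, URL and file path pulled out of it where present."""
    section: str
    text: str
    clsid: Optional[str] = None
    url: Optional[str] = None
    path: Optional[str] = None
    reasons: list = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Entry for an R/F/O line, None for headers, process lists and blanks."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    e = Entry(section=section, text=line)
    if (c := CLSID_RE.search(body)):
        e.clsid = c.group(0).upper()
    if (u := URL_RE.search(body)):
        e.url = u.group(0)
    if section in ("O2", "O3"):
        e.path = body.rsplit(" - ", 1)[-1]        # "... - {CLSID} - C:\path.dll"
    elif section == "O4" and "]" in body:
        e.path = body.split("]", 1)[1].strip()    # "HKLM\..\Run: [Name] C:\x.exe"
    return e


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(e: Entry) -> Entry:
    """Attach review reasons. A hit is a prompt to look, not a verdict."""
    if e.url:
        parsed = urlparse(e.url)
        host = (parsed.hostname or "").lower()
        if host in BAD_HOSTS:
            e.reasons.append(f"host {host} flagged in thread: {BAD_HOSTS[host]}")
        if e.section == "O16":
            if _is_ip_literal(host):
                e.reasons.append("ActiveX control served from a bare IP address")
            if parsed.path.lower().endswith(".exe"):
                e.reasons.append("O16 codebase is an .exe rather than a .cab")
    if e.path:
        hit = next((mk for mk in BAD_PATH_MARKERS if mk in e.path.lower()), None)
        if hit:
            e.reasons.append(f"path contains '{hit}'")
    return e


def triage_log(log_text: str) -> dict:
    """Map each flagged log line to its list of reasons."""
    flagged = {}
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e and triage(e).reasons:
            flagged[e.text] = e.reasons
    return flagged


# Constructed sample: lines copied from the logs and replies in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiSearchPlus.dll
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1029_EN_XP.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1393ddbe99ba6312f706/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it against a saved log with `triage_log(open("hijackthis.log").read())`; it only reads text and changes nothing on the machine, so the actual removal still goes through HijackThis's Fix Checked as described above.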
-
Forgot to log in---the above is from me
Check this reply for any Edit if needed afterwards
We should add this one to the list to fix with Hijackthis
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...tterInstall.cab
Let's see the LSP fix entries first
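The reply above describes SpywareBlaster and IE-Spyad as tools that add registry entries rather than running a process: a "kill bit" on an ActiveX control's CLSID so IE refuses to load it, and hosts placed in IE's Restricted Sites zone so the Restricted Sites rules (no ActiveX and so on) apply to them. As an added example that is not from this thread and not the code of either tool, here is a Python generator for a .reg file that does both by hand for the CLSIDs and hosts the replies flagged, plus a reader that audits which CLSIDs in an exported .reg carry the kill bit. The registry locations are Microsoft's documented ones (the ActiveX Compatibility key with Compatibility Flags 0x400, described in KB 240797, and ZoneMap\Domains with zone 4); the particular CLSIDs and hosts are my choice, taken from the O16 and R1 lines above.

```python
import re

# Documented locations: KB 240797 for the kill bit; ZoneMap is what IE's
# Internet Options > Security dialog writes when you add a Restricted Site.
KILL_BIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT_FLAG = 0x00000400          # bit in "Compatibility Flags" that disables a control
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
RESTRICTED_ZONE = 4                 # 1 intranet, 2 trusted, 3 internet, 4 restricted

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def kill_bit_section(clsid: str) -> str:
    """Registry text that sets the kill bit for one CLSID."""
    clsid = clsid.strip().upper()
    if not CLSID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return (f"[{KILL_BIT_KEY}\\{clsid}]\n"
            f'"Compatibility Flags"=dword:{KILL_BIT_FLAG:08x}\n')


def restricted_site_section(domain: str) -> str:
    """Registry text that puts one host in the Restricted Sites zone.
    ZoneMap stores sub.example.com as the key example.com\\sub; the value
    name "*" applies the zone to every protocol (http, https, ...)."""
    domain = domain.strip().lower()
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a host name: {domain!r}")
    labels = domain.split(".")
    key = ".".join(labels[-2:])
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return (f"[{ZONEMAP_KEY}\\{key}]\n"
            f'"*"=dword:{RESTRICTED_ZONE:08x}\n')


def build_reg(clsids, domains) -> str:
    """Whole .reg file. REGEDIT4 is the header this thread's own .reg uses;
    XP's regedit imports it as well as the 5.00 format."""
    sections = [kill_bit_section(c) for c in clsids]
    sections += [restricted_site_section(d) for d in domains]
    return "REGEDIT4\n\n" + "\n".join(sections)


def parse_kill_bits(reg_text: str) -> set:
    """CLSIDs whose Compatibility Flags in a .reg dump have the kill bit set.
    Useful for auditing what SpywareBlaster, or anything else, has added."""
    header = re.compile(r"^\[" + re.escape(KILL_BIT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
    found, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        m = header.match(line)
        if m:
            current = m.group(1).upper()
        elif line.startswith("["):
            current = None
        elif current and line.startswith('"Compatibility Flags"=dword:'):
            if int(line.split("dword:", 1)[1], 16) & KILL_BIT_FLAG:
                found.add(current)
    return found


# Constructed sample: CLSIDs and hosts the replies above marked for removal.
FLAGGED_CLSIDS = [
    "{0594AF7E-573B-40DF-8165-E47AB2EAEFE8}",   # dialer
    "{56336BCB-3D8A-11D6-A00B-0050DA18DE71}",   # RdxIE / Netster
    "{E62A47D8-74B1-4A93-963A-E5E43B7CC5C2}",   # zuvio UCSearch
    "{FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0}",   # SpySpotter installer
]
FLAGGED_HOSTS = ["oemji.com", "zuvio.com", "download.spyspotter.com", "akamai.downloadv3.com"]

if __name__ == "__main__":
    print(build_reg(FLAGGED_CLSIDS, FLAGGED_HOSTS))
```

The kill bit only stops IE from instantiating the control; it does not delete the .cab from Downloaded Program Files, which is why the replies still have HijackThis fix the O16 entries first. Export `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility` from regedit and feed the file to `parse_kill_bits` to see what a blocker has already set.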
-
Ran the LSP fix with the following results
Under KEEP:
mswsock.dll Tcpip
winmr.dll NTDS
RSVPSP.dll (Protocol Handler)
REMOVE was blank
-
Lsp fix shows you're clear
Keep it just in case or you always have System Restore, shouldn't need it
Hijackthis makes backups of anything we remove, so don't delete the backups until everything is running smooth
Go ahead and do the other fixes I suggested
FYI--If the Hijacker had hijacked your winsock settings these would have been the instructions
Disconnect from the Internet--Double click to run Lsp fix
Check "I know what I'm doing".
Then select all instances of sfbnsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel (the Removal Pane). Click Finish
Restart your computer
Post back a fresh hijackthis log afterward, let me know how everything's running
-
I have spent the day trying to make a backup of the registry as per Microsoft's instruction but kept getting error message "Volume shadow copy:80042301". After Googling around and checking out dozens of sites I came across ByFai.com which suggested to run "regsvr32 ole32.dll" which I did, restarted the machine and tried the backup routine again and it worked. The log indicated that in order to run it reverted to non-shadow copy backup mode.
I then followed all your instructions and suggestions and here is the latest HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 6:24:26 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\TPPALDR.EXE
D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
D:\program files\quicktime\qttask.exe
D:\OPLIMIT\Opware12.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
D:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\FinePixViewer\QuickDCF.exe
D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Banks\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.shaw.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Register MediaRing Talk] D:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Opware12] "D:\OPLIMIT\Opware12.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "D:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Event Reminder.lnk = G:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = G:\Program Files\CreataCard\Gold\FMRMD32.EXE
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
-
Wow Cliff, sorry for the grief
I was suggesting using the built in System Restore feature
In START>>ALL Programs>>Accessories>>System Tools
:D
Are you saying this feature wasn't working?
I'm still curious as to why Oemji didn't hijack your Winsock
That's okay, glad you got it figured out
I guess this is the link you used
Click Here: http://www.mcse.ms/showthread.php?threadid=34183&perpage=10&pagenumber=2
Besides the optionals you have running on startup how are things on your end?
If you have time and want to track down what you need on startup check out those 2 links I supplied to startup entries
Again--I wouldn't install the Ultimate Troubleshooter
I'd grab that free Starter program, it's a small download
to disable any unnecessary startups after checking within the program itself to disable it
I also linked Ron to Windows CleanUp!
A great little utility to clean out your Temporary folders, cookies, prefetch folder, etc.
If you decide to install it---It's a small download
Check out the options---I suggest a Standard Cleanup at first, but later uncheck Prefetch
That only needs cleaning out every couple of months
Unless you're like me and install and uninstall a lot of programs
Hope everything is running fine for you, give it a week or so and go ahead and delete the backups made by Hijackthis
Usually I recommend disabling System Restore after a cleanout, Restarting the computer and then enabling System Restore
This removes all Restore points and creates a fresh one
No need to restore any nasties
Your log wasn't bad enough to recommend it, but Ron should probably do it....
:)
I would definitely install SpywareBlaster
For a little added protection
You can also utilize the Immunize feature in Spybot
Open Spybot>>Click Immunize>>OK>>Immunize at the top
Do this after every update
Oh, by the way, this is the end of my canned speech on another forum that I frequent
Not my total canned speech but I like to end it like this
Be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
-
Hi
Ron says that the eMachine I got for them is loaded with viruses and it also indicates that it has 192mb of ram whereas it should have 256mb. The system board has two slots for ram; one slot is empty and the other has a stick of ram, but 192mb seems to be an odd number. Is it possible that part of the ram is bad on that stick? Do you think the virus problem was already in the machine when I bought it, or did it get in there at Ron's place? Although I don't think that they were able to access the internet because of a bad cable.
-
Yah that sounds weird Cliff, if it's only got one stick of Ram in it
Maybe we should doublecheck to make sure that it's not 256
I think he should upgrade to 512 mb
:D
I told him that at work too
XP loves 512, mind you it depends what he really needs it for
Can't be shared video taking up the 64 can it?
That's probably the reason he's seeing 192
I hope we got him mostly clean, a lot of it is/was related to ISTbar
a couple others that were unrelated
Funny thing is date created was around Dec 26 on a couple of them
I forgot to mention, I emailed them a pdf file to set up the Router in case they have to Restore default settings and start again
They were having troubles with it......
Ad-Aware found over 600 Criticals--Heehee
Spybot an additional 17 after the cleaning with Ad-Aware
TrojanHunter, we were having troubles running, I'll get him to try it again later on
It's good for 30 days
Still hasn't put in AVG yet, didn't want to chance a bad install until we got him somewhat clean
Windows CleanUp! cleaned out a ton of temp files and cleaned the Prefetch folder
Manually cleaned his hijackthis log and deleted some bad files in safe mode
All over the phone, so we'll have to see
Here's what his log looked like
Logfile of HijackThis v1.99.0
Scan saved at 7:16:43 PM, on 12/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WINDOWS.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\hllcxpa.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\naendnwg.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\System32\delxp.exe
C:\WINDOWS\System32\alg32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\taskmgr32.exe
C:\WINDOWS\System32\sps32.exe
C:\Program Files\BigFix\BigFix.exe
c:\windows\system32\schtst.exe
c:\windows\system32\sschst.exe
C:\24tgs.exe
C:\24tgs.exe
C:\24tgs.exe
c:\windows\system32\schqst.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\chris\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [bReCS] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [USB Driver] WINDOWS.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\Run: [TURXP Protocol] sps32.exe
O4 - HKLM\..\Run: [DELXP Protocol] delxp.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzîžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]ú"ü‰¸u0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\Run: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\RunServices: [USB Driver] WINDOWS.exe
O4 - HKLM\..\RunServices: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKLM\..\RunServices: [TURXP Protocol] sps32.exe
O4 - HKLM\..\RunServices: [DELXP Protocol] delxp.exe
O4 - HKLM\..\RunServices: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKLM\..\RunOnce: [USB Driver] WINDOWS.exe
O4 - HKCU\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [USB Driver] WINDOWS.exe
O4 - HKCU\..\Run: [Microsoft Task32 Protocol] taskmgr32.exe
O4 - HKCU\..\Run: [TURXP Protocol] sps32.exe
O4 - HKCU\..\Run: [DELXP Protocol] delxp.exe
O4 - HKCU\..\Run: [Microsoft ALGXP Protocol] alg32.exe
O4 - HKCU\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\RunOnce: [USB Driver] WINDOWS.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B1B7606A-D7B9-42A8-AFA2-476308413211} (VacPro.canada_ver4) - http://advnt01.com/dialer/canada_ver4.CAB
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
We'll have to see what it looks like after
Also asked him to run Symantec's ISTbar Removal tool
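A way to triage the O4 and O23 lines of a log like the one above mechanically, as an added example that is not from this thread and not part of HijackThis itself. It takes its sample lines from the logs posted in the thread and applies heuristics of this editor's own: an autostart value registered under Run, RunServices, RunOnce and the HKCU hive all at once (legitimate software normally registers once), a bare filename with no path that has to be looked up on a startup list, a value name full of non-printable characters, and an O23 service whose file HijackThis reports missing. The flags are prompts for a human check, not verdicts.

```python
"""Triage helper for HijackThis O4/O23 lines (added example; heuristics are
this editor's own, not HijackThis rules)."""
import re
from collections import defaultdict

# Sample lines copied from the logs posted in this thread. The Symantec, nwiz
# and MSN Messenger entries are legitimate and are included so the heuristics
# have something to leave alone (nwiz.exe still shows up as "bare": a bare
# name means "look it up", not "remove it").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\Run: [USB Driver] WINDOWS.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\naendnwg.exe
O4 - HKLM\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\RunServices: [USB Driver] WINDOWS.exe
O4 - HKLM\..\RunOnce: [USB Driver] WINDOWS.exe
O4 - HKCU\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [USB Driver] WINDOWS.exe
O4 - HKCU\..\RunServices: [HLL Data Parameter] hllcxpa.exe
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*)\] (.*)$')
# O23 - Service: display name - vendor - path
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')


def target_of(command):
    """Return the executable a Run value launches, stripping quotes and args."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r'(.+?\.(?:exe|com|scr|bat|pif|dll))(?:\s|$)', command, re.I)
    return m.group(1) if m else command.strip()


def triage(log_text):
    """Apply the four heuristics to every O4/O23 line and return the findings."""
    where = defaultdict(list)            # (value name, target) -> locations
    bare, garbled, missing = [], [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            target = target_of(command)
            where[(name.lower(), target.lower())].append(f"{hive}\\{key}")
            # Value names are set by the installer; control/non-ASCII bytes in
            # one are a sign of something writing junk into the Run key.
            if any(ord(c) < 32 or ord(c) > 126 for c in name):
                garbled.append(line)
            # No drive letter and no backslash: Windows resolves it via PATH,
            # so the name alone says nothing about where the file lives.
            if "\\" not in target and ":" not in target and (name, target) not in bare:
                bare.append((name, target))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group(3):
            missing.append(m.group(1))
    # The same name+target under three or more autostart locations.
    redundant = {k: v for k, v in where.items() if len(v) >= 3}
    return {"redundant": redundant, "bare": bare,
            "garbled": garbled, "missing_services": missing}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

On the sample, "USB Driver"/WINDOWS.exe and "HLL Data Parameter"/hllcxpa.exe each come back registered in four locations, the one non-ASCII value name is reported, and the two services with missing files are listed; the Symantec and MSN entries, which carry a full path and appear once, produce nothing.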
-
Thanks Bill
I guess you are right, it has integrated graphics so I suppose that's the answer. I will pick up another 256mb of ram for the empty slot.
My other concern was that somehow the virus problems were already on the machine when I purchased it so I thought I would go after Future Shop, but I think Alyssa was doing her thing on MSN Messenger before setting up the Norton Anti-Virus and that could have been on Dec. 25 and later, so no doubt that is how it happened. Glad you were able to clean it out for them.
Since they are on the Shaw Internet they should be able to install and use the Shaw Secure application and forget about Norton. Shaw also has an add-on containing Anti-Spyware & Pop-Up Blocker software. Do you think that would be the way to go?
Thanks so much for all your help and as Chris says, you are "awesome".
-
Hi again Cliff, let me look into it more
It appears that Shaw's anti-spyware recommendation is an Ad-Aware set up
Take a look
http://support.shaw.ca/shawsecure/2-7-5.htm
Same settings and such
They must have had permission from Lavasoft to use it
I also got him to install Spybot
It has an integrated TEA TIMER that is a great feature
I also have some other free tools that are developed by experts at another forum I frequent
SpywareGuard for one
I'll see which way he wants to go with
He was trying out AVG Anti-Virus--it's free and very good
but he may want to try AVAST's free version
I'm going to talk to him Saturday about it
Has 5 scanners incorporated into it and it's a very good AV software program
I use it on my other computer--he won't need all the scanners running
Standard Shield
Outlook Scanner>>won't need it if they don't use Outlook
Internet Email scanner>>for Outlook Express and such
Instant Messaging scanner>>I think he may need this
:)
P2P scanner>>Probably won't need it running
Take a look
http://www.avast.com/eng/avast_4_home.html
He only needs one AV running on the computer, I'll see which one he decides on
EDIT>>Yup, they definitely have a deal going with Lavasoft's Ad-Aware
They are also recommending Spybot too
http://support.shaw.ca/internetsafety/6steps.htm#6
The Ad-Watch feature of Ad-Aware is a feature that protects certain parts of the registry from being changed by the likes of Spyware, hijackers, malware
Shaw is calling it Ad-Monitor
More or less the same idea as Spybot's Tea Timer
So he won't need a paid version
Mind you he may want to go with SpywareGuard
With both SpywareGuard, SpywareBlaster installed--A good AV
Hook that Router back up
They should stay fairly protected
But nothing is 100% guaranteed
Having Ad-Watch, Tea Timer, and SpywareGuard running may be a bit overkill
I also have IE-Spyad2 installed on our computers
Regular IE-Spyad for the individual user account
IE-Spyad 2 for Global use, All user accounts
You only need one or the other
I can't keep the other member of my household off of Internet Explorer
My machines keep clean, and I have to visit a lot of nasty sites when checking out some of these logs>>Mind you, that's why I use Firefox
-
http://www.onlinesportdiscount.com