
HijackThis log results help please!


Name: Scott
Date: July 16, 2003 at 14:02:49 Pacific
OS: Windows 98
CPU/Ram: Pentium III
Comment:

Hi, I get all kinds of browser spam crap all the time. I really need help getting rid of it. I ran HijackThis! and here are the log file results:

Logfile of HijackThis v1.95.1
Scan saved at 4:47:46 PM, on 07/16/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\IEXPLORE32.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\ETRENDS\ETREND32.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\GWHOTKEY.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\AHEAD\INCD\INCD.exe
C:\WINDOWS\SYSTEM\LEXBCES.exe
C:\PROGRAM FILES\ACCESSORIES\SYSTEM\EM_EXEC.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\WINDOWS\SYSTEM\AUPDATE.exe
C:\PROGRAM FILES\AIM95\AIM.exe
C:\PROGRAM FILES\CALLWAVE\IAM.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.exe
C:\WINDOWS\SYSTEM\LEXPPS.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe
C:\PROGRAM FILES\RB32\RB32.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=ZZZZZZZZ010&id2=9139096CSMM&lp=1&nsv=5.1.1.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
F1 - win.ini: load=C:\ETRENDS\etrend32.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(1).exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\ACCESS~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.exe" -noauth
O4 - HKCU\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: AIM (HKLM)
O10 - Broken Internet access because of LSP provider 'csloa.dll' missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {6BE6BDA4-394F-11D3-B6AF-00105AA51E4C} - http://www.dash.com/DashInst.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/1070def0b87f1c3cde16/netzip/RdxIE.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00171.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37676.5813078704
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: ConferenceRoom Java Client (MSN Chat Control 4.5) - http://techchat.bright.net/java/cr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

What do I need to delete/fix? Please help! The browser spam includes win250dollar.com/..., panch55.com/..., and cnt.rapidblaster.com

There are a few other servers/sites that pop up every once in a while too. All this stuff is mostly porn.




Response Number 1
Name: safeTsurfa
Date: July 16, 2003 at 16:11:38 Pacific
Reply:

Have you run Spybot from security.kolla.de and AdAware from www.lavasoftusa.com? These two anti-spy proggies should clean out most bad stuff that HijackThis found.


0

Response Number 2
Name: Scott
Date: July 16, 2003 at 20:08:14 Pacific
Reply:

Adaware and Spybot found spyware but I have seen no change.


0

Response Number 3
Name: wawadave
Date: July 16, 2003 at 20:21:21 Pacific
Reply:

Is your firewall picking up any outgoing programs?
When running a command or DOS prompt with "netstat.exe 9", are there any funny things running that are getting past the firewall?
Do they pop up offline? That's when you have a problem, for sure.

This looks suspicious:
Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?
But I'm not an expert in hijack readouts.



0

Response Number 4
Name: Tom41
Date: July 17, 2003 at 02:24:01 Pacific
Reply:

You have some nasty 'malware' and a virus.
First, download and run RapidBlaster Killer and reboot.

RapidBlaster Killer

Then run HT again and check the following items. Double-check so as to be sure not to miss one.
Next, close all browser windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = +w
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=ZZZZZZZZ010&id2=9139096CSMM&lp=1&nsv=5.1.1.1
F1 - win.ini: load=C:\ETRENDS\etrend32.exe
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.exe
O4 - HKLM\..\RunServices: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O16 - DPF: {6BE6BDA4-394F-11D3-B6AF-00105AA51E4C} - http://www.dash.com/DashInst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/1070def0b87f1c3cde16/netzip/RdxIE.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00171.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab

After rebooting delete the following:

etrend32.exe
iexplore32.exe
aupdate.exe

Also uninstall SVA Player.

Then go here and run an online virus scan:

RAV




0
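What the responders did by eye on the log above can be written down as detection rules. The following is an added example, not code from the thread or from HijackThis: it parses the R0/R1, O4 and O10 line formats, with SAMPLE_LOG a constructed excerpt of Scott's log, and flags the same patterns the replies call out (a proxy auto-config URL, one autorun name under several Run keys, a path-less binary named like a system program, and an autorun pointing into a received-files or temp folder). The lookalike-name and suspect-folder lists are this example's own choices, not a HijackThis rule set.

```python
"""Heuristic triage of a HijackThis 1.x log (R0/R1, O4 and O10 line formats)."""
import re
from collections import defaultdict

# Constructed excerpt of the log posted above (the real log has many more lines).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=X
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(1).exe
O4 - HKLM\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKLM\..\RunServices: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [Config32 Loader] iexplore32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O10 - Broken Internet access because of LSP provider 'csloa.dll' missing
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Heuristic lists chosen for this example: system program names that malware
# imitates with a digit suffix, and folders no legitimate autorun should point into.
LOOKALIKE_TARGETS = {"iexplore.exe", "explorer.exe", "svchost.exe"}
SUSPECT_DIRS = ("RECEIVED FILES", "\\TEMP\\", "\\RECYCLED\\")


def exe_path(cmd):
    """Best-effort extraction of the program path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.(exe|com|bat|pif|scr))(\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse(log_text):
    """Turn each recognised log line into a dict; unrecognised lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        entry = {"section": sec, "raw": raw.strip()}
        if sec in ("R0", "R1") and " = " in rest:
            location, value = rest.split(" = ", 1)
            entry["setting"] = location.rsplit(",", 1)[-1]   # e.g. AutoConfigURL
            entry["value"] = value
        elif sec == "O4":
            o4 = O4_RE.match(rest)
            if o4:                                 # registry Run-type entry
                entry.update(o4.groupdict())
                entry["exe"] = exe_path(o4.group("cmd"))
        elif sec == "O10":
            entry["message"] = rest
        entries.append(entry)
    return entries


def triage(entries):
    """Return (line, reason) pairs for entries matching the thread's red flags."""
    findings = []
    by_name = defaultdict(list)                    # autorun name -> keys it appears under
    for e in entries:
        sec = e["section"]
        if sec in ("R0", "R1") and e.get("setting") == "AutoConfigURL" and e.get("value"):
            findings.append((e["raw"], "proxy auto-config URL set: browsing can be routed through a third-party proxy"))
        elif sec == "O4" and "exe" in e:
            exe = e["exe"]
            base = exe.rsplit("\\", 1)[-1].lower()
            by_name[e["name"]].append(e["hive"] + "\\" + e["key"])
            if "\\" not in exe and base not in LOOKALIKE_TARGETS and re.sub(r"\d", "", base) in LOOKALIKE_TARGETS:
                findings.append((e["raw"], f"autorun '{base}' imitates a system program name and gives no path"))
            if any(d in exe.upper() for d in SUSPECT_DIRS):
                findings.append((e["raw"], "autorun launches a program from a download, temp or recycle folder"))
        elif sec == "O10":
            findings.append((e["raw"], "broken Winsock LSP chain: repair with an LSP tool, not by deleting blindly"))
    for name, keys in by_name.items():
        if len(keys) > 1:
            findings.append((f"[{name}]", f"same autorun name registered under {len(keys)} keys: {', '.join(keys)}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(parse(SAMPLE_LOG)):
        print(f"{reason}\n    {line}")
```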

Response Number 5
Name: Tom41
Date: July 17, 2003 at 02:27:00 Pacific
Reply:

Oops! Missed one... Have HT fix this one as well:

O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(1).exe

and delete PIC1324(1)(1)(1).exe after rebooting.



0




Response Number 6
Name: Setter
Date: July 17, 2003 at 03:44:58 Pacific
Reply:

Good job Tom

Ya beat me to it. Your list matches the one I had, but I have one additional item for fixing.

Oh, and I just thought I would mention that the following O4 item is the reason for running RapidBlaster Killer:
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"


Here is the additional item; DAP is not good.
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm


0

Response Number 7
Name: Scott
Date: July 17, 2003 at 08:22:22 Pacific
Reply:

You are sure about deleting Etrends? That's a program on our computer. It's kinda like spyware, but it's just a program that we get paid for having. It monitors what we do and who in the family is doing it. Thanks for the help!


0

Response Number 8
Name: Tom41
Date: July 17, 2003 at 08:45:21 Pacific
Reply:

As long as you're comfortable with it, then go ahead and keep it...
Don't have HT fix this line:

F1 - win.ini: load=C:\ETRENDS\etrend32.exe


0

Response Number 9
Name: Scott
Date: July 17, 2003 at 09:16:18 Pacific
Reply:

SHAT! It's gone! :( I still didn't do the second part yet though:

"After rebooting delete the following:

etrend32.exe
iexplore32.exe
aupdate.exe "

Oh well, they'll send us a disk to reload it sooner or later. :P Hey, can Gateway GoBack fix this? Not really sure how to use that GoBack program. Oh well... I'm gonna do the second part now (excluding etrend32).


0

Response Number 10
Name: Tom41
Date: July 17, 2003 at 09:29:10 Pacific
Reply:

If you didn't already delete etrend32.exe, then don't. Just add C:\ETRENDS\etrend32.exe back to the Load= line of the win.ini.

Click Start > Run > type win.ini and click OK.
The win.ini will open in Notepad; add the above to the Load= line. Close the win.ini and save the changes.


0

Response Number 11
Name: Scott
Date: July 17, 2003 at 09:31:34 Pacific
Reply:

And about the second part...


Do you want me to just delete aupdate.exe or should I uninstall it?

Delete iexplore32.exe (in C:\WINDOWS\SYSTEM)? Are you 100% sure? BTW, I tried and it said "Cannot Delete iexplore32: Access is Denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I'm assuming it said this because I was online at the time?

I can't find SVA player.

I can't find PIC1324(1)(1)(1).exe

Aren't SVA and PIC1324 already deleted since I fixed/deleted them with HT?


0

Response Number 12
Name: Scott
Date: July 17, 2003 at 09:35:35 Pacific
Reply:

"If you didn't already delete etrend32.exe, then don't. just add C:\ETRENDS\etrend32.exe
back to the Load= line of the win.ini.
Click Start > Run > type win.ini and click OK.
The win.ini will open in notepad, add the above to the Load= line. Close the win.ini and save the changes."

Do you want me to delete C:\ETRENDS\etrend32.exe from the noload= line?


0

Response Number 13
Name: Tom41
Date: July 17, 2003 at 09:45:30 Pacific
Reply:

Did you reboot after running HijackThis and before trying to delete iexplore32.exe? Yes, I'm 100% positive it's a virus.

SVA Player should be in Add/Remove programs.

Yes, delete the NoLoad= line.

When searching for PIC1324(1)(1)(1).exe make sure you can view hidden files and folders.

Let's see if iexplore32.exe has another registry entry, Open HijackThis and click 'Config' and 'Misc Tools'. Then click 'Generate StartupList log'. Copy and paste that log in a reply.



0

Response Number 14
Name: Scott
Date: July 17, 2003 at 10:42:46 Pacific
Reply:

StartupList report, 07/17/2003, 1:39:26 PM
StartupList version: 1.52
Started from : C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\WILD FILE\GOBACK\GBPOLL.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\ETRENDS\ETREND32.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\GWHOTKEY.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\AHEAD\INCD\INCD.exe
C:\WINDOWS\SYSTEM\LEXBCES.exe
C:\PROGRAM FILES\ACCESSORIES\SYSTEM\EM_EXEC.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\WINDOWS\SYSTEM\IEXPLORE32.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\PROGRAM FILES\AIM95\AIM.exe
C:\PROGRAM FILES\CALLWAVE\IAM.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.exe
C:\WINDOWS\SYSTEM\LEXPPS.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.exe

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
EnsoniqMixer = starter.exe
Multi-function Keyboard = GWHotKey.exe
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.exe /LOADQUIET
LoadQM = loadqm.exe
LexStart = Lexstart.exe
LexmarkPrinTray = PrinTray.exe
InCD = C:\Program Files\ahead\InCD\InCD.exe
EM_EXEC = C:\PROGRA~1\ACCESS~1\SYSTEM\EM_EXEC.exe
NvCplDaemon = RUNDLL32.exe NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
Config32 Loader = iexplore32.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Config32 Loader = iexplore32.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
GoBack Polling Service = C:\Program Files\Wild File\GoBack\GBPoll.exe
SchedulingAgent = mstask.exe
Config32 Loader = iexplore32.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Start WingMan Profiler = "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe" /background
E6TaskPanel = "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.exe" -noauth
AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
Config32 Loader = iexplore32.exe

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

---------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

---------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

---------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S "%3"

---------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.exe "%1" %*

---------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 c:\windows\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf

[PerUser_MSBackup_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf

[PerUser_Enable_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf

[MotownRecPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf

[MmoptMusicaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf

[Shell3PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf

[Theme_Windows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.d


0

Response Number 15
Name: Scott
Date: July 17, 2003 at 10:45:29 Pacific
Reply:

And also, I searched Document Folders and My Computer using Find > Files or Folders... in the Start menu. And put a check next to the uninstallation/deletion of SVA Player. And E-Trends is back to normal.


0

Response Number 16
Name: Scott
Date: July 17, 2003 at 10:47:43 Pacific
Reply:

Whoops, is there a way to delete a post? I messed up my last one... Oh well. Just ignore it, this is better...

I searched Document Folders and My Computer using Find > Files or Folders... in the Start menu for that PIC1324 thing and found nothing. Put a check next to the uninstallation/deletion of SVA Player. And E-Trends is back to normal.


0

Response Number 17
Name: Tom41
Date: July 17, 2003 at 11:01:07 Pacific
Reply:

Click Start > Run > type regedit and click OK
Click the + next to the following keys:

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion

Scroll down and click on the Run folder. In the right-hand window right-click on Config32 Loader = iexplore32.exe and click Delete.

Scroll up and click the - next to HKEY_CURRENT_USER.

Click the + next to the following keys:

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion

Scroll down and click on the Run folder. In the right-hand window right-click on Config32 Loader = iexplore32.exe and click Delete.

Scroll down and click on the RunOnce folder. In the right-hand window right-click on Config32 Loader = iexplore32.exe and click Delete.

Scroll down and click on the RunServices folder. In the right-hand window right-click on Config32 Loader = iexplore32.exe and click Delete.

Close regedit and reboot. Delete iexplore32.exe.


0
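The by-hand hunt in Responses 13 and 17 (find every Run key in the StartupList report that still names iexplore32.exe, then delete each value) can be automated from the report text. This is an added example, not Tom41's procedure or a HijackThis feature: SAMPLE_STARTUPLIST is a constructed excerpt of the report above, and the REGEDIT4 script the last function emits only removes the registry values, so the file itself still has to be deleted after a reboot, as the thread says.

```python
"""Cross-reference a HijackThis StartupList report to find every registry autorun
value that launches a given program, then emit a REGEDIT4 removal script."""
import re

# Constructed excerpt of the StartupList report posted above.
SAMPLE_STARTUPLIST = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.exe /LOADQUIET
Config32 Loader = iexplore32.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Config32 Loader = iexplore32.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
Config32 Loader = iexplore32.exe

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
Config32 Loader = iexplore32.exe

---------------------
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_startuplist(text):
    """Return {registry key: [(value name, command), ...]} for the 'Autorun entries from Registry' sections."""
    sections, current, expect_key = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Autorun entries from Registry"):
            expect_key = True                 # the key path is on the next non-blank line
        elif expect_key:
            if line:
                current, expect_key = line, False
                sections[current] = []
        elif line.startswith("---"):
            current = None                    # section separator
        elif current and " = " in line and not line.startswith("*"):
            name, cmd = line.split(" = ", 1)  # lines like "*No values found*" are skipped above
            sections[current].append((name, cmd))
    return sections


def program_basename(cmd):
    """Lower-cased file name of the program an autorun command launches."""
    m = re.match(r'(?i)"?(?P<path>.*?\.(?:exe|com|bat|pif|scr))', cmd.strip())
    path = m.group("path") if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def find_references(sections, exe_name):
    """All (key, value name, command) triples whose command launches exe_name."""
    hits = []
    for key, values in sections.items():
        for name, cmd in values:
            if program_basename(cmd) == exe_name.lower():
                hits.append((key, name, cmd))
    return hits


def removal_reg(hits):
    """REGEDIT4 script deleting each flagged value ("Name"=- is the delete-value syntax)."""
    lines = ["REGEDIT4", ""]
    for key, name, _cmd in hits:
        hive, _, rest = key.partition("\\")
        lines.append(f"[{HIVES.get(hive, hive)}\\{rest}]")
        lines.append(f'"{name}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_references(parse_startuplist(SAMPLE_STARTUPLIST), "iexplore32.exe")
    for key, name, _ in hits:
        print(f"{key}  ->  {name}")
    print(removal_reg(hits))
```

Treat the generated .reg as a proposal to review: if a value matched for a program you recognise as legitimate, drop that stanza before importing it.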

Response Number 18
Name: Scott
Date: July 17, 2003 at 13:02:48 Pacific
Reply:

Hey, I got the same error when trying to delete the iexplore32.exe even after disconnecting and closing IE. I did, however, get all that stuff in the Registry deleted.


0

Response Number 19
Name: Scott
Date: July 17, 2003 at 14:31:09 Pacific
Reply:

I ran the RAV AntiVirus scan. How do I get rid of the viruses on my comp? Do I just delete the infected files?


0

Response Number 20
Name: Scott
Date: July 17, 2003 at 14:49:57 Pacific
Reply:

Well, here are my results:


Scanned files: 43364
Scanned directories: 2602
Scanned archives: 1118
Size of the scanned files: 2086680618
Packed files: 559
Known viruses found: 13
Virus bodies: 8
Suspicious files: 2

Disinfected files: 0
Deleted files: 0
Renamed files: 0
Copied files: 0
I/O errors: 0
Warnings: 0
Corrupted files: 0
New files: 131153
Mail files: 94


Found viruses
File: c:\Help.htm->(Hta)->(SCRIPT0000)
Virus: VBS/Haptime@mm.gen* Status: Infected

File: c:\BRI'2000\Help.hta->(Hta)->(SCRIPT0000)
Virus: VBS/Haptime@mm.gen* Status: Infected

File: c:\WINDOWS\SYSTEM\iexplore32.exe->(UPXW)
Virus: Backdoor:IRC/SdBot Status: Infected

File: c:\WINDOWS\TEMP\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/click4.exe
Virus: Nuker:Click (exact) Status: Infected

File: c:\WINDOWS\TEMP\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/icmpwtch.exe
Virus: PWS:Sphere Status: Infected

File: c:\WINDOWS\TEMP\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/Nuker.exe
Virus: Nuker:Vaite.1_0 Status: Infected

File: c:\WINDOWS\TEMP\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/iRCkiLL.exe
Virus: Trojan:IRCKill (exact) Status: Infected

File: c:\WINDOWS\TEMP\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/system/fserve.ini
Virus: IRC/Generic* Status: Suspicious

File: c:\WINDOWS\TEMP\ICD3.tmp\installer_george_test.exe
Virus: TrojanDropper:Win32/Delf.AV Status: Infected

File: c:\WINDOWS\Temporary Internet Files\Content.IE5\4RFZUST1\stc[1].htm->(OBJECT0000)
Virus: HTML/CodeBaseExec* Status: Infected

File: c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/click4.exe
Virus: Nuker:Click (exact) Status: Infected

File: c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/icmpwtch.exe
Virus: PWS:Sphere Status: Infected

File: c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/Nuker.exe
Virus: Nuker:Vaite.1_0 Status: Infected

File: c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/iRCkiLL.exe
Virus: Trojan:IRCKill (exact) Status: Infected

File: c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/system/fserve.ini
Virus: IRC/Generic* Status: Suspicious


Could you please tell me what I need to do with this too? But don't forget about that iexplore32.exe problem, though. I g2g, c ya tonight.


0

Response Number 21
Name: Tom41
Date: July 17, 2003 at 21:16:44 Pacific
Reply:

Boot into safe mode and delete all files listed in the RAV report.


0

Response Number 22
Name: Scott
Date: July 18, 2003 at 08:18:03 Pacific
Reply:

Sorry, not sure what you mean. And what do I do with that happyscript thing? Just delete the program? And what about c:\RECYCLED?


0

Response Number 23
Name: Tom41
Date: July 18, 2003 at 09:31:04 Pacific
Reply:

Restart the machine, as it is booting tap the F8 key. Keep tapping it and a boot menu will appear, choose safe mode and hit enter.

Empty the recycle bin to delete those files.
Delete the rest of the files listed in the report.


0

Response Number 24
Name: Scott
Date: July 18, 2003 at 11:17:22 Pacific
Reply:

Woohoo! I got iexplore32.exe deleted! Am I done? I'll run another RAV scan soon and then a quick Spybot scan to make sure it is all gone. So far so good... no bad ads! Thank you so much!


0

Response Number 25
Name: Scott
Date: July 18, 2003 at 12:04:52 Pacific
Reply:

c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/click4.exe - Nuker:Click (exact) -> Infected
c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/icmpwtch.exe - PWS:Sphere -> Infected
c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/Nuker.exe - Nuker:Vaite.1_0 -> Infected
c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/iRCkiLL.exe - Trojan:IRCKill (exact) -> Infected
c:\RECYCLED\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/system/fserve.ini - IRC/Generic* -> Suspicious


That stuff is still there. What do I do about that? There is nothing in c:\RECYCLED.


0

Response Number 26
Name: Tom41
Date: July 18, 2003 at 12:19:08 Pacific
Reply:

Click Start > Shutdown > Restart in MS-DOS and click OK.
Type in the following commands and hit Enter after each.

smartdrv
deltree /y C:\Recycled
exit



0
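Scott's confusion over "that happyscript thing" comes from how RAV prints nested detections: each hit inside an archive or packer is listed as container->(type)->member, so the five HaPpYsCrIpT lines under C:\WINDOWS\TEMP are one self-extracting EXE, the five under C:\RECYCLED are a second copy of it, and the Help.htm line is a script embedded in the file itself. As an added example (not RAV's code and not from the thread), the script below folds a report back to the files that actually exist on disk and flags the ones in the Recycle Bin folder, which is why emptying the bin or running deltree on C:\Recycled is the way to get rid of them. The sample lines are a subset of the report posted above; the parser and grouping are ours.

```python
import re

# Constructed sample: a subset of the posted RAV report ('\\' is one backslash).
SAMPLE_REPORT = """\
File: c:\\WINDOWS\\SYSTEM\\iexplore32.exe->(UPXW)
Virus: Backdoor:IRC/SdBot Status: Infected

File: c:\\WINDOWS\\TEMP\\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/click4.exe
Virus: Nuker:Click (exact) Status: Infected

File: c:\\WINDOWS\\TEMP\\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/system/fserve.ini
Virus: IRC/Generic* Status: Suspicious

File: c:\\RECYCLED\\HAPPYSCRIPT-V4-01.EXE->(ZipSfx)->HaPpYsCrIpT/bin/Nuker.exe
Virus: Nuker:Vaite.1_0 Status: Infected

File: c:\\Help.htm->(Hta)->(SCRIPT0000)
Virus: VBS/Haptime@mm.gen* Status: Infected
"""

FILE_RE = re.compile(r"^File:\s*(.+)$")
VIRUS_RE = re.compile(r"^Virus:\s*(.+?)\s+Status:\s*(\w+)$")


def parse_rav_report(text):
    """Return a list of (on_disk_path, member, name, status), one per detection.

    member is the archive entry the code was found in, or None when the hit is
    in the file itself (a packer layer like (UPXW) or an embedded script)."""
    detections, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        m = VIRUS_RE.match(line)
        if m and path is not None:
            # Text before the first '->' is the object RAV opened from disk.
            on_disk, _, inner = path.partition("->")
            last = inner.split("->")[-1] if inner else ""
            member = None if (not last or last.endswith(")")) else last
            detections.append((on_disk, member, m.group(1), m.group(2)))
            path = None
    return detections


def summarize(text):
    """Group detections by on-disk file (case-insensitive) in first-seen order.

    Each entry notes whether the file lives under a RECYCLED folder, which has
    to be emptied (or removed with deltree) rather than deleted in Explorer."""
    groups, order = {}, []
    for on_disk, member, name, status in parse_rav_report(text):
        key = on_disk.lower()
        if key not in groups:
            order.append(key)
            groups[key] = {
                "path": on_disk,
                "in_recycle_bin": "\\recycled\\" in key,
                "detections": [],
            }
        groups[key]["detections"].append(
            {"member": member, "name": name, "status": status})
    return [groups[k] for k in order]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_REPORT):
        where = " (in Recycle Bin)" if entry["in_recycle_bin"] else ""
        print(f'{entry["path"]}{where}: {len(entry["detections"])} detection(s)')
        for d in entry["detections"]:
            print(f'    {d["status"]:<10} {d["name"]}  member={d["member"]}')
```

On the full report this yields five on-disk files (iexplore32.exe, the two HAPPYSCRIPT self-extractors, installer_george_test.exe in TEMP, the cached stc[1].htm, plus the two Help files), which is the list to delete from safe mode; the nested member names never need to be opened or extracted.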

Response Number 27
Name: holly
Date: July 18, 2003 at 13:37:44 Pacific
Reply:

I, too, am having issues with that rb32 and mediaman.exe, some point32 or pointer32, and a toolbar called Qidion.

Here is what I have from that HT program.

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealJukebox\tsystray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\SVA Player\SVAPLAYER.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\PopUp Killer\PopUpKiller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\holly\Desktop\FreeRAM XP Pro 1.22.exe
C:\Program Files\ebkrdr\mediaman.exe
C:\WINDOWS\System32\aupdate.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\holly\Desktop\HijackThis.exe

---------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

---------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
POINTER = point32.exe
RealJukeboxSystray = C:\Program Files\Real\RealJukebox\tsystray.exe
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
SVAPlayer = C:\Program Files\SVA Player\SVAPLAYER.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
rav_temp.exe = C:\DOCUME~1\holly\LOCALS~1\Temp\EACDownload\rav_temp.exe -k
PopUpKiller = E:\PopUp Killer\PopUpKiller.exe
WinStart001.EXE = C:\WINDOWS\System\WinStart001.exe -b

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Iomega Active Disk = C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
WebCamRT.exe =
FreeRAM XP = "C:\Documents and Settings\holly\Desktop\FreeRAM XP Pro 1.22.exe" -win
media_manager = C:\Program Files\ebkrdr\mediaman.exe
Yahoo! Pager = C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet

---------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sspipes.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

---------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\F1.dll - {00000EF1-34E3-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\NetPal.dll - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F}
(no name) - C:\WINDOWS\System32\btiein.dll - {63B78BC1-A711-4D46-AD2F-C581AC420D41}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B}

---------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

---------------------

Enumerating Download Program Files:

[Support.com SmartIssue]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsi.dll
CODEBASE = http://support.charter.com/sdccommon/download/tgctlsi.cab

[Support.com Configuration Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll
CODEBASE = http://support.charter.com/sdccommon/download/tgctlcm.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.25.44/055e3e86685dd3c12f21/netzip/RdxIE.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Yahoo! Audio UI1]
InProcServer32 = C:\Program Files\Yahoo!\Messenger\yacsui.dll
CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37629.6945023148

[Communities.com Passport]
InProcServer32 = c:\Program Files\Communities.com\CartoonOrbit\QU2LMT59HBCAYVJABNCYUN6DT7XKQLE3.dll
CODEBASE = http://cartoonorbit.cartoonnetwork.com/orbiter11020/winorbiter.cab

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805/v1500/www.contentwatch.com/audit/includes/ContentAuditControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

---------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

---------------------
End of report, 9,085 bytes
Report generated in 0.211 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Can someone let me know what on here needs to go so that the popups and porn stuff go away?

thanks


0

Response Number 28
Name: Setter
Date: July 18, 2003 at 14:38:59 Pacific
Reply:

Holly, please post your HijackThis log file instead of the StartupList log.


0

Response Number 29
Name: Holly
Date: July 18, 2003 at 17:15:20 Pacific
Reply:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealJukebox\tsystray.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\SVA Player\SVAPLAYER.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\PopUp Killer\PopUpKiller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\holly\Desktop\FreeRAM XP Pro 1.22.exe
C:\Program Files\ebkrdr\mediaman.exe
C:\WINDOWS\System32\aupdate.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\holly\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\F1.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINDOWS\System32\NetPal.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: Qidion - {3789CBF0-C4CA-4e98-B93B-22ACF0587FBA} - C:\WINDOWS\qi32.dll
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [rav_temp.exe] C:\DOCUME~1\holly\LOCALS~1\Temp\EACDownload\rav_temp.exe -k
O4 - HKLM\..\Run: [PopUpKiller] E:\PopUp Killer\PopUpKiller.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.exe -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\holly\Desktop\FreeRAM XP Pro 1.22.exe" -win
O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msiets.dll//iemenu
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.yahoo.com/games/clients/y/kr2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.yahoo.com/games/clients/y/ir2_x.cab
O16 - DPF: Yahoo! Games Voice Chat - http://yog55.games.scd.yahoo.com/yog/y/va1_x.cab
O16 - DPF: Yahoo! Literati - http://download.yahoo.com/games/clients/y/ts0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/055e3e86685dd3c12f21/netzip/RdxIE.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37629.6945023148
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orbiter11020/winorbiter.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1500/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks, sorry


0

Response Number 30
Name: Scott
Date: July 18, 2003 at 19:22:04 Pacific
Reply:

Thank you so much, Tom41! I think the bad popups are gone!


0

Response Number 31
Name: Tom41
Date: July 19, 2003 at 00:28:23 Pacific
Reply:

Hi Holly, run HT again and check the following items. Double-check so as to be sure not to miss one.
Next, close all browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\F1.dll
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINDOWS\System32\NetPal.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: Qidion - {3789CBF0-C4CA-4e98-B93B-22ACF0587FBA} - C:\WINDOWS\qi32.dll
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.exe -b
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msiets.dll//iemenu

After restarting delete WinStart001.exe

Then download, update and run Spybot-S&D

Spybot


0

Response Number 32
Name: Setter
Date: July 19, 2003 at 01:06:12 Pacific
Reply:

Make sure to run Spybot Search and Destroy http://security.kolla.de/ with all the current updates. Many of the spyware items should be removed.

After running Spybot S&D and rebooting, close all browser windows. Then using HijackThis put a check in the proper boxes for all the following items, double check and then click the “fix checked” button. Reboot and verify that everything listed is gone.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\F1.dll
http://217.115.153.73/parasite/FavoriteMan.html

O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINDOWS\System32\NetPal.dll
http://217.115.153.73/parasite/NetPal.html

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
http://217.115.153.73/parasite/HuntBar.html

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
http://www.doxdesk.com/parasite/HuntBar.html

O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)

O3 - Toolbar: Qidion - {3789CBF0-C4CA-4e98-B93B-22ACF0587FBA} - C:\WINDOWS\qi32.dll
See http://www.doxdesk.com/parasite/Pugi.html

O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.exe -b
See http://www.doxdesk.com/parasite/IGetNet.html

O4 - HKCU\..\Run: [media_manager] C:\Program Files\ebkrdr\mediaman.exe
Mini-Player, iMesh-related foistware. See http://www.pacs-portal.co.uk/startup_pages/startup_m.php

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/055e3e86685dd3c12f21/netzip/RdxIE.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

-------
After you reboot, navigate to these locations and delete the files within.
C:\WINDOWS\System32\aupdate.exe ---------Delete “aupdate.exe”
C:\WINDOWS\System\WinStart001.exe -------Delete “Winstart001.exe”
C:\Program Files\ebkrdr\ ------- Delete the whole folder “ebkrdr”

For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
In addition to using SpywareBlaster (mentioned in the thread) I would also use SpywareGuard http://www.wilderssecurity.net/spywareguard.html

Four of the most recommended anti-spyware programs are SpywareBlaster, SpywareGuard, Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well protected.


0

Response Number 33
Name: Setter
Date: July 19, 2003 at 01:15:46 Pacific
Reply:

Holly the above message is for you, I forgot to address it in your name.

And yes Holly, Tom is also correct on removing
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msiets.dll//iemenu

http://www.doxdesk.com/parasite/HuntBar.html


0
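The two lists above were built by eye from the same handful of signals: a BHO with "(no name)", a toolbar whose file is missing, a hosts-file entry that redirects a real domain, an ActiveX control fetched from a bare IP address or with no codebase at all, a search or start page pointing at a host the owner does not recognise, and an autorun launched out of a Temp folder. As an added example (not HijackThis code and not from either helper's post), the script below applies those checks to HijackThis log lines and marks candidates for review. The rules are heuristics, so a flagged line is something to look up, not a verdict; the Temp-folder rule, for instance, catches rav_temp.exe, which is the RAV scanner Holly ran herself. The sample lines are copied from Holly's log; the KNOWN_HOSTS set is an assumption standing in for whatever start and search pages the owner actually chose.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\F1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rav_temp.exe] C:\DOCUME~1\holly\LOCALS~1\Temp\EACDownload\rav_temp.exe -k
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/055e3e86685dd3c12f21/netzip/RdxIE.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed: the start/search hosts the machine's owner actually chose.
KNOWN_HOSTS = {"www.rr.com", "www.google.com"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def triage_line(line):
    """Return a reason string if the HijackThis line deserves review, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1"):
        # "setting = url": flag a start/search URL on a host the owner did not pick.
        _, _, value = body.partition(" = ")
        host = urlsplit(value.strip()).hostname or ""
        if host and host not in KNOWN_HOSTS:
            return f"browser search/start setting points at {host}"
    elif kind == "O1":
        # Any hosts-file entry silently re-points a domain the user types.
        return "hosts-file entry redirects a domain: " + body[len("Hosts: "):]
    elif kind == "O2":
        if "(no name)" in body:
            return "BHO with no name: " + body.rsplit(" - ", 1)[-1]
    elif kind == "O3":
        if body.endswith("(no file)"):
            return "toolbar CLSID registered but file missing"
        if "(no name)" in body:
            return "toolbar with no name"
    elif kind == "O4":
        # "[value name] command": flag autoruns that start from a Temp folder.
        path = body.split("] ", 1)[-1]
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            return "autorun launched from a Temp folder: " + path
    elif kind == "O16":
        # "{CLSID} (Name) - codebase URL": flag bare-IP hosts and missing URLs.
        _, sep, url = body.rpartition(" - ")
        host = urlsplit(url.strip()).hostname if sep else None
        if not host:
            return "ActiveX control with no codebase URL"
        if IPV4_RE.match(host):
            return f"ActiveX control fetched from bare IP {host}"
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the sample it flags the websearch.com search bar, the aimtoday.aol.com hosts entry, F1.dll, the orphaned toolbar CLSID, rav_temp.exe, the RdxIE control pulled from 207.188.25.44 and the Java entry with no codebase, and leaves the Norton, Flash and rr.com lines alone; that is the same split the two helpers arrived at by hand, with rav_temp.exe as the one false positive a human reviewer would discard.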

Response Number 34
Name: Holly
Date: July 19, 2003 at 14:40:41 Pacific
Reply:

Thank you both for so much help. I think all is finally fixed.

I had been having major issues with my computer.


0

Response Number 35
Name: Tom41
Date: July 19, 2003 at 20:18:04 Pacific
Reply:

Nice catch on mediaman.exe and aupdate.exe, Setter! I've looked at so many HT logs in the past day that they are all starting to blur together... :(


0

Response Number 36
Name: Setter
Date: July 19, 2003 at 22:47:26 Pacific
Reply:

Thanks, Tom. I had passed right by that context menu item myself. It sure helps to have a few eyes looking everything over, don't you think?

Holly's was different, as there was a sign of RapidBlaster, but it isn't there.

The O3 toolbar CLSID with the file missing is for HuntBar, yet I still see HuntBar. I'm not sure how one item is missing but the rest are still there. Well, anyway...

Of course, looking back (hindsight is easy, right?), I probably should have had Holly delete the MSIETS folder C:\PROGRA~1\COMMON~1\MSIETS\ and the BTLINK folder C:\PROGRA~1\COMMON~1\BTLINK\. Oh well, no harm done.

In Holly's case many of the items were ActiveX drive-bys, and I'm sure she did not even know it happened. Those IE ActiveX settings must be tightened up or the same will happen again and again and... LOL

By the way Tom, how do you create a hyperlink on this forum anyway? I’ve been wondering how you do that bit of wizardry, and you do it in color besides!


0

Response Number 37
Name: Tom41
Date: July 20, 2003 at 00:08:56 Pacific
Reply:

Just use a little HTML code:

This: (change the [ ] to the less-than and greater-than characters {the sideways v's})

[a href="http://www.lurkhere.com/~nicefiles/index.html"][font color="blue"]Spybot[/font][/a]

Will =

Spybot


0
