ColdStone Posted January 19, 2005

Hello, I've recently been hit with some very annoying browser redirects. I've purchased two different spyware removers with no luck (Xsoft & Noadware). I'm also running Spybot S&D, Ad-Aware, CWShredder, A2, and the new Microsoft Beta AntiSpyware. I don't have much experience running these programs, but found them simple enough to use. I'm running XP Home (was on Win98, updated a little over a year ago). I am about at the point of format/reinstall, and wouldn't be upset having to do that, as I could certainly use the cleaning. I've got plenty of disk space on 4 storage HDDs. I would greatly appreciate any advice as to my next move (either helping remove the files slamming me or suggesting the files I want to keep if I do a reinstall). Thank you.
matrix0978 Posted January 19, 2005

Well, first I would suggest reformatting. Once you're attacked they don't go back. And just save the files you think you are going to need, like special documents, music, etc.
Martin Zugec Posted January 19, 2005

2ColdStone: First uninstall NoAdware and XoftSpy (sorry you spent money on this)... Then download HijackThis and post a log here.
ColdStone (Author) Posted January 19, 2005

Logfile of HijackThis v1.98.2
Scan saved at 10:58:14 AM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arlink.org LLC...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = <local>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
F1 - win.ini: run= C:\C&C\INSTICON.EXE
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.0.4.31/aces...s-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet-5.9.1.28/slot...a-ob-assets.cab
O16 - DPF: All-Star Football Challenge by pogo - http://allstarfb2.pogo.com/applet-5.9.4.22...2-ob-assets.cab
O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/ccta...k-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.1.0.39/bac...n-ob-assets.cab
O16 - DPF: Big Shot Roulette TM by pogo - http://roulet.pogo.com/applet-6.0.1.20/rou...e-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.0.0.32/vid...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.37/ca...a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet-6.0.2.21/c...s-ob-assets.cab
O16 - DPF: Command and Conquer Comanche by pogo - http://game4.pogo.com/applet-6.0.2.29/ccst...e-ob-assets.cab
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-6.0.1.20/cribb...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.2...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.com/applet-6.0.4.37/domi...o-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet-6.0.1.2...e-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-6.0.2.29/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.9.2.21/...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-6.0.0.25...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.1.28/...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-6.0.3.35/hea...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.com/applet-6.0.4.37/draw...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.1.0.39/pool...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/jigs...w-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-6.0.1.28/vid...d-ob-assets.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.37/gin/gin-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.0.1.20/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahj...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.0.2.29/mlsl...s-ob-assets.cab
O16 - DPF: NASCAR Web Racing by pogo - http://nascar.pogo.com/applet-5.9.2.21/nas...r-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.com/applet-6.0.2.29/paig...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-6.0.4.31/f...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.com/applet-5.9.2.21/peb...e-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-6.0.2.21...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.1.28/flin...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.3.28/pino...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.pogo.com/applet-6.0.2.29...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.4.37/popf...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.2.21/pop...t-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://showbiz2.pogo.com/applet-6.0.1.28/s...2-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.28...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.1.20...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.20/t...2-ob-assets.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-6.0.2.21/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-6.0.0.25/turb...1-ob-assets.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.1.20/vid...r-ob-assets.cab
O16 - DPF: Win32 Classes -
O16 - DPF: Word Whomp by pogo - http://game5.pogo.com/applet-6.0.1.20/word...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.0.4.37/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game5.pogo.com/applet-6.0.4.31/word...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.0.4.31/worl...s-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insa...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46
matrix0978 Posted January 20, 2005

Wow. That's a lot. Well, here is one of your problems:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
Get rid of that. That's a BIG virus or spyware, I forget. Isn't it? The big virus type thing was like svchost or something like that.
epic Posted January 20, 2005

Quoting matrix0978:
Wow. That's a lot. Well, here is one of your problems:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
Get rid of that. That's a BIG virus or spyware, I forget. Isn't it? The big virus type thing was like svchost or something like that.

svchost.exe is needed for Windows to run properly. However, it has a vulnerability that was exploited. This process was registered as 'W32.Welchia.Worm'; however, it is not a worm. There is a hotfix to eliminate the buffer overflow. Usually a normally running operating system will be running at least 2-4 instances of the process.

Running spyware detectors should have removed most of these redirects and settings. There should only be 4 settings here. However, if you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arlink.org LLC...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = <local>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>

Command and Conquer Generals, more or less... remove this from win.ini; there is no reason it should be there.
F1 - win.ini: run= C:\C&C\INSTICON.EXE

Disable most of these; keep the keyboard and mouse if they are USB/wireless; disable nwiz.exe, icqnet.exe, aim, yahoo, msn, atix10.exe, launchpad, psfree, weather. These are autoloading programs from the registry or Startup group.
O4 - HKLM\..\Run: [systemTray] SysTray.Exe KEEP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe KEEP
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe KEEP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup KEEP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install REMOVE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe MAYBE...
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" KEEP
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP KEEP (but I would consider looking for other alternative AV products)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" KEEP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet REMOVE, consider condensing to TrillianPro
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl REMOVE, consider condensing to TrillianPro
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background REMOVE, consider condensing to TrillianPro
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background REMOVE, consider condensing to TrillianPro
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe KEEP, unless you do not care about the GUI
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe" REMOVE, not necessary to run at startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE" KEEP, a free version of Popup Stopper
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 REMOVE, unless you want WeatherBug to start with Windows

Disable most of these from startup. Commented on these.
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe REMOVE, unless you use Photoshop and design often.
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe KEEP, it's your ZoneAlarm
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe REMOVE, not widely used and no big difference is displayed. What it does, however: sets the colour of your monitor when running games that recognise E-Color so that you get 'what the game designer intended' when you see the game. Also allows monitor calibration through a program called 3-Deep. If you play a lot of games it can be useful. Can be disabled from starting up from within the program.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE REMOVE, resource hog that launches common MS Office components

Internet Security settings you changed:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Extra items in the IE right-click menu, or also the menu bar in IE. (If you use multiple messengers, consider moving to TrillianPro.) It's not recommended to run 3rd party applications within IE; to disable 3rd party applications, go to Tools -> Internet Options -> Advanced tab -> uncheck "Enable third-party browser extensions".
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

Netscape Communicator plugin... Not exactly sure what it's used for.
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL

nppdf32.dll, the Netscape plug-in which allows Netscape Navigator and compatible browsers to display PDF documents.
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

NPDocBox.dll is a module related to Adobe Acrobat and provides a plugin for both Netware (if installed) and Internet Explorer.
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

ActiveX Objects (aka Downloaded Program Files). This stuff is not needed and will cause problems.
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.0.4.31/aces...s-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet-5.9.1.28/slot...a-ob-assets.cab
O16 - DPF: All-Star Football Challenge by pogo - http://allstarfb2.pogo.com/applet-5.9.4.22...2-ob-assets.cab
O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/ccta...k-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.1.0.39/bac...n-ob-assets.cab
O16 - DPF: Big Shot Roulette TM by pogo - http://roulet.pogo.com/applet-6.0.1.20/rou...e-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.0.0.32/vid...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.37/ca...a-ob-assets.cab
O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet-6.0.2.21/c...s-ob-assets.cab
O16 - DPF: Command and Conquer Comanche by pogo - http://game4.pogo.com/applet-6.0.2.29/ccst...e-ob-assets.cab
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-6.0.1.20/cribb...e-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.2...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.com/applet-6.0.4.37/domi...o-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet-6.0.1.2...e-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-6.0.2.29/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.9.2.21/...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-6.0.0.25...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.1.28/...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-6.0.3.35/hea...s-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.com/applet-6.0.4.37/draw...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.1.0.39/pool...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/jigs...w-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-6.0.1.28/vid...d-ob-assets.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.37/gin/gin-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.0.1.20/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahj...g-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.0.2.29/mlsl...s-ob-assets.cab
O16 - DPF: NASCAR Web Racing by pogo - http://nascar.pogo.com/applet-5.9.2.21/nas...r-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.com/applet-6.0.2.29/paig...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-6.0.4.31/f...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.com/applet-5.9.2.21/peb...e-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-6.0.2.21...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.1.28/flin...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.3.28/pino...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.pogo.com/applet-6.0.2.29...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.4.37/popf...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.2.21/pop...t-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://showbiz2.pogo.com/applet-6.0.1.28/s...2-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.28...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.1.20...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.20/t...2-ob-assets.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-6.0.2.21/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-6.0.0.25/turb...1-ob-assets.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.1.20/vid...r-ob-assets.cab
O16 - DPF: Win32 Classes -
O16 - DPF: Word Whomp by pogo - http://game5.pogo.com/applet-6.0.1.20/word...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.0.4.37/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game5.pogo.com/applet-6.0.4.31/word...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.0.4.31/worl...s-ob-assets.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insa...aploader_v6.cab

Domain hijacks:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46

Concluding... way too much stuff on your machine, just by viewing your log here. I would consider doing a low-level format and reinstalling your OS.

Just a TIP: do not use the Yahoo, AIM, or MSN messengers; they're just a tool for advertising products. (DOWNLOAD TRILLIANPRO if you need a messenger; it combines all types of collaboration.) Also NEVER install ActiveX controls from 3rd party sites unless it's a well known site requesting it to be installed (i.e. Microsoft, Cisco, Macromedia, etc., NOT sites like fileplanet, google, yahoo, etc.).
Spyder2k Posted January 20, 2005
Nice assist epic, I couldn't even make it halfway through that list.
Tarun Posted January 20, 2005
"O17 - Domain hijack" No offense, but you're also telling him to stop loading his Multimedia keyboard and more. I'll reply tomorrow with a log of what to remove. First, check out my site. Go to the Forums, Hijack This forum, and in the Introduction is a link to cleaning your PC. Click it, Download All Applications, then follow the instructions thoroughly. Run CWShredder at LEAST twice, then Ad-Aware with the said settings, followed by Spybot. Also, update Hijack This to 1.99.0! It has improved a lot since 1.98.2.
Martin Zugec Posted January 20, 2005
2Matrix: SvcHost is the hosting process for your services.
2ColdStone: Heh, long list... Probably it will be better to reinstall the computer and stop spyware at the entry point...
2epic: NameServer doesn't have anything to do with CS, it is the DNS address. C:\Program Files\Microsoft AntiSpyware\gcasServ.exe - it is MSAS.
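Two of the checks in this thread are done by eye: epic's rule that O16 (DPF) ActiveX controls should only come from well-known vendors, and Martin's point that the O17 NameServer entries are just DNS addresses, which a reviewer would compare against the servers the ISP actually assigned. The script below is an added example, not a tool from this thread; the vendor allowlist and the expected-DNS set are assumptions, and the sample log lines are a constructed excerpt copied from the logs posted here.

```python
"""Triage helper for HijackThis-style log lines (added example, not a tool
from this thread).  It applies two checks the thread discusses by hand:
  - O16 (DPF) ActiveX downloads whose host is not a well-known vendor;
  - O17 NameServer entries, listed for comparison against the DNS servers
    the ISP actually assigned.
The allowlist and the expected-DNS set are assumptions to adapt per machine."""
import re
from urllib.parse import urlparse

# Assumed allowlist, following epic's examples of well-known vendors.
TRUSTED_ACTIVEX_HOSTS = ("microsoft.com", "cisco.com", "macromedia.com")

# HijackThis O16 line: "O16 - DPF: <name> - <download URL>" (URL may be absent).
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.*?) -\s*(?P<url>\S*)$")
# HijackThis O17 line: "O17 - <registry key>: NameServer = ip1,ip2"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>[\d.,]+)")

# Constructed sample: a handful of entries copied from the logs in this thread.
SAMPLE_LOG = r"""
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Win32 Classes -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
"""


def _host_trusted(host, trusted=TRUSTED_ACTIVEX_HOSTS):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(log_text, trusted=TRUSTED_ACTIVEX_HOSTS, expected_dns=None):
    """Scan a HijackThis log and return the entries a reviewer should look at.

    untrusted_activex: [(entry name, download host)] for O16 entries whose
                       host is outside the allowlist
    no_url_activex:    [entry name] for O16 entries with no download URL
    nameservers:       [(registry key, [ip, ...])] for every O17 entry
    unexpected_dns:    [ip] O17 servers not in expected_dns (empty when the
                       expected set is not given)
    """
    out = {"untrusted_activex": [], "no_url_activex": [],
           "nameservers": [], "unexpected_dns": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            url = m.group("url")
            host = urlparse(url).hostname if url else None
            if host is None:
                out["no_url_activex"].append(m.group("name"))
            elif not _host_trusted(host, trusted):
                out["untrusted_activex"].append((m.group("name"), host))
            continue
        m = O17_RE.match(line)
        if m:
            ips = m.group("servers").split(",")
            out["nameservers"].append((m.group("key"), ips))
            if expected_dns is not None:
                out["unexpected_dns"].extend(ip for ip in ips if ip not in expected_dns)
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, host in report["untrusted_activex"]:
        print("review ActiveX:", name, "from", host)
    for name in report["no_url_activex"]:
        print("ActiveX entry without download URL:", name)
    for key, ips in report["nameservers"]:
        print("DNS servers set under", key, "->", ", ".join(ips))
```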
epic Posted January 20, 2005
Basically that was a quick run-down. I noticed his multimedia profiles for his keyboard & a few others. I just noted to disable some of the drivers that load, not all. However, with all the added criteria in the list it would be essential to reinstall and eliminate some of the programs he is running. I mainly mention this since most of what's on this list is from Yahoo/Pogo software. That stuff is bad news and would be fairly time consuming to clean, but good experience.
ATI Multimedia Center has a lot of unnecessary additions. Only install what is needed.
Multimedia software for keyboards & mice: watch the prompts during installation (advanced / custom) and make sure to just install the drivers, unless those 3rd party menu options catch your functionality taste.
AVG/ZA processes I noticed as well; IMHO I wouldn't suggest either of these products to anyone. I would suggest Norton before these, and that's low in my book.
I will revise it in detail when I get some time tomorrow.
JoeMSFN Posted January 20, 2005
To answer your question on what to keep (assuming you have one of those 4 extra HDs plugged in): first clean your IE (and other browser) cache for all user accounts, then run the Disk Cleanup wizard. Then copy your "Documents and Settings" folder. This will get most stuff (the reason for the 1st step is so this maneuver won't take nearly as long).
If you use a Palm, look for the "Palm" folder. You can copy all of it, or just your Palm Desktop profile name subfolder will do, but I like to play it safe and grab it all.
If you use Quicken (and have your data saved in the program folder like its default), be sure to run Quicken then do a backup (but tell it to go to a folder on your other HD).
Umm... Of course any download folders that aren't in the aforementioned files, and any misc junk you saved in the C: root.
Probably other things, but that's all I can think of... (saw everyone telling you what to remove, but no one suggesting what files to keep). Sounds like it's a good time to put all this Unattended Install knowledge to practical use!!
Oh yeah.... I backup "Documents and Settings" like this (assuming your other hard drive is "G:" and your default is "C:"). Open a command prompt and type...

g:
mkdir c
cd c
xcopy /e /s /c /i /h /k /v c:\ .

and when that's finished you might want to unhide and such with

g:
cd \
attrib -r -s -h c
attrib -r -s -h c\*.* /s /d

The first snippet is because I ALWAYS get failures copying stuff from the Docs'nSettin's folder using the GUI, and what it errors on is stuff I've never needed (also better than doing a move on my live system). The second snippet is because the "c" folder always seems to be hidden, so one attrib for that, and to unhide all the "Local Settings" stuff the second attrib is necessary.
ColdStone (author) Posted January 21, 2005
i booted to safe mode, and ran every spyware tool i had, then my virus check... this is the fresh hijack log..... no problems yet.... (did my spy scans and antivirus scans in safe mode.... turned off system restore, and created a new restore point, then ran another hijack this). Is this looking better?

Logfile of HijackThis v1.98.2
Scan saved at 2:30:44 AM, on 1/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\LVComS.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arlink.org LLC...
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.0.4.31/aces...s-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.0.0.32/vid...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.37/ca...a-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game4.pogo.com/applet-6.0.4.37/domi...o-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.1.0.39/pool...l-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-6.0.1.28/vid...d-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.20/t...2-ob-assets.cab
O16 - DPF: Win32 Classes -
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insa...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46
epic Posted January 21, 2005
I would go through the first list you posted first (similar to the second). Disable the criteria I suggested with HijackThis, but use your judgement with a few that I made comments on. After that re-run HijackThis.
ColdStone (author) Posted January 22, 2005
ok, i did everything you suggested, it's running much better...... however, i'm not interested in using Trillian..... but i did get a different firewall, now using BlackICE instead of ZoneAlarm. and i'm interested in what you consider the best anti virus program i can use. ( payware is ok ) Hopefully this log will be better, but i was unsure about this line ( last line ) " O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 " Thanks again for your help..... additionally 3rd party disabled in IE.

Logfile of HijackThis v1.98.2
Scan saved at 7:35:47 PM, on 1/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jhcarter\Desktop\HijackThis.exe
C:\Program Files\Winamp\winamp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arlink.org LLC...
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
epic Posted January 22, 2005
Quoting ColdStone: "i'm interested in what you consider the best anti virus program i can use. ( payware is ok ) Hopefully this log will be better, but i was unsure about this line ( last line ) " O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 ""

O16 - Windows Genuine Advantage Validation Tool: When you access the Microsoft Download Center, it may perform a validation process to see whether your Windows is genuine; if so, you can continue to download software from the Download Center.

As far as anti-viral protection, I would recommend McAfee Enterprise Edition. However, you may want to do a little research of your own to determine which is best for you. A topic a few have been debating regarding which is the right AV solution (free AV protection is not the answer): http://www.msfn.org/board/index.php?showtopic=36139

However, I would re-run the latest version of HijackThis again (v1.99, delete the old one).

C:\WINDOWS\system32\CTsvcCDA.exe -> Disable. ctsvccda.exe was authored by Creative Labs, and is usually installed alongside Soundblaster card drivers or some Creative Labs applications. It assists Windows in managing the CD-ROM on Windows 9x and Me systems; however, it has no use on faster CD-ROM drives.

C:\WINDOWS\system32\pctspk.exe -> Disable. pctspk.exe is a diagnostic tool for PCTEL modems. This is a non-essential process. Disabling or enabling this is down to user preference.

C:\WINDOWS\system32\CTHELPER.EXE -> Disable. cthelper.exe is installed with Creative Labs Soundblaster devices. Its purpose is to aid 3rd party developers in creating plugins/software for the card. In this way it is a non-essential system process and can be removed from the task-bar/startup.

C:\Program Files\MSN Messenger\MsnMsgr.Exe and C:\Program Files\Messenger\msmsgs.exe -> Seems that you are running two versions of MSN Messenger; 4.0 is installed by default in XP and still resides there. Remove it using this script in the run prompt. Start -> Run -> paste this without the quotes: "RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove"

C:\WINDOWS\system32\MsPMSPSv.exe -> Disable. mspmspsv.exe is a process which normally comes with a specific update of Windows Media Player. It allows the SDMI protocol (Secure Digital Music Initiative) to be used when dealing with music media. This is a non-essential process. Disabling or enabling this is down to user preference.

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE -> Disable. Same as above (C:\WINDOWS\system32\CTHELPER.EXE) but in the startup entries.

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE -> Disable. updreg.exe is a process from Creative Technology Ltd. It is used to remind users to register their Creative Labs products. This is a non-essential process. Disabling or enabling this is down to user preference.

After that follow this guide: http://www.bleepingcomputer.com/forums/ind...t=0entry54989
You are starting to see the light