
Ad problems


ColdStone


Hello, I've recently been hit with some very annoying browser redirects... I've purchased two different spyware removal programs with no luck (Xsoft & Noadware). I'm also running Spybot S&D, Ad-Aware, CWShredder, A2, and the new Microsoft Beta AntiSpyware. I don't have much experience running these programs, but found them simple enough to use. I'm running XP Home (was on Win98, updated a little over a year ago). I am about to the point of a format/reinstall, and wouldn't be upset having to do that, as I could certainly use the cleaning. I've got plenty of disk space on 4 storage HDDs, and would greatly appreciate any advice as to my next move (either help removing the files slamming me or suggesting the files I want to keep if I do a reinstall). Thank you.



Logfile of HijackThis v1.98.2

Scan saved at 10:58:14 AM, on 1/19/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\ZoneLabs\vsmon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\explorer.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arlink.org LLC...

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = <local>

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>

F1 - win.ini: run= C:\C&C\INSTICON.EXE

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm

O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm

O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.0.4.31/aces...s-ob-assets.cab

O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet-5.9.1.28/slot...a-ob-assets.cab

O16 - DPF: All-Star Football Challenge by pogo - http://allstarfb2.pogo.com/applet-5.9.4.22...2-ob-assets.cab

O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/ccta...k-ob-assets.cab

O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.1.0.39/bac...n-ob-assets.cab

O16 - DPF: Big Shot Roulette TM by pogo - http://roulet.pogo.com/applet-6.0.1.20/rou...e-ob-assets.cab

O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.0.0.32/vid...k-ob-assets.cab

O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.37/ca...a-ob-assets.cab

O16 - DPF: Checkers by pogo - http://checkers.pogo.com/applet-6.0.2.21/c...s-ob-assets.cab

O16 - DPF: Command and Conquer Comanche by pogo - http://game4.pogo.com/applet-6.0.2.29/ccst...e-ob-assets.cab

O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab

O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-6.0.1.20/cribb...e-ob-assets.cab

O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.2...g-ob-assets.cab

O16 - DPF: Dominoes by pogo - http://game4.pogo.com/applet-6.0.4.37/domi...o-ob-assets.cab

O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet-6.0.1.2...e-ob-assets.cab

O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-6.0.2.29/euc...e-ob-assets.cab

O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.9.2.21/...2-ob-assets.cab

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-6.0.0.25...o-ob-assets.cab

O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.1.28/...k-ob-assets.cab

O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-6.0.3.35/hea...s-ob-assets.cab

O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.com/applet-6.0.4.37/draw...r-ob-assets.cab

O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.1.0.39/pool...l-ob-assets.cab

O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/jigs...w-ob-assets.cab

O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-6.0.1.28/vid...d-ob-assets.cab

O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab

O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.37/gin/gin-ob-assets.cab

O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-6.0.1.20/keno/keno-ob-assets.cab

O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahj...g-ob-assets.cab

O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.0.2.29/mlsl...s-ob-assets.cab

O16 - DPF: NASCAR Web Racing by pogo - http://nascar.pogo.com/applet-5.9.2.21/nas...r-ob-assets.cab

O16 - DPF: Pai Gow by pogo - http://game3.pogo.com/applet-6.0.2.29/paig...w-ob-assets.cab

O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-6.0.4.31/f...l-ob-assets.cab

O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.com/applet-5.9.2.21/peb...e-ob-assets.cab

O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-6.0.2.21...l-ob-assets.cab

O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.1.28/flin...r-ob-assets.cab

O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.3.28/pino...e-ob-assets.cab

O16 - DPF: Pirate's Gold by pogo - http://swashbucks.pogo.com/applet-6.0.2.29...d-ob-assets.cab

O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.4.37/popf...u-ob-assets.cab

O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.2.21/pop...t-ob-assets.cab

O16 - DPF: Showbiz Slots 2 by pogo - http://showbiz2.pogo.com/applet-6.0.1.28/s...2-ob-assets.cab

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.0.1.28...s-ob-assets.cab

O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-6.0.1.20...h-ob-assets.cab

O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab

O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.20/t...2-ob-assets.cab

O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab

O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peak...s-ob-assets.cab

O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-6.0.2.21/jum...e-ob-assets.cab

O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-6.0.0.25/turb...1-ob-assets.cab

O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab

O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.1.20/vid...r-ob-assets.cab

O16 - DPF: Win32 Classes -

O16 - DPF: Word Whomp by pogo - http://game5.pogo.com/applet-6.0.1.20/word...p-ob-assets.cab

O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.0.4.37/...n-ob-assets.cab

O16 - DPF: WordJong by pogo - http://game5.pogo.com/applet-6.0.4.31/word...g-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.0.4.31/worl...s-ob-assets.cab

O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab

O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab

O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab

O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab

O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab

O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab

O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab

O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab

O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab

O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab

O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab

O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab

O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab

O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insa...aploader_v6.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46

O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46


Wow. That's a lot. Well, here is one of your problems.

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

Get rid of that. That's a BIG virus or spyware, I forget.

Isn't it? The big virus type thing was like svchost or something like that.


svchost.exe is needed for Windows to run properly. However, it has a vulnerability that was exploited. This process was registered as 'W32.Welchia.Worm'; however, it is not a worm. There is a hotfix to eliminate the buffer overflow.

Usually a normal running operating system will be running at least 2-4 instances of the process.

Running spyware detectors should have removed most of these redirects and settings. There should only be 4 settings here. However, if you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.


Command and Conquer Generals, more or less... remove this from win.ini; there is no reason it should be there.

F1 - win.ini: run= C:\C&C\INSTICON.EXE

Disable most of these; keep the keyboard and mouse if they are USB/wireless. Disable nwiz.exe, icqnet.exe, aim, yahoo, msn, atix10.exe, launchpad, psfree, weather. These are autoloading programs from the registry or Startup group.

O4 - HKLM\..\Run: [systemTray] SysTray.Exe KEEP

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe KEEP

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe KEEP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup KEEP

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install REMOVE

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe MAYBE...

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" KEEP

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP KEEP (but I would consider looking for other alternative AV products)

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" KEEP

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet REMOVE, consider condensing to TrillianPro

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl REMOVE, consider condensing to TrillianPro

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background REMOVE, consider condensing to TrillianPro

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background REMOVE, consider condensing to TrillianPro

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe KEEP, unless you do not care about the GUI

O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe" REMOVE, not necessary to run at startup

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE" KEEP, a free version of Popup Stopper

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 REMOVE, unless you want weather bug to start with windows

Disable most of these from startup. Commented on these.

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe REMOVE, unless you use Photoshop and design often.

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe KEEP, it's your ZoneAlarm

O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe REMOVE, not widely used and no big difference is displayed. What it does, however: sets the colour of your monitor when running games that recognise E-Color so that you get 'what the game designer intended' when you see the game. Also allows monitor calibration through a program called 3-Deep. If you play a lot of games it can be useful. Can be disabled from starting up from within the program.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE REMOVE, resource hog that launches common MS Office components

Internet Security settings you changed

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Extra items in the IE right-click menu or also the menu bar in IE. (If you use multiple messengers, consider moving to TrillianPro.) It's not recommended to run 3rd party applications within IE; to disable 3rd party applications, go to Tools -> Internet Options -> Advanced tab -> uncheck "Enable third-party browser extensions".


Netscape Communicator plugin... Not exactly sure what it's used for.

O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL

nppdf32.dll, the Netscape plug-in which allows Netscape Navigator and compatible browsers to display PDF documents.

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

NPDocBox.dll is a module related to Adobe Acrobat and provides a plugin for both Netware (if installed) and Internet Explorer.

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

ActiveX Objects (aka Downloaded Program Files). This stuff is not needed and will cause problems.


Domain hijacks

O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46

O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46

Concluding... way too much stuff on your machine just by viewing your log here. I would consider doing a low level format and reinstalling your OS. Just a TIP: do not use Yahoo, AIM, MSN messengers; they're just a tool for advertising products (DOWNLOAD TRILLIANPRO) if you need a messenger, it combines all types of collaboration. Also NEVER install ActiveX controls from 3rd party sites unless it's a well known site requesting it to be installed (i.e. Microsoft, Cisco, Macromedia, etc... etc... NOT sites like fileplanet, google, yahoo, etc... etc...)

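The two checks the post above makes by eye (is each O16 ActiveX control hosted somewhere you trust, and do the O17 NameServer entries match the resolvers you actually expect) can be scripted against the HijackThis line formats shown in this thread. The following is an added example written for this thread; it is not code from the original posts and not part of HijackThis. The trusted-domain list and the expected-resolver set are placeholder assumptions that mirror the post's advice and would be replaced by the operator, and the sample log lines are constructed from the formats seen above. It also flags O4 Run entries that name a bare executable with no path, since those are resolved through the search path at logon.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not original post content and not HijackThis
code. It parses the O16 (ActiveX download, "DPF"), O17 (TCP/IP NameServer)
and O4 (Run-key autostart) line formats seen in the logs above and returns
findings for a human to review. Allowlists are assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# ASSUMPTION: domains whose ActiveX controls are accepted without review,
# mirroring the post's "Microsoft yes, yahoo/pogo no" stance.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com")

# ASSUMPTION: the resolvers the owner's ISP or router really hands out. Any
# other NameServer value is flagged for review, not declared malicious; a
# NameServer entry can be perfectly legitimate.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) -(?: (?P<url>\S*))?$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CLSID_RE = re.compile(r"^\{([0-9A-Fa-f-]{36})\}")


def _trusted_host(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage_line(line):
    """Return (section, verdict, detail) for one log line, or None when the
    line is not one of the three sections this helper understands."""
    line = line.strip()
    m = O16_RE.match(line)
    if m:
        name, url = m.group("name"), m.group("url") or ""
        clsid = CLSID_RE.match(name)
        label = clsid.group(1) if clsid else name
        if not url:
            # Registration with nothing to download: leftover, worth a look.
            return ("O16", "review", "%s: no download URL" % label)
        host = urlsplit(url).hostname or ""
        if _trusted_host(host):
            return ("O16", "ok", "%s from %s" % (label, host))
        return ("O16", "review", "%s: third-party ActiveX from %s" % (label, host))
    m = O17_RE.match(line)
    if m:
        servers = [s.strip() for s in m.group("servers").split(",")]
        unexpected = [s for s in servers if s not in EXPECTED_NAMESERVERS]
        if unexpected:
            return ("O17", "review", "NameServer not in expected set: %s" % ",".join(unexpected))
        return ("O17", "ok", "NameServer matches expected resolvers")
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip().strip('"')
        # A bare file name (no drive or directory) is found via the search
        # path at logon, so confirm which file actually runs.
        if "\\" not in cmd.split(" ")[0]:
            return ("O4", "review", "[%s] runs %s without a full path" % (m.group("name"), cmd))
        return ("O4", "ok", "[%s] %s" % (m.group("name"), cmd))
    return None


def triage_log(text):
    """Triage every line of a log; return only the entries needing review."""
    findings = []
    for raw in text.splitlines():
        result = triage_line(raw)
        if result and result[1] == "review":
            findings.append(result)
    return findings


# Constructed sample in the same format as the logs in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\\..\\Run: [gcasServ] "C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Win32 Classes -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46
"""

if __name__ == "__main__":
    for section, verdict, detail in triage_log(SAMPLE_LOG):
        print(section, verdict, detail)
```

Run it as a script to print the flagged lines from the constructed sample, or pass a real log's text to triage_log(). A "review" verdict is a prompt to look, not a judgment: the O17 lines in this thread flag only because the placeholder resolver set does not contain them, which is exactly the question to put to the ISP before touching the entry.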

O17 - Domain hijack

No offense, but you're also telling him to stop loading his Multimedia keyboard and more.

I'll reply tomorrow with a log of what to remove.

First, check out my site. Go to the Forums, Hijack This forum, and in the Introduction is a link to cleaning your PC. Click it, Download All Applications, then follow the instructions thoroughly.

Run CWShredder at LEAST twice, then Ad-Aware with the said settings, followed by Spybot.

Also, update Hijack This to 1.99.0! It has improved a lot since 1.98.2.


2Matrix: SvcHost is the hosting process for your services :)

2ColdStone: Heh, long list... Probably it will be better to reinstall the computer and stop spyware at the entry point...

2epic:

NameServer - doesn't have anything to do with CS, it is a DNS address :)

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe - it is MSAS


Basically that was a quick run-down. I noticed his multimedia profiles for his keyboard & a few others. I just noted to disable some of the drivers that load, not all.

However, with all the added criteria in the list it would be essential to reinstall and eliminate some of the programs he is running. I mainly mention this since most of what's on this list is from yahoo/pogo software. That stuff is bad news and would be fairly time consuming to clean, but good experience.

ATI Multimedia Center has a lot of unnecessary additions. Only install what is needed.

Multimedia software for keyboards & mice: watch the prompts during installation (advanced / custom) and make sure to just install the drivers, unless those 3rd party menu options catch your functionality taste.

AVG/ZA processes I noticed as well. IMHO I wouldn't suggest either of these products to anyone; I would suggest Norton before these, and that's low in my book.

I will revise it in detail when I get some time tomorrow.


To answer your question on what to keep (assuming you have one of those 4 extra HDs plugged in): first clean your IE (and other browser) cache for all user accounts, then run the Disk Cleanup wizard.

Then copy your "Documents and Settings" folder. This will get most stuff (the reason for the 1st step is so this maneuver won't take nearly as long :D )

If you use a Palm, look for the "Palm" folder. You can copy all of it, or just your Palm Desktop profile name subfolder will do, but I like to play it safe and grab it all.

If you use Quicken, (and have your data saved in the program folder like it's default) be sure to run Quicken then do a backup (but tell it to go to a folder on your other HD).

Umm... Of course any download folders that aren't in the aforementioned folders, and any misc junk you saved in the C: root.

Probably other things, but that's all I can think of... (saw everyone telling you what to remove, but no one suggesting what files to keep). Sounds like it's a good time to put all this Unattended Install knowledge to practical use !!

Oh yeah.... I backup "Documents and Settings" like this:

(assuming your other hard drive is "G:" and your default is "C:")

open a command prompt and type...

g:
mkdir c
cd c
rem /e copies all subfolders (empty ones too), /c keeps going after errors,
rem /h includes hidden and system files, /k keeps attributes, /v verifies
xcopy /e /s /c /i /h /k /v c:\ .

and when that's finished you might want to un hide and such with

g:
cd \
rem the copy was made into the "c" folder above; clear its read-only/system/hidden bits
attrib -r -s -h c
rem then clear them on everything underneath (/s recurses, /d includes folders)
attrib -r -s -h c\*.* /s /d

The first snippet is because I ALWAYS get failures copying stuff from the Docs'nSettin's folder using the GUI, and what it errors on is stuff I've never needed (also better than doing a move on my live system). The second snippet is because the "c" folder always seems to be hidden, so one attrib for that, and to unhide all the "Local Settings" stuff the second attrib is necessary.


I booted to safe mode and ran every spyware scanner I had, then my virus check...

This is the fresh HijackThis log..... no problems yet....

( did my spy scans and antivirus scans in safe mode.... turned off System Restore, and created a new restore point, then ran another HijackThis.

Is this looking better ?

Logfile of HijackThis v1.98.2

Scan saved at 2:30:44 AM, on 1/21/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\Program Files\Logitech\Video\LogiTray.exe

C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\system32\LVComS.exe

C:\PROGRA~1\ICQ\ICQ.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

D:\Program Files\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arlink.org LLC...

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm

O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm

O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.0.4.31/aces...s-ob-assets.cab

O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.0.0.32/vid...k-ob-assets.cab

O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.37/ca...a-ob-assets.cab

O16 - DPF: Dominoes by pogo - http://game4.pogo.com/applet-6.0.4.37/domi...o-ob-assets.cab

O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.1.0.39/pool...l-ob-assets.cab

O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke.pogo.com/applet-6.0.1.28/vid...d-ob-assets.cab

O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/hold...m-ob-assets.cab

O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.20/t...2-ob-assets.cab

O16 - DPF: Win32 Classes -

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab

O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insa...aploader_v6.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46

O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5CBF72-C5FE-4482-98AE-C62B7A8DCE55}: NameServer = 209.206.199.16,64.91.3.46


I would go through the first list you posted first (similar to the second). Disable the criteria I suggested with Hijackthis, but use your judgement with a few that I made comments on.

After that re-run Hijackthis.


OK, I did everything you suggested, it's running much better...... however, I'm not interested in using Trillian..... but I did get a different firewall. Now using BlackICE instead of ZoneAlarm.

And I'm interested in what you consider the best antivirus program I can use. ( payware is OK )

Hopefully this log will be better, but I was unsure about this line ( last line ):

" O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 "

Thanks again for your help..... Additionally, 3rd party disabled in IE.

Logfile of HijackThis v1.98.2

Scan saved at 7:35:47 PM, on 1/21/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\ISS\BlackICE\blackd.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\ISS\BlackICE\rapapp.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe

C:\PROGRA~1\AIM\aim.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE

C:\Program Files\ISS\BlackICE\blackice.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\jhcarter\Desktop\HijackThis.exe

C:\Program Files\Winamp\winamp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Arlink.org LLC...

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm

O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm

O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)

O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409


I'm interested in what you consider the best antivirus program I can use. ( payware is OK )

Hopefully this log will be better, but I was unsure about this line ( last line ):

" O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 "

:thumbup

O16 - Windows Genuine Advantage Validation Tool: When you access the Microsoft Download Center, it may perform a validation process to see whether your Windows is genuine; if so, you can continue to download software from the Download Center.

As far as anti-viral protection, I would recommend McAfee Enterprise Edition. However, you may want to do a little research of your own to determine which is best for you.

A topic a few have been debating regarding which is the right AV solution. (Free AV protection is not the answer)

http://www.msfn.org/board/index.php?showtopic=36139

However, I would re-run the latest version of hijackthis again (v1.99, delete the old one) :)

C:\WINDOWS\system32\CTsvcCDA.exe

->Disable

ctsvccda.exe: this process was authored by Creative Labs and is usually installed alongside SoundBlaster card drivers or some Creative Labs applications. It assists Windows in managing the CD-ROM on Windows 9x and Me systems; however, it has no use on faster CD-ROM drives.

C:\WINDOWS\system32\pctspk.exe

->Disable

pctspk.exe is a diagnostic tool for PCTEL modems. This is a non-essential process. Disabling or enabling this is down to user preference.

C:\WINDOWS\system32\CTHELPER.EXE

->Disable

cthelper.exe is installed with Creative Labs SoundBlaster devices. Its purpose is to aid 3rd party developers in creating plugins/software for the card. In this way it is a non-essential system process and can be removed from the task-bar/startup.

C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe

->It seems that you are running two versions of MSN Messenger; 4.0 is installed by default in XP and still resides there. Remove it using this script in the Run prompt.

Start-> Run->

Paste this without the quotes:

"RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove"

C:\WINDOWS\system32\MsPMSPSv.exe

->Disable

mspmspsv.exe is a process which normally comes with a specific update of Windows Media Player. It allows the SDMI protocol (Secure Digital Music Initiative) to be used when dealing with music media. This is a non-essential process. Disabling or enabling this is down to user preference.

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

->Disable

Same as above (C:\WINDOWS\system32\CTHELPER.EXE) but in startup folder.

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

->Disable

updreg.exe is a process from Creative Technology Ltd. It is used to remind users to register their Creative Labs products. This is a non-essential process. Disabling or enabling this is down to user preference.

After that follow this guide.

http://www.bleepingcomputer.com/forums/ind...t=0entry54989

You are starting to see the light :D
