Help !! bi.exe, myway etc,etc

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

motivated

Thread Starter
Joined
Feb 7, 2004
Messages
183
I'm having some problems here !

I've all these connections going on, so I ran Spybot-s&d and found a few things but nothing more than usual, so I downloaded Ad-Ware and that found a few more (97).

Problem is every time after I visit a site if I run Ad-ware it finds a tracking cookie. I'm not sure if that has anything to do with just finding a programme in my root directory called bi.exe and a folder called My Way.

A dear friend (or was) downloaded a programme and installed it called Direct Connect which if I go: start/settings/panel control/add remove programmes doesn't remove it so I just put it in the trash for now.

I don't know what all the connections are in task manager so I'll just post everything from Ad-Ware and hope someone can help from there. Please if you can help, make your instructions simple, I have never worked with my registry or Regedit.

Thanks in advance :)


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Sunday, 18 April 2004 10:36:34 p.m.
Created with Ad-aware Personal, free for private use.
Using reference-file :01R296 16.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


18-04-2004 10:36:35 p.m. - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 17-04-2004 9:50:24 p.m.
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 17-04-2004 9:50:25 p.m.
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 17-04-2004 9:50:25 p.m.
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 18/08/2001
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 18/08/2001

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 17-04-2004 9:50:25 p.m.
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 18/08/2001
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 29/08/2002 11:41:26 a.m.

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 17-04-2004 9:50:26 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 18/08/2001

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 17-04-2004 9:50:26 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 18/08/2001

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 17-04-2004 9:50:27 p.m.
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 27/12/2002 9:46:48 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 29/08/2002 11:41:24 a.m.

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 17-04-2004 9:50:28 p.m.
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 18/08/2001
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 18/08/2001

#:9 [avgcc32.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 17-04-2004 9:50:29 p.m.
BasePriority : Normal
FileSize : 396 KB
FileVersion : 6, 0, 0, 427
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
OriginalFilename : AvgCC32.EXE
ProductName : AVG Anti-Virus System
Created on : 25/12/2002 11:09:16 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 12/02/2003 9:55:34 p.m.

#:10 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 17-04-2004 9:50:29 p.m.
BasePriority : Normal
FileSize : 1476 KB
FileVersion : 4.7.0041
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2001
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 27/12/2002 10:14:46 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 29/08/2002 11:41:26 a.m.

#:11 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ThreadCreationTime : 17-04-2004 9:50:29 p.m.
BasePriority : Normal
FileSize : 104 KB
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
Copyright : Copyright (c) WinZip Computing, Inc. 1991-2001 - All Rights Reserved
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
OriginalFilename : WZQKPICK.EXE
ProductName : WinZip
Created on : 26/12/2002 4:19:28 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 21/11/2002 8:10:00 p.m.

#:12 [apache.exe]
FilePath : C:\Program Files\Apache Group\Apache\
ThreadCreationTime : 17-04-2004 9:50:34 p.m.
BasePriority : Normal
FileSize : 20 KB
Created on : 17/06/2002 11:44:42 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 17/06/2002 11:44:42 p.m.

#:13 [avgserv.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 17-04-2004 9:50:34 p.m.
BasePriority : Normal
FileSize : 20 KB
FileVersion : 6.0.1.9
ProductVersion : 6.0.1.9
Copyright : Copyright (c) GRISOFT(c) SOFTWARE 1998-2001
CompanyName : GRISOFT(c) SOFTWARE s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
OriginalFilename : AvgServ
ProductName : AVG6
Created on : 25/12/2002 11:09:16 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 16/12/2002 6:00:00 p.m.

#:14 [mysqld-nt.exe]
FilePath : C:\mysql\bin\
ThreadCreationTime : 17-04-2004 9:50:34 p.m.
BasePriority : Normal
FileSize : 1836 KB
Created on : 31/12/2002 6:17:19 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 11/12/2002 12:04:34 a.m.

#:15 [apache.exe]
FilePath : C:\Program Files\Apache Group\Apache\
ThreadCreationTime : 17-04-2004 9:50:35 p.m.
BasePriority : Normal
FileSize : 20 KB
Created on : 17/06/2002 11:44:42 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 17/06/2002 11:44:42 p.m.

#:16 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 17-04-2004 9:50:35 p.m.
BasePriority : Normal
FileSize : 60 KB
FileVersion : 6.13.10.3100
ProductVersion : 6.13.10.3100
Copyright : (c) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 31.00
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 31.00
Created on : 23/12/2002 11:59:11 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 30/07/2002 11:50:00 a.m.

#:17 [outpost.exe]
FilePath : C:\PROGRA~1\AGNITUM\OUTPOS~1.0\
ThreadCreationTime : 17-04-2004 9:50:35 p.m.
BasePriority : Normal
FileSize : 77 KB
FileVersion : 1.0.228
ProductVersion : 1.0
Copyright : (C) Agnitum, 1999-2001
CompanyName : Agnitum
FileDescription : Outpost Firewall main module
InternalName : Outpost Firewall
OriginalFilename : outpost.exe
ProductName : Outpost Firewall
Created on : 25/12/2002 11:24:07 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 20/02/2002 1:50:46 a.m.

#:18 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 17-04-2004 9:50:39 p.m.
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 18/08/2001
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 18/08/2001

#:19 [mailwasher.exe]
FilePath : C:\Program Files\MailWasher\
ThreadCreationTime : 18-04-2004 8:39:08 a.m.
BasePriority : Normal
FileSize : 1956 KB
FileVersion : 1.32.8.1231
ProductVersion : 1.0.0.0
Copyright : 2001
CompanyName : eCOSM
FileDescription : MailWasher
InternalName : MailWasher
OriginalFilename : MailWasher.exe
ProductName : MailWasher
Created on : 26/12/2002 1:33:44 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 3/04/2002 2:31:26 a.m.

#:20 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 18-04-2004 8:41:25 a.m.
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 27/12/2002 9:50:20 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 29/08/2002 11:41:26 a.m.

#:21 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 18-04-2004 10:28:51 a.m.
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 17/04/2004 11:18:45 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 12/07/2003 10:00:20 a.m.

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New.Net Object recognized!
Type : File
Data : ndnuninstall4_88.exe
Object : C:\WINDOWS\
FileSize : 43 KB
Created on : 2/06/2003 4:37:34 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 2/06/2003 4:37:36 p.m.



Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Object : C:\Documents and Settings\jas\Local Settings\Temp\Cookies\

Created on : 15/04/2004 7:19:00 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 15/04/2004 7:19:02 p.m.



Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Object : C:\Documents and Settings\jas\Local Settings\Temp\Cookies\

Created on : 15/04/2004 9:03:43 p.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 15/04/2004 9:03:46 p.m.



Cydoor Object recognized!
Type : File
Data : cd_clint.dll
Object : C:\Documents and Settings\jas\Local Settings\Temp\
FileSize : 151 KB
FileVersion : 3, 2, 1, 0
ProductVersion : 3, 2, 1, 0
Copyright : Copyright (C) Cydoor Technologies, Inc. 1999-2001
CompanyName : Cydoor Technologies, Inc.
FileDescription : Cydoor Technologies ad-system
InternalName : CD_Clint.dll
OriginalFilename : CD_Clint.dll
ProductName : Cydoor Technologies ad-system
Created on : 7/06/2003 6:57:30 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 14/01/2002 1:57:00 a.m.



Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Object : C:\Documents and Settings\jas\Cookies\

Created on : 18/04/2004 8:41:36 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 18/04/2004 8:41:38 a.m.



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 5


Deep scanning and examining files (D:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for D:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 5

Possible Browser Hijack attempt Object recognized!
Type : File
Data : heritage.url
Object : C:\Documents and Settings\jas\Favorites\Jas\
FileSize : 1 KB
Created on : 5/03/2004 6:24:03 a.m.
Last accessed : 17/04/2004 12:00:00 p.m.
Last modified : 5/03/2004 6:24:08 a.m.




Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 6




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 6


10:44:53 p.m. Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:08:18:126
Objects scanned :180012
Objects identified :6
Objects ignored :0
New objects :6
 
Joined
Mar 22, 2004
Messages
248
Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to its own folder (not temporary files or the desktop).
Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.
 

motivated

Thread Starter
Joined
Feb 7, 2004
Messages
183
Thanks for the reply

Here we go:

Logfile of HijackThis v1.97.7
Scan saved at 10:48:02 p.m., on 19/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.athleticstockexchange.com/exchange.html?sort=sport
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37617.0124537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F6FCE2-2B56-4766-8CF3-56B0B66AACC8}: NameServer = 203.96.152.12,203.96.152.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C24426A-7FA7-4730-896D-C5A3D169E8F2}: NameServer = 203.96.152.12,203.96.152.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{05F6FCE2-2B56-4766-8CF3-56B0B66AACC8}: NameServer = 203.96.152.12,203.96.152.4
 

motivated

Thread Starter
Joined
Feb 7, 2004
Messages
183
Would also appreciate knowing how to delete windows messenger permanently.

Thanks again
 

motivated

Thread Starter
Joined
Feb 7, 2004
Messages
183
I forgot to say earlier:

I went into System Volume Information folder /system_restore as my anti-virus was telling me I had something like 27gig on my hd when I knew I should only have about 10gig. There were several folders over 1gig and 1 @ 6gig and 1 @ 4gig, most were 27.8 mb.

I removed all the folders with the exception of a restore point I knew (thought) to be good (one I created) and left one other restore point. When I went back later they had gone.

Any ideas ??
 
Joined
Mar 22, 2004
Messages
248
OK, run HJT, put a check next to these, close all browsers and hit fix

R3 - Default URLSearchHook is missing



now for windows messenger

Make sure your Internet Explorer, Outlook Express, Windows Messenger and other programs are closed before doing this

1) Click on Start, Run
2) Type the following (or cut and paste it) into the Run line

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

3) Click on OK


now for the windows messenger service

1. Click Start->Settings ->Control Panel
2. Click Performance and Maintenance
3. Click Administrative Tools
4. Double click Services
5. Scroll down and highlight "Messenger"
6. Right-click the highlighted line and choose Properties.
7. Click the STOP button.
8. Select Disable or Manual in the Startup Type scroll bar
9. Click OK
 

motivated

Thread Starter
Joined
Feb 7, 2004
Messages
183
Thanks for your reply Lobos, much appreciated.

You say: ok run hjt put a check next to these close all browsers and hit fix

I note you use "these", then you listed: R3 - Default URLSearchHook is missing

One Item ???

I deleted it anyway, but I still have something, but not as much (I think). Anyway Ad-Ware is still finding tracking cookies, so here's my NEW log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 8:40:36 p.m., on 21/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.athleticstockexchange.com/exchange.html?sort=sport
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37617.0124537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F6FCE2-2B56-4766-8CF3-56B0B66AACC8}: NameServer = 203.96.152.12,203.96.152.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C24426A-7FA7-4730-896D-C5A3D169E8F2}: NameServer = 203.96.152.12,203.96.152.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{05F6FCE2-2B56-4766-8CF3-56B0B66AACC8}: NameServer = 203.96.152.12,203.96.152.4
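
An added example, not part of the original thread or of HijackThis itself: a small Python parser that compares a "before" and "after" HijackThis log so a helper can confirm exactly which entries a fix removed. The two sample logs are constructed by abbreviating the logs posted above; the function names are hypothetical.

```python
import re
from collections import Counter

# HijackThis result lines look like "R3 - ..." or "O17 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.+)$")

# Constructed samples: abbreviated from the two logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 10:48:02 p.m., on 19/04/2004

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.athleticstockexchange.com/exchange.html?sort=sport
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O9 - Extra button: ICQ Pro (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F6FCE2-2B56-4766-8CF3-56B0B66AACC8}: NameServer = 203.96.152.12,203.96.152.4
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 8:40:36 p.m., on 21/04/2004

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.athleticstockexchange.com/exchange.html?sort=sport
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O9 - Extra button: ICQ Pro (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F6FCE2-2B56-4766-8CF3-56B0B66AACC8}: NameServer = 203.96.152.12,203.96.152.4
"""


def parse_log(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:  # a result line also ends the process list
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes.append(line)
        elif not line:
            in_processes = False
    return {"processes": processes, "entries": entries}


def diff_logs(before, after):
    """Report what changed between two scans of the same machine."""
    b, a = parse_log(before), parse_log(after)
    # Windows paths are case-insensitive, and the same image can run more
    # than once (svchost, Apache), so compare lower-cased multisets.
    bp = Counter(p.lower() for p in b["processes"])
    ap = Counter(p.lower() for p in a["processes"])
    return {
        "entries_removed": [e for e in b["entries"] if e not in a["entries"]],
        "entries_added": [e for e in a["entries"] if e not in b["entries"]],
        "processes_stopped": sorted((bp - ap).elements()),
        "processes_started": sorted((ap - bp).elements()),
    }


if __name__ == "__main__":
    for key, value in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, value)
```

On these samples the only difference is the removed R3 line; the re-ordered, upper-cased AVGCC32.EXE path is treated as the same process.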
 

motivated

Thread Starter
Joined
Feb 7, 2004
Messages
183
With every scan using Ad-Ware or Spybot I find these tracking cookies from Commission Junction.

If I clean them out, as soon as I visit another site they are back.

Any help ??
 
Joined
Apr 22, 2004
Messages
1
Sounds like you have the same problem that I had/have. I think what you need to do is after you run Ad-aware, find the exact location of each and every file no matter if you need to print it out or write it down. After you have this info, you need to delete all files and registry keys associated with the files. DO NOT delete files from the registry if you do not know what they are.
 

Couriant

James
Moderator
Joined
Mar 26, 2002
Messages
39,468
The cookies remind the site of your preferences, username and password (i.e. this site) that need to be remembered, etc. These cookies will always be there if you go to a site that uses cookies.

What exactly is the problem? Bi.exe is a problem, but it should have been in the logfile :confused:

Regarding the Windows Messenger, do you mean MSN Messenger or the annoying Windows Messaging Services that makes ad pop-ups?

If the latter, it's found in Control Panel > Administrative Tools > Services.

Scroll down to Messenger and right click > Properties. Select Disabled for Startup type and you can also press Stop. Apply and those messages will be stopped.
 
Joined
Mar 22, 2004
Messages
248
Post 7 will tell you how to get rid of Windows Messenger, the chat service (not MSN Messenger), and messenger services with the pop-ups.

The first one is Windows Messenger, the chat service,

and the second one is the pop-ups.

And tidas is correct: bi.exe is not a good file, delete it if you have it. And the My Way folder, I'd say delete it.
 

motivated

Thread Starter
Joined
Feb 7, 2004
Messages
183
Thanks guys.

I removed the pop-ups long ago, it was the chat service I wanted to remove (done, thanks Lobos)
 