
hijack this log

Discussion in 'Virus & Other Malware Removal' started by king_02891, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. king_02891

    king_02891 Thread Starter

    Joined:
    Jul 4, 2001
    Messages:
    277
    could you tell me what is garbage and what i shouldn't delete, please?


    Logfile of HijackThis v1.90.0
    Scan saved at 6:09:30 AM, on 9/10/03
    Platform: Windows 9x 4.10.2222
    MSIE version: 6.0.2800.1106

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.ewebsearch.net/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=www.iwon.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%6f%75%74%2e%74%72%75%65%2d%63%6f%75%6e%74%65%72%2e%63%6f%6d/%61/?%38%34%30%38%32%38
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://%6f%75%74%2e%74%72%75%65%2d%63%6f%75%6e%74%65%72%2e%63%6f%6d/%62/?%38%34%30%38%32%38
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://%6f%75%74%2e%74%72%75%65%2d%63%6f%75%6e%74%65%72%2e%63%6f%6d/%62/?%38%34%30%38%32%38
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.ramgo.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.ramgo.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Cox High Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=<local>
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=<local>
    R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.address.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL (file missing)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {3dcf0160-99f6-11d7-b01e-0050ba07764d} - C:\WINDOWS\APPLICATION DATA\BLKEECKAEAQU.DLL
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM213.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to &WebMap Favorites - file:///C:\Program Files\WebMap\html\extmenu.html
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: &Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: &Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF &Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &Fill Forms (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: &Save Forms (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://webfor.ccri.cc.ri.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www109.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://directplugin.com/dialers/110307.exe
    O16 - DPF: {77460D96-3DB1-11D6-B121-004005E35DF1} (Ctrl_ibi Control 1.3) - http://software.ibi-tec.net/ibi-xs.ocx
    O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.aziendeumbre.it/23a26414.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR38106/turbo.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR38106/payload2.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/CGA38106/clean.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/GrlNt0i.cab
    O18 - Protocol: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6}
    O18 - Protocol: cmtp - {DB112C95-0A22-11D4-A600-005004BFAC1E}
    O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571}

    thank you
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Start off by going to this site, download and install Spybot Search & Destroy (3.5Mb Freeware)

    Once installed, go to Start | Programs | Spybot | Spybot (Easy Mode). Open it, click Update | Search for Updates | Download Updates (if required)

    Now go to Search and Destroy
    Click check for problems
    Wait for it to finish scanning

    When done, put a check mark against all RED and GREEN entries and click Fix Selected Problems

    Repost a fresh Hijack this log here when you've done
     
  3. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
    I might also suggest updating Hijackthis to 1.97
     
  4. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
    Hi King 02891,

    Follow all of the above recommendations and add this to your to-do list,

    Download and run CWShredder www.spywareinfo.com/~merijn/files/cwshredder.zip


    Also post a complete Hijack This 1.97 follow-up log for review

    Good luck
     
  5. king_02891

    king_02891 Thread Starter

    Joined:
    Jul 4, 2001
    Messages:
    277
    thank you for your responses, I updated spybot and ran it, downloaded cw shredder, but haven't used it yet, here is the revised hijack this log, by the way i'm running windows 98 se, if it matters.


    Logfile of HijackThis v1.90.0
    Scan saved at 4:34:53 AM, on 9/11/03
    Platform: Windows 9x 4.10.2222
    MSIE version: 6.0.2800.1106

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.iwon.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Cox High Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=<local>
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=<local>
    R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.address.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL (file missing)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {3dcf0160-99f6-11d7-b01e-0050ba07764d} - C:\WINDOWS\APPLICATION DATA\BLKEECKAEAQU.DLL
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM213.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to &WebMap Favorites - file:///C:\Program Files\WebMap\html\extmenu.html
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: &Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: &Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF &Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &Fill Forms (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: &Save Forms (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://webfor.ccri.cc.ri.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www109.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://directplugin.com/dialers/110307.exe
    O16 - DPF: {77460D96-3DB1-11D6-B121-004005E35DF1} (Ctrl_ibi Control 1.3) - http://software.ibi-tec.net/ibi-xs.ocx
    O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.aziendeumbre.it/23a26414.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR38106/turbo.cab
    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TUR38106/payload2.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/CGA38106/clean.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/GrlNt0i.cab
    O18 - Protocol: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6}
    O18 - Protocol: cmtp - {DB112C95-0A22-11D4-A600-005004BFAC1E}
    O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571}

    thank you
     
  6. king_02891

    king_02891 Thread Starter

    Joined:
    Jul 4, 2001
    Messages:
    277
    P.S. i also ran an update on hijack this and it said i had the latest version???
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    latest version is 1.97 from here: http://www.tomcoyote.org/hjt/

    no problem, we can run that one later, let's trim things a bit 1st.
    some of these items will not be there after you run the cwshredder (which you should run 1st)

    run hijackthis again and put a checkmark against these entries....
    .....then, close all browser and outlook windows and "fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.iwon.com/
    NOTE: IF IWON.COM IS YOUR PREFERRED STARTPAGE, LEAVE THIS ONE.

    R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL (file missing)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL__BHODemonDisabled (file missing)
    O2 - BHO: (no name) - {3dcf0160-99f6-11d7-b01e-0050ba07764d} - C:\WINDOWS\APPLICATION DATA\BLKEECKAEAQU.DLL
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM213.DLL


    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    are you using LimeShop?

    O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://directplugin.com/dialers/110307.exe
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...38106/turbo.cab

    O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...06/payload2.cab
    O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.co...38106/clean.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalO...MO1/GrlNt0i.cab

    re-boot after and if you want to post another H/T logfile using the 1.97 version we can check it's ok.

    ;)
     
  8. king_02891

    king_02891 Thread Starter

    Joined:
    Jul 4, 2001
    Messages:
    277
    Thank you Steve for your help, you guys are the best, don't know what we would do without you.
    Okay; ran CW shredder and got this:

    - 0 registry values were killed
    - Hostsfile was OK
    - Bootconf.exe was not present
    - Trusted Zone was OK
    - User stylesheet was OK
    - Oemsyspnp.inf was not present
    - Svchost32.exe was not present
    - Msspi.dll Winsock hook was not present
    - Msinfo.exe was not present
    - Winshow.dll BHO was not present


    ran H/T after checking the things you told me to check, and got this:

    Logfile of HijackThis v1.90.0
    Scan saved at 4:36:59 PM, on 9/11/03
    Platform: Windows 9x 4.10.2222
    MSIE version: 6.0.2800.1106

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.iwon.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://home.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://home.netscape.com/home/winsearch200.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://home.netscape.com/home/winsearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://home.netscape.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://home.netscape.com/home/winsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Cox High Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=<local>
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=<local>
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.address.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to &WebMap Favorites - file:///C:\Program Files\WebMap\html\extmenu.html
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: &Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: &Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF &Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: &Fill Forms (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: &Save Forms (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://webfor.ccri.cc.ri.us/CFIDE/classes/CFJava.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www109.coolsavings.com/download/cscmv4X.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O16 - DPF: {77460D96-3DB1-11D6-B121-004005E35DF1} (Ctrl_ibi Control 1.3) - http://software.ibi-tec.net/ibi-xs.ocx
    O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.aziendeumbre.it/23a26414.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
    O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab
    O18 - Protocol: ms-its50 - {F8606A00-F5CF-11D1-B6BB-0000F80149F6}
    O18 - Protocol: cmtp - {DB112C95-0A22-11D4-A600-005004BFAC1E}
    O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571}

    Does everything seem all right now? and yes i use iwon.com as my start page, and no i don't use Limeshop anymore.

    One more thing, when I run (Spybot) I always get this: (c2loop application data) and it says it can't get rid of it, restart and it will destroy on the next startup, but it never does, it's always there when i run my next (Spybot).

    But thanks a million for your help, you're really great!
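
Added example, not part of any post in this thread and not HijackThis's own code: a small triage script that parses HijackThis entries, decodes percent-encoded registry URLs like the `Default_Page_URL` value in the first log, and reports which flagged entries are still present after a round of "fix checked". The function names and the three heuristics (encoded URL, orphaned file reference, `.exe` codebase on an O16 entry) are assumptions made for illustration; the sample lines are excerpts copied from the logs above.

```python
import re
from urllib.parse import unquote

# Constructed excerpts: a few entries copied from the logs posted in this thread,
# before any fixes (BEFORE) and after the first round of "fix checked" (AFTER).
BEFORE = r"""
Logfile of HijackThis v1.90.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://%6f%75%74%2e%74%72%75%65%2d%63%6f%75%6e%74%65%72%2e%63%6f%6d/%61/?%38%34%30%38%32%38
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://directplugin.com/dialers/110307.exe
O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.aziendeumbre.it/23a26414.exe
"""

AFTER = r"""
Logfile of HijackThis v1.90.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.aziendeumbre.it/23a26414.exe
"""

# "R1 - ...", "O16 - ...": section code, separator, free-form body.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# Three or more consecutive %xx escapes: a hostname or path written entirely
# in escapes. A lone "%s" placeholder does not match.
ENCODED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")
# Registry entry whose target file is gone.
ORPHANED = re.compile(r"\((?:file missing|no file)\)$")
# ActiveX codebase that points straight at an executable rather than a .cab/.ocx.
EXE_CODEBASE = re.compile(r"https?://\S+\.exe$", re.IGNORECASE)


def parse_log(text):
    """Return [(section_code, body), ...]; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def decode_body(body):
    """Percent-decode an entry so an escaped URL can be read by a human."""
    return unquote(body)


def triage(entries):
    """Map each entry that trips a heuristic to its list of reasons."""
    report = {}
    for code, body in entries:
        reasons = []
        if ENCODED_RUN.search(body):
            reasons.append("encoded-url")
        if ORPHANED.search(body):
            reasons.append("orphaned")
        if code == "O16" and EXE_CODEBASE.search(body):
            reasons.append("exe-codebase")
        if reasons:
            report[(code, body)] = reasons
    return report


def unresolved(before_text, after_text):
    """Flagged entries from the earlier log that still appear in the later one."""
    flagged = triage(parse_log(before_text))
    remaining = set(parse_log(after_text))
    return {entry: why for entry, why in flagged.items() if entry in remaining}


if __name__ == "__main__":
    for (code, body), reasons in triage(parse_log(BEFORE)).items():
        print(code, ",".join(reasons), "|", decode_body(body))
    for (code, body), reasons in unresolved(BEFORE, AFTER).items():
        print("still present:", code, body, reasons)
```

A flag here only marks an entry for a human to review; legitimate software also leaves orphaned references behind after an uninstall.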
     
  9. king_02891

    king_02891 Thread Starter

    Joined:
    Jul 4, 2001
    Messages:
    277
    one other thing this is the startup list i got from H/T


    StartupList report, 9/11/03, 4:53:51 PM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\RUNESCAPE TOOLKIT\RSTOOLKIT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    Shell folders Common Startup:
    [C:\WINDOWS\SYSTEM\mlcb]
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    washindex = C:\Program Files\Washer\washidx.exe "king brown"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    washindex = C:\Program Files\Washer\washidx.exe "king brown"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Washer = C:\Program Files\Washer\washer.exe /0

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    washindex = C:\Program Files\Washer\washidx.exe "king brown"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/9/2003, 15:29:50)

    [rename]
    NUL=c:\windows\TEMP\GLB1A2B.EXE
    NUL=C:\PROGRA~1\AWS\WEATHE~1\UNWISE.EXE
    NUL=C:\PROGRA~1\AWS\WEATHE~1\UNWISE.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    path C:\WINDOWS;C:\WINDOWS\COMMAND
    SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.0TO\ADOBEC~1;C:\PROGRA~1\PHOTOD~1.1\ADOBEC~1
    PATH=%PATH%;"C:\Program Files\Mts"
    C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\scan.exe c:\
    IF ERRORLEVEL 1 PAUSE

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    ScanDisk.job
    Tune-up Application Start.job
    Disk Cleanup.job
    Disk Defragmenter.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [CFForm Runtime]
    InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
    CODEBASE = http://webfor.ccri.cc.ri.us/CFIDE/classes/CFJava.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab

    [{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

    [CMV4 Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CSCMV4X.DLL
    CODEBASE = http://www109.coolsavings.com/download/cscmv4X.cab

    [ExentInf Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EXENTCTL_0_0_0_0.OCX
    CODEBASE = http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx

    [Yahoo! Companion]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_3_0.DLL
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab

    [Ctrl_ibi Control 1.3]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\IBI-XS.OCX
    CODEBASE = http://software.ibi-tec.net/ibi-xs.ocx

    [{FFFF0017-0001-101A-A3C9-08002B2F49FB}]
    CODEBASE = http://www.aziendeumbre.it/23a26414.exe

    [GSDACtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL
    CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

    [{13197ACE-6851-45C3-A7FF-C281324D5489}]
    CODEBASE = http://www.2nd-thought.com/files/install011.exe

    [preload control]
    InProcServer32 = C:\WINDOWS\SYSTEM\preload.ocx
    CODEBASE = http://www.thepaymentcentre.com/build/preload.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 6,215 bytes
    Report generated in 25.166 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    How does this look to you?
    Thanks again
     
  10. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
    King 02891,

    Scan Hijack This, put a check in, and fix the following,

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www109.coolsavings.com/download/cscmv4X.cab

    O16 - DPF: {FFFF0017-0001-101A-A3C9-08002B2F49FB} - http://www.aziendeumbre.it/23a26414.exe

    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe

    Shutdown & Reboot your computer


    Download and install Ad-aware 6.0 Personal, Build 6.181 www.lavasoftusa.com
    Open Ad-aware, Click check for updates now, Click connect, update to reference file 01R217.08.2003, Click Start, Click perform smart system scan, put a check in Activate in-depth scan.
    Click Settings (Gear wheel), put a check in the following, Automatically save log file, Automatically quarantine objects prior to removal, Safe mode (Always request confirmation).
    Click scanning, put a check in the following, Scan within archives, Scan active processes, Scan registry, Scan my IE favorites for banned URL's, Scan my Host file.
    Click Tweak, Scanning engine, put a check in Unload recognized processes during scanning.
    Click Cleaning engine, put a check in the following, Automatically try to unregister objects prior to deletion, Let windows remove files in use at next reboot.
    Click proceed, Run Ad-aware and remove every entry Ad-aware returns.

    Shutdown & Reboot your computer

    Good luck
     
  11. king_02891

    king_02891 Thread Starter

    Joined:
    Jul 4, 2001
    Messages:
    277
    WOW!!!
    that was unbelievable the crap that was on my pc, 241 objects, most of lop.com
    thanks a lot for all your help
     

Short URL to this thread: https://techguy.org/163663
