# How Can I Remove This Program?

#### rstoddard

First of all, let me begin by saying that my computer is well-protected. I have AVG, Adaware, Adwatch, Spybot, and Zone Alarm. This morning while surfing, Adwatch suddenly recorded 1,350 attempts to alter my start menu! Zone Alarm quickly followed by saying that the download module was trying to access the internet; I denied it access several times. After this incident, I ran AVG, Adaware and Spybot. They found a few things and deleted them. Now, after all of this, it appears that one thing got through, and I can't get rid of it.
A folder was installed in my program files called Windows Ad Status. Within this folder is a program called WinStatKeep.exe. My system is Windows XP and it is set up so each member of my family has a separate user account. All the accounts open fine, with seemingly no effect from this program. I went looking for the program, however, when my daughter attempted to log in. When she logs in, a box comes up and says that the WinStatKeep.exe program failed to initialize and to click o.k. to terminate it. However, if you click o.k., it just keeps popping back up. It won't go away. My theory was that maybe Spybot or Adaware removed some of the program, but that it was still in my daughter's start up menu. So, I tried to run MS/config, but received the message that there are not enough resources to run it.
So, I did a search for WinStatKeep.exe and found the folder mentioned above. I know that it is a result of the incident mentioned at the beginning of this post because the date and time of creation of the files coincides with the time of the attack. Next, I went in manually and located this folder. I attempted to delete it. I received a message saying that it was either in use or copy protected and that access was denied. So, I did a control, alt, delete, and the programs were running, so I closed them. I then tried to delete them. Same message. I want these out of my system. How do I get rid of them, short of reformatting the hard drive? Oh, and I did try System Restore and was told that there are no restore points! Never saw that before. It seems that this program is covering all the bases...except it can't initialize. Any suggestions will be greatly appreciated.

#### rstoddard

Well, I'm going to answer myself here: try Ad/Remove programs! (Duh!) Yup, it was there and I removed it. No problem now. And, it tried to sell me some anti-spy program before it left too! However, I am still confused as to why System Restore has no restore points. Could this be related to the program, or is there some other reason? Perhaps someone can enlighten me there?

#### Byteman

Hi, (I just read your second post...I think you should still post a log, as these things never uninstall all the way...)

Would like to have you post a log from HijackThis, a program (very tiny) that we use to see what problems exist.

There are directions here to do it: There are .zip form and .exe form, take your pick.

Or here.

Basically, you create a new folder, the desktop is OK provided you make a folder, name it something like HJT, and download TO that folder, run hijackthis.exe from there. If there are users of the computer who might start HJT and use it, hide the program in a folder elsewhere!

Run Hijackthis.exe, and
Select the "Scan and save a log" button...

When it is done scanning> the Save box will become available, save the log as hijackthis.txt which will open with Notepad. Hit the EDIT> Select All then the EDIT>Copy button at the top of your log, Go back to TSG, and click once in the blank reply space, then go to the top of your browser window and select EDIT>Paste.
Please do NOT use HJT yourself to remove anything, most of what it shows is good and needed by the system.

We have been seeing quite a bit of DeskAdService, AdStausService, and similar this past week...yours sounds new, which is to be expected with these types of malwares.

System Restore> You don't really want it turned on now until you are sure there is no part of the latest attack on there... If System Restore has been affected by this malware I'm pretty sure there is a way to put it back. Something may have turned off, or you may have, PC Health (Help and Support) I should be able to see it in the log (another reason to send one in)

#### rstoddard

Thanks for your response. You are right. It came back. Before I read your post, I uninstalled it again, so maybe this will have an effect on the log. But, if there is some part of it that keeps reinstalling, you probably will see it, right? Any way, I can post another log when and if it comes back again. Here it is:

Logfile of HijackThis v1.99.0
Scan saved at 4:23:50 PM, on 1/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HAUPPA~1\Hardware\HcwSms.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://masslive.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\WINDOWS\CouponBar.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4051/ftp.coupons.com/CouponBar/CouponBar.cab
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MVPMedia - Hauppauge Computer Works - C:\PROGRA~1\HAUPPA~1\MVPMedia.exe
O23 - Service: MVPMediaSvc - Hauppauge Computer Works, Inc. - C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O.K., I see it on the list, and it is still in my Program Files folder, even though it no longer shows up in Add/Remove programs. Just sitting there waiting to activate again. So, how do I remove it? Thanks for your help.

#### Byteman

Hi,

Restart or start the computer to Safe Mode> to do that, when you restart and first see text on screen, quickly tap the F8 key several times and when you see the startup menu, select Safe Mode (only) with arrow key, and hit Enter key once...give it plenty of time to reach the desktop.

First, uninstall from Control Panel>Add/Remove Programs:

Coupons and Savings, or whatever it shows up as...

Run Hijackthis again, put checks next to these items, when you have all of these> Click "Fix checked":

O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\WINDOWS\CouponBar.dll
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://www.couponsavingscenter.com/...bin/actxcab.cab

Now, you must have the ability to see hidden files:

flrman1 said:
Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Next: find and delete these files> navigate in Windows Explorer to the folders that hold them, delete the files shown:

C:\Program Files\SEARCH~2\SEARCH~1.DLL <I cannot tell the exact filename but it will contain these letters etc

C:\WINDOWS\CouponBar.dll

Restart you will be back in normal? Windows...(If there is such a thing).

Run AdAware SE, check for online updates, run full scan and let it remove what it finds. Same with SpyBot or whatever remover programs you have.

Post a new log when you are ready.

#### rstoddard

Hello. Followed your instructions, but encountered the following problems: 1. The programs did not appear in Add/Remove Programs. 2. The only one I could locate using Explorer was C:\Windows\CouponBar.dll; the others did not appear, even though I had changed to "show hidden files and folders" and "search system subfolders." When I restarted, ad-watch blocked two attempts by Admanager. Evidently, these programs are well hidden. Follows the latest log. Admanager and Windows AdStatus are still there, as you can see. Checking them to be removed does not remove them. Any further suggestions?

Logfile of HijackThis v1.99.0
Scan saved at 11:22:17 PM, on 1/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HAUPPA~1\Hardware\HcwSms.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Bob\Desktop\Security\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://masslive.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4051/ftp.coupons.com/CouponBar/CouponBar.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MVPMedia - Hauppauge Computer Works - C:\PROGRA~1\HAUPPA~1\MVPMedia.exe
O23 - Service: MVPMediaSvc - Hauppauge Computer Works, Inc. - C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
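The scan-to-scan comparison that this thread does by eye can be scripted. The following is an added example, not part of the original thread and not a HijackThis feature: it parses HijackThis entry lines, diffs two scans, and reports the status of each line on a "Fix checked" list. The sample text is excerpted from the two 1/30/2005 logs and the fix list posted above; the function names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code detail clsid")

# "O16 - DPF: {...} - url": a section code, " - ", then the detail text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# Excerpts from the logs posted in this thread (4:23:50 PM and 11:22:17 PM scans).
BEFORE = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\WINDOWS\CouponBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4051/ftp.coupons.com/CouponBar/CouponBar.cab
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
"""

AFTER = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4051/ftp.coupons.com/CouponBar/CouponBar.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
"""

# The "Fix checked" list as posted, including its truncated URL.
FIX_LIST = r"""
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O3 - Toolbar: Coupons - {FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} - C:\WINDOWS\CouponBar.dll
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} - http://www.sitetracking.info/cttdl.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://www.couponsavingscenter.com/...bin/actxcab.cab
"""


def parse_hjt(text):
    """Return the entry lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, detail = m.groups()
        clsid = CLSID_RE.search(detail)
        entries.append(Entry(code, detail, clsid.group(0).upper() if clsid else None))
    return entries


def entry_key(e):
    """Identity of an entry across scans.

    With a CLSID, match on section + entry kind + CLSID, so a forum-truncated
    URL or an 8.3 short path does not hide a match. The kind ("Extra button"
    vs "Extra 'Tools' menuitem") keeps O9 pairs that share a CLSID apart.
    Without a CLSID, match on the whitespace-normalised, lower-cased detail.
    """
    if e.clsid:
        return (e.code, e.detail.split(":", 1)[0].lower(), e.clsid)
    return (e.code, " ".join(e.detail.lower().split()))


def diff_scans(before, after):
    """Split entries into removed / added / persisting between two scans."""
    b = {entry_key(e): e for e in parse_hjt(before)}
    a = {entry_key(e): e for e in parse_hjt(after)}
    return {
        "removed": [b[k] for k in b if k not in a],
        "added": [a[k] for k in a if k not in b],
        "persisting": [a[k] for k in a if k in b],
    }


def fix_status(fix_list, before, after):
    """For each line on a fix list, say what the later scan shows."""
    b = {entry_key(e) for e in parse_hjt(before)}
    a = {entry_key(e) for e in parse_hjt(after)}
    out = []
    for e in parse_hjt(fix_list):
        k = entry_key(e)
        status = ("still present" if k in a
                  else "removed" if k in b
                  else "not in earlier scan")
        out.append((e.code, e.clsid or e.detail, status))
    return out


if __name__ == "__main__":
    for code, ident, status in fix_status(FIX_LIST, BEFORE, AFTER):
        print(f"{code:4} {ident}  ->  {status}")
    for e in diff_scans(BEFORE, AFTER)["added"]:
        print("NEW since last scan:", e.code, e.detail)
```

An entry in the "added" bucket after a cleanup pass is the signal that something reinstalled itself between scans.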

#### rstoddard

A recap on this: the programs show up only in the Hijack This scan. They are not in Ad/Remove programs, nor do they show up in Explorer when I go into Program Files. AVG is removing one virus once a day. I don't know if this virus is related to the programs, but AVG is catching it and deleting it. There does not seem to be any other adverse effect on the system right now. Do you think they're gone? If so, why do they still show up in the scan?

#### rstoddard

Well, no additional help on this one. Guess I'll re-format my hard drive.

#### Byteman

Hi, Sorry I have had to be out of town for a few days.

KewlBar> from what I gather, it should be removed...
If anyone has a good spin on KewlBar, post it!

I believe Ad-Watch will prevent you from making the changes you have to make, but as I do not use that version of AdAware, I'm not sure...

If you still need help with this, and have not formatted, these are the items to fix with Hijackthis:

O8 - Extra context menu item: &KewlBar Search - res://C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML

To see hidden files, set things this way:

Because XP will not always show you hidden files and folders by default, Go to Start > Search>Files and Folders>> and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Navigate using Windows Explorer, find and delete these files:

C:\Program Files\KewlBar 5.0\toolbar.dll/SEARCH.HTML

Folders to delete:

C:\Program Files\KewlBar 5.0\toolbar.dll

C:\Program Files\KewlBar 5.0

They must be there!

Restart- run scans with AdAware and SpyBot. Get updates for the programs and run scan, reboot between them.

Post a new log from HJT when you are ready.

#### rstoddard

Hi. Sorry for being impatient. No, I haven't reformatted yet. I'm going to turn off AdAware. Maybe that's what's preventing the removal of these programs (ironic, isn't it?) I'll give the whole thing a try again after work tonight. Thanks for your help.

#### Byteman

hi, You may want to look this thread over for some tips.

http://www.lavasoftsupport.com/index.php?showtopic=56508

http://www.lavasoftsupport.com/index.php?showtopic=56533

That second post has a long discussion about the settings in AdWatch...that you can try and use as a guide.
A lot of people have trouble with the settings for it.

I would say there are some folks here that use it and could help you with it...seems that even if you turn it off, the changes will be undone when you turn it back on... read for yourself, before doing anything.

#### rstoddard

O.K., I went through the process again. I turned off AdWatch, but then I realized that all I had to do was take it off automatic. If AdWatch were blocking my changes, it would register "events" in its log. No such "events" are registered. From the HijackThis log which follows you will see that I was successful in removing KewlBar but Admanager and Windows AdStatus are still there. That's because I absolutely could not find them in the Program Files. If I put in the path that HijackThis indicates, I get a message that the path cannot be found. I made the settings in Search and in My Computer as you indicated in your instructions. This is indeed strange. In addition, I went in to the Recycle Bin to see if any files were there. I saw nothing. This was odd because I had just deleted the KewlBar file, so it should have been there. When I clicked on Empty Recycle Bin, I got a message that indicated that there were eight files to be deleted. But, I see nothing in the bin! I tried all the views, and nothing shows up. So, could this be related? Why are these files hidden? This seems to be something totally new, no?

Logfile of HijackThis v1.99.0
Scan saved at 9:30:52 PM, on 2/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\HAUPPA~1\MVPMedia.exe
C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HAUPPA~1\Hardware\HcwSms.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Bob\Desktop\Security\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://masslive.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4051/ftp.coupons.com/CouponBar/CouponBar.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MVPMedia - Hauppauge Computer Works - C:\PROGRA~1\HAUPPA~1\MVPMedia.exe
O23 - Service: MVPMediaSvc - Hauppauge Computer Works, Inc. - C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#### Byteman

Hi,
I'm sorry this is such a pain....I think even with AdWatch set not automatic, the items will return when you restart. All I can tell you is to re-read the info at the links, as there is some discrepancy about how you set AdWatch when removing things...I do not use AdWatch and cannot help you with that part. I think that as well as having Automatic turned off, you also have to check the "Lock Start-up sections": It says at one link I posted>:"The start up (run) sections of the registry will be locked. No changes will be permitted " Try looking for that setting and I would say there should be a check to take out of that setting, to allow changes to be made by Hijackthis or Killbox.

We can try this way, too, but you will have to still do the setting work to AdWatch.

Unzip the file to your desktop. We will use it later.

You will need to disconnect physically from the Internet--

Remove any network cable from either the cable/DSL modem or router for the next part, after all is done, remember to plug it back in again.

Run Hijackthis.exe again- have ALL other windows closed.

Put checks by these items, then click "Fix checked":

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/do...bin/actxcab.cab

Start Killbox.exe> Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

Next:
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it (when it asks you to reboot, click Yes):

Your computer will restart and check if the file was deleted.

Navigate yourself, do not use Search, to the Program Files folder, and look for a folder called Windows AdStatus that holds WinStat.exe, the .exe should not be there.

Look for AdManager Controller folder that held AdManCtl.exe, the .exe should not be there. Delete the folder AdManager Controller. Restart.

Run Hijackthis scan again, and see if it is gone now!

Run a full scan with AdAware, check for updates, etc. Post what I hope will be the final log from HJT.

#### rstoddard

Logfile of HijackThis v1.99.0
Scan saved at 12:19:31 AM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HAUPPA~1\Hardware\HcwSms.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Bob\Desktop\Security\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://masslive.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Memorex Autorun.lnk = F:\autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} (CouponTBInst Control) - http://a19.g.akamai.net/7/19/7125/4051/ftp.coupons.com/CouponBar/CouponBar.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MVPMedia - Hauppauge Computer Works - C:\PROGRA~1\HAUPPA~1\MVPMedia.exe
O23 - Service: MVPMediaSvc - Hauppauge Computer Works, Inc. - C:\PROGRA~1\HAUPPA~1\Hardware\DglSvcMain.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#### Byteman

Hi, As long as it's fixed- we are all happy. I knew you were using the older pay for version, and didn't know that one expired like the free version of 6.0...sorry for that!
Your last step would be turning off System Restore to remove infected Restore Points...you would only bring back the things you have removed if it became necessary to run an XP System Restore:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

If you know all that good stuff just follow through and create a new Restore Point> here are the short steps to do that:

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Wait for hourglass to stop and it says "Turned Off"

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You may have to turn off AdWatch for that too!

Good work! Stop by anytime. After running things awhile, and if nothing turns up you can mark your thread solved if you like by using the Thread Tools button at the top of the page. We can't mark the thread, only you can.

