
New to the forum, would like to see how my computer looks

Discussion in 'Virus & Other Malware Removal' started by DerekM, Sep 16, 2003.

  1. DerekM

    DerekM Thread Starter

    Joined:
    Sep 15, 2003
    Messages:
    4
    This is the first time I have posted. I am really learning a lot by browsing around. I downloaded HJT and scanned. I see a few things that need to be erased, but I would like for someone with more knowledge than I to help me out. I am using Yahoo DSL as my browser (didn't know if the MSIE is the same thing.)

    Thanks in advance for the help.

    Logfile of HijackThis v1.97.2
    Scan saved at 10:43:05 PM, on 9/15/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\program files\support.com\bin\tgcmd.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\nCase\msbb.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe
    C:\Program Files\Internet Washer Pro\iw.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\PROGRA~1\Yahoo!\PARENT~1\ypc.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SBC\Connection Manager\CManager.exe
    C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
    C:\Program Files\Yahoo!\browser\YBrowser.exe
    C:\Program Files\Kazaa\kazaa.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Stop-the-Pop-Up Demo\stopthepop.exe
    C:\Program Files\Hotbar\bin\4.3.5.0\HbSrv.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.passthison.com/r4/?vu083...02228333933989000222833393398900022283339.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.5.0\HbHostIE.dll
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_8_6.dll
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.5.0\HbHostIE.dll
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
    O4 - HKLM\..\Run: [MES] C:\WINDOWS\MES.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up Demo\stopthepop.exe" -minimized
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe /Upgrade
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Amber Alert Net] C:\Program Files\Webroot\AmberNet\ambernet.exe
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8106/turbo.cab?id=9010847
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {18B01F09-2965-11D3-9461-00A0C9B1E042} (FunnyVoiceCtl Class) - http://www.kiddonet.com/kiddonet/luvclicks2/FunnyVoice.ocx
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50026/QDow.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/ssoap/pptproactauthmirror/systemsoappro.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveXInstallers/306/nCaseInstaller.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://207.182.252.79/activex/AxisCamControl.ocx
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://usa-scripts.downloadv3.com/binaries/DialHTML/EGDHTML_US_pack.cab
    O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37853.7446643518
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
    O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx
    O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
    O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://216.133.83.162/downloads/UGO20.exe
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4288/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E797A2A2-80AC-4228-939E-08301A9D7D33}: NameServer = 151.164.67.201 151.164.1.8
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have an extremely heavy load of spy and adware there that needs removing. Rather than try to give you manual instructions right off the bat, I'd suggest you install, UPDATE, and run either Spybot or Ad-Aware or both (reboot afterwards) and then post another Scanlog so we can see what remains.

    Spybot Instructions and Download

    Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73

    And since you apparently have no installed antivirus program I would suggest you also run an online scan at one of these sites, after running Ad-Aware or Spybot.

    HouseCall
    Panda
    RAV AntiVirus Online
     
  3. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    First off, you have the MSBlast worm, or at least the registry entry if it has already been removed.

    O4 - HKLM\..\Run: [windows auto update] msblast.exe

    Go to this link for information on the latest Microsoft patch, as provided by Rollin' Rog:
    http://forums.techguy.org/t163821/s.html

    Once you have your system patched, run a virus scan to rid yourself of this worm.
    Again, links to three good online antivirus scanners have been provided by Rollin' Rog.

    I STRONGLY advise you to get both a good AntiVirus program AND a good firewall. There are many of each out there, both for free and for pay.
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Since I already had most of the work of analyzing your HJT log done before I got an interruption, I will go ahead and post the results anyway.


    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.passthison.com/r4/?vu083...00022283339.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3....rchPageHome.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

    O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.5.0\HbHostIE.dll
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.3.5.0\HbHostIE.dll
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKLM\..\Run: [msbb] C:\Program Files\nCase\msbb.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe /Upgrade
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min

    O9 - Extra button: WeatherBug (HKCU)

    O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com....cab?id=9010847
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50026/QDow.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...porter.cab?RND=



    IF you are running ME or XP, disable SYSTEM RESTORE: Here's How

    Next, reboot into Safe Mode and remove the following files and folders that are bolded:

    C:\WINDOWS\host.dll

    C:\WINDOWS\System32\btiein.dll
    C:\WINDOWS\System32\stcloader.exe

    Delete the whole bolded folder:

    C:\PROGRA FILES\AWS\WEATHE~1\Weather.exe 1
    C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe /Upgrade
    C:\Program Files\Httper\httper.dll
    C:\Program Files\Internet Washer Pro\iw.exe min

    C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    C:\Program Files\nCase\msbb.exe

    C:\Program Files \SEARCH~1\stoolbar.dll
    C:\Program Files\Common Files\BTLINK\btlink.dll
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\Common Files\GMT\GMT.exe

    See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

    Re-enable SYSTEM RESTORE and create a new restore point.

    Reboot into normal mode


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
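As an added example (not code from this thread, from HijackThis, or from SpyBot), the parser below reads the HijackThis 1.97 line shapes used above (R0/R1, O2, O4, O16) and applies the triage the helpers did by hand in posts 3 and 4: a known worm image set to autorun under Run, an unnamed BHO loading from the Windows directory, and start/search pages or ActiveX downloads pulled from hosts outside an allowlist. The allowlist of ISP/vendor hosts, the worm image name and the sample lines are assumptions drawn from this thread only, not a general signature set.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread, plus two entries (Adobe BHO, HP keyboard) that the helpers left alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.passthison.com/r4/?vu083
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINDOWS\host.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Line shapes of the HijackThis 1.97 sections that appear in this thread.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
IE_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\Software\\Microsoft\\Internet Explorer\\"
                   r"(?P<key>[^,]+),(?P<value>[^=]+) =\s*(?P<url>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")

# Assumptions for the triage rules (not part of HijackThis): the hosts the
# helpers treated as the user's ISP/vendor defaults, and the worm image
# NiteHawk pointed out. Both are taken from this thread only.
TRUSTED_HOST_SUFFIXES = ("yahoo.com", "sbc.com", "hpwis.com",
                         "microsoft.com", "macromedia.com", "mcafee.com")
KNOWN_WORM_IMAGES = {"msblast.exe"}


@dataclass
class Finding:
    severity: str   # "high" = act now, "review" = look at it before fixing
    kind: str       # HijackThis section, e.g. "O4"
    reason: str
    line: str


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def host_is_trusted(url: str) -> bool:
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1"):
        ie = IE_RE.match(body)
        if ie and ie.group("url") and not host_is_trusted(ie.group("url")):
            return Finding("review", kind, "IE start/search setting points at "
                           "untrusted host " + host_of(ie.group("url")), line)
    elif kind == "O2":
        bho = BHO_RE.match(body)
        if bho and bho.group("name") == "(no name)" and \
                bho.group("path").lower().startswith("c:\\windows\\"):
            return Finding("review", kind,
                           "unnamed BHO loading from the Windows directory", line)
    elif kind == "O4":
        run = RUN_RE.match(body)
        if run:
            cmd = run.group("cmd").strip()
            parts = cmd.split("\\")[-1].split()
            image = parts[0].strip('"').lower() if parts else ""
            if image in KNOWN_WORM_IMAGES:
                return Finding("high", kind,
                               "known worm image %s set to autorun" % image, line)
            if "\\" not in cmd:
                return Finding("review", kind,
                               "autorun entry with a bare file name and no path", line)
    elif kind == "O16":
        dpf = DPF_RE.match(body)
        if dpf and not host_is_trusted(dpf.group("url")):
            return Finding("review", kind, "ActiveX download from untrusted host "
                           + host_of(dpf.group("url")), line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Triage a whole pasted HijackThis log; non-entry lines are skipped."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("[%-6s] %s: %s\n         %s" % (f.severity, f.kind, f.reason, f.line.strip()))
```

The Yahoo search page, the Adobe BHO, the HP keyboard entry and the Macromedia download come out clean, which matches the helpers' advice to leave the ISP and vendor entries alone.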
     
  5. DerekM

    DerekM Thread Starter

    Joined:
    Sep 15, 2003
    Messages:
    4
    I noticed that Yahoo was on the list of items to delete. Since we use SBC Yahoo as our ISP and browser, do I still need to delete each item with Yahoo, SBC or DSL in it?

    i.e.:
    Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com

    I am now in the process of installing both Adaware and SpyBot. But I am confused about your instructions to install UPDATE. What is this and where do I find it?

    Thank you for helping with all of this. All day at work I have looked forward to seeing responses to my post, and you haven't let me down. I will post more later.

    Thanks,
    DerekM
     
  6. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    If you wish to keep Yahoo as your home page and search page, then ignore those lines.

    Once you install SpyBot you will notice a number of "button bars" on the left hand side of the screen. Each of these expands to give more options.

    Click on the "Online" button bar. When it expands, click on "Search for Updates" and once it connects (you have to be online) and finds the updates, click on "Download Updates".

    I have heard of times when the button bars do not show up on the first run. If this is the case, go ahead and run SpyBot with the basic definitions. Click on "Check for Problems"; when the scan is done, most of the items it finds in RED will be pre-checked. Look over the list and if you are unsure of an item you can right click on it to get more information. If still unsure, uncheck it. It will be found again in the next scan. Then check Fix Selected Problems.

    You may get a message that SpyBot could not delete one or more files because they were in use. This is not a problem; it is just that the file is open/in use and cannot be moved or deleted.

    It will ask you to reboot. Reboot, and as your PC starts to come up, SpyBot will delay Windows starting until it can finish its scan. It will delete the files that it couldn't, and then continue the boot process into Windows.

    IF you didn't see the button bars before, you should now and be able to click the Online button and get the latest updates.

    I would suggest running SpyBot again with the latest updates.
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Both programs include tabs to update direct from the web. Before using Spybot's, click the Settings tab, then Settings again. In the Web Update section, check "also display beta updates".

    Then click the Online tab and Search for updates. Download them all before running.

    Ad-aware has a similar update tab, "check for updates" (lower right); just click it and it will prompt you for the rest. You need to be online when doing it.
     
  8. DerekM

    DerekM Thread Starter

    Joined:
    Sep 15, 2003
    Messages:
    4
    OK, I think I might have messed up. I tried to fix what SpyBot found. I didn't uncheck anything thinking that the program had found only bad things. After I scanned again, I see a lot of Windows Registry missing things like

    setup.exe......wrong app path; table30.exe.....wrong app path; yourapp.exe.....wrong path name (this is for my pop up stopper).

    Also things like Adobe Photoshop shows a Registry change.

    I am including an attachment of my last scan after I ran a recovery, but I don't know if anything got fixed. Please let me know something; I am afraid to reboot my computer or close the current SpyBot.

    Thanks,
    DerekM
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You can't use the Preview function after attaching a file.

    Best to just copy/paste the HijackThis Scanlog anyway, it is easier to read and deal with.

    Are these error messages you are getting on startup? Spybot does not target legitimate entries, but it's possible the removal process malfunctioned.
     
  10. DerekM

    DerekM Thread Starter

    Joined:
    Sep 15, 2003
    Messages:
    4
    I might be over-reacting. I have yet to restart my computer after I recovered everything that SpyBot fixed. This is the fix log. I am going to go ahead and shut everything down after I post this. If you don't hear back from me for a few days, my fears were correct. If I can get my computer to work, I will check back here and then I will fix what SpyBot finds, then post the results of HJT.

    DerekM


    --- Report generated: 2003-09-16 22:17 ---

    Alexa Related: What's related link (Replace file, fixed)
    C:\WINDOWS\Web\related.htm

    Avenue A, Inc.: Tracking cookie or cookie of tracking site (File, fixed)
    C:\Documents and Settings\Owner.THEMARSDENS\Cookies\[email protected][1].txt

    BonziBuddy: Program group entry (File, fixed)
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Free BonziBUDDY.url

    CarpeDiem Vars: Program directory (Directory, fixed)
    C:\Program Files\Carpe Diem

    CommonName: Temporary directory (Directory, fixed)
    C:\WINDOWS\Temp\Adware

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    DSO Exploit: Data source object exploit (Registry change, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

    eAcceleration: Application data file (File, fixed)
    C:\Documents and Settings\Owner.THEMARSDENS\Application Data\Microsoft\Internet Explorer\Quick Launch\eAnthology Manager.lnk

    eAcceleration: Application data file (File, fixed)
    C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch\eAnthology Manager.lnk

    eAcceleration: Desktop icon (File, fixed)
    C:\WINDOWS\system32\config\systemprofile\Desktop\Scan Now for Viruses and Threats.lnk

    eAcceleration: Program directory (Directory, fixed)
    C:\Program Files\Acceleration Software

    eAcceleration: Program group (Directory, fixed)
    C:\Documents and Settings\All Users\Start Menu\Programs\eAnthology

    Gator: Autostart item (File, fixed)
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk

    Gator: Program directory (Directory, fixed)
    C:\Program Files\Common Files\GMT

    Gator: Program directory (Directory, fixed)
    C:\Program Files\Common Files\CMEII

    Gator: Program group (Directory, fixed)
    C:\Documents and Settings\All Users\Start Menu\Programs\PrecisionTime

    Gator: Program group (Directory, fixed)
    C:\Documents and Settings\All Users\Start Menu\Programs\Date Manager

    Gator: Program group (Directory, fixed)
    C:\Documents and Settings\All Users\Start Menu\Programs\GAIN

    Hotbar: Installer (File, fixed)
    C:\WINDOWS\Downloaded Program Files\hotbar.inf

    Httper: Library (File, fixed)
    C:\Program Files\Httper\httper.dll

    Httper: Log (File, fixed)
    C:\Program Files\Httper\INSTALL.LOG

    Httper: Settings (File, fixed)
    C:\Program Files\Httper\httper.ini

    Httper: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A5483501-070C-41DD-AF44-9BD8864B3015}

    Httper: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\Httper.IEFriendly.1

    Httper: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\Httper.IEFriendly

    Httper: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{A5483501-070C-41DD-AF44-9BD8864B3015}

    Httper: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{7D49A302-3C1C-4706-B6DC-8C8BBB500BA0}

    Httper: Typelib (Registry key, fixed)
    HKEY_CLASSES_ROOT\Typelib\{AB7B627D-B2AF-4B6D-BDA1-4930579FFCD8}

    Httper: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Httper

    HuntBar: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{3C53010D-97BA-4650-84C5-1A6FAA31055E}

    HuntBar: Code store database (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{26E8361F-BCE7-4F75-A347-98C88B418322}

    HuntBar: Protocol handler (Registry key, fixed)
    HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\BTLINK.ResProtocol

    HuntBar: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\BTLINK

    Huntbar.Stoolbar: User settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Search Toolbar

    InternetWasher: Text file (File, fixed)
    C:\Program Files\Internet Washer Pro\syslog.txt

    InternetWasher: Autorun settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Washer Pro

    InternetWasher: Global settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{421A63BA-4632-43E0-A942-3B4AB645BE51}

    InternetWasher: Program directory (Directory, fixed)
    C:\Program Files\Internet Washer Pro

    IPinsight: Executable (File, fixed)
    C:\WINDOWS\ipinsigt.dll

    n-Case: Executable (File, fixed)
    C:\WINDOWS\DKQ.exe

    NewtonKnows: Program directory (Directory, fixed)
    C:\Program Files\Newton Knows

    NewtonKnows: Temporary directory (Directory, fixed)
    C:\WINDOWS\Temp\vupd

    PurityScan: Program group (Directory, fixed)
    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\PurityScan

    SideStep: Desktop icon (File, nothing done)
    C:\WINDOWS\system32\config\systemprofile\Desktop\SideStep.lnk

    SideStep: Startmenu item (File, nothing done)
    C:\Documents and Settings\Owner.THEMARSDENS\Start Menu\SideStep.lnk

    SideStep: Startmenu item (File, nothing done)
    C:\WINDOWS\system32\config\systemprofile\Start Menu\SideStep.lnk

    SpeedDelivery: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\Vxpspeeddelivery.download.1

    SpeedDelivery: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\Vxpspeeddelivery.download

    SpeedDelivery: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{A7798D6C-C6B5-4F26-9363-F7CDBBFFA607}

    SpeedDelivery: Code storage database (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A7798D6C-C6B5-4F26-9363-F7CDBBFFA607}

    SpeedDelivery: DLL use (1 apps) (Registry value, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\Downloaded Program Files\vxpspeeddelivery.dll

    SpeedDelivery: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{D7729994-C4D8-480F-B905-291E7694A217}

    SpeedDelivery: Library (File, fixed)
    C:\WINDOWS\Downloaded Program Files\vxpspeeddelivery.dll

    SpeedDelivery: Module usage setting (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/vxpspeeddelivery.dll

    SpeedDelivery: Typelib (Registry key, fixed)
    HKEY_CLASSES_ROOT\Typelib\{6194EEA8-AF20-4844-A422-DE1E64BAF6E3}

    SpyBlast: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\SBFull.SBFullInst

    SpyBlast: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62}

    SpyBlast: Code storage database (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62}

    SpyBlast: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{CA26CDDA-510A-4484-9454-2C1B419E9426}

    SpyBlast: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{9963236E-3D9C-41C5-A498-FA33E36005BA}

    SpyBlast: Typelib (Registry key, fixed)
    HKEY_CLASSES_ROOT\Typelib\{3254C568-EE33-4BD0-AF6C-09AB5E07BB82}

    webHancer: Installer (File, fixed)
    C:\WINDOWS\whInstaller.exe

    webHancer: Installer settings (File, fixed)
    C:\WINDOWS\whInstaller.ini

    webHancer: Program files (Directory, fixed)
    C:\Program Files\webHancer

    webHancer: System file (File, fixed)
    C:\WINDOWS\whAgent.inf

    WildTangent: Autorun settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcmdmgr

    WildTangent: Global settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\WildTangent

    WildTangent: Personal user ID (File, fixed)
    C:\WINDOWS\wt\info.txt

    WildTangent: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wcmdmgr.exe

    WildTangent: Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wtwebdriver

    WildTangent: Updater directory (Directory, fixed)
    C:\WINDOWS\wt\updater

    WildTangent: Updates directory (Directory, fixed)
    C:\WINDOWS\wt\wtupdates

    WildTangent: Web driver (File, fixed)
    C:\WINDOWS\wt\webdriver.dll

    WildTangent: Web driver directory (Directory, fixed)
    C:\WINDOWS\wt\webdriver

    ZipClix: IE toolbar (Registry value, fixed)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{319A68DB-06D0-46DA-9F93-A810D5A70836}

    Windows Registry: C:\WINDOWS\Downloaded Program Files\QDow.dll (Missing shared DLL, nothing done)
    QDow.dll

    Windows Registry: C:\DOCUME~1\OWNER~1.THE\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FTPInstUtils.dll (Missing shared DLL, nothing done)
    FTPInstUtils.dll

    Windows Registry: C:\DOCUME~1\OWNER~1.THE\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\whatsnew.txt (Missing shared DLL, nothing done)
    whatsnew.txt

    Windows Registry: C:\DOCUME~1\OWNER~1.THE\LOCALS~1\Temp\_ISTMP2.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll (Missing shared DLL, nothing done)
    Msvcrt10.dll

    Windows Registry: C:\DOCUME~1\OWNER~1.THE\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\dummy.txt (Missing shared DLL, nothing done)
    dummy.txt

    Windows Registry: C:\WINDOWS\System32\EGDHTML_1017.dll (Missing shared DLL, nothing done)
    EGDHTML_1017.dll

    Windows Registry: C:\WINDOWS\System32\ir50_32.dll (Missing shared DLL, nothing done)
    ir50_32.dll

    Windows Registry: System Soap Pro (Startup file does not exist, nothing done)

    Windows Registry: Amber Alert Net (Startup file does not exist, nothing done)

    Windows Registry: UserFaultCheck (Startup file does not exist, nothing done)

    Windows Registry: BlockTracker (Startup file does not exist, nothing done)

    Windows Registry: yourapp.Exe (Wrong app path, nothing done)
    C:\Program Files\Stop-the-Pop-Up Demo\yourapp.Exe

    Windows Registry: msCMTctrl.exe (Wrong app path, nothing done)
    C:\Program Files\Compaq Computer Corp.\msCMT\msCMTctrl.exe

    Windows Registry: ORUN32.EXE (Wrong app path, nothing done)
    C:\WINDOWS\ORUN32.EXE

    Windows Registry: PCDoctor.exe (Wrong app path, nothing done)
    C:\Program Files\PC-Doctor\PCDoctor.exe

    Windows Registry: setup.exe (Wrong app path, nothing done)


    Windows Registry: table30.exe (Wrong app path, nothing done)


    Windows Registry: winnt32.exe (Wrong app path, nothing done)


    Windows Registry: InterActual Player (Wrong app path, nothing done)


    Windows Registry: EXEtender (Wrong app path, nothing done)
    C:\Program Files\EXEtender\EXEtender

    Windows Registry: insMsCMT.exe (Wrong app path, nothing done)


    Windows Registry: install.exe (Wrong app path, nothing done)


    Windows Registry: D: (Wrong app path, nothing done)


    Windows Registry: CS.EXE (Wrong app path, nothing done)
    C:\Program Files\CompuServe 7.0\CS.EXE

    Windows Registry: cmmgr32.exe (Wrong app path, nothing done)
    C:\WINDOWS\System32\cmmgr32.exe

    Adobe ImageReady 7.0: Last save folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Adobe\ImageReady 7.0\Preferences\SaveDir\tlfd=

    Adobe ImageReady 7.0: Recent file list ( (3 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Adobe\ImageReady 7.0\Preferences\RecentFiles

    Adobe ImageReady 7.0: URLs history ( (2 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Adobe\ImageReady 7.0\Preferences\URLHistory

    Adobe ImageReady 7.0: User actions history ( (11 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Adobe\ImageReady 7.0\Preferences\UserActions

    Adobe Photoshop 7.0: Last used folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Adobe\Photoshop\7.0\VisitedDirs\STARTUPIMAGEDIRECTORY=

    Common Dialogs: History ( (25 files)) (Registry key, nothing done)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

    Internet Explorer: AutoComplete data ( (2 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Internet Explorer\IntelliForms\SPW

    Internet Explorer: Cookies ( (164 cookies)) (Directory, nothing done)
    C:\Documents and Settings\Owner.THEMARSDENS\Cookies

    Internet Explorer: Download directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Internet Explorer\Download Directory=

    Internet Explorer: Temporary internet files ( (12447 entries)) (Empty cache, nothing done)

    Internet Explorer: User agent (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

    Internet Explorer: User agent (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

    Internet Explorer: User agent (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

    Internet Explorer: User agent (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

    Internet Explorer: User agent (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent=Mozilla/4.0 (compatible; MSIE; Win32)

    Log: Activity: COM+.log (Backup file, nothing done)
    C:\WINDOWS\COM+.log

    Log: Activity: imsins.log (Backup file, nothing done)
    C:\WINDOWS\imsins.log

    Log: Activity: OEWABLog.txt (Backup file, nothing done)
    C:\WINDOWS\OEWABLog.txt

    Log: Activity: SchedLgU.Txt (Backup file, nothing done)
    C:\WINDOWS\SchedLgU.Txt

    Log: Install: Active Setup Log.txt (Backup file, nothing done)
    C:\WINDOWS\Active Setup Log.txt

    Log: Install: comsetup.log (Backup file, nothing done)
    C:\WINDOWS\comsetup.log

    Log: Install: DtcInstall.log (Backup file, nothing done)
    C:\WINDOWS\DtcInstall.log

    Log: Install: ocgen.log (Backup file, nothing done)
    C:\WINDOWS\ocgen.log

    Log: Install: setupact.log (Backup file, nothing done)
    C:\WINDOWS\setupact.log

    Log: Install: setupapi.log (Backup file, nothing done)
    C:\WINDOWS\setupapi.log

    Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\mofcomp.log

    Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\setup.log

    Log: Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemcore.log

    Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemess.lo_

    Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemess.log

    Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemprox.log

    Log: Shutdown: System32\wbem\logs\wbemsnmp.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemsnmp.log

    Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\winmgmt.log

    Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wmiadap.log

    Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wmiprov.log

    MS Direct3D: Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name=

    MS DirectDraw: Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name=

    MS DirectInput: Most recent application (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\DirectInput\MostRecentApplication\Name=

    MS DirectInput: Most recent application ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\DirectInput\MostRecentApplication\Id=

    MS Media Player: Application data file ( ()) (File, nothing done)
    C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db

    MS Paint: Recent file list ( (4 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

    MS Regedit: Recent open key (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey=

    MS Search Assistant: Typed search terms history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Search Assistant\ACMru

    MS Wordpad: Recent file list ( (4 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

    RealOne Player 2 (aka RealPlayer 6.0): Last login time (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime\=

    RealOne Player 2 (aka RealPlayer 6.0): Last open file directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\LastOpenFileDir\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #1 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips1\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #2 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips2\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #3 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips3\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #4 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips4\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #5 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips5\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #6 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips6\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #7 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips7\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent clips #8 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips8\=

    RealOne Player 2 (aka RealPlayer 6.0): Most recent skins #1 (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentSkins1\=

    Windows Explorer: Last visited history ( (7 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

    Windows Explorer: Program run history ( (1 entries)) (Registry key, nothing done)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003_Classes\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: Recently opened files ( (65 links)) (Directory, nothing done)
    C:\Documents and Settings\Owner.THEMARSDENS\Recent

    Windows Explorer: Run history ( (2 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    Windows Explorer: Stream history ( (16 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

    Windows Explorer: User Assistant history files ( (138 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Windows Explorer: User Assistant history IE ( (23 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    Windows Media SDK: Computer name (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName=ComputerName

    Windows Media SDK: Computer name (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows Media\WMSDK\General\ComputerName=ComputerName

    Windows Media SDK: Computer name (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName=ComputerName

    Windows Media SDK: Unique ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID={00000000-0000-0000-0000-000000000000}

    Windows Media SDK: Unique ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows Media\WMSDK\General\UniqueID={00000000-0000-0000-0000-000000000000}

    Windows Media SDK: Unique ID (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID={00000000-0000-0000-0000-000000000000}

    Windows Media SDK: Volume serial number (Registry value, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

    Windows Media SDK: Volume serial number (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

    Windows Media SDK: Volume serial number (Registry value, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

    Windows.OpenWith: Open with list - .AU extension ( (3 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AU\OpenWithList

    Windows.OpenWith: Open with list - .BMP extension ( (2 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList

    Windows.OpenWith: Open with list - .CAB extension ( (2 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList

    Windows.OpenWith: Open with list - .CHM extension ( (2 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CHM\OpenWithList

    WinZip: Add files directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\directories\gzAddDir=

    WinZip: Add files directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\directories\AddDir=

    WinZip: Default directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\directories\zDefDir=

    WinZip: Default directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\directories\DefDir=

    WinZip: Destination directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\directories\gzExtractTo=

    WinZip: Destination directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\directories\ExtractTo=

    WinZip: Number of times run (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\rrs\Opened=

    WinZip: Recent created file list ( (5 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\filemenu

    WinZip: Recent extracted file list ( (1 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\extract

    WinZip: Wizard Extraction folder history ( (1 files)) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-4078709052-2253304069-2430138451-1003\Software\Nico Mak Computing\WinZip\select


    --- Spybot-S&D version: 1.2 ---
    2003-09-05 Includes\Cookies.sbi
    2003-09-09 Includes\Dialer.sbi
    2003-09-08 Includes\Hijackers.sbi
    2003-09-05 Includes\Keyloggers.sbi
    2003-09-08 Includes\Malware.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2003-09-05 Includes\Security.sbi
    2003-09-09 Includes\Spybots.sbi
    2003-08-28 Includes\Temporary.sbi
    2003-09-05 Includes\Tracks.uti
    2003-09-05 Includes\Trojans.sbi
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It seems to me that everything there that it has documented as "fixed" is fair game and shouldn't result in any problems.

    However, what we need to see now is the HijackThis Scanlog.
     
Short URL to this thread: https://techguy.org/165157