1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

please hijack this

Discussion in 'Virus & Other Malware Removal' started by sheila66, Sep 20, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. sheila66

    sheila66 Thread Starter

    Joined:
    Jul 18, 2004
    Messages:
    15
    Could you please guide me through the "hijack process"? I did it a few months ago, but our computer has become very sluggish once again. Could you please let me know how to delete specific files and anything else I need to know to purge my computer of spyware. Thanks so much!

    Logfile of HijackThis v1.98.0
    Scan saved at 9:22:17 AM, on 9/20/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
    C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\The Learning Company\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mike\My Documents\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: dlexpertclick Class - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB002" /M "Stylus C62"
    O4 - HKLM\..\Run: [hEmRFmiD] C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Ahm8.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [hEmRFmiD.exe] C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\The Learning Company\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
    O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O9 - Extra button: DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
    O9 - Extra 'Tools' menuitem: &DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: AuthenticBrowserEdition - http://www.nanonull.com/cabfiles/AuthenticBrowserEditionUnicode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - https://support.gateway.com/support/contact/formassist.CAB
    O16 - DPF: {1B1C798E-615B-46B5-B235-A80A3FF44A67} (OutlookMAPI.AddressBook) - http://atlas.eshq.mattel.com/outlook/OutlookMAPI.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://napdcm20j/dashboard/msddsc.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) - http://product.webtrends.com/DOCUTIL/Download/j2re-1_4_1_03-windows-i586-i.exe
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.20/ttinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eshq.mattel.com
    O17 - HKLM\Software\..\Telephony: DomainName = eshq.mattel.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eshq.mattel.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eshq.mattel.com,matna.mattel.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eshq.mattel.com,matna.mattel.com
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Your copy of HJT is outdated, please get v 1.98.2
    http://tools.radiosplace.com/HijackThis.exe

    and repost with a new log from that. You do have some things that we can help with and that should be removed as soon as possible.
     
  3. sheila66

    sheila66 Thread Starter

    Joined:
    Jul 18, 2004
    Messages:
    15
    Here it is. I wasn't able to open it from the link you gave me, but I found a "back way" in from a site I found at google. Your link just led me to a blank IE window, a spreadsheet, and an "Add new job" page that wouldn't open. The one that did open was from a "zip" file from another web site (does that make sense?). Anyway, I hope I have the right thing this time. Thanks so much....

    Logfile of HijackThis v1.98.2
    Scan saved at 8:40:18 PM, on 9/21/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
    C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\The Learning Company\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Sheila\LOCALS~1\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: dlexpertclick Class - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB002" /M "Stylus C62"
    O4 - HKLM\..\Run: [hEmRFmiD] C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Ahm8.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [hEmRFmiD.exe] C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\The Learning Company\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
    O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
    O9 - Extra button: DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
    O9 - Extra 'Tools' menuitem: &DLExpert - {4AB89EA8-E2B8-11d4-AE71-00D00925CF52} - C:\Program Files\DLExpert\DLExpert.exe
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: AuthenticBrowserEdition - http://www.nanonull.com/cabfiles/AuthenticBrowserEditionUnicode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - https://support.gateway.com/support/contact/formassist.CAB
    O16 - DPF: {1B1C798E-615B-46B5-B235-A80A3FF44A67} (OutlookMAPI.AddressBook) - http://atlas.eshq.mattel.com/outlook/OutlookMAPI.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://napdcm20j/dashboard/msddsc.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) - http://product.webtrends.com/DOCUTIL/Download/j2re-1_4_1_03-windows-i586-i.exe
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.20/ttinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eshq.mattel.com
    O17 - HKLM\Software\..\Telephony: DomainName = eshq.mattel.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eshq.mattel.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eshq.mattel.com,matna.mattel.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eshq.mattel.com,matna.mattel.com
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You will find a Thread Tools button at the top of this page- there is a Printable Version tab under that which will let you print a text version of these posts or at least the one with these directions....since you will be working in Safe Mode, you will not have a way to read the steps...you could also copy this reply as a plain text file into Notepad and save it on your desktop to read in lieu of printing it out.


    You need to put Hijackthis into it's own folder so the backups it makes are saved in that folder and not lost or scatterd all over....simply right click an empty spot on the desktop, Select New>Folder and rename that to HJT. You will have to re-download Hijackthis.exe somehow> and change the download location to the HJT folder.
    Since you apparently are using a download manager DLExpert, you might be having trouble doing that...but try.
    If you can part with DLExpert it may help you in the long run...
    These links are direct downloads, so you should see just a file download box, select Save, not Open> and change the download saving location TO the HJT folder.
    Or, you can drag and drop the present copy of hijackthis.exe into a folder you make in My Documents\HJT...whichever you can do.

    You may also try here, this is the .zip form:
    http://www.majorgeeks.com/download3155.html

    You would unzip that TO the HJT folder you made...

    Next:

    You have a variety of baddies. The Peper trojan remover will help get rid of one. Here are two locations to get two uninstallers:

    http://www.bleepingcomputer.com/files/peperremover.php

    http://www.memorywatcher.com/uninst.exe

    When you run the uninstaller, you MUST have an internet connection active for it to work

    This Peper removal tool only works if run twice. To complete each stage of the Peper removal you need to REBOOT to clear the peper infection each time you run the tool, or the infection will remain.

    Run either of them twice as it says.

    Restart and go here and download AdAware SE personal edition and SpyBot Search and Destroy.
    Get CWShredder also. Make a new folder called CWS for it.

    http://www.majorgeeks.com/downloads31.html

    You need just the programs, they both have built in updaters and you will run those later during the install.
    Don't run the installs just yet....

    Now, we will restart the computer to Safe Mode- do this by tapping the F8 key several times as you first start up, select Safe Mode with the down arrow key from the menu, give it plenty of time to reach Safe Mode.

    Go to Add/Remove Programs and uninstall:

    WinTools (any entry for WinTools, Easy Installer, etc)

    maxSpeed (may not have that)

    LimeShop

    NEXT:

    Run Hijackthis.exe again,, with all other windows closed! and put checks next to EACH of these items and when done, click "Fix checked": You may not have all these in HJT to fix, don't worry, do the ones you have:

    C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe
    C:\Program Files\Common Files\WinTools\WToolsA.exe
    C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe

    C:\Program Files\Common Files\WinTools\WSup.exe

    C:\Program Files\Common Files\WinTools\WToolsS.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O4 - HKLM\..\Run: [hEmRFmiD] C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe

    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Ahm8.exe

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    O4 - HKLM\..\Run: [hEmRFmiD.exe] C:\documents and settings\sheila\local settings\temp\hEmRFmiD.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe

    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Now run CWSHredder.exe, use the FIX button not the scan only....


    Now, you need to make sure you have these settings done:

    Your temps folder will/may also be under C:\Documents and Settings\Sheila\Local Settings
    Delete just the contents, not the temp folders....

    Now open Windows Explorer and find and delete these FILES, the ones at the end of these lines:

    C:\Program Files\Common Files\WinTools\WToolsA.exe

    C:\Program Files\Common Files\WinTools\WSup.exe

    C:\Program Files\Common Files\WinTools\WToolsS.exe
    and this ---------> WToolsB.dll

    C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    C:\WINNT\System32\ms.exe

    And these folders:

    C:\Program Files\Common Files\WinTools

    C:\Program Files\LimeShop

    Empty the Recycle Bin and Reboot.

    Install and update the two programs:

    You check for updates even though you are just installing them> before you use them to remove anything.
    it is safe to let them remove all they find, they make backups.

    Run Hijackthis again, and post a new log and we will see what is left to do.
     
  5. sheila66

    sheila66 Thread Starter

    Joined:
    Jul 18, 2004
    Messages:
    15
    I'm getting the same "DL Expert" garbage that I got with your "hijack this" link. A blank window comes up, then "add new job" which brings up a spreadsheet with a bunch of meaningless (to me) statistics and then "finished" appears in the spreadsheet, whatever that means. And that's all that happens. Another interesting thing: I have a shortcut to peperfix.exe ("option explicit peperfix" ??) from several months ago when I first posted at this site, but when I ran the "find and fix", no peper files were detected. I don't know what any of this means or why my computer won't let me access the files you send me to... Can you help? Thanks again... BTW, I was able to copy HJT onto my desktop, as you described. :)
    Ok, more.... I found another peper fix site (through google again) called "peperkiller.zip" that uninstalled "memory watcher", and I ran it twice, while rebooting both times. (It seems like I can only open .zip files.) So, I went on to follow your next instructions and I'm getting the exact same thing as before with everything I try to download: adaware (which I think is already on our computer), cwshredder, and spybot (which I know is on the computer because I use it daily). I get the blank window, etc. Is there another location (or .zip file???) where I can download these files? Very frustrating, and I have no idea why it all doesn't work... Thanks...
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, OK< let's try ALL the Peper removers I know of, one of them is bound to work!

    NOTE: If the directions say you must be ONLINE that means an active Internet connection, have one Internet Explorer window open...when you run the remover. You download them first, usually to the desktop and run from there...I am not sure if they would work if you use the Open when you see the file download box...if you can see the file for download at all that is...
    Can you bear to uninstall that DLExpert? It may be causing you this headache.... You could I suppose set it to not start up when Windows does using MSConfig if it is present on your system....From Start>Run, type in the run line msconfig and hit OK or Enter....hit the Startup tab, and in the list, UNcheck DLExpert and OK to restart...then try downloading some of the removers.

    http://www.subratam.org/?page=removal

    http://www.zerosrealm.com/index.php?page=downloads <-----try first!!!!

    The site above has TWO removers, one for a newer variant, and this may be the one you need...scroll down the page to find them.

    http://computercops.us/downloads-file-330.html

    http://mjc1.com/files/peperpage/uninst.exe

    http://download.broadbandmedic.com/PeperFix.exe

    The usage is the same for those: Be online, run it once, restart and run again. Give them access through the firewall.

    Post a new HJT log....if you want to wait until you see me online, I should be on around 6pm Thursday up till 1 A.M.

    One thing you can try is an online scanner>

    http://www.pandasoftware.com/activescan

    http://housecall.antivirus.com/housecall/start_corp.asp

    http://www.antivirus-online.de/english/online.php
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    I am sorry but cannot tell what may be causing that to happen....maybe someone can help with that? I suggest you uninstall DLExpert or use msconfig to keep DLExpert from starting up and try downloading the removers again.

    Try the online scans.
     
  8. sheila66

    sheila66 Thread Starter

    Joined:
    Jul 18, 2004
    Messages:
    15
    I think I did it! :) I think we finally figured out what all that DL stuff was and I was able to do everything else you said. Here's my new hijack log. Let me know how it looks... Thanks! One final note, my kids use "addictinggames.com" and "realonearcade" a lot. Are we getting some of our baddies from them? I need to find a way to be proactive rather than always just "cleaning up" the messes... Any advice you can give would be appreciated. Thanks again!

    Logfile of HijackThis v1.98.2
    Scan saved at 8:46:19 PM, on 9/23/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\The Learning Company\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\DOCUME~1\Sheila\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB002" /M "Stylus C62"
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Mavis Beacon Teaches Typing Deluxe 11.lnk = C:\Program Files\The Learning Company\Mavis Beacon Teaches Typing Deluxe 11\MiniMavis.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: AuthenticBrowserEdition - http://www.nanonull.com/cabfiles/AuthenticBrowserEditionUnicode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - https://support.gateway.com/support/contact/formassist.CAB
    O16 - DPF: {1B1C798E-615B-46B5-B235-A80A3FF44A67} (OutlookMAPI.AddressBook) - http://atlas.eshq.mattel.com/outlook/OutlookMAPI.CAB
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://napdcm20j/dashboard/msddsc.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_03) - http://product.webtrends.com/DOCUTIL/Download/j2re-1_4_1_03-windows-i586-i.exe
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.13.20/ttinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eshq.mattel.com
    O17 - HKLM\Software\..\Telephony: DomainName = eshq.mattel.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eshq.mattel.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = eshq.mattel.com,matna.mattel.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = eshq.mattel.com,matna.mattel.com
     
  9. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Congratulations! Log looks good now.

    I am not familiar with those sites so I cannot comment on them, however someone here may have something for you.

    SpyBot has protection- called Immunize- when you get updates to SS&D, these new protections can be added by clicking Immunize...

    Spywareblaster will keep a lot of bad stuff out:

    http://www.javacoolsoftware.com/

    SpywareGuard will also, but it is an active blocker and will pop up often to ask if you want to allow this or that...sort of like a firewall does. Very good at what it does, it can also prevent some things you need to do from working> but, it's very simple to tell SG what to allow etc or to turn it off temporarily, like you may do with your antivirus program.

    http://www.javacoolsoftware.com/downloads.html

    IE-Spyads is another great tool- I use it and Spywareblaster, AAW and SS&D and have had zero problems even though I test things at less than good sites often...

    https://netfiles.uiuc.edu/ehowes/www/resource.htm

    What you and others using the computer want to watch out for, besides general malwares, are what is known as rogue antispyware "programs"---and you dont always see them as advertisements/popups either!
    Take a look at some of the common knock-off, copycat, downright dishonest, and poorly performing rogue antispyware things here:

    http://www.spywarewarrior.com/rogue_anti-spyware.htm
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/276097

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice