Will you tell me what to fix?

skydixon

Thread Starter
Joined
Apr 4, 2004
Messages
29
Hi Tony,

I had somehow acquired the Lop.com parasite... :rolleyes:
passthrough/popupbaropener. In my search to find
something to clean it out, I found a post by Dance mom
and followed your directions to her about getting the
Hijack program. Below is my log...would you please
tell me what I need to clean out and what I don't. While
I tend to be fairly PC literate...I'm new at this one and
don't have time for mistakes.

Thanks.
Have fun. :D
Sky


Logfile of HijackThis v1.97.7
Scan saved at 11:12:50 PM, on 4/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\FLAP TWO\BIB DOES FLAW.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingautossearch.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [Link Ball] C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\POPUPINSPECTOR.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
 
Joined
Feb 15, 2004
Messages
826
  1. Download Ad-Aware 6.181 from http://www.lavasoftusa.com/
  2. Install the program, open it, and check to make sure you have the latest reference file by clicking on webupdate. Make sure that your reference file reads 01R279 31.03.2004 (or higher number/date). If it does not, then click here and install the file manually.
  3. Make sure the following settings are turned to ON
    -From the main window click on Start then Activate in-depth scan.
    -Click on Use custom scanning options>Customize and make sure the following options are turned on:
    Scan within archives
    Scan active processes
    Scan registry
    Scan my IE Favorites for banned URL
    Scan my host-files
  4. Click on Settings and make sure the following are enabled:
    Unload recognized processes during scanning
  5. Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.
  6. Finally Click Proceed to save your settings.
  7. Click on Scan Now from the main window and select Use Custom Scanning options and click scan.
  8. When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

then
  1. Download Spybot S&D from this page
  2. Open and install the program then click here and follow the instructions for updating the program. Download all available updates.
  3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
  4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

Follow up with another log.
 

skydixon

Thread Starter
Joined
Apr 4, 2004
Messages
29
Hi Nok1,

I scanned with both of these prior to writing to you. All the settings were as you indicated...but I ran the scan again...you will see the logs below. I got this passthrough popup bar when my son went on line to find MP3's. Anyway, I've had and used spyblaster, spybot and ad-aware 6 regularly...as well as McAfee Anti-virus and McAfee Stinger. I keep everything updated weekly...so all I had to do was run all the scans again.
Ad-aware found 16 objects when I ran it in the customized mode, and nothing in the Smart system mode...see below. Spybot found nothing either...nor did stinger. You may also like to know that before I wrote you initially, I had gone into regedit and searched for the things with the popup bar path names in them and cleaned them out by hand.
Not to worry...if I don't know what something is, I leave it alone. I'm also fairly
familiar with DOS and going into the setup program from a boot up, and I've also used a start-up disk to get into my restore files to clean viruses out by hand...so if you end up needing me to do any of that, I'm familiar enough to be talked through the steps.

My machine usually runs quite well until one of these annoying little anomalies "pops up". Then I get to enjoy another new learning curve by asking the experts, such as
yourself for help. Your skills are appreciated by this "learned it by doing it" amateur.

Anyway...here's the first Ad-aware log after using the custom scan...


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, April 05, 2004 2:22:17 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R279 31.03.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


4-5-2004 2:22:17 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4287586005
Threads : 8
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294911117
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294935673
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294935229
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:5 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294948085
Threads : 14
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 6/8/2000 9:00:00 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:6 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294711905
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:7 [vsstat.exe]
FilePath : C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\
ProcessID : 4294748117
Threads : 1
Priority : Normal
FileSize : 240 KB
FileVersion : 7.03.6000
ProductVersion : 7.03.6000
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan System Tray
InternalName : VsStat
OriginalFilename : VsStat.exe
ProductName : VirusScan Home Edition
Created on : 6/3/2003 11:03:00 AM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/3/2003 11:03:00 AM

#:8 [bib does flaw.exe]
FilePath : C:\PROGRAM FILES\FLAP TWO\
ProcessID : 4294797601
Threads : 1
Priority : Normal
FileSize : 234 KB
Created on : 4/3/2004 2:57:42 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 4/3/2004 2:57:40 PM

#:9 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294826829
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:10 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294108249
Threads : 5
Priority : Realtime
FileSize : 32 KB
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 4/16/2003 8:20:21 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 12/12/2002 4:14:32 AM

#:11 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294110793
Threads : 9
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:07:38 AM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 8/29/2002 11:07:38 AM

#:12 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294110493
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 7/29/2003 4:38:35 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

WildTangent Object recognized!
Type : File
Data : a0014620.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 44 KB
FileVersion : 1.6.1.2
ProductVersion : 1.6.1.2
Copyright : Copyright
CompanyName : WildTangent, Inc.
FileDescription : wtcpl
InternalName : wtcpl
OriginalFilename : wtcpl.cpl
ProductName : Wild Tangent wtcpl
Created on : 2/16/2004 10:36:32 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 9/23/2003 10:48:48 PM



Dialer-Offline Object recognized!
Type : File
Data : a0014623.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 73 KB
FileVersion : 1, 0, 0, 53
ProductVersion : 1, 0, 0, 53
Copyright : Copyright 2001
FileDescription : DialerOffline Module
InternalName : DialerOffline
OriginalFilename : DialerOffline.DLL
ProductName : DialerOffline Module
Created on : 7/24/2003 4:02:51 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 7/24/2003 4:02:52 PM



Dialer-Offline Object recognized!
Type : File
Data : a0014626.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 35 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2001
FileDescription : GirlControlCom Module
InternalName : GirlControlCom
OriginalFilename : GirlControlCom.DLL
ProductName : GirlControlCom Module
Created on : 7/24/2003 4:02:51 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 7/24/2003 4:02:52 PM



VX2.BetterInternet Object recognized!
Type : File
Data : a0014629.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 524 KB
Created on : 6/30/2003 8:10:02 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/30/2003 8:10:02 PM



WildTangent Object recognized!
Type : File
Data : a0014632.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 100 KB
FileVersion : 1.0.0.28
ProductVersion : 1.0.0.28
Copyright : Copyright (C) 2003
CompanyName : Wild Tangent
FileDescription : AIM WD installer
InternalName : 1.0.0.28
OriginalFilename : 1.0.0.28
ProductName : 1.0.0.28
Created on : 2/16/2004 10:35:59 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 1/12/2004 7:29:28 PM



WildTangent Object recognized!
Type : File
Data : a0014635.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 100 KB
FileVersion : 1.0.0.28
ProductVersion : 1.0.0.28
Copyright : Copyright (C) 2003
CompanyName : Wild Tangent
FileDescription : AIM WD installer
InternalName : 1.0.0.28
OriginalFilename : 1.0.0.28
ProductName : 1.0.0.28
Created on : 2/16/2004 10:35:52 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 1/12/2004 7:29:28 PM



WildTangent Object recognized!
Type : File
Data : a0014638.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 24 KB
FileVersion : 3.2.0.19
ProductVersion : 3.2.0.19
Copyright : All Rights Reserved
CompanyName : WildTangent Inc
FileDescription : Java Native Interface layer for DRM3
InternalName : Jni/Rni DRM3
OriginalFilename : Jni/Rni DRM3
ProductName : WildTangent Inc DRM3
Created on : 2/16/2004 10:36:24 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 9/4/2003 10:13:58 PM



WildTangent Object recognized!
Type : File
Data : a0014641.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 36 KB
Created on : 2/16/2004 10:36:28 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 10/27/2003 3:42:46 PM



WildTangent Object recognized!
Type : File
Data : a0014644.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 48 KB
FileVersion : 3, 0, 2, 0
ProductVersion : 3, 0, 2, 0
Copyright : Copyright 2002
FileDescription : wtdmmpv Module
InternalName : wtdmmpv
OriginalFilename : wtdmmpv.DLL
ProductName : wtdmmpv Module
Created on : 2/16/2004 10:36:29 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 11/10/2003 9:38:26 PM



Lop.com Object recognized!
Type : File
Data : a0014647.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 192 KB
Created on : 4/3/2004 2:57:44 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 4/3/2004 2:57:46 PM



PeopleOnPage Object recognized!
Type : File
Data : a0014650.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 56 KB
Created on : 4/3/2004 2:57:57 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 4/3/2004 2:57:58 PM



Ebates MoneyMaker Object recognized!
Type : File
Data : a0014653.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 44 KB
Created on : 9/15/2003 9:38:32 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 9/15/2003 9:38:32 PM



TopMoxie Object recognized!
Type : File
Data : a0014656.cpy
Object : C:\_RESTORE\TEMP\
FileSize : 24 KB
Created on : 4/3/2004 3:04:40 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 4/3/2004 3:04:42 PM



Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Object : C:\WINDOWS\Cookies\

Created on : 4/4/2004 11:11:32 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 4/4/2004 11:11:34 PM



Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Object : C:\WINDOWS\Cookies\

Created on : 4/4/2004 11:14:54 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 4/4/2004 11:14:56 PM



Tracking Cookie Object recognized!
Type : File
Data : [email protected][2].txt
Object : C:\WINDOWS\Cookies\

Created on : 4/4/2004 11:32:31 PM
Last accessed : 4/4/2004 4:00:00 AM
Last modified : 4/4/2004 11:32:32 PM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 16


Scanning Hosts file(C:\WINDOWS\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0 entries scanned.
New objects :0
Objects found so far: 16




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 16


2:34:29 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:12:10:950
Objects scanned :126980
Objects identified :16
Objects ignored :0
New objects :16


Here's the second Ad-aware log after using the Smart scan....


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, April 05, 2004 2:39:30 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R279 31.03.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


4-5-2004 2:39:30 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4287585961
Threads : 8
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294911217
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:3 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294934885
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:4 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294947221
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:5 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294713865
Threads : 15
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 6/8/2000 9:00:00 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:6 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294764953
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:7 [vsstat.exe]
FilePath : C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\
ProcessID : 4294723493
Threads : 1
Priority : Normal
FileSize : 240 KB
FileVersion : 7.03.6000
ProductVersion : 7.03.6000
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan System Tray
InternalName : VsStat
OriginalFilename : VsStat.exe
ProductName : VirusScan Home Edition
Created on : 6/3/2003 11:03:00 AM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/3/2003 11:03:00 AM

#:8 [bib does flaw.exe]
FilePath : C:\PROGRAM FILES\FLAP TWO\
ProcessID : 4294796469
Threads : 1
Priority : Normal
FileSize : 234 KB
Created on : 4/3/2004 2:57:42 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 4/3/2004 2:57:40 PM

#:9 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294822253
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:10 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294816769
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 7/29/2003 4:38:35 PM
Last accessed : 4/5/2004 4:00:00 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Scanning Hosts file(C:\WINDOWS\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0 entries scanned.
New objects :0
Objects found so far: 0



2:41:51 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:02:21:480
Objects scanned :39649
Objects identified :0
Objects ignored :0
New objects :0


My second question for you after we get all this popup bar stuff cleaned out is....do you know of a free popup blocker I can download? If so, where can I get it? I haven't
used the firewall because my kids play online games and have clans, and so on....if you
have any ideas of what to use that won't interfere with my installed software, their gaming and will block popups....(freeware would be best) please tell me. That would be a wonderful thing, indeed.

Thanks ever so much,
Sky
 
Joined
Aug 18, 2003
Messages
2,438
I should think you would want to remove the objects that the custom Ad-Aware scan found ...

The "smart scan" uses a pre-defined set of options that is adequate for routine cleaning, but the full custom scan does do a better job of examining the computer. I run the custom scan whenever a new reference file is released, and a smart scan in between.

I have other security measures, but many people on this board use the Google toolbar with the pop-up blocking feature: http://toolbar.google.com/
 

skydixon

Thread Starter
Joined
Apr 4, 2004
Messages
29
Hello Winchester,

You wrote...>>I should think you would want to remove the objects that the custom Ad-Aware scan found ...<<

My reply; :rolleyes:
>>Well of course. And I did exactly that, immediately upon saving a copy of
the scan log. As I said in my last thread...Ad-aware found 16 objects when I ran it in the customized mode, and nothing in the Smart system mode...<<

You wrote...>>I have other security measures, but many people on this board use the Google toolbar with the pop-up blocking feature: http://toolbar.google.com/<<

My reply; ;)
>>I use the google search page as my IE browser start page. Alas, this poor amateur does not have the time to learn how to surf the internet and become better acquainted with "what is out there". Too many non-computing related "irons in the fire" to take the time. Thanks for the tip.
Will get right on the job of setting that up.

:( My original question was according to the HijackThis program. The techs had told Dance Mom (her dad had the same issue) to send them a log of what the Hijack program had found so they could tell her which files should be cleaned/fixed and which ones to keep. That is what I did...I scanned with the Hijack program as well as all the others, and I am still waiting to hear back on that question, in my original post. I think I've been pretty clear in the information I've given so far.

Thanks again.

Sky :cool:
 
Joined
Feb 15, 2004
Messages
826
Okay, good that you fixed the items with Ad-Aware, but I didn't see a new HJT log - I guess I forgot to mention for you to do so, I apologize. From your old log, I can tell you to remove this entry, and the others might've changed

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
 

skydixon

Thread Starter
Joined
Apr 4, 2004
Messages
29
Hi Nok,

Oversight has been overlooked. :eek:D
It's easy enough to do. Earlier today,
I did install the google toolbar in
order to use the popup blocker.
Here's the HJT log...I just did it.
Looking forward to hearing from
you. Thanks for your reply.

Later,
Sky

Logfile of HijackThis v1.97.7
Scan saved at 10:22:18 PM, on 4/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\FLAP TWO\BIB DOES FLAW.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingautossearch.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [Link Ball] C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\PROGRAM FILES\GIANT COMPANY SOFTWARE INC\POPUP INSPECTOR\POPUPINSPECTOR.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
 
Joined
Aug 18, 2003
Messages
2,438
Perhaps a fresh HJT log would be useful ...

I should think this Alset Help Express item was removed already:

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

This item needs some looking into:

O4 - HKLM\..\Run: [Link Ball] C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe
 
Joined
Feb 15, 2004
Messages
826
Remove these items from your HJT log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingautossearch.com/passt...www.google.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O4 - HKLM\..\Run: [Link Ball] C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe


Next, click on the following URL and upload the file below, then post results back here:
C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe (the directory should be C:\Program Files\FLAPTW* where the * is any number/letter.)

http://www.kaspersky.com/remoteviruschk.html

Next, delete the following file in safe mode (hidden/system files may need to be on, instructions for both at bottom of post)
C:\WINDOWS\emsw.exe

show hidden and system files - http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Safe Mode - http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

After doing all of that, it's a good idea to post one more log.

EDIT:
The directory for the odd file is C:\Program Files\FLAP TWO
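
The post above ends by asking for one more log after the cleanup. As an added example that is not part of the thread, the Python below checks a follow-up HijackThis log against the removal list and reports flagged entries that are still there. The function names and the follow-up log are constructed for illustration. Matching R entries on registry location plus URL host is an assumption made here because the forum shortens long URLs with "...".

```python
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - HKLM\..\Run: [x] y"

def entry_key(section, body):
    """Comparison key that survives forum URL shortening and case changes."""
    if section.startswith("R"):
        # R lines are "<registry key>,<value name> = <url>"; forum software
        # shortens long URLs with "...", so compare location + host only.
        location, _, value = body.partition("=")
        host = urlparse(value.strip()).hostname or ""
        return (section, location.strip().lower(), host)
    return (section, " ".join(body.split()).lower(), "")

def parse_entries(text):
    """Return [(section, body)] for every HijackThis entry line in text."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out

def still_present(flagged_text, fresh_log_text):
    """Flagged entries that a later scan still reports."""
    fresh = {entry_key(s, b) for s, b in parse_entries(fresh_log_text)}
    return [(s, b) for s, b in parse_entries(flagged_text)
            if entry_key(s, b) in fresh]

# Entries copied from the removal list in the thread (one URL is shortened there).
FLAGGED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingautossearch.com/passt...www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [Link Ball] C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe
"""

# Constructed follow-up log (not from the thread): two flagged entries survive.
FRESH = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingautossearch.com/passthrough/index.html?http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Link Ball] C:\PROGRA~1\FLAPTW~1\BIB DOES FLAW.EXE
"""

if __name__ == "__main__":
    for section, body in still_present(FLAGGED, FRESH):
        print("STILL PRESENT:", section, "-", body)
```

An R entry whose registry location is unchanged but whose URL now points at a different host is treated as cleaned, which is why the Search Bar line is not reported for the constructed log.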
 

skydixon

Thread Starter
Joined
Apr 4, 2004
Messages
29
Hi Winchester,
My post at 10:48 (#7) was a fresh HJT log.
Will take those files out...a.s.a.p.
Thanks.
sky

You wrote;
Perhaps a fresh HJT log would be useful ...

I should think this Alset Help Express item was removed already:

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

This item needs some looking into:

O4 - HKLM\..\Run: [Link Ball] C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe
********************************************************

Hi Nok1,
Will get back to you soon.
Thanks.
sky
 
Joined
Feb 15, 2004
Messages
826
winchester: different time zones:)

In fact, I think it may be the east coast if I'm not mistaken ;)
 
Joined
Feb 15, 2004
Messages
826
You can if you'd like. It's not anything harmful. Oh, and the timezone thing, I was just proving to myself I was an arrogant self-proclaimed genius :). Don't mind me. Just post a log once done with the instructions I have posted.
 

skydixon

Thread Starter
Joined
Apr 4, 2004
Messages
29
I'm sorry...please break this down...it's not making sense...which file below do I upload?
Be specific. Is the Bib Does Flaw.exe something to keep or get rid of? I thought it needed to be gotten rid of. Or is that the file to upload? I'm not sure what you are referencing. :eek:

sky :cool:

You wrote;
Next, click on the following URL and upload the file below, then post results back here:
C:\PROGRA~1\FLAPTW~1\Bib Does Flaw.exe (the directory should be C:\Program Files\FLAPTW* where the * is any number/letter.) Are you wanting me to get a file
from (upload the file below) there or use their virus scan?

http://www.kaspersky.com/remoteviruschk.html
 

skydixon

Thread Starter
Joined
Apr 4, 2004
Messages
29
never mind....I figured it out. I'll get back to you
soon with my findings log.

sky
 