can't download cwshredder or hijack this...


42 replies to this topic

#1 xboarder13

xboarder13

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 18 May 2004 - 02:46 PM

what do i do now? this prosearching.com/outhost.info shit is killing me.

#2 nellie2

nellie2

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 651 posts

Posted 18 May 2004 - 04:16 PM

What problems are you having with the downloads?

Try here, about a third of the way down the list Merijn has provided some alternative download locations if you are unable to download.

If this doesn't work for you then PM me your email address and I will email the programs to you.

#3 xboarder13

Posted 18 May 2004 - 11:40 PM

hey thanks for your help...yeah i've tried the alternative merijn downloads and they don't work either. when i select open file, nothing happens. when i select save, it says cannot copy file: cannot read from the source file or disk.

my address is *********@hotmail.com....thanks again. <-- email edited for privacy (Daemon)

Edited by Daemon, 19 May 2004 - 01:45 PM.


#4 lafrentz06

lafrentz06

    Member

  • New Member
  • Pip
  • 1 posts

Posted 19 May 2004 - 12:49 AM

The same exact thing happens to me..Any help anybody?

Thanks,
Neil

#5 nellie2

Posted 19 May 2004 - 01:04 PM

xboarder13 I have sent you the files, I will ask a mod to edit your post and remove your email address. Please post back to this thread with a hijack log if you can.

lafrentz06, I realise it can be frustrating waiting for help.... but please start your own thread and don't post in someone else's!
Thanks :)

#6 xboarder13

Posted 19 May 2004 - 08:04 PM

hey i didn't receive the files. not sure if it went through or not. try sending them again. hopefully i'll get them. thanks.

#7 duke9106

duke9106

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 19 May 2004 - 09:07 PM

xboarder13: be patient. They now have the fix. I am totally cured as of this morning.

I had the outhost infestation plus I couldn't access antispyware sites, download Cwshredder, Hijackthis or spybot because of hacker defender.

You have a bad infection like I had but i am totally cured. See my posts but wait for the experts before taking this on. Good luck. These people will fix you.

http://www.spywarein...hacker defender


http://www.spywarein...p?showtopic=647

Edited by duke9106, 19 May 2004 - 09:10 PM.


#8 nellie2

Posted 20 May 2004 - 02:26 PM

xboarder13, forget about those files... duke9106 is right... I've been away on holiday and this problem popped up whilst I was away... you can't leave this stuff for a minute! :rolleyes:

Go to Start | Run (type) cmd (click Ok)
From The "Command Prompt" (type)

NET STOP HACKERDEFENDER100 (press Enter)

Note: (that's) NET<space>STOP<space>HACKERDEFENDER100

If successful you should see: (wait 30 sec.)

"The service is not responding to the control function."


See if "winunins.ini" exists and open in Notepad
Paste the contents of "winunins.ini".

#9 xboarder13

Posted 20 May 2004 - 04:31 PM

net stop hackerdefender100 command was successful. here's the contents of "winunins.ini".


[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINDOWS\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]

#10 nellie2

Posted 20 May 2004 - 04:54 PM

Hello again xboarder13

1) Restart in safe mode
2) hidden files and folders
Locate and delete the following:

hxdefdrv.sys
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
(not "svchost.exe")
trj4j6js.exe
ddd.exe


Open Regedit and click Edit > Find
(enter) "HackerDefenderDrv100" (no quotes)
Click Find Now

Highlight and delete all references found.
Click "F3" to continue searching, repeat until you see the "Completed Search" message.

Next, do the same steps for each of the above files.

Note: If you cannot delete the registry keys (Access Denied) then Right-click key and click Permissions.. Set Full Control to Allow everyone rights

While still in Safe Mode: Run a full system scan with McAfee
Restart normally and post a fresh HijackThis log.

Note: if for some reason "hxdefdrv.sys" seems to be running again in Safe Mode, repeat the "net stop" command again and then delete the files.
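The file list in the post above follows from the winunins.ini posted earlier in the thread. As an added example (not part of the original thread and not code from any tool named in it), this Python script parses that ini layout, rebuilds the file and registry checklist, shows which tool names the Hidden Table patterns cover, and flags the svhost.exe / svchost.exe look-alike. The function names, the case-insensitive wildcard matching and the single legitimate name compared against are assumptions of the example.

```python
import difflib
import fnmatch

# Abridged copy of the winunins.ini posted in this thread (empty sections and
# some [Settings] lines omitted).
SAMPLE_INI = r"""[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*
[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe
[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
[Startup Run]
C:\WINDOWS\svhost.exe -sr -0
[Settings]
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
"""


def parse_hxdef_ini(text):
    """Return {section: [lines]}; [Settings] becomes a dict of key -> value.

    configparser is not used: most sections hold bare lines, and the
    [Startup Run] command line contains ':' which it would treat as a delimiter.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {} if current == "Settings" else []
        elif current == "Settings":
            key, _, value = line.partition("=")  # split on the first '=' only
            sections[current][key.strip()] = value.strip()
        elif current is not None:
            sections[current].append(line)
    return sections


def _unique(items):
    """Drop empty values and case-insensitive duplicates, keeping order."""
    seen, out = set(), []
    for item in items:
        if item and item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def cleanup_files(cfg):
    """File names to locate in Safe Mode: driver, hidden files, root processes, shell."""
    settings = cfg.get("Settings", {})
    literal = [e for e in cfg.get("Hidden Table", []) if "*" not in e]
    return _unique([settings.get("DriverFileName")] + literal
                   + cfg.get("Root Processes", [])
                   + [settings.get("BackdoorShell")])


def registry_terms(cfg):
    """Strings to search for in Regedit (hidden keys plus service and driver names)."""
    settings = cfg.get("Settings", {})
    return _unique(cfg.get("Hidden RegKeys", [])
                   + [settings.get("ServiceName"), settings.get("DriverName")])


def hidden_by_rootkit(name, cfg):
    """True if a file name matches a Hidden Table pattern (assumed case-insensitive)."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower())
               for pat in cfg.get("Hidden Table", []))


def lookalikes(names, legit=("svchost.exe",)):
    """Map each name that closely resembles, but is not, a legitimate binary name."""
    flagged = {}
    for name in names:
        if name.lower() in legit:
            continue
        close = difflib.get_close_matches(name.lower(), legit, n=1, cutoff=0.9)
        if close:
            flagged[name] = close[0]
    return flagged


if __name__ == "__main__":
    cfg = parse_hxdef_ini(SAMPLE_INI)
    print("files:", cleanup_files(cfg))
    print("registry:", registry_terms(cfg))
    print("look-alikes:", lookalikes(cleanup_files(cfg)))
```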

#11 xboarder13

Posted 21 May 2004 - 01:20 AM

hi there, the only files i could find and delete were:

inatjoy.dll
winunins.exe
winunins.ini
svhost.exe

as for the regedit references, i was to delete all except one titled (default)

i don't have mcafee but i ran norton antivirus and i had hxdefdrv.sys and svhost.exe on the system so i quarantined and deleted them.

i can't post a hijackthis log because i don't have it and can't download it.

lemme know what my next step is. thank you.

#12 nellie2

Posted 21 May 2004 - 03:45 PM

Sorry for leaving you in the middle of things last night, I'm afraid it couldn't be avoided on my part. Have you tried downloading hijackthis since we ran the fix?

http://www.spywarein.../HijackThis.exe


I have sent you the files again, just in case you are still having download problems. Check the junk folder in your hotmail in case the email has gone there.

#13 xboarder13

Posted 21 May 2004 - 04:27 PM

that's ok. i was working on things late anyways. i was able to download hijackthis from the link. here's my log...


Logfile of HijackThis v1.97.7
Scan saved at 5:26:40 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\INTERN~2\Send Build.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\gabe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.viplegal.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://findloss.com/srchasst.html
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [Option Joy] C:\PROGRA~1\INTERN~2\Send Build.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O19 - User stylesheet: C:\WINDOWS\system32\lnzmzv.bp3

#14 nellie2

Posted 21 May 2004 - 04:35 PM

great.... downloading ability is back!! :) Can you download CWShredder from here, extract it to its own folder and then run it hitting 'fix' as opposed to 'scan only' and then reboot and post a fresh log.

#15 xboarder13

Posted 21 May 2004 - 06:09 PM

yeah i downloaded cwshredder and ran it. here's the new log.

Logfile of HijackThis v1.97.7
Scan saved at 7:07:41 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\INTERN~2\Send Build.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\gabe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....ellnet.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.viplegal.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [Option Joy] C:\PROGRA~1\INTERN~2\Send Build.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O19 - User stylesheet: C:\WINDOWS\system32\lnzmzv.bp3

#16 nellie2

Posted 22 May 2004 - 08:36 AM

ok.. we are nearly there!! B)

You are running hijackthis from your desktop, this is not a good idea because when we do a fix hijackthis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. When you have done that, delete the copy of hijackthis that you have on your desktop.

Then run hijackthis again, make sure all browsers and windows are closed except hijackthis. Put a check against the following and click 'fix checked'

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....ellnet.msn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.viplegal.com/search

O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

O19 - User stylesheet: C:\WINDOWS\system32\lnzmzv.bp3

then reboot and post a fresh hijack log.

Do you know what this is?

O4 - HKLM\..\Run: [Option Joy] C:\PROGRA~1\INTERN~2\Send Build.exe

Is it something you have installed?

#17 xboarder13

Posted 22 May 2004 - 06:29 PM

i moved hijackthis to a new folder and deleted what you said. here's the new log.

Logfile of HijackThis v1.97.7
Scan saved at 7:25:13 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\INTERN~2\Send Build.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\gabe\Local Settings\Temp\Temporary Directory 2 for hjt.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....ellnet.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {510B58E7-0D10-CC9C-565B-8F9A34235240} - C:\PROGRA~1\THUNKC~1\okayooze.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: DriveTimeAim - {3E5699B3-EEDD-D91E-752C-961DE561A523} - C:\PROGRA~1\THUNKC~1\okayooze.dll
O4 - HKLM\..\Run: [Option Joy] C:\PROGRA~1\INTERN~2\Send Build.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx




as for this...

O4 - HKLM\..\Run: [Option Joy] C:\PROGRA~1\INTERN~2\Send Build.exe

not sure what it is, but i don't think it's important. i'll double check. lemme know what my next step is. thanks.

#18 nellie2

Posted 23 May 2004 - 08:34 AM

Hello again!

First of all, you are running hijackthis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create backup files whilst it is being run from a temporary folder.

You now have a BHO and a Toolbar that I can't identify, however I am positive that they are bad.

Before we do anything can you find and zip the following folders and send them to me at this email address. I will get them analysed and if you have something new then the experts will be able to start working on updating the various spyware fighting programs to deal with it.

C:\PROGRA~1\THUNKC~1\ <--- this will be in your program files folder and will begin with THUNKC......

C:\PROGRA~1\INTERN~2 <---- same here, except it will begin INTERN...

I am still cautious over fixing and deleting the Option Joy program, so for now can you rename the exe to Send Build.old That should stop it running on startup ...... if you have any problems you can always rename it back to exe.

For now, run hijackthis again (after you have extracted it to its own folder) and fix the following in the same way as you did before.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....ellnet.msn.com/

O2 - BHO: (no name) - {510B58E7-0D10-CC9C-565B-8F9A34235240} - C:\PROGRA~1\THUNKC~1\okayooze.dll

O3 - Toolbar: DriveTimeAim - {3E5699B3-EEDD-D91E-752C-961DE561A523} - C:\PROGRA~1\THUNKC~1\okayooze.dll

Then reboot and delete this folder, after you have sent me a copy

C:\PROGRA~1\THUNKC~1

Post a fresh log...... we are getting there... albeit a bit slowly! :)
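The two points raised in the post above (HijackThis being run from a temporary directory, and a BHO and toolbar that were not in the previous log) can both be found by comparing consecutive logs. As an added example, not part of the original thread and not HijackThis's own code, this Python script diffs two logs and groups new entries by the file behind them; the sample logs are abridged from posts #15 and #17, and the function names are illustrative.

```python
import re

# Abridged excerpts of the logs posted in #15 (before) and #17 (after).
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\gabe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O19 - User stylesheet: C:\WINDOWS\system32\lnzmzv.bp3
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\explorer.exe
C:\Documents and Settings\gabe\Local Settings\Temp\Temporary Directory 2 for hjt.zip\HijackThis.exe

O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {510B58E7-0D10-CC9C-565B-8F9A34235240} - C:\PROGRA~1\THUNKC~1\okayooze.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DriveTimeAim - {3E5699B3-EEDD-D91E-752C-961DE561A523} - C:\PROGRA~1\THUNKC~1\okayooze.dll
"""

# Coded entries look like "R1 - ..." or "O16 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.append((match.group("code"), match.group("body")))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def diff_entries(old, new):
    """Return (added, removed) entries, each in its original log order."""
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


def modules_behind(entries):
    """Group O2/O3 entries by the file path that follows the last ' - '."""
    grouped = {}
    for code, body in entries:
        if code in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1]
            grouped.setdefault(path, []).append(code)
    return grouped


def hijackthis_location_issue(processes):
    """Report 'temp' or 'desktop' if HijackThis.exe runs from such a folder."""
    for path in processes:
        lowered = path.lower()
        if lowered.endswith("\\hijackthis.exe"):
            if "\\temp\\" in lowered:
                return "temp"
            if "\\desktop\\" in lowered:
                return "desktop"
    return None


if __name__ == "__main__":
    procs_before, before = parse_log(LOG_BEFORE)
    procs_after, after = parse_log(LOG_AFTER)
    added, removed = diff_entries(before, after)
    print("new entries:", added)
    print("fixed entries:", removed)
    print("new modules:", modules_behind(added))
    print("run location:", hijackthis_location_issue(procs_after))
```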

#19 xboarder13

Posted 23 May 2004 - 01:36 PM

sorry things are going so slow....not able to be around my computer all the time. thanks again for the help though. hopefully you got all the files i sent. here's the new log.


Logfile of HijackThis v1.97.7
Scan saved at 2:34:47 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\INTERN~2\Send Build.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....ellnet.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [Option Joy] C:\PROGRA~1\INTERN~2\Send Build.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx

#20 nellie2

Posted 23 May 2004 - 01:53 PM

Run hijackthis again and fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....ellnet.msn.com/

O4 - HKLM\..\Run: [Option Joy] C:\PROGRA~1\INTERN~2\Send Build.exe

Reboot and delete this file

C:\PROGRA~1\INTERN~2

Post a fresh log when done!

#21 xboarder13

Posted 23 May 2004 - 06:44 PM

here's the new log. my computer is running extra slow now. is it because of this problem?

Logfile of HijackThis v1.97.7
Scan saved at 5:07:14 PM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....p://about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx

#22 nellie2

Posted 24 May 2004 - 03:25 PM

xboarder13 I'm still with you on this one.... but I need to find out what it is I've missed. I will be back as soon as I have been able to discuss this and get some feedback.

#23 xboarder13

Posted 24 May 2004 - 07:05 PM

thanks for the reply. just lemme know when you figure things out. also my computer seems to be running at normal speed now. thanks.

#24 nellie2

Posted 25 May 2004 - 03:16 PM

Me again... thanks for sending me those files, they seem to be a new variant of LOP see here for info.

Could you have a good look at your desktop and see if there are any strange/new icons there. If you do, right click on it and see if there is an uninstall option.

Failing that... boot into safe mode and run hijackthis again and fix this

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....p://about:blank

Also... do you need two pop up stoppers? The google toolbar is free and very effective.

Can you post a fresh log when done.

#25 xboarder13

Posted 25 May 2004 - 05:50 PM

hi, yeah there was something strange on my desktop a couple days ago, but i ran it through norton anti-virus and then deleted it. i'm pretty sure there was no uninstall option on it. also would you recommend getting rid of the sunbelt software package? i bought it specifically for this problem when it started, thinking it would help, but it was already way past that point. is the google one better than the ones i have? if so, where can i get it?

i rebooted in safe mode and that file didn't turn up in the log. but it did when i ran it in normal mode so i deleted it...? i still seem to be getting the request to change my startup page to prosearching.com though. anyways, here's the new log.

Logfile of HijackThis v1.97.7
Scan saved at 6:51:00 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx

#26 nellie2

Posted 25 May 2004 - 06:32 PM

xboarder13..... your logfile is clean!!! Yay!! If the smileys were working on this board at the minute then I would post one or two!! Well done and thanks for being so patient and working through this one with me.

If you have paid for the software then as long as it is doing the job for you then I see no reason to uninstall it.

I asked because you seem to be running two antipop up programs, the sunbelt one and the panicware one. Sometimes running two programs that are designed to do the same job can cause conflicts.

You can get the google toolbar from here.... it does a lot more than just stop pop ups.
http://toolbar.google.com/

Post back to this thread if you have any more problems and it was nice getting to know you!

#27 xboarder13

Posted 25 May 2004 - 06:47 PM

well i rebooted my computer and ran another log and it seems to still be there. should i just do the same and delete the prosearching file? here's the log.


Logfile of HijackThis v1.97.7
Scan saved at 7:44:26 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....p://about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx

#28 nellie2

Posted 25 May 2004 - 06:58 PM

Oh well that'll teach me.... it is very late where I am, I need to go to bed now. The file that was on your desktop.. is it still in your recycle bin? If yes can you restore it and then do another log?

I will have a bit more of a think about this and get back to you tomorrow.... well it is already tomorrow where I am.... later on then!!

#29 xboarder13

Posted 25 May 2004 - 07:26 PM

unfortunately, i deleted the file already. but if it pops up again i'll definitely let you know. talk to you soon.

#30 nellie2

Posted 26 May 2004 - 02:52 PM

Do any of your pop up programs have an option to set your home page? If yes can you disable it.

Could you also generate and post a start up list. Run hijackthis, click on config then misc tools.

Thanks

#31 xboarder13

Posted 26 May 2004 - 08:18 PM

neither of those programs have that option, but one has the option of preventing websites from changing my homepage....here's the start up list.


StartupList report, 5/26/2004, 9:15:20 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PestPatrol Control Center = C:\PROGRA~1\PESTPA~1\PPControl.exe
PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
CookiePatrol = C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
iHatePopups.exe = "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
siService.exe = "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
BCMSMMSG = BCMSMMSG.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PopUpStopperCompanion = "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssbezier.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

CCHelper - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll - {0CF0B8EE-6596-11D5-A98E-0003470BB48E}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#Deskjet#5550.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[iNotes Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\inotes.dll
CODEBASE = http://wbdc-com.wood...j.us/iNotes.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{D27CDB6E-AE6D-0000-0000-000000000000}]
CODEBASE = http://download.macr...ash/swflash.cab

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EPScontrol.dll
CODEBASE = http://tools.ebayimg...ol_v1-0-3-0.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcaf...356/mcfscan.cab

[Yahoo! Companion]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_1_3_0.dll
CODEBASE = http://us.dl1.yimg.c...ebio5_1_3_0.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://lw10fd.law10....ex/HMAtchmt.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,920 bytes
Report generated in 0.109 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#32 nellie2

Posted 27 May 2004 - 04:17 PM

If you have that option turned on, can you turn it off for now.

Then fix the prosearching line in the hijackthis log again, reboot and post another log!

I shall get some fresh eyes to look at your startup list.

#33 xboarder13

Posted 27 May 2004 - 06:37 PM

ok, i turned that option off, fixed the prosearching line and restarted. also, i share my computer w/ another user and there seems to be the same problem under their user name but it's searchexe.com instead of prosearching.com. should i post a new topic or could we fix this here? lemme know. thanks. here's the new log...


Logfile of HijackThis v1.97.7
Scan saved at 7:31:47 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Sunbelt Software\iHateSpam\siMailProxyServer.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
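
The fix, reboot and re-scan loop followed in this thread, as an added example that is not part of any post or of HijackThis itself: it parses successive logs and reports which entries stayed, went or came back. The four scans are constructed, abbreviated excerpts of logs posted above, and the rule that an entry counts as gone only after two consecutive clean scans (`required_clean`) is this example's assumption.

```python
import re

# Constructed, abbreviated excerpts of four scans posted in this thread,
# oldest first. Most lines are left out; the "...." elisions are as posted.
SCANS = [
    r"""Scan saved at 5:07:14 PM, on 5/23/2004
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....p://about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
""",
    r"""Scan saved at 6:51:00 PM, on 5/25/2004
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
""",
    r"""Scan saved at 7:44:26 PM, on 5/25/2004
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....p://about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
""",
    r"""Scan saved at 7:31:47 PM, on 5/27/2004
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
""",
]

# Result lines are "<section code> - <data>", e.g. "R0 - ...", "O4 - ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
SCAN_PREFIX = "Scan saved at "


def parse_log(text):
    """Return (scan_time, {entry_key: value}) for one HijackThis log."""
    when, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SCAN_PREFIX):
            when = line[len(SCAN_PREFIX):]
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, blank line or a "Running processes" path
        code, data = match.groups()
        # R lines read "registry value = data": key on the registry value so
        # that a changed URL still counts as the same hijacked setting.
        if code.startswith("R") and " = " in data:
            key, value = data.split(" = ", 1)
        else:
            key, value = data, ""
        entries[(code, key)] = value
    return when, entries


def timeline(scans):
    """Map each entry key to presence flags, one per scan, oldest first."""
    parsed = [parse_log(scan)[1] for scan in scans]
    keys = []
    for entries in parsed:
        keys.extend(k for k in entries if k not in keys)
    return {k: [k in entries for entries in parsed] for k in keys}


def classify(seen):
    """Label one entry from its presence flags (oldest scan first)."""
    if all(seen):
        return "persistent"
    history = seen[seen.index(True):]  # ignore scans before the first sighting
    # True if the entry was absent in one scan and present again in a later one.
    came_back = any(not s and any(history[i + 1:]) for i, s in enumerate(history))
    if seen[-1]:
        return "reappeared" if came_back else "new"
    return "recurred" if came_back else "removed"


def triage(scans, required_clean=2):
    """Return {entry_key: (status, verified_gone)} over a series of scans."""
    report = {}
    for key, seen in timeline(scans).items():
        # Count the most recent consecutive scans in which the entry is absent.
        streak = 0
        for present in reversed(seen):
            if present:
                break
            streak += 1
        report[key] = (classify(seen), streak >= required_clean)
    return report


if __name__ == "__main__":
    for (code, key), (status, gone) in triage(SCANS).items():
        print(f"{status:<10} verified_gone={gone!s:<5} {code} - {key}")
```

On these excerpts the Start Page entry is reported as `recurred` and not yet verified gone, because only the latest scan is clean since it last returned.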

#34 xboarder13

Posted 27 May 2004 - 06:39 PM

oh yeah, here's the log from the other user if you want to take a look at it.....


Logfile of HijackThis v1.97.7
Scan saved at 7:16:49 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\PestPatrol\PestPatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchexe.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching....://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yqowaa.outhost.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://213.159.118.226/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?351418 (obfuscated)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [Network Service] C:\WINDOWS\services.exe -sr -0
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O19 - User stylesheet: C:\WINDOWS\system32\nk8gqu.gd4

#35 nellie2

Posted 28 May 2004 - 06:20 AM

Thanks, I'm on my lunch at work at the minute so I will come back and take a look at user no.2 tonight.

With regards to user no.1 I think we have finally cracked it. I suggest you empty your temp files and reboot and then you can reset your homepage fixer if you wish!!

#36 nellie2

Posted 28 May 2004 - 04:26 PM

ok well we will start with Outhost again

Go to Start | Run (type) cmd (click Ok)
From The "Command Prompt" (type)

NET STOP HACKERDEFENDER100 (press Enter)

Note: (that's) NET<space>STOP<space>HACKERDEFENDER100

If successful you should see: (wait 30 sec.)

"The service is not responding to the control function."

See if "winunins.ini" exists and open in Notepad
Paste the contents of "winunins.ini".

#37 xboarder13

Posted 28 May 2004 - 06:49 PM

ok so i typed NET STOP HACKERDEFENDER in the command prompt and it just says "the specified service does not exist as an installed service"

and i looked up "winunins.ini" but nothing came up. this was all done under the second users name.

#38 nellie2

Posted 30 May 2004 - 03:49 PM

Hi... sorry for the delay, having a holiday weekend here in the UK! B)

Can you download CWShredder for user 2. Unzip it to its own folder and run it hitting fix as opposed to scan only.

Then download and Install Spybot S&D, accepting the Default Settings
(Please ensure you have version 1.3 final.)
Home - The home of Spybot-S&D!: http://www.safer-networking.org/
Here is a nice Tutorial http://www.safer-net...p?page=tutorial

Go to Start > Programs >Spybot – Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D

Click the button to ‘Search for Updates’ and download and install the Updates.

Next click the button ‘Check for Problems’

When Spybot is complete, it will be showing ‘RED’ entries ‘BLACK’ entries and ‘GREEN’ entries in the window

Put a check mark beside the RED entries ONLY.

Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

REBOOT

================================================
Scanning in Ad-Aware:
(please ensure you have version 6 build 6. 181)
Downloads - Support - Lavasoft#free: http://www.lavasoftu.../download/#free

The following explains how to set Ad-aware's settings to perform a "Full Scan."
And some settings that should be made prior to using the first time.

In Ad-aware click the Gear to go to the Settings area.
The following items should be on a green check, not on a red X.
Under the Scanning button:
Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Tweak button...
Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot

UNCHECK Automatically try to unregister objects prior to deletion

Click Proceed to save these settings.
Now press "check for updates Now" Always check before scanning.
Click start [x] choose use default scanning options
click next and let it fix anything it finds

Reboot
http://www.lavahelp....scan/index.html

When done run hijackthis again and post a fresh log please, thanks

#39 xboarder13

Posted 31 May 2004 - 05:58 PM

hello, everything ran pretty smoothly except that i couldn't fix a file called "domestic germany" with spybot....but here's my new log.


Logfile of HijackThis v1.97.7
Scan saved at 6:54:06 PM, on 5/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx


#41 nellie2

Posted 01 June 2004 - 06:32 AM

Everything is looking rather nice in there now!! :D

You just need to fix the following with HJT and then we are done

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

:wave:

#42 xboarder13

Posted 01 June 2004 - 11:24 AM

ok everything should be fine now. thanks a bunch for your time and effort! my computer thanks you as well! here's a new log just in case....but everything looks fine.



Logfile of HijackThis v1.97.7
Scan saved at 12:21:14 PM, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Sunbelt Software\iHateSpam\siService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Sunbelt Software\iHateSpam\siSpamFilterEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gabe\My Documents\hijack\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [iHatePopups.exe] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\Sunbelt Software\iHateSpam\siService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector] "C:\Program Files\Sunbelt Software\iHatePopups\iHatePopups.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\allowsite.htm
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\Sunbelt Software\iHatePopups\denysite.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: iHatePopups (HKCU)
O9 - Extra 'Tools' menuitem: iHatePopups (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://wbdc-com.wood...j.us/iNotes.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...356/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx

#43 nellie2

Posted 01 June 2004 - 11:32 AM

looking good xboarder13 :bounce:
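
The last step of this thread (fix two R1 entries, then post a fresh log to confirm) can be checked mechanically by diffing the entry lines of two HijackThis logs. The script below is an added example, not part of the original thread or of HijackThis; the function names and the shortened log excerpts are assumptions constructed from lines posted above.

```python
import re
from collections import defaultdict

# A HijackThis entry line is "<section code> - <text>", e.g. "R1 - ..." or "O16 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Constructed excerpts built from lines in the 31 May and 1 June logs above
# (shortened; not complete copies of either log).
LOG_31_MAY = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
"""
LOG_1_JUNE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
"""
# The two lines the helper asked to have fixed with HJT on 1 June.
REQUESTED_FIXES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
"""


def parse_entries(log_text):
    """Return the set of (code, text) entries; header and process lines are skipped."""
    entries = set()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.add((match.group(1), match.group(2).strip()))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added) entries between two scans, grouped by section code."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed, added = defaultdict(list), defaultdict(list)
    for code, text in sorted(before - after):
        removed[code].append(text)
    for code, text in sorted(after - before):
        added[code].append(text)
    return dict(removed), dict(added)


def still_present(requested_text, after_text):
    """Entries that were requested to be fixed but still appear in the follow-up log."""
    return sorted(parse_entries(requested_text) & parse_entries(after_text))


if __name__ == "__main__":
    removed, added = diff_logs(LOG_31_MAY, LOG_1_JUNE)
    print("removed:", removed)
    print("added:", added)
    print("not yet fixed:", still_present(REQUESTED_FIXES, LOG_1_JUNE))
```

An empty "not yet fixed" list confirms the requested entries are gone; anything under "added" is worth a second look, since a new autostart or BHO entry appearing between scans can mean something reinstalled itself.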



