Help - Search - Members - Calendar
Full Version: Hijack this log
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
sbackers
Jul 10 2004, 08:49 PM
Here's my hijack this log. I'm hoping you can provide some insight.

Logfile of HijackThis v1.97.7
Scan saved at 4:28:52 PM, on 07/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\uptodate.exe
C:\WINNT\system32\hvcshx.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\PROGRA~1\WEATHE~1\Weather.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Valued Customer\Application Data\uarp.exe
C:\WINNT\system32\NDrv.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Power Scan\powerscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
C:\WINNT\system32\cdonts.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tri-citiesonline.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.preferred.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.goto.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...count_id=137004
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The East Tennessee Network
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.preferred.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\system32\stlbclick.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINNT\System32\btiein.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem300.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho12.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\system32\stlbclick.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\STLBCL~1.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [mcjgttxsspn] C:\WINNT\system32\hvcshx.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [ClockSync] "C:\PROGRA~1\CLOCKS~1\Sync.exe" /q
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Aonp] C:\Documents and Settings\Valued Customer\Application Data\uarp.exe
O4 - HKCU\..\Run: [cdonts] C:\WINNT\system32\cdonts.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\system32\NDrv.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm41435
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ier/experience/
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www116.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/114a7d7fbc70cb6b3f02/...ip/RdxIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8065.7368171296
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/Lig...loadControl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://akweb.whenu.com/WsCsAutoWCCS0017.cab
CalamityJane
Jul 10 2004, 11:59 PM
Hi sbackers Wave.gif

You've got quite a collection of spyware there :o

This will take a number of steps and tools to clean it all up (All of these tools are free)

Our job will be easier if you would please first download and run these two free Antispyware scanners. You can keep these on board as well for recommended weekly updating and scanning to keep your PC clean

Updating them first is very important - please do not skip that step.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)

Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R331 08.07.2004 or higher listed.

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning

Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile

In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.

Now scan with Adaware (use Custom mode) and let it remove all bad files found. Reboot your PC and scan again. Continue that process until no more *bad* files are found
.......................................................
Next
Download Spybot Search and Destroy
http://www.safer-networking.org/

How to Use Spybot
(click on the Tutorial link at the top in the program)

How to Update Spybot

Click on *Search for updates*. It will find and list the updates available, please make sure all are checkmarked and then press *download Updates* button. When they are done you should see a green checkmark beside each update in the list.

Next, close all Internet Explorer windows, Click on *Search and Destroy* in the far left menu and then *Check for Problems*. This will start a scan of your system.

Have SpyBot remove/fix all it finds that are in RED
............................
Now, please reboot once more. Download this free tool to cleanup any leftover coolwebsearch infection:

Download CWShredder here:

http://www.merijn.org/files/cwshredder.zip or
(the unzipped version) http://www.merijn.org/files/CWShredder.exe
http://www.majorgeeks.com/download4086.html
http://www.computercops.biz/downloads-file-349.html
Just download it, and click on it (You will need to have all browsers and any open windows closed). Hit the *Fix* button to run it. Let it fix what it finds. When done, press *next* and you will get the results, and then *exit*

Reboot your PC after cleaning with CWShredder.

Update your HijackThis program. We are now on version 1.98.0

Open HijackThis.exe and press *config* {bottom right corner} and then press *Misc. Tools* at the top. Next press *check for online update* and you should see version 1.98.0 available. Download that.

P.S. If you have any problems getting the update. Simply delete your old version of HijackThis and download the new version from this link.
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

or here:
http://www.majorgeeks.com/downloadget.php?...a8baee6434cfc13

Now, please scan once more with HijackThis and post a fresh log please to see what remains to be done.
sbackers
Jul 11 2004, 06:54 PM
Okay. Thanks so much. Here's the latest log.


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\system32\cdonts.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.preferred.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.goto.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tri-citiesonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.preferred.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The East Tennessee Network
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [mcjgttxsspn] C:\WINNT\system32\hvcshx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [cdonts] C:\WINNT\system32\cdonts.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ier/experience/
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/114a7d7fbc70cb6b3f02/...ip/RdxIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/Lig...loadControl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
CalamityJane
Jul 11 2004, 10:46 PM
Good job :)

Scan with HijackThis and checkmark this item, then press *fix checked*

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/114a7d7fbc70cb6b3f02/...ip/RdxIE601.cab

and reboot your PC.

If you did not intentionally install the MyWay and MyWeb Searchbars you can remove them via Add/Remove programs in the Control Panel. It comes with the Smiley Central Fun Web products. You'll need to tell me if you want these removed or if you intend to keep them, as I did not include them in the list of stuff to remove in cleanup. See the discussion here:
Smiley Central, Is it safe to use?
http://forum.gladiator-antivirus.com/index...showtopic=14639
sbackers
Jul 12 2004, 01:01 AM
Again, thanks so much. :)

I really appreciate it.

I do want to get rid of the MyWay and MyWeb Searchbars. I believe that's where the problem started due to my teenager.

One other question. AIM is not working properly since I've been doing my housekeeping. Would it just be easier to re-install?
sbackers
Jul 13 2004, 01:51 PM
We did re-install AIM but we're still having the same problem. It won't let us type a message any ideas?
CalamityJane
Jul 13 2004, 04:22 PM
If you did already remove the MyWay and MyWEb searchbars, please go ahead and scan once more with HijackThis and post a fresh log so I can see what remains :)
sbackers
Jul 13 2004, 05:16 PM
I didn't remove the search bars. Can you tell me exactly what I need to delete before I run another log?
CalamityJane
Jul 13 2004, 07:20 PM
Go to Start > Control Panel > Add/Remove programs. You will see a list. Look for any of these

MyWay Speedbar (searchbar?) It would be begin with MyWay

MyWeb (same as above...name would begin with MyWeb)

Fun Web Products

Highlight the entry and press *remove* and wait while the program is uninstalled from your computer. When you have finished - reboot your PC and scan again with HijackThis and post a fresh log. I can then see if anything is left behind to remove :)
sbackers
Jul 13 2004, 07:46 PM
Here's my latest log. I hope this has gotten everything. At least we're not getting the pop-ups that we were.

Logfile of HijackThis v1.98.0
Scan saved at 3:44:49 PM, on 07/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\system32\cdonts.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.preferred.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.goto.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tri-citiesonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.preferred.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The East Tennessee Network
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [cdonts] C:\WINNT\system32\cdonts.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ier/experience/
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1410/ftp.../v7/brix6ie.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp...20/cpbrxpie.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/Lig...loadControl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
CalamityJane
Jul 13 2004, 08:14 PM
There are a few more items and one questionable one.

First, you can uninstall Viewpoint through the Control Panel in add/remove programs just as you did for the MyWay & MyWeb programs. That is a totally useless addon that comes with AIM (not harmful but you don't need it)

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} -
C:\WINNT\system32\NDrv.dll

O4 - HKCU\..\Run: [cdonts] C:\WINNT\system32\cdonts.exe

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...ier/experience/

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
..........................................
Reboot your PC.

Look for this file: C:\WINNT\system32\cdonts.exe <--- Do you know what this is?

If not, please post the results of your last scan with Adaware which will tell me something about the file. (Adaware logs are in the Lavasoft folder under C:\Program Files\Lavasoft\Ad-aware 6 <---in this folder when you go to *My Computer* and navigate to it. Just copy and paste the text of the latest log back here in a reply :)
sbackers
Jul 14 2004, 12:18 AM
Look for this file: C:\WINNT\system32\cdonts.exe <--- Do you know what this is?


No, I don't recognize it at all.

Here's the log from my last scan this afternoon:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, July 13, 2004 3:15:46 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R331 08.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R331 08.07.2004
Internal build : 263
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1300142 Bytes
Signature data size : 1279388 Bytes
Reference data size : 20690 Bytes
Signatures total : 28395
Target categories : 10
Target families : 519

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:42 %
Total physical memory:392688 kb
Available physical memory:163348 kb
Total page file size:942276 kb
Available on page file:715976 kb
Total virtual memory:2097024 kb
Available virtual memory:2053804 kb
OS:Windows 2000

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


07-13-2004 3:15:46 PM - Scan started. (Custom mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 07-13-2004 5:46:44 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:46:49 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:46:50 PM
BasePriority : Normal
FileSize : 87 KB
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/07/1999 4:00:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:46:50 PM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.6695
ProductVersion : 5.00.2195.6695
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/07/1999 4:00:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:46:54 PM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/07/1999 4:00:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 12/07/1999 4:00:00 PM

#:6 [lexbces.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:46:54 PM
BasePriority : Normal
FileSize : 293 KB
FileVersion : 7.1
ProductVersion : 7.1
Copyright : © 1993 - 2001 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 10/26/2002 4:57:42 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/08/2002 7:33:10 AM

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:46:54 PM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 02/10/2002 4:43:25 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:8 [lexpps.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:46:55 PM
BasePriority : Normal
FileSize : 166 KB
FileVersion : 7.1
ProductVersion : 7.1
Copyright : © 1993 - 2001 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 10/26/2002 4:57:42 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/08/2002 7:30:24 AM

#:9 [avgserv.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 07-13-2004 5:46:56 PM
BasePriority : Normal
FileSize : 16 KB
FileVersion : 6.0.1.696
ProductVersion : 6.0.1.696
Copyright : Copyright © GRISOFT 1998-2004
CompanyName : GRISOFT s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
OriginalFilename : AvgServ
ProductName : AVG6
Created on : 07/10/2004 9:16:02 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/22/2004 10:00:00 AM

#:10 [cdac11ba.exe]
FilePath : C:\WINNT\System32\drivers\
ThreadCreationTime : 07-13-2004 5:46:56 PM
BasePriority : Normal
FileSize : 51 KB
FileVersion : 4.16.050
ProductVersion : 4.16.050 Windows NT 2002/04/24
Copyright : Copyright © 1998-2002 Macrovision Corp.
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
OriginalFilename : CDANTSRV.EXE
ProductName : SafeCast Windows NT
Created on : 01/02/2003 8:54:43 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 01/02/2003 8:54:44 PM

#:11 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 07-13-2004 5:47:00 PM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/07/1999 4:00:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 12/07/1999 4:00:00 PM

#:12 [ptssvc.exe]
FilePath : C:\Program Files\Kodak\Kodak EasyShare software\bin\
ThreadCreationTime : 07-13-2004 5:47:01 PM
BasePriority : Normal
FileSize : 80 KB
FileVersion : 1, 0, 2, 214
ProductVersion : 3, 0, 0, 220
Copyright : Copyright
CompanyName : KODAK
FileDescription : ptssvc
InternalName : ptssvc
OriginalFilename : ptssvc.exe
ProductName : KODAK PTS service
Created on : 04/06/2003 10:58:36 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 04/06/2003 10:58:36 AM

#:13 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:47:02 PM
BasePriority : Normal
FileSize : 66 KB
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 03/20/2004 12:54:30 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:14 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:47:03 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
Copyright : Copyright © Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 03/20/2004 12:52:14 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:15 [scsiaccess.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:47:07 PM
BasePriority : Normal
FileSize : 177 KB
Created on : 02/04/2003 12:22:30 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 02/04/2003 12:22:30 PM

#:16 [stisvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:47:07 PM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 5.00.2195.6656
ProductVersion : 5.00.2195.6656
Copyright : Copyright © Microsoft Corp. 1996-1997
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
OriginalFilename : STIMON.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 03/20/2004 12:55:41 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:17 [vsmon.exe]
FilePath : C:\WINNT\system32\ZONELABS\
ThreadCreationTime : 07-13-2004 5:47:07 PM
BasePriority : Normal
FileSize : 893 KB
FileVersion : 3.7.159
ProductVersion : 3.7.159
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 05/23/2003 6:35:34 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/22/2003 4:46:04 AM

#:18 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 07-13-2004 5:47:08 PM
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
Copyright : Copyright © Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 03/20/2004 12:56:50 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:19 [mspmspsv.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 07-13-2004 5:47:09 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.10.00.3059
ProductVersion : 7.10.00.3059
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft ® DRM
Created on : 10/15/2003 6:31:05 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 10/01/2001 11:48:44 PM

#:20 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:47:09 PM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/07/1999 4:00:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 12/07/1999 4:00:00 PM

#:21 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 07-13-2004 5:47:19 PM
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 03/20/2004 12:45:01 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:22 [rundll32.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:47:36 PM
BasePriority : Normal
FileSize : 9 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/07/1999 4:00:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 12/07/1999 4:00:00 PM

#:23 [atiptaxx.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:47:37 PM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 6.13.2517
ProductVersion : 6.13.2517
Copyright : Copyright © 1998-2001 ATI Technologies Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
OriginalFilename : Atiptaxx.exe
ProductName : ATI Desktop Component
Created on : 09/14/2001 12:15:08 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 09/14/2001 12:15:08 PM

#:24 [lxsupmon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 07-13-2004 5:47:37 PM
BasePriority : Normal
FileSize : 879 KB
FileVersion : 3.1.111.1
ProductVersion : 3.1.111.1
Copyright : Copyright
CompanyName : Lexmark International Inc.
FileDescription : Supplies Monitor
InternalName : LXSUPMON
OriginalFilename : LXSUPMON.RC
ProductName : Lexmark Supplies Monitor
Created on : 10/26/2002 4:57:42 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/08/2002 8:02:56 AM

#:25 [tgcmd.exe]
FilePath : C:\Program Files\Support.com\bin\
ThreadCreationTime : 07-13-2004 5:47:38 PM
BasePriority : Normal
FileSize : 1508 KB
FileVersion : 5,5,402,0
ProductVersion : 5,5,402,0
Copyright : Copyright 1997-2069 Support.com
CompanyName : Support.com, Inc.
FileDescription : Support.com Scheduler and Command Dispatcher
InternalName : TGCMD
OriginalFilename : TGCMD.EXE
ProductName : Support.com Scheduler and Command Dispatcher
Created on : 04/24/2002 3:55:54 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 04/24/2002 9:37:44 PM

#:26 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 07-13-2004 5:47:38 PM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.0.2
ProductVersion : QuickTime 6.0.2
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 08/04/2003 3:20:08 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 08/04/2003 3:20:10 PM

#:27 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 07-13-2004 5:47:40 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.20.0130
ProductVersion : 8.20.0130
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 04/12/2004 4:38:37 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 04/20/2004 8:50:16 PM

#:28 [mwsoemon.exe]
FilePath : C:\PROGRA~1\MYWEBS~1\bar\1.bin\
ThreadCreationTime : 07-13-2004 5:47:40 PM
BasePriority : Normal
FileSize : 24 KB
FileVersion : 1,2,1,0
ProductVersion : 2,0,0,0
Copyright : Copyright
CompanyName : MyWebSearch.com
FileDescription : My Web Search Email Plugin
InternalName : mwsoemon
OriginalFilename : mwsoemon.exe
ProductName : My Web Search Bar for Internet Explorer, email clients, and messenger clients
Created on : 04/16/2004 10:41:51 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 04/16/2004 10:41:52 PM

#:29 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ThreadCreationTime : 07-13-2004 5:47:40 PM
BasePriority : Normal
FileSize : 37 KB
FileVersion : 9.76.046
ProductVersion : 9.76.046
Copyright : © 1987-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 04/12/2004 4:37:21 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/19/2003 1:50:00 PM

#:30 [avgcc32.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ThreadCreationTime : 07-13-2004 5:47:41 PM
BasePriority : Normal
FileSize : 337 KB
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
OriginalFilename : AvgCC32.EXE
ProductName : AVG Anti-Virus System
Created on : 07/10/2004 9:16:02 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/22/2004 10:00:00 AM

#:31 [ppwebcap.exe]
FilePath : C:\PROGRA~1\ScanSoft\PAPERP~1\
ThreadCreationTime : 07-13-2004 5:47:46 PM
BasePriority : Normal
FileSize : 47 KB
FileVersion : 6.5
ProductVersion : 6.5
Copyright : Copyright
CompanyName : Scansoft Inc.
FileDescription : Web Capture
InternalName : PPWebCap
OriginalFilename : PPWebCap.exe
ProductName : PaperPort
Created on : 02/11/2002 2:18:35 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/01/2000 1:37:00 PM

#:32 [wcmdmgr.exe]
FilePath : C:\WINNT\wt\updater\
ThreadCreationTime : 07-13-2004 5:47:47 PM
BasePriority : Idle
FileSize : 148 KB
FileVersion : 1.6.2.3
ProductVersion : 1.6.2.3
Copyright : Copyright
CompanyName : WildTangent, Inc.
FileDescription : wcmdmgr
InternalName : WildTangent Updater Service
OriginalFilename : wcmdmgr.exe
ProductName : WildTangent Updater Service
Created on : 07/13/2004 12:45:56 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/12/2004 7:53:48 PM

#:33 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ThreadCreationTime : 07-13-2004 5:47:48 PM
BasePriority : Normal
FileSize : 4572 KB
FileVersion : 6.1.0211
ProductVersion : Version 6.1
Copyright : Copyright © Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : Messenger
Created on : 03/04/2004 7:01:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/04/2004 7:01:00 PM

#:34 [aim.exe]
FilePath : C:\PROGRA~1\AIM\
ThreadCreationTime : 07-13-2004 5:47:52 PM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 5.5.3595
ProductVersion : 5.5.3595
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
OriginalFilename : AIM.EXE
ProductName : AOL Instant Messenger
Created on : 07/13/2004 5:39:45 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 04/27/2004 10:18:34 PM

#:35 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ThreadCreationTime : 07-13-2004 5:48:03 PM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
Copyright : Copyright © WinZip Computing, Inc. 1991-2001 - All Rights Reserved
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
OriginalFilename : WZQKPICK.EXE
ProductName : WinZip
Created on : 03/26/2003 9:06:19 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 02/11/2003 12:10:00 PM

#:36 [zonealarm.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 07-13-2004 5:48:10 PM
BasePriority : Normal
FileSize : 609 KB
FileVersion : 3.7.159
ProductVersion : 3.7.159
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : ZoneAlarm
InternalName : zonealarm
OriginalFilename : zonealarm.exe
ProductName : ZoneAlarm
Created on : 05/23/2003 6:35:36 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/22/2003 4:47:04 AM

#:37 [easyshare.exe]
FilePath : C:\Program Files\Kodak\Kodak EasyShare software\bin\
ThreadCreationTime : 07-13-2004 5:48:15 PM
BasePriority : Normal
FileSize : 584 KB
FileVersion : 2, 0, 2, 225
ProductVersion : 3, 0, 0, 221
Copyright : Copyright
CompanyName : Eastman Kodak Company
FileDescription : Kodak EasyShare software
InternalName : EasyShare
OriginalFilename : EasyShare.exe
ProductName : Kodak EasyShare software
Created on : 04/09/2003 10:56:24 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 04/09/2003 10:56:24 AM

#:38 [backweb-7288971.exe]
FilePath : C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\
ThreadCreationTime : 07-13-2004 5:48:19 PM
BasePriority : Normal
FileSize : 16 KB
Created on : 03/13/2002 9:08:34 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/13/2002 9:08:34 AM

#:39 [wuauclt.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 5:48:33 PM
BasePriority : Normal
FileSize : 138 KB
FileVersion : 5.4.3630.2554 built by: lab04_n
ProductVersion : 5.4.3630.2554
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 03/20/2004 12:52:42 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/19/2003 6:05:04 PM

#:40 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 07-13-2004 5:52:18 PM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/07/1999 4:00:00 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 12/07/1999 4:00:00 PM

#:41 [msimn.exe]
FilePath : C:\Program Files\Outlook Express\
ThreadCreationTime : 07-13-2004 6:23:22 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Outlook Express
InternalName : MSIMN
OriginalFilename : MSIMN.EXE
ProductName : Microsoft
Created on : 08/29/2002 11:06:02 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 08/29/2002 11:06:02 AM

#:42 [ymsgr_tray.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ThreadCreationTime : 07-13-2004 6:44:46 PM
BasePriority : Normal
FileSize : 88 KB
Created on : 04/30/2004 6:59:37 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 06/10/2004 6:14:54 PM

#:43 [cdonts.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 07-13-2004 7:12:42 PM
BasePriority : Normal
FileSize : 51 KB
Created on : 03/17/2004 1:02:03 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 03/17/2004 1:02:04 AM

#:44 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 07-13-2004 7:15:34 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 07/10/2004 8:42:51 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/13/2003 1:00:20 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Tracking Cookie Object recognized!
Type : File
Data : valued customer@ads.adsag[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/13/2004 12:51:53 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/13/2004 12:51:54 AM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@bluestreak[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/11/2004 6:26:13 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/11/2004 6:26:14 PM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@as1.falkag[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/11/2004 5:39:51 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/11/2004 5:39:52 PM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@qksrv[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/11/2004 5:40:16 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/11/2004 5:40:20 PM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@stat.onestat[2].txt
Category : Data Miner
Comment : www.searchtraffic.com
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/11/2004 5:40:19 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/11/2004 5:40:20 PM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@tribalfusion[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/11/2004 6:26:10 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/11/2004 6:26:12 PM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@citi.bridgetrack[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/11/2004 8:15:55 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/11/2004 8:15:56 PM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@zedo[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/13/2004 1:07:12 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/13/2004 1:07:14 AM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@2o7[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/12/2004 12:43:59 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/12/2004 12:44:00 AM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@project1.realtracker[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/12/2004 1:45:29 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/12/2004 1:45:30 PM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@questionmarket[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/13/2004 12:41:01 AM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/13/2004 1:14:30 AM



Tracking Cookie Object recognized!
Type : File
Data : valued customer@edge.ru4[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Valued Customer\Cookies\

Created on : 07/13/2004 5:43:12 PM
Last accessed : 07/13/2004 4:00:00 AM
Last modified : 07/13/2004 5:43:14 PM



Disk scan result for C:\
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 12


Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Hosts file scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
1 entries scanned.
New objects :0
Objects found so far: 12




Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 12


3:30:19 PM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:14:32:255
Objects scanned :145708
Objects identified :12
Objects ignored :0
New objects :12
CalamityJane
Jul 14 2004, 12:44 AM
Please reboot your PC into safe mode:

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Scan with HijackThis and checkmark this entry, then press *fix checked*

O4 - HKCU\..\Run: [cdonts] C:\WINNT\system32\cdonts.exe

Stay in safe mode and navigate to the file

C:\WINNT\system32\cdonts.exe

(Start >My Computer> C: (local disk) > WINNT > system32 > cdonts.exe <---rename the file from cdonts.exe to cdonts.old (you can rightclick on the file once and choose *rename* - change the file extension letters to .old)

Reboot back into normal mode. Reply here and attach the file cdonts.old to your reply (just type in your text and scroll down to the section *file attachments* - hit the *browse button* and navigate to the file like you did above. Highlight it and press open then hit the *add reply* button
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.