#1 (permalink) |
|
Registered User
Join Date: Dec 2004
Posts: 16
OS: Win98
|
Need some help cleaning up. New user needs help!

Hello to all.

I tried posting my issue in another forum, but I think this is the right one. If I am sounding like a broken record to you the tech guru, I apologize. I tried searching the resolved threads to fix my problem, but I know each CPU has its own fix and I am way too green to this information to do what is right for my computer. So, here it goes:

I am running on Windows 98 and using Spybot S&D for my anti Spyware protection. Like others who have posted here, I am now having pop-up window problems and slow performance due to my inability to delete the CoolWWW Search files, plus I am sure many other little buggers in my CPU I have no idea about. So, to follow suit with everyone else, I downloaded HiJack this and will post my log in hope for a response (I have never run this program before):

Logfile of HijackThis v1.99.0
Scan saved at 11:54:25 PM, on 12/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RCCARV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
C:\WINDOWS\SYSTEM\KALVUKJ32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\2WIRE WIRELESS\CLIENT MANAGER\CMTWO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\rccarv.exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVUKJ32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O4 - Startup: tiigtk.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O15 - Trusted Zone: *.msn.com
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.upp2ono41xi9rman2.com/ff/inst.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O18 - Protocol: spinware - {B15A890F-1059-11D2-ABF9-DD1614E90B2A} - C:\PROGRAM FILES\SPINWARE\SPINWARE CONNECT\SPINWARE.DLL
O19 - User stylesheet: (file missing)

Any help would be greatly appreciated. Also, I have been having a recurring problem rebooting in which I receive an error message concerning the file HIMEM.SYS missing. I don't know if this is connected or if I could be referred to another area on this forum. In my limited research, I have read this is somehow connected to memory capacity on my computer.

Thanks for the time and cheers!
#2 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
|
Hi

Make sure you close your browser and then run CWShredder and Adaware (check for updates) as these will do a preliminary clean first. Some files below may not be present after running the above programs.

Then....

With your browser window still closed run hjt in safe mode...

HOW TO RUN SAFE MODE

and have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes and selecting "fix checked". If any EXE files have been selected go into HijackThis/Config/Misc/Tools/ and open process manager. Select the EXE files (if they are there) and click Kill process before deleting.

Folders that have been highlighted RED in the log will need to be uninstalled. Check first as some folders may be uninstalled via the Add/Remove program.

Files highlighted in BLACK in the log will need to be removed from your hard drive.

Make sure to have your system set to show hidden files and folders..

HOW TO SHOW FILES

When done Download Cleanup and run it to clean out the temp folders .. Then please reboot and post a new log when finished...

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\rccarv.exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVUKJ32.EXE
O4 - Startup: tiigtk.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.msn.com
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.upp2ono41xi9rman2.com/ff/inst.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O18 - Protocol: spinware - {B15A890F-1059-11D2-ABF9-DD1614E90B2A} - C:\PROGRAM FILES\SPINWARE\SPINWARE CONNECT\SPINWARE.DLL
O19 - User stylesheet: (file missing)
__________________
Eddy
Last edited by Pancake : 12-30-2004 at 01:25 AM.
#3 (permalink) |
|
Registered User
Join Date: Dec 2004
Posts: 16
OS: Win98
|
Thank you for the response. I went through the steps and ran a new log. Just so you know, I was still receiving pop-ups when I loaded IExplorer.

Logfile of HijackThis v1.99.0
Scan saved at 1:34:41 AM, on 12/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\2WIRE WIRELESS\CLIENT MANAGER\CMTWO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O15 - Trusted Zone: *.msn.com
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.upp2ono41xi9rman2.com/ff/inst.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O19 - User stylesheet: (file missing)

Hope to hear from you soon mate! Cheers!
#4 (permalink) |
|
Analyst, Security Team
|
It looks like you have one of the newer infections. This will require more than one step to remove.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked.

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download Winsock2Fix and unzip it. Then double-click on it to run it.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O15 - Trusted Zone: *.msn.com
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.upp2ono41xi9rman2.com/ff/inst.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O19 - User stylesheet: (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

c:\windows\system\aklsp.dll

Reboot into Normal Mode and run new HijackThis scan. Save the log file and run HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

DO THE FOLLOWING ALSO (POST IT ALONG WITH THE HIJACKTHIS LOG):

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer. If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
VX2Finder http://www.greyknight17.com/spy/VX2Finder.exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
DllCompare http://www.greyknight17.com/spy/DllCompare.exe

Please follow the steps below:

1. Run Kill2Me.

2. Run VX2Finder and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum.

3. Now download/run the following uninstallers:
Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.igetnet.com/downloads/NLNuninstall.exe
ClearSearch Uninstaller http://www.hijackthislogs.com/dl/ClrSchUninstall.exe

4. Run DllCompare now and click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on 'Make a log of what was found'. Post that log here.

5. Go to C:\WINDOWS\SYSTEM\ and sort the files by date. Look for more recent created files and post them here. They are usually random named DLL files.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.

C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
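Added example (not part of the thread, and not code from HijackThis or its authors): the "if they still exist" check in the post above, done mechanically by comparing an analyst's fix list with a later scan, plus a grouping of O1 hosts-file entries by address. The function names and the shortened sample inputs are assumptions built from entries that appear in this thread's logs.

```python
import re
from collections import Counter, defaultdict

# Constructed inputs: a shortened fix list and a shortened later scan,
# made up of entries that appear in this thread's logs.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O15 - Trusted Zone: *.msn.com
"""

NEW_SCAN = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
"""

# An entry line is a section code (R0, O1, O16, ...) followed by " - " and a body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            # Collapse whitespace so forum copy/paste differences do not break matching.
            entries.append((match.group(1), " ".join(match.group(2).split())))
    return entries


def _key(entry):
    # Registry paths and Windows file names are case-insensitive, so compare folded.
    return (entry[0], entry[1].casefold())


def still_present(fix_list_text, new_scan_text):
    """Fix-list entries that the new scan still reports, as (section, body, copies)."""
    remaining = Counter(_key(e) for e in parse_entries(new_scan_text))
    seen, result = set(), []
    for entry in parse_entries(fix_list_text):
        key = _key(entry)
        if key in seen:          # the fix list may repeat a line; report it once
            continue
        seen.add(key)
        if remaining[key]:
            result.append((entry[0], entry[1], remaining[key]))
    return result


def hosts_redirects(log_text):
    """Group O1 (hosts file) entries by address: {ip: sorted hostnames mapped to it}."""
    by_ip = defaultdict(set)
    for section, body in parse_entries(log_text):
        if section == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2:
                by_ip[parts[0]].update(parts[1:])
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    for section, body, copies in still_present(FIX_LIST, NEW_SCAN):
        print(f"still present ({copies}x): {section} - {body}")
    for ip, names in hosts_redirects(NEW_SCAN).items():
        print(f"{ip} <- {', '.join(names)}")
```

On these samples the three hosts-file lines are the only fix-list entries that survive into the later scan, and they all map search hostnames to the same address.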
#5 (permalink) |
|
Registered User
Join Date: Dec 2004
Posts: 16
OS: Win98
|
Thank you for the detailed response. I have a few questions concerning the steps and a few problems I have had. First, the link for the IGNKeyword uninstaller was no good and I could not download that program. Second, for the list of files in C:/WINDOWS, how recent would you like me to post? Do you want just .dll files or all files? Also, and this will help in the last two steps, is there an easy way to make a list of files from the folders so I don't have to manually write each file name out? Can I just copy the file information and save it as a text file? I will leave my computer running until I receive a response. I have already completed the HijackThis Analyzer log, the VM2 log, and the Dllcompare log. Thank you again!!
#7 (permalink) |
|
Analyst, Security Team
|
Go to Start->Run and type in command and hit OK. Then type in the following and hit Enter key after each line:

cd c:\windows
dir /O:D >> c:\files.txt
exit

Now go into your C: drive and look for a files.txt file. Open that up and post it here. It will list the contents of your windows folder. Please post that and all the other logs now.
#8 (permalink) |
|
Registered User
Join Date: Dec 2004
Posts: 16
OS: Win98
|
Here is the HiJack Analyzer log:

Logfile of HijackThis v1.99.0
Scan saved at 12:11:50 PM, on 12/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\2WIRE WIRELESS\CLIENT MANAGER\CMTWO.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - Startup: 2Wire Wireless Client Manager.lnk = C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

Here is the VX2 log (the program didn't actually create a log so I copied the information that showed up in the dialog box):

Files Found---

User Agent String---
{DAB04960-4875-11D9-8735-00022DBFC1BC}

Here is the Dll compare log:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\dxlayx.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ioseng.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ctnemast.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\pdtorec.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sllwid.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sjp32.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wfvadvd.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\drusic16.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mwrd3x40.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\caral.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\llaadr32.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\llpng62n.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\vir.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\obe2disp.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mgoeacct.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mfbe.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mlidntld.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\afcodc32.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\iysetup.dll Mon Dec 6 2004 11:34:56p ..S.R 217,088 212.00 K
________________________________________________
909 items found: 909 files (19 H/S), 0 directories.
Total of file sizes: 176,741,513 bytes 168.55 M

And finally, the files.txt log from my C: drive: |