Old 07-07-2005, 01:30 PM   #1 (permalink)
Silven - Registered User

Here's another one for ya guys

Alrighty, here's a log for you. Nothing too difficult, at least, it shouldn't be. Good luck and thanks for your time.


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:01:05 PM, on 7/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINNT\System32\freecell.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Documents and Settings\Administrator\My Documents\Mics\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SS1HelperStartUp] C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE /partner SS1
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxmk500YYUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.reciperewards.com/bundles/reciperewards.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================


Alrighty, an apprentice should be able to handle this one. Good luck guys, and I await removal instructions!
Old 07-08-2005, 06:28 AM   #2 (permalink)
oddjob - Registered User


Hi Silven

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

When you next reply could you please let me have a summary of any problems experienced on this PC (including onscreen error messages, operation difficulties and so on). Thanks.

OJ

Last edited by oddjob; 07-08-2005 at 06:31 AM.
Old 07-08-2005, 01:44 PM   #3 (permalink)
oddjob - Registered User


Hi again Silven

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

BroadJump & Support.com

If you have one of these you will most likely have the other. Either way, here is some information on them.

BroadJump - Newer name for BroadJump Foundation Client (BJCFD) - from BroadJump.com - now Motive.

The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit.

Support.com - Spyware from SupportSoft provided to manufacturers, such as Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information.

I would ask your ISP on how to remove it and why they installed it in the first place. Please do not uninstall the program, since it looks like it is required for your internet connection. This especially applies to those who use SBC as their ISP (Internet Service Provider). If they can't/won't resolve this problem for you, then it's time to switch to another provider that doesn't embed this spyware in their program. You will most likely also have BroadJump installed. The same situation applies here also. Try to find out how to remove it from your ISP. Don't uninstall it yourself.

Expose hidden files

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Kazaa

One reason why you may be having problems on this computer is because Kazaa is installed. I appreciate KazaaLite is marketed as “reverse engineered” and without malware but removal is still advised.

Download KazaaBegone here…

http://www.greyknight17.com/spy/KazaaBegone.zip.

This uninstaller will remove all elements from all Kazaa versions as well as all of the bundled software that comes with it.

FunWebProducts & MyWebSearch

Download ScanSpyware here…

http://www.scanspyware.net/info/FunWebProducts.htm

Run the trial version and let it remove all it finds of FunWebProducts and related apps.

Other downloads

Download CWShredder here. Run it and instruct it to “fix” anything it finds.

Download Spybot Search & Destroy and install it. Please run it, click "Search for Updates" then "Check for Problems". If it finds something, check/tick all items in RED and hit the “Fix Selected Problems” button. Exit Spybot.

Download Ad-aware SE latest updates and run the program.

Download CleanUp! by going here. Do not run it yet.

HijackThis fix procedure

Reboot the PC into safe mode<<< Click Here for instructions

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one IF they are running (You must kill them one at a time):

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\Program Files\Kazaa Lite K++\KazaaLite.kpp


Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs IF FOUND:

Viewpoint

MyWebSearch (Smiley Central or FWP product as applicable)

MyWebSearch Email Plugin

My Way Speedbar (AOL and Yahoo Messengers) (beta users only) (Outlook, Outlook Express and IncrediMail)

Search Assistant - My Way


Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [SS1HelperStartUp] C:\PROGRA~1\SEASID~1\SS1HEL~1.EXE /partner SS1

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxmk500YYUS

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab

O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.reciperewards.com/bundles/reciperewards.cab


Please remember to close all other windows, including browsers, before clicking “Fix checked”.

Delete the following File indicated in RED and Folders indicated in BLUE if they still exist:

C:\Program Files\Viewpoint

C:\PROGRA~1\SEASID~1
NOTE >> I can’t see the full name of this folder. Please check your program folder and delete the file whose name begins with the 6 characters SEASID

C:\Program Files\Kazaa Lite K++

C:\Program Files\MyWebSearch

C:\Program Files\Windows Media Player\wmplayer.exe


Reboot your System in normal mode.

Final cleanup

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

There will be some minor orphaned registry entries left behind by the uninstalls in the Add/Remove Programs part of the fix. These can be cleaned up by running SpyBot Search and Destroy or Ad-Aware SE again or left alone.

If you have a fast internet connection (Broadband), run online scans at Panda Activescan and Housecall.

Housecall has now been upgraded. Please run ALL the free scans offered at these sites.

Make sure they both perform full system scans and please use the “Autoclean” option when running Housecall.

If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details back to this thread.

Please post a fresh HijackThis log so that we can check if your system is clean.

MOST IMPORTANT…..

Please also give us an update on how the system is operating now.


OJ

Last edited by oddjob; 07-08-2005 at 01:46 PM.
Old 07-18-2005, 05:36 PM   #4 (permalink)
Silven - Registered User


Alright OJ, time for your review.

Overall grade: Not bad.

I went ahead and skipped all the things previous to the HijackThis Instructions, either because I already know about it or it's already done.

Were you a little unsure as to what the SEASID process was? Then you should ask the user if they know what it is before instructing them to remove it. In this case, it was a screensaver.

The next thing is that when you give step by step instructions (i.e. "Go into Hijack This->Config->Misc. Tools->Open process manager"), make sure you include EVERY step. In that particular instruction, you missed the "click don't do anything" step, and when moving to instruct to remove programs, you missed Click>Start>Settings>Control Panel.
It just prevents confusion.

Moving along, again, when you got to removing files and folders, ask the user if they recognize the program/file before instructing to remove, and tell them to let you know. (C:\PROGRA~1\SEASID~1)

Other than that, not too bad. Here is your Second Log, so good luck, and try again


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:22:11 PM, on 7/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Documents and Settings\Administrator\My Documents\Mics\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab36107.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
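The follow-up check this thread turns on (the fix list in post #3 compared against the fresh log in post #4) can be scripted. The sketch below is an added example, not part of the thread and not HijackThis or forum tooling; the function names are hypothetical and the sample text is a constructed subset of the logs posted above. URLs are compared as placeholders because the forum elides them differently in each post.

```python
import re

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


def parse_entries(log_text):
    """Return (section, body) per entry line; headers and process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def entry_key(section, body):
    """Identity of an entry that survives forum URL elision ("cust...ch" vs "cus...rch").

    Entries carrying a CLSID are keyed on it; otherwise any URL is replaced by a
    placeholder. Limitation: a registry value whose URL merely changed still
    counts as the same entry and needs a manual look.
    """
    clsid = CLSID_RE.search(body)
    if clsid:
        return (section, clsid.group(0).upper())
    return (section, URL_RE.sub("<url>", body).lower())


def verify_fix(fix_list_text, followup_log_text):
    """Split the fix list into entries gone from the follow-up log and entries still there."""
    present = {entry_key(s, b) for s, b in parse_entries(followup_log_text)}
    result = {"cleared": [], "still_present": []}
    for s, b in parse_entries(fix_list_text):
        bucket = "still_present" if entry_key(s, b) in present else "cleared"
        result[bucket].append(f"{s} - {b}")
    return result


def new_entries(before_text, after_text):
    """Entries in the follow-up log that were not in the first log (worth a second look)."""
    seen = {entry_key(s, b) for s, b in parse_entries(before_text)}
    return [f"{s} - {b}" for s, b in parse_entries(after_text)
            if entry_key(s, b) not in seen]


# Constructed samples: a subset of lines copied from the posts in this thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxmk500YYUS
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.reciperewards.com/bundles/reciperewards.cab
"""

BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxmk500YYUS
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.reciperewards.com/bundles/reciperewards.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab34120.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

if __name__ == "__main__":
    report = verify_fix(FIX_LIST, AFTER_LOG)
    print("cleared:", len(report["cleared"]))
    print("still present:", report["still_present"])
    for line in new_entries(BEFORE_LOG, AFTER_LOG):
        print("new since first log:", line)
```
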
Old 07-19-2005, 12:36 AM   #5 (permalink)
POADB - Moderator, Microsoft Support


Quote:
Alright OJ, time for your review.

Overall grade: Not bad.

I went ahead and skipped all the things previous to the HijackThis Instructions, either because I already know about it or it's already done.

Were you a little unsure as to what the SEASID process was? Then you should ask the user if they know what it is before instructing them to remove it. In this case, it was a screensaver.

The next thing is that when you give step by step instructions (i.e. "Go into Hijack This->Config->Misc. Tools->Open process manager"), make sure you include EVERY step. In that particular instruction, you missed the "click don't do anything" step, and when moving to instruct to remove programs, you missed Click>Start>Settings>Control Panel.
It just prevents confusion.

Moving along, again, when you got to removing files and folders, ask the user if they recognize the program/file before instructing to remove, and tell them to let you know. (C:\PROGRA~1\SEASID~1)

Other than that, not too bad. Here is your Second Log, so good luck, and try again
Silven
Oddjob has used his free time in order to help YOU. Do not under any circumstances criticize any of the voluntary analysts or staff at this forum in an open thread. If you were in some way concerned about advice you should have contacted a Moderator, Manager or Administrator. You could have even placed your questions and concerns, in an appropriate manner, to the analyst helping you.
Last edited by POADB; 07-19-2005 at 02:28 AM.
Old 07-20-2005, 12:59 AM   #6 (permalink)
Silven - Registered User


Lol. Let me humbly apologize to both you and OJ. I didn't mean to hurt anyone's feelings. I was simply trying to give some tips. Again, I humbly apologize. I thank both of you for your time. No hard feelings?
Old 07-20-2005, 01:53 PM   #7 (permalink)
Silven - Registered User


Can I get a second log overlook though please? I am sorry....

Thanks for your time.
Old 07-20-2005, 02:10 PM   #8 (permalink)
PurpleSky - Guest

Just curiosity. WHY?
 
Old 07-20-2005, 02:24 PM   #9 (permalink)
POADB - Moderator, Microsoft Support


Hi Silven.

Oddjob is reviewing your new log.

Meanwhile, do you have any further problems to report, that may help OddJob with his analysis??
Old 07-20-2005, 07:14 PM   #10 (permalink)
Silven - Registered User


Quote:
Originally Posted by PurpleSky
Just curiosity. WHY?
Why what? There is a lot you could be referring to.

Quote:
Originally Posted by POADB
Hi Silven.

Oddjob is reviewing your new log.

Meanwhile, do you have any further problems to report, that may help OddJob with his analysis??
No, not much. Other than the computer is a little slower than normal, nothing out of the ordinary.

thanks again guys.

Last edited by Silven; 07-20-2005 at 07:16 PM.
Old 07-21-2005, 11:35 PM   #11 (permalink)
Horse - General Manager (Administrator)

Hi Silven

We at TSF appreciate and welcome all attempts to assist users in the forum. You chose to assist an Apprentice, who with all respect to yourself, is miles ahead of you in terms of knowledge in this area and more than that, is supervised by an Analyst who is miles ahead of the Apprentice. I am sure you can appreciate the imbalance I am alluding to here.

Nevertheless the issue is resolved and I appreciate the manner in which it was done. I see you are a registered member of the Academy. Drop by if you are inclined to help people with spyware removal.
Old 07-22-2005, 01:47 PM   #12 (permalink)
Silven - Registered User


Wow. I REALLY pissed you guys off huh? You are the third person to "inform" me of what I did as being wrong. I realize what I did was wrong, and I already apologized for it. Let it be known that my intentions were good, but nonetheless, I will apologize, AGAIN. How many more Admins have to yell at me before we can get over this?