Hijack This Log

  1. #1
    t_rex_132 is offline Newbie

    Hijack This Log

    Bear said to post this here so here it is........

    Logfile of HijackThis v1.98.2
    Scan saved at 6:18:12 PM, on 10/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
    C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
    C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
    C:\WINDOWS\System32\msawindows.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\Program Files\Common Files\WinTools\WSup.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Toolbar\TBPS.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    C:\WINDOWS\system32\appce32.exe
    C:\WINDOWS\system32\javaqo.exe
    C:\WINDOWS\ipfp32.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Mike\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://broadband.suscom.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {874EF24A-B4A2-BCC9-AF32-1C5D6A1522B7} - C:\WINDOWS\system32\addhz.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
    O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
    O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
    O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [sysmh.exe] C:\WINDOWS\system32\sysmh.exe
    O4 - HKLM\..\Run: [appce32.exe] C:\WINDOWS\system32\appce32.exe
    O4 - HKLM\..\Run: [EI7d] C:\documents and settings\nic\local settings\temp\EI7d.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [crxn32.exe] C:\WINDOWS\system32\crxn32.exe
    O4 - HKLM\..\Run: [apint32.exe] C:\WINDOWS\system32\apint32.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\RunServices: [Kernel32] Kernel32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
    O4 - HKLM\..\RunOnce: [sysrz32.exe] C:\WINDOWS\system32\sysrz32.exe
    O4 - HKLM\..\RunOnce: [wincs.exe] C:\WINDOWS\system32\wincs.exe
    O4 - HKLM\..\RunOnce: [winml32.exe] C:\WINDOWS\winml32.exe
    O4 - HKLM\..\RunOnce: [msly.exe] C:\WINDOWS\system32\msly.exe
    O4 - HKLM\..\RunOnce: [mfckk.exe] C:\WINDOWS\mfckk.exe
    O4 - HKLM\..\RunOnce: [netjg.exe] C:\WINDOWS\netjg.exe
    O4 - HKLM\..\RunOnce: [apici.exe] C:\WINDOWS\apici.exe
    O4 - HKLM\..\RunOnce: [crys32.exe] C:\WINDOWS\crys32.exe
    O4 - HKLM\..\RunOnce: [msww.exe] C:\WINDOWS\msww.exe
    O4 - HKLM\..\RunOnce: [d3fg32.exe] C:\WINDOWS\d3fg32.exe
    O4 - HKLM\..\RunOnce: [sdkwy.exe] C:\WINDOWS\system32\sdkwy.exe
    O4 - HKLM\..\RunOnce: [ntql32.exe] C:\WINDOWS\system32\ntql32.exe
    O4 - HKLM\..\RunOnce: [netsf.exe] C:\WINDOWS\netsf.exe
    O4 - HKLM\..\RunOnce: [appvt.exe] C:\WINDOWS\system32\appvt.exe
    O4 - HKLM\..\RunOnce: [ipfp32.exe] C:\WINDOWS\ipfp32.exe
    O4 - HKCU\..\Run: [SpyBlast] C:\Program Files\SpyBlast\SpyBlast.exe /autorun
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096053794156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

    If you need more info please let me know.

  2. #2
    t_rex_132 is offline Newbie
    I should have added this data:

    The computer that generated this log has at the very least the following problems:

    Cool Web Search
    about:blank
    Home Search Assistant
    Purity Scan
    Gain Advertising
    W32/sdbot.worm.gen.l - removed by McAfee AVERT Stinger supposedly

    Also, I bought McAfee Internet Security Suite to install and it fails every time with "Internal error 2738". What that means I have no idea. I'm trying to work through McAfee to figure that one out.

  3. #3
    Bear is offline D-A-L Elite Member
    Owen or one of the other HJT experts will get to your log ASAP. Have you downloaded, installed, updated and run both Adaware and Spybot Search and Destroy? If not, I would suggest that you do, then reboot, make sure all browsers are closed, run HJT again and post a fresh log.

  4. #4
    owen is offline D-A-L Team Member (UK)
    Hiya,
    This is quite a messy log so we'll deal with it Step by Step.

    Hello,
    Please download LSPFix from here. Unzip it and run LSPFix.exe.

    1) When LSPFix has started, put a checkmark in "I know what I am doing"
    2) In the Keep column, select all inetadpt.dll entries and click the arrow to move them into the remove column.
    3) Click the Finish button to remove them.

    Then Boot into Safe Mode

    Delete the following files:
    inetadpt.dll

    Reboot

    Then follow the instructions in the next post to remove your WinTools infection...

  5. #5
    owen is offline D-A-L Team Member (UK)
    How to remove Wintools infections.
    1. Disable System restore as per the instructions here.
    2. Reboot into safe mode - How do I boot into "Safe" mode?
    3. Click on "Start" => "Control Panel" => "Administrative Tools" => "Services".
    4. Look for a service called "Wintools for IE Service" => Double-click it to open, then click on the Stop button and change the "Startup type" to Disabled. Do not worry if the service is not listed.
    5. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "WtoolsA.exe", "WToolsS.exe" and "WSup.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.
    6. Go into "Add/Remove Programs" in the "Control Panel" and look for any Wintools entry. Uninstall it.
    7. Open a command prompt by clicking on "Start" => "Run" and type in "cmd" and click on "OK". At the prompt, type regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" (Quotation marks must be typed in on the preceding command) then <ENTER>.
    8. Type exit to close the command prompt window.
    9. Delete the following directories:
      • C:\Program Files\Common Files\WinTools
      • C:\Program Files\Toolbar
    10. Run HijackThis, click on "Scan" and then place a check mark in the following boxes, and click on "Fix Checked":
      • R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
        R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=enc
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
        R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=enc
        R3 - Default URLSearchHook is missing
        O2 - BHO: (no name) - {874EF24A-B4A2-BCC9-AF32-1C5D6A1522B7} - C:\WINDOWS\system32\addhz.dll
        O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
        O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
        O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
        O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
    11. Reenable System restore as per the instructions here.
    12. Reboot and sign in as per normal and post a new HijackThis log for further review.

  6. #6
    t_rex_132 is offline Newbie
    OK Owen.

    I did what you instructed in both the previous replies that you posted. Everything went fairly well with a few minor exceptions. When doing the Wintools removal I couldn't completely do step 9. Both the Wintools and Toolbar directories had TEMP directories that I was unable to remove. They were empty so I figured that would be no big deal. I removed everything else.

    Also, since I was in Safe Mode the system wouldn't let me re-enable System Restore so I just rebooted and haven't re-enabled it yet.

    Otherwise here is the latest Hijack This log file:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:29:40 PM, on 10/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
    C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
    C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
    C:\WINDOWS\System32\msawindows.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\system32\sysmh.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\AWS\WeatherBug\Weather.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Mike\Desktop\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rvgwo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rvgwo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rvgwo.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rvgwo.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://broadband.suscom.net/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {3B74CD36-ABD6-0CF3-3934-7E8BD58C733B} - C:\WINDOWS\system32\winmu32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
    O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
    O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
    O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [sysmh.exe] C:\WINDOWS\system32\sysmh.exe
    O4 - HKLM\..\Run: [appce32.exe] C:\WINDOWS\system32\appce32.exe
    O4 - HKLM\..\Run: [EI7d] C:\documents and settings\nic\local settings\temp\EI7d.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [crxn32.exe] C:\WINDOWS\system32\crxn32.exe
    O4 - HKLM\..\Run: [apint32.exe] C:\WINDOWS\system32\apint32.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\RunServices: [Kernel32] Kernel32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe
    O4 - HKLM\..\RunOnce: [crys32.exe] C:\WINDOWS\crys32.exe
    O4 - HKLM\..\RunOnce: [msly.exe] C:\WINDOWS\system32\msly.exe
    O4 - HKLM\..\RunOnce: [ipfp32.exe] C:\WINDOWS\ipfp32.exe
    O4 - HKCU\..\Run: [SpyBlast] C:\Program Files\SpyBlast\SpyBlast.exe /autorun
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096053794156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab


    I can't thank you enough. I'll await your next set of instructions.

    Thanks again!!!!
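An added example, not part of the thread: a comparison of the first log (post #1) with the follow-up log (post #6) that confirms the entries ticked in post #5 are gone and shows which registry values still point at a hijacker under a new file name. The function names are this example's own, and the three short inputs are excerpts copied from the posts above.

```python
import re

# A HijackThis entry is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [kdx] ...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Excerpts copied from the logs in posts #1 and #6 and the fix list in post #5.
BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rxcad.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {874EF24A-B4A2-BCC9-AF32-1C5D6A1522B7} - C:\WINDOWS\system32\addhz.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""
AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rvgwo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {3B74CD36-ABD6-0CF3-3934-7E8BD58C733B} - C:\WINDOWS\system32\winmu32.dll
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
"""
FIX_LIST = r"""
O2 - BHO: (no name) - {874EF24A-B4A2-BCC9-AF32-1C5D6A1522B7} - C:\WINDOWS\system32\addhz.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
"""

def parse_entries(log_text):
    """Return the set of (section, detail) pairs; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def registry_values(entries):
    """Map 'key,value-name' -> data for R0/R1 lines written as 'key = data'."""
    values = {}
    for section, detail in entries:
        if section in ("R0", "R1") and " = " in detail:
            key, data = detail.split(" = ", 1)
            values[key] = data
    return values

def compare(before_text, after_text):
    """Entries removed, entries added, and registry values whose data changed."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    rb, ra = registry_values(before), registry_values(after)
    changed = {k: (rb[k], ra[k]) for k in rb.keys() & ra.keys() if rb[k] != ra[k]}
    return {"removed": sorted(before - after),
            "added": sorted(after - before),
            "changed": changed}

def unresolved(fix_text, after_text):
    """Entries ticked for 'Fix Checked' that still appear in the follow-up log."""
    return sorted(parse_entries(fix_text) & parse_entries(after_text))

if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    for name in ("removed", "added"):
        for section, detail in result[name]:
            print(f"{name:8} {section:4} {detail}")
    for key, (old, new) in result["changed"].items():
        print(f"changed  {key}\n    was {old}\n    now {new}")
    print("still present after fix:", unresolved(FIX_LIST, AFTER))
```

A value that keeps its registry key but points at a different DLL between scans, as the Search Bar entry does here, means the component that writes it is still active on the machine.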

  7. #7
    t_rex_132 is offline Newbie
    Owen,

    I have a few other questions. When I try to remove things like Search Extender and Home Shopping Assistant I get directed to a website that asks for my reason and then asks me to download another program to actually remove the one I was trying to get rid of in the first place. I haven't done it because I'm afraid that by doing that I'll install something else so do you have any advice regarding these issues?

    Are these things that you can help me remove as well?

    Thanks!

  8. #8
    owen is offline D-A-L Team Member (UK)
    Certainly are and that's what we are going to do next. The uninstaller will not be trustworthy and you did right not to use it.

    What I need now is a New Hijack This Log and a GetActiveService's log (see below). Once you have posted these logs, do not reboot or logoff on your PC. Doing so will almost certainly make the fix fail. If you reboot or logoff, you will need to post new logs so amend your previous posts and leave a note.
    1. ActiveServices ...
      • Please download GetService.zip
      • Extract it to a new folder on the desktop. Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you.
      • getservice.txt will list all active Services. Copy and paste the contents of getservice.txt in your next reply here.
    From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.
