Thread ID: 46058 2004-06-12 00:59:00 HijackThis Help please, supergran (108) Press F1
Post ID Timestamp Content User
243674 2004-06-12 00:59:00 Here is a copy of the hijack log I have just made, and I would really appreciate some help in understanding it. I did copy the instructions, but don't like to play with too much.

Logfile of HijackThis v1.97.7
Scan saved at 11:46:19 a.m., on 12/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.globalwebsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.websearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzcity.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = search.searchenhancement.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nz3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.searchenhancement.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.websearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = search.searchenhancement.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.websearch.com
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: (no name) - {2B3452C5-1B9A-440F-A203-F6ED0F64C895} - C:\WINDOWS\rem00001.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: JT's Blocks - download.games.yahoo.com
O16 - DPF: Toki Toki Boom - download.games.yahoo.com
O16 - DPF: Tornado 21 - download.games.yahoo.com
O16 - DPF: Video Poker - download.games.yahoo.com
O16 - DPF: Yahoo! Bingo - download.games.yahoo.com
O16 - DPF: Yahoo! Dice - download.games.yahoo.com
O16 - DPF: Yahoo! Gin - download.games.yahoo.com
O16 - DPF: Yahoo! Go - download.games.yahoo.com
O16 - DPF: Yahoo! Literati - download.games.yahoo.com
O16 - DPF: Yahoo! MahJong Solitaire - download.games.yahoo.com
O16 - DPF: Yahoo! Pool 2 - download.games.yahoo.com
O16 - DPF: Yahoo! Pyramids - download.games.yahoo.com
O16 - DPF: Yahoo! Towers 2.0 - download.games.yahoo.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - stream1000.babenet.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - dst.trafficsyndicate.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - download.yahoo.com
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - mirror.worldwinner.com
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - mirror.worldwinner.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - www.installengine.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - us.dl1.yimg.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - mirror.worldwinner.com
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - xbs.sea.mtree.com
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - lw15fd.law15.hotmail.msn.com
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - 216.129.173.30
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - mirror.worldwinner.com

TIA
supergran (108)
243675 2004-06-12 01:37:00 You have got some nasties on there Supergran. I'm not too up with the play with reading HijackThis logs but Websearch, Globalwebsearch and Searchenhancement are browser hijackers/toolbars and likely to slow your system as well. You also have a couple of diallers, at least.

You could post your log on Computer Cops or wait for JM, Jim B, Jen C or Susan B, etc, to intervene on your behalf.

It's fixable.

Cheers Murray P
Murray P (44)
243676 2004-06-12 01:53:00 Yes, as Murray says, there are a few things that need fixing but I have to run in a minute so I won't be able to check properly until later today.

In the meantime DON'T try fixing anything yourself or your computer could stop working. Did you create a new folder for HijackThis to put the hijackthis.exe file into before running? If you didn't, please do so - preferably in your Program Files folder.

Also, if you have not already done so give Adaware and Spybot a run and post another log here after they have cleaned up your computer.

Incidentally, what problems has your computer been having?
Susan B (19)
243677 2004-06-12 03:29:00 Slow start up, slow on net, slow (well nearly dead stopped) opening folders, trying to connect at each click of the mouse, etc. This isn't my puter, I am trying to get the son-in-law's puter useable again. I have run Adaware but none of the others yet. Will go back this afternoon and download Spybot etc. TIA. Had iSearch toolbar, but I think I got rid of that earlier. supergran (108)
243678 2004-06-12 08:22:00 After you have scanned the computer with Spybot do the following:

First go to add/remove programs and remove these entries, if present:

P2P Networking2
Search Toolbar
MSIETS

Also check if there is an entry for WinTools. If so, uninstall it. If not then do the following:

Go to Start>Settings>Control Panel>Administrative Tools>Services and look for "WinTools for IE service" in the right pane. If you find it, right click on it. Stop it by pressing the Stop button. Then disable it by clicking on the startup type drop down and selecting "Disable".

Then right click on the Taskbar and open Task Manager.
Go to Applications and/or Processes and end task on the following (WToolsS.exe should already be stopped from the above step):
WToolsA.exe
WToolsS.exe
WSup.exe

Now, with HijackThis in its own folder as mentioned previously, ensure that all programs are shut down, then run HijackThis again and put ticks alongside the following for HJT to fix:

C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.websearch.com/ie.aspx?tb_id=50017
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.websearch.com/ie.aspx?tb_id=50017
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.websearch.com/ie.aspx?tb_id=50017
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: (no name) - {2B3452C5-1B9A-440F-A203-F6ED0F64C895} - C:\WINDOWS\rem00001.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - xbs.sea.mtree.com/mt/dialers/fc/UniDist.CAB
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - 216.129.173.30/xxxnaughty/activeinstaller.dll


There are other things I am unsure about as I do not know what programs your son-in-law wishes to use. For example there are a lot of Yahoo-type games plug-ins that I am uncertain whether they have installed themselves or whether they are used to play online games. Get your son-in-law to check whether the following look legitimate and if not then have HJT fix them:

O16 - DPF: JT's Blocks - download.games.yahoo.com/games/clients/y/blt0_x.cab
O16 - DPF: Toki Toki Boom - download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Tornado 21 - download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Video Poker - download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dice - download.games.yahoo.com/games/clients/y/dct0_x.cab
O16 - DPF: Yahoo! Gin - download.games.yahoo.com/games/clients/y/nt0_x.cab
O16 - DPF: Yahoo! Go - download.games.yahoo.com/games/clients/y/gt1_x.cab
O16 - DPF: Yahoo! Literati - download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - download.games.yahoo.com/games/clients/y/mjst0_x.cab
O16 - DPF: Yahoo! Pool 2 - download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Pyramids - download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - download.games.yahoo.com/games/clients/y/ywt0_x.cab

I assume that the computer is running an up-to-date anti-virus program. If not, then after HijackThis has done its thing you could go to Trend Micro HouseCall for an online virus check: http://housecall.trendmicro.com/

When all this has been done, let us know the results and post another HJT logfile here.

Note: I have previewed this and the forum has mucked up the formatting and some of the line breaks. Please be careful when selecting which items to tick.
Susan B (19)
243679 2004-06-12 08:40:00 Looks like son-in-law enjoys gambling and porn.
Obviously at someone else's expense.
I'd definitely keep that boy off your computer Supergran.
Capt.Hook (5586)
243680 2004-06-12 09:33:00 He is actually my ex-son-in-law, and he lives in a house with flatmates, all young and male, so I don't really expect anything else from this puter Capt Hook, but as he owns the puter, I can't really complain. LOL I just have to try and clean up after they have nearly stopped the puter. It was try this or completely reformat. And believe me, this hijack log is after I have cleaned out heaps. And no, he isn't allowed on my puter. LOL

Susan, thanks, I will go back tomorrow and attack it again, and yes, he does run Norton's anti-virus and has the XP firewall going, which after I get things working properly I am going to disable and run Zone Alarm. Thanks heaps for all your work, and I most likely won't get another log up until Monday. As for the games, I think a lot of those Yahoo games are from when my daughter used to live there, and it has just never been cleaned out.
supergran (108)
243681 2004-06-12 10:00:00 > Looks like son in law enjoys gambling and porn.

Although you are probably joking it would be a good idea to be very careful about accusing people of that sort of thing. One does not have to deliberately visit gambling and porn sites for their computer to become infested with such evidence.

This page (pressf1.pcworld.co.nz/thread.jsp?forum=1&thread=46506) was a rather interesting thread. ;-)
Susan B (19)
243682 2004-06-12 10:26:00 I know that Susan, as I have been redirected to some very (would I call them Hot?) sites, when I am just normal surfing, and once, even from a cross stitch site. supergran (108)
243683 2004-06-14 05:21:00 New Hijack this report

Logfile of HijackThis v1.97.7
Scan saved at 4:08:00 p.m., on 14/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzcity.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: &Define - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Look Up in &Encyclopedia - c:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - download.yahoo.com
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - mirror.worldwinner.com
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - mirror.worldwinner.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - www.installengine.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - download.macromedia.com
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - mirror.worldwinner.com
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - lw15fd.law15.hotmail.msn.com
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - mirror.worldwinner.com

It is going faster, thanks, and hopefully everything he uses is still working. LOL
supergran (108)
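Added example, not part of the thread and not code from HijackThis itself: a small Python triage script for HJT-style logs that does the two checks a responder would want here. For the first log posted above it flags the hosts-file hijack (every O1 line that is not the normal `127.0.0.1 localhost` entry, which on this machine includes the malformed `127.0.0.0 localhost` line and the anti-spyware vendors pointed at loopback) and lists O16 ActiveX downloads served from a bare IP address. For the before-and-after pair of logs in the thread it diffs the two, so you can confirm the ticked entries are gone and catch anything that appeared in between, such as the WebSearch Class `scbar.dll` URLSearchHook that is present only in the second log. The embedded log excerpts are constructed from lines quoted in the thread; the function names are my own.

```python
"""Triage helpers for HijackThis-style logs (added example, not from the thread)."""
import re
from collections import Counter

# Constructed excerpt of the first log in the thread (scan of 12/06/2004).
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzcity.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.globalwebsearch.com
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - xbs.sea.mtree.com
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - 216.129.173.30
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
"""

# Constructed excerpt of the second log in the thread (scan of 14/06/2004).
AFTER_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzcity.co.nz/
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - download.macromedia.com
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "R1 - ...", "O16 - ..."
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")   # ip, hostname
DPF_IP_RE = re.compile(r"^O16 - DPF: .* - (\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_log(text):
    """Return the HJT entries in `text` as (section, line) pairs, skipping the
    header, blank lines and the bare paths under 'Running processes'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def summarize(text):
    """Count entries per HJT section (R0, R1, O1, O2, ...) for a quick overview."""
    return Counter(section for section, _ in parse_log(text))


def hosts_hijacks(text):
    """Return (ip, hostname) for every O1 entry other than the canonical
    '127.0.0.1 localhost'. A clean XP hosts file normally has only that line,
    so any other entry (a vendor site pointed at loopback, or a malformed
    localhost line such as 127.0.0.0) deserves a look."""
    found = []
    for _, line in parse_log(text):
        m = HOSTS_RE.match(line)
        if m and (m.group(1), m.group(2).lower()) != ("127.0.0.1", "localhost"):
            found.append((m.group(1), m.group(2)))
    return found


def dpf_from_bare_ip(text):
    """Return the source addresses of O16 (ActiveX download) entries that are
    served from a bare IP address instead of a hostname."""
    hits = []
    for _, line in parse_log(text):
        m = DPF_IP_RE.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def diff_logs(before, after):
    """Return (removed, added): entries only in `before` and entries only in
    `after`. Use it to verify a clean-up and to spot new arrivals."""
    before_set = {line for _, line in parse_log(before)}
    after_set = {line for _, line in parse_log(after)}
    return sorted(before_set - after_set), sorted(after_set - before_set)


if __name__ == "__main__":
    print("sections:", dict(summarize(BEFORE_LOG)))
    print("hosts entries to review:", hosts_hijacks(BEFORE_LOG))
    print("ActiveX from bare IP:", dpf_from_bare_ip(BEFORE_LOG))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed since first scan:", len(removed))
    print("new since first scan:", *added, sep="\n  ")
```

Run it as a script against the two excerpts and the last lines of output are the two R3 hooks that only exist in the second log; with real logs, feed the full text of each scan into `diff_logs` and work through the "new" list before declaring the machine clean.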