PDA

View Full Version : rogue dialer or not



luckysmum
07-06-2004, 06:22 PM
I have a compaq presario S306Oan and I run windows xp with Norton antivirus 2003, zonealarm, ad aware and spyware guard. Nortons, zonealarm and spyware start automatically when I turn computer on so are on full time.
Twice in the last month I have been able to connect to the net but when I get on I cannot go anywhere and when i bring my isp details up the activity reads sent 350 and received 250 and it does not change. my isp said it was not down to them. I system restored to 2 months ago and I could connect again but I had to reinstall nortons and msn messenger as neither would work both times. My isp said it maybe a rogue dialer
could one of these hid in my computer or my system restore and reappear or is it something else. As I have done scans and have found nothing. Can any body help please.

supergran
07-06-2004, 07:03 PM
I can't help, sorry, but am also curious what software is needed to find dialers or trojans and what keeps them out, if the firewalls don't. Hopefully someone will be able to help both of us.

luckysmum
07-06-2004, 07:20 PM
I just done a port test at shield up and my all service ports came back as perfect all stealth so I don't know how anything can get in.

Jen C
07-06-2004, 08:23 PM
>I system restored to 2 months ago and I could connect again but I had to reinstall nortons and msn messenger as neither would work both times.

So, you can connect fine now?

Is Nortons fully up to date with the latest definitions? The same with Ad-aware, is that fully up to date? It is possible the firewall is blocking programs that require internet access - try disabling it temporarily and see if this makes a difference.

luckysmum
07-06-2004, 08:43 PM
yes when I system restored it was ok.
yes everything is up to date. and no zonealarm seems to be fine I turned everything off nortons, zone alarm and spywareguard when i was having trouble just to see if it was any of them but nothing changed.

Pheonix
07-06-2004, 08:45 PM
Not a good idea to lower the firewall online unless your windows XP, is up-to-date with patches, otherwise you may be saying hello to MSblaster or Sasser worms.

If all up to date then no problems.

luckysmum
07-06-2004, 08:48 PM
yes I know but at the time I waas trying everything. But otherwise it is never off. And yes windows, nortons, and zonealarm are all up to date

andrew93
07-06-2004, 08:52 PM
Is this a periodic thing or all the time? From your original blurb it sounds periodic. If it is all the time then what's changed?

I used to have this sort of problem where I would dial up, connect and periodically nothing would then happen (page not found etc) - I too had ZA, AdAware, AVG & Spybot - the only way I could get around it was to force the disconnect and then reconnect. Sometimes it worked and sometimes it didn't. I reckoned it was an overload situation at the ISP - you know, a wet weekend, heaps of people online, you get connected but nothing happens..... :(

I never resolved the dial up problem coz I got so frustrated that I changed to the entry level JetStream - so sorry I can't help you there.

Susan B
07-06-2004, 08:56 PM
HijackThis is a very good program for weeding out things that can creep onto your computer. Next time you suspect something is going on behind your back grab a copy, run it and post the logfile here. You will need to create a new HijackThis folder to place the file in before running it. Do not try fixing anything yourself without prior advice.

Pheonix
07-06-2004, 08:59 PM
Wouldn't have thought a dialler would have given you those symptoms. To clear your mind, download and scan with Spybot from here (http://www.majorgeeks.com/download2471.html) IOne of it's strengths is picking up diallers.

zqwerty
07-06-2004, 09:00 PM
Get Hijack this from here and then if need be you can run it from a floppy and post the results to this forum so others can see what is going on with your computer.

http://www.spywareinfo.com/~merijn/files/hijackthis.zip


Rob

zqwerty
07-06-2004, 09:04 PM
Hmmmmm,

That last link seems faulty try this one:

http://209.133.47.12/~merijn/files/HijackThis.exe

luckysmum
07-06-2004, 09:04 PM
It happened about a month ago but when I system restored it came right and then on friday it happened again but worse. And yes I tried reconnecting but I would go off line and every hour I would try and connect and it was the same and yes my isp is up to date.

zqwerty
07-06-2004, 09:07 PM
Yes the last one is working fine. D/l the program and post back to us, it is very easy to use. After scan do not delete anything until you are sure of what you are doing!!!!!!!!!

luckysmum
07-06-2004, 09:10 PM
I have never heard of hijack Do I download it and leave it on my computer and when something goes wrong start it up or do I put it on cd disc for later use. And is it xp friendly as I know some things are not.

andrew93
07-06-2004, 09:11 PM
The other thing to check is the Zone Alarm auto lock - depends on your version but I *mistakenly* set mine to shut down or "padlock" everything if there was 20 minutes of inactivity. Unfortunately I forgot about this and would end up swearing at my PC when I couldn't connect to the net ... ooops!

luckysmum
07-06-2004, 09:15 PM
No I checked all that

zqwerty
07-06-2004, 09:19 PM
It is a program which shows your start up programs and such like and then gives you the opportunity to save it to notepad and post to a forum like this so that others can see what is happening on your computer and what programs you have installed on it. It is very unobtrusive and can be used any time you have problems to see if anything has Hijacked your bho 's etc. Look in Misc tools to generate the start up list. Get familiar with the program and don't be tempted to delete anything, it is a powerful program and can damage your registry if used incorrectly.

zqwerty
07-06-2004, 09:23 PM
For instance here are mine:

StartupList report, 7/06/04, 20:22:03
StartupList version: 1.52
Started from : C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222B)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTUPMONITOR.EXE
C:\PROGRAM FILES\DSE USB PRODRIVE\SHWICON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\TRANSPARENTD.EXE
C:\PROGRAM FILES\PLASMATEK SOFTWARE\PROTECTX\PROTECTX.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MYIE2\MYIE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
TransparentD.exe
ProtectX Hacker Defence Suite.lnk = C:\Program Files\Plasmatek Software\ProtectX\protectx.exe
Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
CacheSentry.exe.lnk = C:\Program Files\EnigmaticSoftware\CacheSentry\CacheSentry.ex e

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\Scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Run StartupMonitor = StartupMonitor.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
ShowIcon_DSE(NZ)Ltd - www.dse.co.nz_DSE USB ProDrive = "C:\Program Files\DSE USB ProDrive\shwicon.exe" -t"DSE(NZ)Ltd - www.dse.co.nz\DSE USB ProDrive"
AVG_CC = C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

FAST Defrag = C:\PROGRA~1\FASTDE~1\FAST2.EXE -tray
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 26/5/2004, 14:37:34)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\STARDO~1\SDIEINT.DLL - {FFFFFEF0-5B30-21D4-945D-000000000000}
(no name) - C:\WINDOWS\SYSTEM\IETie.dll - {9527D42F-D666-11D3-B8DD-00600838CD5F}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.837349537

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://pcpitstop.com/pcpitstop/PCPitStop.CAB

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

[DASWebDownload Class]
InProcServer32 = C:\WINDOWS\DASACT.DLL
CODEBASE = http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[Checkers Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSGRCHKR.DLL
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

[{F5192746-22D6-41BD-9D2D-1E75D14FBD3C}]
CODEBASE = http://download.rfwnad.com/cab/dlexe.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,497 bytes
Report generated in 0.657 seconds

luckysmum
07-06-2004, 09:25 PM
Thank you I will get it and have a look. Is it worth running now that everything is running ok

zqwerty
07-06-2004, 09:27 PM
Always a useful program to have and very small d/l.

luckysmum
07-06-2004, 09:31 PM
I just downloaded it.

zqwerty
07-06-2004, 09:44 PM
Like I said don't delete anything until you know what you are doing.

zqwerty
07-06-2004, 09:48 PM
Good Luck luckysmum.

luckysmum
07-06-2004, 09:52 PM
Once again is it worth running now that everything is running ok. and thanks everybody

zqwerty
07-06-2004, 10:26 PM
Well I guess not, but if you want to, then do so and post back here and I will see if there is anything I don't like the look of.

luckysmum
07-06-2004, 10:37 PM
Ok this is what I got

StartupList report, 7/06/2004, 9:36:00 p.m.
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\My Documents\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\S3tray2.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hp psc 1000 series.lnk = ?
hpoddt01.exe.lnk = ?
MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
KYE_Showicon = "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
hp Silent Service = C:\Windows\system32\HpSrvUI.exe
hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe
Share-to-Web Namespace Daemon = c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
KBD = C:\HP\KBD\KBD.EXE
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
WCOLOREAL = "C:\Program Files\Coloreal\coloreal.exe"
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
nwiz = nwiz.exe /install
PS2 = C:\WINDOWS\system32\ps2.exe
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
S3TRAY2 = S3tray2.exe
updater = C:\Program Files\Common files\updater\wupdater.exe
SAHBundle = C:\DOCUME~1\Owner\LOCALS~1\Temp\bundle.exe
VTPreset = VTPreset.exe
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
ICQ Plus = "C:\Program Files\ICQPlus\vplus.exe"
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\webshots.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - c:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1064873909.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1082957611328

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

[WSDownloader Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WSDOWN~1.OCX
CODEBASE = http://www.webshots.com/samplers/WSDownloader.ocx

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\NewDotNet\newdotnet6_22.dll
Protocol #1: C:\Program Files\NewDotNet\newdotnet6_22(2)(2).dll
Protocol #2: C:\Program Files\NewDotNet\newdotnet6_22(2)(2).dll
Protocol #18: C:\Program Files\NewDotNet\newdotnet6_22(2)(2).dll
Protocol #19: C:\Program Files\NewDotNet\newdotnet6_22(2)(2).dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,350 bytes
Report generated in 0.453 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

luckysmum
07-06-2004, 10:40 PM
I dont know what this netdotnet is it came up the other day and I ttried to delete it and it said i could not

luckysmum
07-06-2004, 10:41 PM
sorry newdotnet

zqwerty
07-06-2004, 10:49 PM
Yup and is probably your problem:

What is SaveNow and/or New.Net?
SaveNow is a add-on product distributed by Bearshare, DivX player, Imesh, and a few other downloadable programs. Its a product made by a company called WhenU. It tracks what websites a person visits and then pops up separate browser windows with targeted advertisements and special offers. It continuously is downloading updated information about new offers and collects a variety of information.

Go here to read more:

http://www.pchell.com/support/savenow.shtml

Don't do anything hasty I don't think it is too serious. Gather information before attempting to purge it.

zqwerty
07-06-2004, 10:50 PM
Go here:

http://www.newbie.org/firstaid/newdotnet_removal.html

zqwerty
07-06-2004, 11:01 PM
Also luckysmum you might like to look at this:

http://www.free-web-browsers.com/support/remove-mysearch.shtml

luckysmum
07-06-2004, 11:16 PM
Have deleted both and rebooted so should be gone and here is new list

StartupList report, 7/06/2004, 10:12:35 p.m.
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\My Documents\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hp psc 1000 series.lnk = ?
hpoddt01.exe.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
KYE_Showicon = "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
hp Silent Service = C:\Windows\system32\HpSrvUI.exe
hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe
Share-to-Web Namespace Daemon = c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CamMonitor = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
KBD = C:\HP\KBD\KBD.EXE
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
WCOLOREAL = "C:\Program Files\Coloreal\coloreal.exe"
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
nwiz = nwiz.exe /install
PS2 = C:\WINDOWS\system32\ps2.exe
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
S3TRAY2 = S3tray2.exe
updater = C:\Program Files\Common files\updater\wupdater.exe
SAHBundle = C:\DOCUME~1\Owner\LOCALS~1\Temp\bundle.exe
VTPreset = VTPreset.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
ICQ Plus = "C:\Program Files\ICQPlus\vplus.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\webshots.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - c:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1064873909.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1082957611328

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

[WSDownloader Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\WSDOWN~1.OCX
CODEBASE = http://www.webshots.com/samplers/WSDownloader.ocx

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,521 bytes
Report generated in 0.532 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

luckysmum
07-06-2004, 11:18 PM
And thank you very very much for all your help I would not have known what to look for so once again thank you it is very much appreciated.

Pheonix
07-06-2004, 11:48 PM
Remove from startup ..updater = C:\Program Files\Common files\updater\wupdater.exe

See here (http://www.winpatrol.com/db/freesample/wupdater.html)

zqwerty
07-06-2004, 11:50 PM
Check, using Hijack this, every now and again to make sure that there are no hidden instances starting to gain a foot-hold once more.

CU.

Susan B
07-06-2004, 11:50 PM
zqwerty may have been able to make sense of that list but it wasn't what I was hoping to see. After double clicking on hijackthis.exe you click on the Scan button then Save Log. This will produce a text file, the contents of which you can paste in here. What you have pasted is the Startup list which is a little different.

Also, it is good practice to obtain a fresh download of an updated version of HijackThis if you wish to scan your computer another day as new pests are added to the database regularly and using an older version could cause problems.

Pheonix
07-06-2004, 11:55 PM
Also ... SAHBundle = C:\DOCUME~1\Owner\LOCALS~1\Temp\bundle.exe
See here (http://www.pestpatrol.com/pestinfo/s/sahagent.asp).

zqwerty
07-06-2004, 11:55 PM
Yes probably something else you should get rid of as well as Phoenix says.

luckysmum
08-06-2004, 12:01 AM
I thought I had I deleted everything and took it out of add/remove but it is still hidden somewhere and it is not in the file it says it is in as I deleted it out of there about 3 weeks ago

luckysmum
08-06-2004, 01:00 AM
It looks like I have some work to do tomorrow checking all these thanks for everything

Pheonix
08-06-2004, 11:33 AM
It also may pay to heed the advice from Susan B... you have an old version of Hijackthis (1.52) when the latest version is 1.97.

Download the new version from here (http://www.spychecker.com/download/download_hijackthis.html).

Scan , save log and post here. It also has an easier removal method rather than manually doing it in the registry.

luckysmum
08-06-2004, 02:03 PM
Downloaded the new version here is the list

Logfile of HijackThis v1.97.7
Scan saved at 12:59:17 p.m., on 8/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.digitalfan.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1082957611328
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E5D6061-49A4-46F9-974C-6F757F60AE89}: NameServer = 203.96.152.4 203.96.152.12

luckysmum
08-06-2004, 03:23 PM
Am downloading winpatrol now will do another list after I have run it

Susan B
08-06-2004, 03:54 PM
Close ALL running programs then run HijackThis from its own folder like I advised you previously, then put a tick alongside the following boxes to allow it to fix the problems:


R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorMa niaInitialSetup1.0.0.8.cab

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx


When you have done this, do another scan and post the new log here.

Susan B
08-06-2004, 03:58 PM
Also, you have an awful lot of programs loading at startup that could be removed and started manually when required. Most of them appear to be HP products, eg printer, scanner, camera, etc. There is no need to have them running in the background all the time.

To stop them running at startup go into each program, look in the Tools or Options and see if you can find anything that mentions loading when Windows starts. If you have items in your tasktray over by the clock you can check there for options to disable at startup as well.

If you cannot find an option to disable them you can do it from within Spybot or with msconfig.

zqwerty
08-06-2004, 04:04 PM
Luckysmum already did have the latest version of Hijack This there is confusion over the Start up list version they are different and it is also the latest version.

luckysmum
08-06-2004, 04:27 PM
went off the net turned everything off on my taskbar and did hijack again ticked where you told me to and here is the new file and I ticked pheonix link and got hijack vi.97.7 as he said it was newer.

Logfile of HijackThis v1.97.7
Scan saved at 3:06:02 p.m., on 8/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\S3tray2.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ICQPlus\vplus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.digitalfan.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1082957611328
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

luckysmum
08-06-2004, 04:39 PM
the hp things are a 1200 series all-in-one
and yes i can turn it off it was just that I doing some stuff on it last night and today.

Susan B
08-06-2004, 04:59 PM
Your log looks clean to me. If you have any more problems with your internet connection or whatever, let us know. :-)

luckysmum
08-06-2004, 05:06 PM
thankyou for all your help as I would not have known where to find half of that stuff or what to do so once again a big thanks