Annoyances.org
Hijak This file scan--need advice
Showing all messages in thread #1070664706
Windows Me Annoyances Discussion Forum


The following are all of the messages in this thread (26 in all), shown in chronological order.
Hijak This file scan--need advice
Friday, December 5, 2003 at 2:51 pm
Posted by Frank (27 messages posted)

I did a scan with "Hijak This" because I was getting a "restrictions in effect on your computer" error message, not allowing my Black Ice to run, or letting me edit my msconfig files. Problem is I can't tell what, if anything, needs to be removed. Can someone take a look at it? I'd really appreciate the help.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hand-book.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hand-book.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InsightBB.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hand-book.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?344012 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?344012 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.hand-book.com/search/
F1 - win.ini: run=LXDBOXCP.EXE
O1 - Hosts: 66.118.163.109 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
O4 - HKLM\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\INSIGHT\MIGCFG\PROGRAMS\AutoUpdate.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
O4 - HKLM\..\RunServices: [Desktop] rundll32.exe msconfd,Restore ControlPanel
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SysInit] wininit32.exe
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [SysInit] wininit32.exe
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKLM\..\RunOnce: [SysInit] wininit32.exe
O4 - Startup: CORELCENTRAL ALARMS.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: OFFICE STARTUP.LNK = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: MICROSOFT OFFICE SHORTCUT BAR.LNK = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: MICROSOFT FIND FAST.LNK = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
O15 - Trusted Zone: *.coolwwwsearch.com
O15 - Trusted Zone: *.msn.com
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.netsource101.com/files/source11/NetInstall11.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://lop.com/Software_Plugin.exe
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://64.154.221.61/ads/lsdialer.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud7.sports.yahoo.com/java/y/mlbst8298_x.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud12.sports.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37960.6022800926
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)



re: Hijak This file scan--need advice
Friday, December 5, 2003 at 3:52 pm
Posted by Ms. Eagle (33507 messages posted)


You have a variant of the CoolWebSearch hijacker, for one thing. Download and run 
CoolWebShredder 1.38.0 on this page: Spychecker.com/

Be sure to close all browser windows before running it. It may execute again after 
rebooting. It would be good to keep it on hand. He updates it VERY frequently, so 
check for an update often. 

P.S. If you get a message saying 'A required dll, MSVBVM60.DLL, was not found', install 
the VB 6 Runtime Libraries. Direct download: VB 6 Runtime Libraries 

If you have NOT run SpybotSD already, download and run it after running the Shredder: 
Spybot S&D. Close all running programs, install, then 
reboot. Start it, go online and press the 'search for updates' tab. Download all 
updates that aren't optional. 

Close all browser windows, then start it in Easy mode and run the scan. Then click 
'Check All', and fix everything SpybotSD labels in red. Reboot. 

Then if you feel it's necessary to run Hijack This again, PLEASE choose this Option 
below the message window before posting the log, so it's formatted properly!: Check 
this box to preserve your spacing....



re: Hijak This file scan--need advice
Friday, December 5, 2003 at 4:32 pm
Posted by worm (792 messages posted)

Hi Frank,

Good advice from Carol.
In case you're interested, there's some useful background info here on how CoolWebSearch works.

One of the other things you have to do though is to purge all the previous System Restore points. This is because Win ME creates backups of all system files and anything you've installed which includes all that spyware of course.
You'll find an illustrated tutorial on how to purge the System Restore cache here


On Friday, December 5, 2003 at 3:52 pm, Carol wrote:

>You have a variant of the CoolWebSearch hijacker, for one thing. Download and run 
>CoolWebShredder 1.38.0 on this page: Spychecker.com/
>
>Be sure to close all browser windows before running it. It may execute again after 
>rebooting. It would be good to keep it on hand. He updates it VERY frequently, so 
>check for an update often. 
>
>P.S. If you get a message saying 'A required dll, MSVBVM60.DLL, was not found', install 
>the VB 6 Runtime Libraries. Direct download: VB 6 Runtime Libraries 
>
>If you have NOT run SpybotSD already, download and run it after running the Shredder: 
>Spybot S&D. Close all running programs, install, then 
>reboot. Start it, go online and press the 'search for updates' tab. Download all 
>updates that aren't optional. 
>
>Close all browser windows, then start it in Easy mode and run the scan. Then click 
>'Check All', and fix everything SpybotSD labels in red. Reboot. 
>
>Then if you feel it's necessary to run Hijack This again, PLEASE choose this Option 
>below the message window before posting the log, so it's formatted properly!: Check 
>this box to preserve your spacing....


re: Hijak This file scan--need advice
Friday, December 5, 2003 at 5:26 pm
Posted by Frank (27 messages posted)

Thanks to you both. I got and did what you both said. Found lots of goodies. Noticeable 
change in system speed; however, I'm still getting the same message about restrictions 
on my computer when trying to access msconfig or starting my Black Ice. Very odd.





On Friday, December 5, 2003 at 4:32 pm, worm wrote:

>Hi Frank,
>
>Good advice from Carol.
>In case you're interested, there's some useful background info here on how CoolWebSearch works.
>
>One of the other things you have to do though is to purge all the previous System Restore points. This is because Win ME creates backups of all system files and anything you've installed which includes all that spyware of course.
>You'll find an illustrated tutorial on how to purge the System Restore cache here


re: Hijak This file scan--need advice
Friday, December 5, 2003 at 7:35 pm
Posted by Ms. Eagle (33507 messages posted)

Frank, you're welcome. You say you still have problems. That's why you need to run SpybotSD and Hijack This again. There may be something else going on, also.


re: Hijak This file scan--need advice
Friday, December 5, 2003 at 7:58 pm
Posted by Frank (27 messages posted)

Carol, thanks. I ran SpyBotSD again and ran Hijak This again. Here is what it lists. 
Do you need to see the start up info too?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet 
Explorer provided by InsightBB.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
F1 - win.ini: run=LXDBOXCP.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 
5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL 
(file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
- C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
O4 - HKLM\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\INSIGHT\MIGCFG\PROGRAMS\AutoUpdate.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE 
/AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points 
manager.exe -s
O4 - HKLM\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\RunOnce: [WU2_RegSvr] c:\windows\SYSTEM\regsvr32.exe /s c:\windows\SYSTEM\WUAUPD98.DLL
O4 - HKLM\..\RunOnce: [UpdateHook] c:\windows\rundll32.exe AUHKNEW.DLL,RenameDll 
O4 - HKLM\..\RunOnce: [WU4_RegSvr] c:\windows\SYSTEM\regsvr32.exe /s c:\windows\SYSTEM\AUHOOK.DLL
O4 - HKCU\..\RunOnce: [ICQ] C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot
O4 - Startup: CORELCENTRAL ALARMS.LNK = C:\Program Files\Corel\WordPerfect Office 
2000\programs\alarm.exe
O4 - Startup: OFFICE STARTUP.LNK = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: MICROSOFT OFFICE SHORTCUT BAR.LNK = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: MICROSOFT FIND FAST.LNK = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://64.154.221.61/ads/lsdialer.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud7.sports.yahoo.com/java/y/mlbst8298_x.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - 
http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud12.sports.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37960.6022800926






On Friday, December 5, 2003 at 7:35 pm, Carol wrote:

>Frank, you're welcome. You say you still have problems. That's why you need to run SpybotSD and Hijack This again. There may be something else going on, also.


re: Hijak This file scan--need advice
Friday, December 5, 2003 at 11:15 pm
Posted by Ms. Eagle (33507 messages posted)


Did you put any restrictions on this system, are you the sole user of this computer? 
Get back to me on that, and let me know how things go after you do these things.

For one thing, your system's infected with the "W32.Xabot.Worm" (SysInit - wininit32.exe). 
It's listed in your startups in at least a few places according to this log. After 
you fix the entries in Hijack This, you'll need to clear out your System Restore 
folder. You can check instr. on this site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html

Run Hijack This again and select these. Have them fixed. Reboot.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet 
Explorer provided by InsightBB.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
F1 - win.ini: run=LXDBOXCP.EXE
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL 
(file missing)
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SysInit] wininit32.exe
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe
O4 - Startup: OFFICE STARTUP.LNK = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: MICROSOFT FIND FAST.LNK = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://64.154.221.61/ads/lsdialer.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud7.sports.yahoo.com/java/y/mlbst8298_x.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - 
http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud12.sports.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab



re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 4:36 am
Posted by worm (792 messages posted)

Hi Frank, 

Don't have Hijack This fix these two entries!

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

They will contain your passwords for the multiplayer games you play.

Hope it's not too late.


On Friday, December 5, 2003 at 11:15 pm, Carol wrote:
>
>Did you put any restrictions on this system, are you the sole user of this computer? 
>Get back to me on that, and let me know how things go after you do these things.
>
>For one thing, your system's infected with the "W32.Xabot.Worm" (SysInit - wininit32.exe). 
>It's listed in your startups in at least a few places according to this log. After 
>you fix the entries in Hijack This, you'll need to clear out your System Restore 
>folder. You can check instr. on this site:
>
>http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html
>
>Run Hijack This again and select these. Have them fixed. Reboot.
>
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet 
>Explorer provided by InsightBB.com
>R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
>F1 - win.ini: run=LXDBOXCP.EXE
>O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL 
>(file missing)
>O4 - HKLM\..\Run: [LexStart] Lexstart.exe
>O4 - HKLM\..\Run: [LoadQM] loadqm.exe
>O4 - HKLM\..\Run: [SysInit] wininit32.exe
>O4 - HKLM\..\RunServices: [SysInit] wininit32.exe
>O4 - HKCU\..\Run: [SysInit] wininit32.exe
>O4 - Startup: OFFICE STARTUP.LNK = C:\Program Files\Microsoft Office\Office\OSA.EXE
>O4 - Startup: MICROSOFT FIND FAST.LNK = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
>O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
>O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
>O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://64.154.221.61/ads/lsdialer.cab
>O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
>O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
>O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
>O16 - DPF: Yahoo! MLB StatTracker - http://aud7.sports.yahoo.com/java/y/mlbst8298_x.cab
>O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
>O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - 
>http://64.124.45.181/downloads/ccpm_0237.cab
>O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
>O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud12.sports.yahoo.com/java/y/nflgcst1008_x.cab
>O16 - DPF: Yahoo! NBA StatTracker - http://aud3.sports.yahoo.com/java/y/nbast8264_x.cab
>
>


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 6:44 am
Posted by Frank (27 messages posted)

Thank you both! Carol, yes I'm the only person who uses this computer. I fixed what 
you said to in Hijak This. I had the System Restore off. I went to that link you 
sent about the worm and they wanted me to go into Regedit. Of course it won't let 
me. It says: registry editing has been disabled by the administrator. And Black Ice 
still isn't allowed to start. Anyway, we're making progress if I could just get in 
and edit the registries.





On Saturday, December 6, 2003 at 4:36 am, worm wrote:

>Hi Frank, 
>
>Don't have Hijack This fix these two entries!
>
>O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
>O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
>
>They will contain your passwords for the multiplayer games you play.
>
>Hope it's not too late.


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 7:37 am
Posted by worm (792 messages posted)

Hi Frank,

You don't need to get into the Registry. Use Hijack This to checkmark the entries Carol mentioned, then click "Fix".

To restore access to the Registry though, go to Start > Search > Files & Folders, type regedit.exe and click Search Now. Right click that file and choose "Rename" from the menu. Click once to remove the highlight and then place the cursor at the end of the file name and delete the "exe". Next, type "com" (without quotes) and click anywhere outside the field. It should now show as regedit.com.

If, when you search for regedit.exe you find a file, but can't see the "exe" extension, double click the My Computer icon, click the word "Tools", choose "Folder Options" from the menu. Click the "View" tab and in the list, checkmark the option "Show Hidden Files & Folder". Remove the checkmark from "Hide file extensions for known file types". Click Apply/OK.

After you've renamed the regedit file, go to Start > Run, type regedit.com and click OK. It should launch the Registry editor in the same way.


On Saturday, December 6, 2003 at 6:44 am, Frank wrote:

>Thank you both! Carol, yes I'm the only person who uses this computer. I fixed what 
>you said to in Hijak This. I had the System Restore off. I went to that link you 
>sent about the worm and they wanted me to go into Regedit. Of course it won't let 
>me. It says: registry editing has been disabled by the administrator. And Black Ice 
>still isn't allowed to start. Anyway, we're making progress if I could just get in 
>and edit the registries.


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 10:11 am
Posted by Frank (27 messages posted)

Yes, I did exactly as Carol instructed. I also renamed my regedit and still am being 
blocked by administrator(which is me and I did nothing). How can I lift this administrator 
block? I probably never would've noticed it except when it disabled my Black Ice.
BTW, Worm, thanks for your help and patience. 
Do you need to see another Hijak file?





On Saturday, December 6, 2003 at 7:37 am, worm wrote:

>Hi Frank,
>
>You don't need to get into the Registry. Use Hijack This to checkmark the entries Carol mentioned, then click "Fix".
>
>To restore access to the Registry though, go to Start > Search > Files & Folders, type regedit.exe and click Search Now. Right click that file and choose "Rename" from the menu. Click once to remove the highlight and then place the cursor at the end of the file name and delete the "exe". Next, type "com" (without quotes) and click anywhere outside the field. It should now show as regedit.com.
>
>If, when you search for regedit.exe you find a file, but can't see the "exe" extension, double click the My Computer icon, click the word "Tools", choose "Folder Options" from the menu. Click the "View" tab and in the list, checkmark the option "Show Hidden Files & Folder". Remove the checkmark from "Hide file extensions for known file types". Click Apply/OK.
>
>After you've renamed the regedit file, go to Start > Run, type regedit.com and click OK. It should launch the Registry editor in the same way.


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 10:33 am
Posted by Frank (27 messages posted)

Here is a fresh Hijak file scan:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SETI@HOME\SETI@HOME.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\HIJAK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
- C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
O4 - HKLM\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\INSIGHT\MIGCFG\PROGRAMS\AutoUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE 
/AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points 
manager.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: CORELCENTRAL ALARMS.LNK = C:\Program Files\Corel\WordPerfect Office 
2000\programs\alarm.exe
O4 - Startup: MICROSOFT OFFICE SHORTCUT BAR.LNK = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37960.6022800926

On Saturday, December 6, 2003 at 10:11 am, Frank wrote:
>Yes, I did exactly as Carol instructed. I also renamed my regedit and still am being 
>blocked by administrator(which is me and I did nothing). How can I lift this administrator 
>block? I probably never would've noticed it except when it disabled my Black Ice.
>BTW, Worm, thanks for your help and patience. 
>Do you need to see another Hijak file?


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 10:53 am
Posted by worm (792 messages posted)

Hi Frank,

This is the Registry entry which has disabled your Registry access.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

In the past, it's always been possible to have Hijack This! fix this. Are you saying, you've tried that and it hasn't worked?


On Saturday, December 6, 2003 at 10:33 am, Frank wrote:

>Here is a fresh Hijak file scan ;
>
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
>C:\WINDOWS\SYSTEM\MSTASK.EXE
>C:\WINDOWS\EXPLORER.EXE
>C:\PROGRAM FILES\SETI@HOME\SETI@HOME.EXE
>C:\WINDOWS\SYSTEM\SPOOL32.EXE
>C:\WINDOWS\SYSTEM\QTTASK.EXE
>C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
>C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
>C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
>C:\WINDOWS\SYSTEM\DDHELP.EXE
>C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
>C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
>C:\WINDOWS\SYSTEM\LEXBCES.EXE
>C:\WINDOWS\SYSTEM\RPCSS.EXE
>C:\HIJAK THIS\HIJACKTHIS.EXE
>
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
>O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
>O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
>O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
>O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
>O4 - HKLM\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
>O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
>O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
>O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
>O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\INSIGHT\MIGCFG\PROGRAMS\AutoUpdate.exe
>O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
>O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
>O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
>O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
>O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
>O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
>O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
>O4 - Startup: CORELCENTRAL ALARMS.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
>O4 - Startup: MICROSOFT OFFICE SHORTCUT BAR.LNK = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
>O4 - Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
>O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
>O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
>O9 - Extra button: Real.com (HKLM)
>O9 - Extra button: ICQ Pro (HKLM)
>O9 - Extra 'Tools' menuitem: ICQ (HKLM)
>O9 - Extra button: Messenger (HKLM)
>O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
>O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37960.6022800926


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 11:06 am
Posted by Frank (27 messages posted)

I did like Carol told me. I had Hijak "fix" all the files she listed. The link she sent me regarding the worm she saw says you need to get into regedit and change some things. (I know Hijak is supposed to fix it as well). But....something is still restricting my Black Ice from launching and even when I renamed regedit like you said, it still says it's restricted by the administrator.


On Saturday, December 6, 2003 at 10:53 am, worm wrote:
>Hi Frank,
>
>This is the Registry entry which has disabled your Registry access.
>O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
>
>In the past, it's always been possible to have Hijack This! fix this. Are you
>saying, you've tried that and it hasn't worked?


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 12:13 pm
Posted by worm (792 messages posted)

Hi Frank,

I just checked the items Carol recommended here that you allow Hijack This to fix and note that she didn't include the one I mentioned in my last post.
So here it is again to save you looking for it:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Checkmark that when you run the scan again, and hopefully things will work properly afterwards.

A cautionary note about Black Ice though. It's not renowned in the firewall industry as a good firewall and has a lot of security holes in it which let spyware through (as you've discovered).
You'd be much better off with Zone Alarm, which is free (without tech support, but with free support on their forums). Click here. You should make sure you uninstall Black Ice first though.


On Saturday, December 6, 2003 at 11:06 am, Frank wrote:
>I did like Carol told me. I had Hijak "fix" all the files she listed. The link she
>sent me regarding the worm she saw says you need to get into regedit and change some
>things. (I know Hijak is supposed to fix it as well). But....something is still restricting
>my Black Ice from launching and even when I renamed regedit like you said, it still
>says it's restricted by the administrator.


That's not a big deal!
Saturday, December 6, 2003 at 2:25 pm
Posted by Ms. Eagle (33507 messages posted)


Those are ActiveX Controls, and any or ALL of those can be safely removed. They'll be downloaded/installed again as necessary. Those can really pile up and can cause problems, but it won't hurt ONE thing either way.

Many times, those are a one-time only install, because the person won't even use it again. Thanks for your help. :(





re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 2:34 pm
Posted by Ms. Eagle (33507 messages posted)


Frank, I wanted to know whether or not you applied any restrictions yourself, since 
Regedit was disabled. On a multiple user system, many times a parent or whoever will 
apply restrictions themselves. 

That's the reason I didn't include these items and asked you what I did. I've never seen DisableRegedit in a log before. As for this item O6, I intentionally have that set that way to lock my homepage, so we usually ask first. I had every intention to get back to you about it. Have both these entries fixed, if you haven't already.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Additionally, any and all DPF (Downloaded Program Files = ActiveX Controls) can be safely removed. They'll be downloaded again as needed. An example is Shockwave Flash. It's recommended to clear those out occasionally, and some you may never use again.

The other poster should have stayed out, and I'd think it would be obvious that I know what I'm doing!! Nothing I've advised you to do is going to cause problems. In fact, check out this post for more info. on what you can do that will be very beneficial. (Note: I had you remove Taskmon in the Hijack This reply. That one is done.)

Jack Gulley is a VERY knowledgeable regular on this forum. His advice is, "Remove PCHealth and TuneUp from Scheduled tasks, and PCHealth and TaskMonitor from Startup tab in MSCONFIG." There's other good advice in this post.

Windows ME Fixes 

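For anyone triaging a log like Frank's, here is a small Python helper that picks out the O7 DisableRegedit policy entry worm points to, the O6 IE policy key Carol explains above, and the O16 DPF/ActiveX entries both describe as removable. This is an added example, not code from the thread or from HijackThis; the sample log is constructed from lines quoted in the thread, and the severity labels and the DisableTaskMgr value name are my own additions.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the
thread or of HijackThis). Flags the O6/O7 policy entries behind the
"restrictions in effect" message and lists O16 DPF entries as removable."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Matches "O7 - HKCU\...\Policies\System, DisableRegedit=1", with or without a
# leading ">" from a quoted forum reply. Process-list lines do not match.
ENTRY_RE = re.compile(r"^\s*>?\s*(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+?)\s*$")

# Policy values under ...\Policies\System that lock the user out of an admin
# tool when set to 1. DisableRegedit is the one in the thread; DisableTaskMgr
# is a second well-known value added here (assumption for this example).
RESTRICTION_VALUES = {"DisableRegedit", "DisableTaskMgr"}

@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "fix" (remove it), "review" (may be intentional), "info"
    detail: str

def parse_entries(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, body) for every recognised HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body")

def triage(log_text: str) -> List[Finding]:
    """Classify the entry types this thread discusses; other sections are ignored."""
    findings = []
    for sec, body in parse_entries(log_text):
        if sec == "O7":
            key, _, value = body.rpartition(", ")   # "<key>, <ValueName>=<data>"
            name, _, data = value.partition("=")
            if name in RESTRICTION_VALUES and data.strip() == "1":
                findings.append(Finding(sec, "fix",
                    f"{name}=1 under {key}: admin tool disabled by policy; delete the value"))
            else:
                findings.append(Finding(sec, "review", body))
        elif sec == "O6":
            # IE policy key that locks home page/search settings; some users set
            # it deliberately, so ask before fixing (as Carol does above).
            findings.append(Finding(sec, "review", "IE policy key present: " + body))
        elif sec == "O16":
            # Cached ActiveX control; safe to remove, re-downloaded when needed.
            findings.append(Finding(sec, "info", "DPF/ActiveX control, removable: " + body))
    return findings

# Constructed sample, reusing lines from the log quoted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\RPCSS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```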

re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 3:58 pm
Posted by Ms. Eagle (33507 messages posted)


Frank, I just realized I posted this recent response to "worm" instead of you. Sorry 
about that, but it confuses matters when someone else takes over for me. In a serious 
situation like this, it's confusing to the original posters too. I'm glad I noticed 
it.

http://www.annoyances.org/exec/forum/winme/r1070750074


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 4:50 pm
Posted by worm (792 messages posted)

Hi Carol,

With all due respect, I also know what I'm doing. You've only got to look at any of my other posts to see that. So I think your criticism is totally unjustified especially in the manner in which it was written.

As for PC health and Tuneup, you can disable those via the Scheduled Tasks menu in System Tools although I would advise Frank to run PCHealth on startup. A single tuneup on startup does no harm at all.


On Saturday, December 6, 2003 at 2:34 pm, Carol wrote:

>Frank, I wanted to know whether or not you applied any restrictions yourself, since
>Regedit was disabled. On a multiple user system, many times a parent or whoever will
>apply restrictions themselves.
>
>That's the reason I didn't include these items and asked you what I did. I've never
>seen DisableRegedit in a log before. As for this item O6, I intentionally have that
>set that way to lock my homepage, so we usually ask first. I had every intention
>to get back to you about it. Have both these entries fixed, if you haven't already.
>
>O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
>O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
>
>Additionally, any and all DPF (Downloaded Program Files = ActiveX Controls) can be
>safely removed. They'll be downloaded again as needed. An example is Shockwave Flash.
>It's recommended to clear those out occasionally, and some you may never use again.
>
>The other poster should have stayed out, and I'd think it would be obvious that
>I know what I'm doing!! Nothing I've advised you to do is going to cause problems.
>In fact, check out this post for more info. on what you can do that will be very
>beneficial. (Note: I had you remove Taskmon in the Hijack This reply. That one is
>done.)
>
>Jack Gulley is a VERY knowledgeable regular on this forum. His advice is, "Remove
>PCHealth and TuneUp from Scheduled tasks, and PCHealth and TaskMonitor from Startup
>tab in MSCONFIG." There's other good advice in this post.
>
>Windows ME Fixes


re: Hijak This file scan--need advice
Saturday, December 6, 2003 at 5:50 pm
Posted by Ms. Eagle (33507 messages posted)

The point is, this is already a complicated enough issue we're dealing with here. Then towards the end of the thread, you post a message "warning him", UNnecessarily, not to fix something, that I said was alright to remove! Which it was...


re: Hijak This file scan
Saturday, December 6, 2003 at 6:27 pm
Posted by Ms. Eagle (33507 messages posted)


Hi worm, my apologies, if you misunderstood me and took my comments as a put down. 
I honestly wasn't questioning your expertise or anything like that. 

I have read your posts, and you definitely know what you're doing and are very helpful and thorough. I surely wasn't suggesting that I know it all, or that I always know what I'm doing. That's definitely debatable!

As far as, my... "I know what I'm doing". I was only referring to dealing with Frank's 
hijacking problem. Thanks for assisting him with that Regedit business. I should 
have brought those items to his attention and included an explanation in the first 
place. Different time zones can be a problem on these forums.




re: Hijak This file scan
Sunday, December 7, 2003 at 3:32 am
Posted by worm (792 messages posted)

Hi Carol,

OK, no harm done...just a misunderstanding :)


On Saturday, December 6, 2003 at 6:27 pm, Carol wrote:

>
>Hi worm, my apologies, if you misunderstood me and took my comments as a put down. 
>I honestly wasn't questioning your expertise or anything like that. 
>
>I have read your posts, and you definitely know what you're doing and are very helpful
>and thorough. I surely wasn't suggesting that I know it all, or that I always know
>what I'm doing. That's definitely debatable!
>
>As far as, my... "I know what I'm doing". I was only referring to dealing with Frank's 
>hijacking problem. Thanks for assisting him with that Regedit business. I should 
>have brought those items to his attention and included an explanation in the first 
>place. Different time zones can be a problem on these forums.


re: Hijak This file scan--need advice
Sunday, December 7, 2003 at 3:38 am
Posted by worm (792 messages posted)

Hi again Carol,

I agree with you that people jumping in and adding to a thread can cause confusion and perhaps, as you've already remarked, it would be better if others refrained from adding comments in certain circumstances.

But on the subject of the Registry entries in Frank's log pertaining to Ubisoft and Gamespy, I suspect these are the necessary components that enable registered users to play on their gaming networks. I don't play multiplayer games on either of those, but I am an ardent online gamer and I know that Gamespy in particular requires registration in order to access their servers.
One thing that users have to be wary of with Gamespy, though, is that it tries to persuade you to install "Gator", and we all know what that does. However, I didn't see any evidence of the latter mentioned anywhere in Frank's log.

I suppose though that there's no harm in removing them just to see whether my supposition is correct or not. If they're not necessary, Frank will be able to continue playing. If they are, then I'm sure he'll be able to obtain the necessary data from both companies in order to regain access to their networks. It would be interesting to see whether those entries reappear in those circumstances.


On Saturday, December 6, 2003 at 5:50 pm, Carol wrote:
>
>The point is, this is already a complicated enough issue we're dealing with here.
>Then towards the end of the thread, you post a message "warning him", UNnecessarily,
>not to fix something, that I said was alright to remove! Which it was...

re: That's not a big deal!
Sunday, December 7, 2003 at 9:18 am
Posted by Frank (27 messages posted)

Thank you both so very much. You are both very knowledgeable, more so than I'll ever be. Both your recommendations (sp?) worked and saved my system from a possible reformat.
I am no longer restricted from accessing anything, and have since installed Zone Alarm. My IP is static and, I've always feared, more open to hackers and whatnot.
I feel so much better having found the worm and been guided by you two in correcting my situation.
My many thanks again, and I hope you both have a great, safe holiday. I don't know what I would've done without you both!





On Saturday, December 6, 2003 at 2:25 pm, Carol wrote:
>
>Those are ActiveX Controls, and any or ALL of those can be safely removed. They'll
>be downloaded/installed again as necessary. Those can really pile up and can cause
>problems, but it won't hurt ONE thing either way.
>
>Many times, those are a one-time only install, because the person won't even use
>it again. Thanks for your help. :(


re: Hijak This file scan--need advice
Sunday, December 7, 2003 at 9:27 am
Posted by Frank (27 messages posted)

Whoops, I just replied to the "it's not a big deal" thread. Curse my computer-dysfunctional brain. Please, Carol/Worm, read.


On Saturday, December 6, 2003 at 3:58 pm, Carol wrote:

>Frank, I just realized I posted this recent response to "worm" instead of you. Sorry 
>about that, but it confuses matters when someone else takes over for me. In a serious 
>situation like this, it's confusing to the original posters too. I'm glad I noticed 
>it.
>
>http://www.annoyances.org/exec/forum/winme/r1070750074


re: Hijak This file scan--need advice
Monday, December 8, 2003 at 3:02 pm
Posted by Ms. Eagle (33507 messages posted)


You're welcome, and my apologies for not letting you know about the reason for my question and the registry restriction entries. I should have added to include those, if applicable.

I forget about time zones, and that we may not make contact again that soon. I shouldn't have taken offense to worm's assisting you with that. After all, you needed to get it fixed!





All content at Annoyances.org is Copyright © 1995-2009 Creative Elementtm All rights reserved.