yet another hijackthis log

You definitely have some hijacking and hostile files loading. Hang in there until the moderator takes a look...I'm just now beginning to get better at Hijackthis and while I recognize bad entries in your log I want to see the cleanup procedures Chris suggests. Be patient...even Chris has to sleep. *;-)

Texruss

Download then unzip and run CWShredder to clean up clicking FIX to have it remove all it finds.

cwshredder from here
or from here
or download page from here

please post a new hijackthis log after a reboot.

i ran the CWShredder and then rebooted. here's my hijackthis scan log after rebooting. I still think there's stuff in that log that need to be gotten rid of. for example, i saw something wit bearshare in it. i know bearshare is spyware and i don't want that there. there were at least a couple other things on there that looked suspicious to me. thanks for the help. let me know if there's any more i can do to make it easy on you. i'm starting to understand this stuff some, but i still need help and guidance. thanks again. here's the log.

Logfile of HijackThis v1.97.7
Scan saved at 12:58:59 PM, on 3/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\HPZTSB02.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\POPLIB.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [BearShare] C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE /m
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [rumclftx] C:\WINDOWS\kexslzub.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC\Scheduled_Maintenance.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.5738425926
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gmu.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = gmu.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 129.174.1.3,129.174.44.12,129.174.1.8

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

The following have randomly named file names, and as such are normally malware, UNLESS you know what they are, and they are from a safe source, please check for removal.

O4 - HKLM\..\Run: [rumclftx] C:\WINDOWS\kexslzub.exe

The following activeX controls will reinstall when(and if) you revisit that website, UNLESS you know they are from a safe source, check to remove.

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-

Folder > C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\
and this if checked above
File > > C:\WINDOWS\kexslzub.exe

Then Reboot and post a fresh log for me to check.

ok, i've gone through all of the stuff and here's what i'm left with...

when i tried to delete the folder/file you told me to delete, both came back as path invalid. i did this in safe mode by going to a dos prompt through the accessories tab in the start menu. if this is not the proper method, then i don't know how to do it. i ran the hijackthis scan again and it appeared to come back clean, but i am still getting the requests to download random products. the most recent example of this was when i came back in from dinner, i had the window on my screen that said, 'do you want to download and install precision time/date manager?' i probly get 5-10 of those per day all from different products. i have no clue how to stop those, but i am on a college network, so that may have something to do with it. thank you for all of the help so far. here's the latest scan log. also, the musicnotes and the scorch programs are both legit. they allow me to view sheet music online. thanks

Logfile of HijackThis v1.97.7
Scan saved at 4:56:33 PM, on 3/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\WINDOWS\SYSTEM\HPZTSB02.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\POPLIB.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [BearShare] C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE /m
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Scheduled Maintenance] C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC\Scheduled_Maintenance.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37886.5738425926
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gmu.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = gmu.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 129.174.1.3,129.174.44.12,129.174.1.8

 

>you want to download and install precision time/date manager?

Gator spyware installs those two. Look in Control Panel/Add/Remove and get rid of Precision Time and Date Manager if present. Rescan with Spybot.

To Chris:  What about the Wild Tangent section and Bear Share? While Wild Tangent can have some legitimate game purposes and is installed by some bigtime players, it seems to be a phone-home ET spyware. 

All the best,

Texruss

i was wondering the same thing about the bearshare. i know i'm the one that put wild tangent on my comp, but if it is the problem, i don't use it enough to miss it. about the precision time/date manager, i check my comp for gator on a regular basis. gator is my arch nemesis, and thus i make sure it's not on here as much as possible. unless it's in a spot that i don't know where to look (i'm an IT minor in school), it's not on my comp. i really think i've got something on my comp that is doing some sort of phone home et. i'm on a network at school and thus am connected to the internet 24/7.

i have had a lot of problems lately with spyware and viruses and what not. could that be due to the fact that i'm on the school network? could people be putting stuff out on the network and my comp automatically picks it up somehow?

thanks for all the help chris and tex. i'm interested in learning all this stuff too. as i said, i'm an IT minor and i already have a couple friends here at school that want me to clean their comps too. so in summary, keep 'em coming. thanks again

Look at some of the comments here about location folders and entries for Gator's PT and DM.

As for stuff getting in on your school network automatically...hmm...maybe port attacks on an unpatched machine, but normally the user invites the pests in by some fashion. A good AV and a software and hardware firewall combo works wonders for most of the pests. Scanning with antispyware should get the rest that slip through. Insidious stuff. Try SpywareBlaster also as it's proactive.

I'd whack Bearshare myself. I use WinMX (cautiously of course and with advanced options). *;-) I used to use Kazaa Lite, but quit after I found it was a cracked program.

Texruss

Message Edited by Texruss on 04-05-2004 12:50 PM

yeah, i whacked bearshare a long time ago...i actually ventured and payed for my downloads...now i get as many as i want and no spyware for one time $20 fee. i think i'll have hijackthis whack the bearshare. i think the school has firewalls out the wazoo ciz there's things i can't do, like a live baseball draft due to the firewall. i'm not that worried about other people on the network, but i know that our email system is about as weak as it can get, so i figured you never know.

also, i'm pretty happy with ad-aware and NAV, so i'm not really looking for another spyware hunter...i kinda think i've got enough...hopefully we can get this stuff knocked out though...thanks for the feedback

hey guys, i just noticed something else that might be of interest...

when i was checking all the hiding places for gator (none of which contained it on my comp), i found a link that is listed as damaged. when i opened explore by right clicking on the start button, then went to windows>downloaded program files i found a link that is listed as damaged. that link is DownloadUL Class. is that important? it has the word download in it. is that how this stuff is getting in? just a thought.

once again, thanks for all the feedback and the help.

For anyone interested in learning how to help people with malware - here are links to the two 'schools' on the net - both free.
-----------------------------------
Have you thought of joining one of the anti-malware schools - two available with some 150 people in training.

Classroom at TomCoyotes
http://forums.tomcoyote.com/index.php?showtopic=1421

Bootcamp at Spwareinfo
http://www.spywareinfo.com/forums/index.php?showtopic=32637

With both you need to register first, then follow the directions in those posts above. I teach at Both, but more responcibility at Classroom.
------------------------------------
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
-WT GameChannel (GAMECHANNEL.EXE)
See pacmans link here http://www.sysinfo.org/startuplist.php?filter=GameChannel.exe&count=&type=

O4 - HKLM\..\Run: [BearShare] C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE /m
-BearShare (BEARSHARE.EXE)
See pacmans link here - http://www.sysinfo.org/startuplist.php?filter=BEARSHARE.EXE&count=&type=
and the on link here http://www.cexx.org/adware.htm
----extract---------
OnFlow - Installed by BearShare among others. The company that makes this beastie describes its purpose fairly well on its own :) It is a browser plug-in designed specifically to display advertising, usually of the large, loud and flashing variety.
----end extract--------
So BareShare is not in and of itself malware - and having removed the malware should be OK.

==============

I personally would remove both from any of my systems, but the anti-malware sites (although not liking them) have them as an optional removal.

If you wish to remove, check them in hijackthis and with allwindows closed, fix checked.
===========================
This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-

Spybot s&d, Ad-aware Run weekly - or after a heavy internet session.

Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known badies.

Also ie-spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentaly getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

All those with links from my site. Do remember just like AV they need to be updated regularly, I do mine weekly, AV daily.

With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.

 

that is awesome...thank you so very much for the help...i only have one more problem...when i was running NAV last night, it came back with me having two viruses. these were:

W32.Kwbot.Worm

W32.Kwbot.P.Worm

NAV couldn't even quarrantine them, much less fix them. So i went into the DOSPrompt and tried to delete the files. it came back as file path unknown on one and access denied on the other. do you know of any way to get rid of those? thanks again for all the help, you've been wonderful.

I'll probly sign up at one of the schools soon. are there like regular class sessions i have to attend online?

thanks again, it's been great

The schools are more a self learn - everyone at thier own speed.

I would post a new log - just in case those virus's did infect you.

gmuguy,

In an earlier post, you said, "i think the school has firewalls out the wazoo ciz there's things i can't do, like a live baseball draft due to the firewall. i'm not that worried about other people on the network..."

One of the better ways of spreading worms on a LAN is to bring in an infected laptop. Entire corporate WANs have been disrupted by worms that arrived "over the fence". While Internet firewalls will protect the LAN/WAN from worms arriving from the Internet, they afford no protection at all against things happening inside.

I'd suggest considering the school's network "untrusted", and installing a personal firewall like ZoneAlarm.

Jim

>W32.Kwbot.Worm

>W32.Kwbot.P.Worm

Backdoor Trojans. Follow the instructions for removal at the links.

All the best,

Texruss