This is my first post to geekstogo. I am stuck with Windows AdStatus, Winstat.exe, and winstatkeep. I have read the posts and made a log file with HijackThis. Please analyse and help me with removal and your recommendations. I am using Windows ME (I know... it's a bear). Many thanks for this invaluable service.
Logfile of HijackThis v1.99.1
Scan saved at 9:02:28 AM, on 03/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TBPANEL.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTATKEEP.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\TOOLS\YCIII\YANKCLIP.EXE
C:\TOOLS\FLASH2\FLSHSTAT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\TOOLS\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dad.adelphia.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\TOOLS\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~4\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Windows AdStatus] C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTAT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Yankee Clipper III.lnk = C:\TOOLS\YCIII\YankClip.exe
O4 - Startup: Flashpath Status.lnk = C:\TOOLS\FLASH2\FLSHSTAT.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .hip: C:\WINDOWS\SYSTEM\nphijkjv.dll
O12 - Plugin for .hiv: C:\WINDOWS\SYSTEM\nphijkjv.dll
O12 - Plugin for .wav: C:\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\INTERN~1\Plugins\NPBelv32.dll
O13 - WWW. Prefix: http://
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.micro...nt2/tv_enua.exe
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://cs5.cssftware...sses/CFJava.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: {82267FE0-D80D-11D3-B006-00500406C1BC} (AXStub Class) - ftp://plugin:[email protected]/printQuick.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://jamescam.meat...sCamControl.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5....v43/yacscom.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk...2567_662592.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish....ishUploader.cab
O16 - DPF: {9AF6E7AE-D248-11D2-BFAA-00805F2392C0} (Smi Class) - http://wwemail.suppo...ts/SysQuery.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O18 - Protocol: lmrt - {A4181901-9A8E-11D1-ADF0-0000F8754B99} - C:\WINDOWS\SYSTEM\CACHEAPP.DLL
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\INTERNET\PCFNACCT\DLJDIRECT\CLIENT\FLOWHOOK.DLL