Winstatkeep deletion

#1
blackblt (New Member, 1 post)
Hi,
This is my first post to geekstogo. I am stuck with Windows AdStatus, Winstat.exe, and winstatkeep. I have read the posts and did a log file with Hijack This. Please analyse and help me with removal and your recommendations. I am using Windows ME (I know... it's a bear). Many thanks for this invaluable service.

Logfile of HijackThis v1.99.1
Scan saved at 9:02:28 AM, on 03/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TBPANEL.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTATKEEP.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\TOOLS\YCIII\YANKCLIP.EXE
C:\TOOLS\FLASH2\FLSHSTAT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\TOOLS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dad.adelphia.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\TOOLS\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~4\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Windows AdStatus] C:\PROGRAM FILES\WINDOWS ADSTATUS\WINSTAT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Yankee Clipper III.lnk = C:\TOOLS\YCIII\YankClip.exe
O4 - Startup: Flashpath Status.lnk = C:\TOOLS\FLASH2\FLSHSTAT.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .hip: C:\WINDOWS\SYSTEM\nphijkjv.dll
O12 - Plugin for .hiv: C:\WINDOWS\SYSTEM\nphijkjv.dll
O12 - Plugin for .wav: C:\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\INTERN~1\Plugins\NPBelv32.dll
O13 - WWW. Prefix: http://
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://activex.micro...nt2/tv_enua.exe
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://cs5.cssftware...sses/CFJava.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: {82267FE0-D80D-11D3-B006-00500406C1BC} (AXStub Class) - ftp://plugin:6558@209.75.98.98/printQuick.cab
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://jamescam.meat...sCamControl.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.sc5....v43/yacscom.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk...2567_662592.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish....ishUploader.cab
O16 - DPF: {9AF6E7AE-D248-11D2-BFAA-00805F2392C0} (Smi Class) - http://wwemail.suppo...ts/SysQuery.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O18 - Protocol: lmrt - {A4181901-9A8E-11D1-ADF0-0000F8754B99} - C:\WINDOWS\SYSTEM\CACHEAPP.DLL
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\INTERNET\PCFNACCT\DLJDIRECT\CLIENT\FLOWHOOK.DLL
#2
don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi blackblt, and welcome.
Sorry for the late reply; the board has been really busy lately.
If you're still looking to resolve this issue,

Please run through all the steps outlined in this Topic
Post back a fresh log when done please

If you have resolved this issue please let us know.

Thanks and again sorry for the late reply

Don