[Element9846]

Thank you it is running now...I realize my posts should probably have more meaning but I kinda like to talk along to ya this time since things which are more serious and mooooore cautious of are taking place

its scanning now and i made sure back up box was check...it felt like i stared at it for 5 minutes trying to understand what the check meant but it wasnt that long in reality lol...Thank you...the registry definately is something you should just flip with...I am sure I wont screw anything up...But ill let you know on the other computer we have at the house (for business) if my pc wont start anymore !!!!

[Advertisements]

Macromedia Dreamweaver MX 2004 (used for Html Websites...and sites in general) opened fine...should I open more or is this all that matters just any program?

[Element9846]

Macromedia Dreamweaver MX 2004 (used for Html Websites...and sites in general) opened fine...should I open more or is this all that matters just any program?

[Michelle]

Whatever programs you regularly use (besides Limewire sorry bad joke)

Then keep rebooting and running it again until the stuff is gone

But, like I said there may be a couple of things that won't go away and that's fine!

[Element9846]

ive ran it twice the second pulled like 300 somethin and the 1st 1000 somethin i beleive

just keep running it till its a really low number?

[Michelle]

Yep just keep running it until there are only a couple of items left. Then try it one more time after that and if they don't go away it's fine, just let me know how many are left. Because if too many are left I'm going to have you download another program to finish it

[Element9846]

40 that time which is #3 ima run it again i doubt there will be much of anything...if I run it and NOTHING is detected....do i still reboot?

[Michelle]

If you run it and it doesn't find anything instead of rebooting right then, follow my previous instructions for deleting the file on reboot with killbox

[Element9846]

I got 4 files on the 4th try...is that fine...i noticed the things that popped up were in all the others

[Element9846]

bah ill just do kilbox cause u said some dont go...if they are repetitive to ingore so i will
they didnt sound like virus stff anyway
just stardock etc...which is a safe company I promise you ... wont get anything from this site....i.e. viruses etc

they make programs to customize windows look

http://stardock.com/

thx for the help ill run killbox now.

[Element9846]

Logfile of HijackThis v1.99.1
Scan saved at 7:39:56 PM, on 6/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Preferred Customer\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ps2.ign.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.c...et/applet_o.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C44AFB17-2647-4A94-8698-A6A730757F46}: NameServer = 204.117.214.10,199.2.252.10
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

there we go! lol

[Michelle]

It certainly looks much better!

Now I need you to go to Start > Control Panel
Double-click the "Java Plug-in" icon. Locate the update button, click it to download the latest updates then reboot. The current version is 1.5, so yours is out of date and more vulnerable.

Next we will try to see about finding some of the CLSIDs in the registry. I'll have you back up your registry first just incase something happens though

[Element9846]

k i am ready...i dled it earlier in the day but never restarted...tryin o get this stuff off my mind some...now that pc been off n such im ready for next step

[Michelle]

I'm going to be busy today so I don't know when I'll be able to get on, but the main stuff is gone, now we just need to see what we can find in the registry that pertains to spyware.

First, I need you to backup your registry.

Go to Start > Run - type:

regedit

Click OK.

When you get into the registry, on the leftside, click My Computer at the top. Then go up to "File > Export" Make sure in that window there is a tick next to "All" under Export Branch. Leave the Save As Type as "Registration Files", then save it as backup to a convenient location. Remember where you put it (I don't recommend putting it on the desktop, though) This is so the registry can be restored to this point should anything be deleted by accident or something else happens. It may take a minute. Just let it do it

[Element9846]

okay..thats done (although i knew how to backup cause ive had viruses before i came here..hehe thx for the walkthrough either way)

[Michelle]

Then it's safe to assume you know how to search the whole registry for an item by using "find next"?

There are a BUNCH of items that you need to search for in the registry. If you find any of the below items (exact matches only), then delete them out of the registry please.

IBIS items that need to be deleted, if found:

26e8361f-bce7-4f75-a347-98c88b418322
87766247-311c-43b4-8499-3d5fec94a183
d6dff6d8-b94b-4720-b730-1c38c7065c3b
63b78bc1-a711-4d46-ad2f-c581ac420d41
339bb23f-a864-48c0-a59f-29ea915965ec
8992b6ca-b8c9-4aed-bf89-0a17f6296a06
1d4db7d0-6ec9-47a3-bd87-1e41684e07bb
1d4db7d1-6ec9-47a3-bd87-1e41684e07bb
1d4db7d2-6ec9-47a3-bd87-1e41684e07bb
1d4db7d3-6ec9-47a3-bd87-1e41684e07bb
bd6f129a-08db-4cc5-a75a-f2ab79e55b6e

Bearshare items that need to be deleted, if found:

bearsharechatnotifymsg
5f95e1af-2620-4f15-bdf9-7fdce4607e17
558ec983-bedb-9168-b2de-31dbf0ee543e
905d0df2-3a0a-4d94-853c-54a12a745905
9f95f736-0f62-4214-a4b4-caa6738d4c07

SideFind items that need to be deleted, if found:

A3FDD654-A057-4971-9844-4ED8E67DBBB8
339D8AFF-0B42-4260-AD82-78CE605A9543
D0288A41-9855-4A9B-8316-BABE243648DA
8CBA1B49-8144-4721-A7B1-64C578C9EED7
A36A5936-CFD9-4B41-86BD-319A1931887F
58634367-D62B-4C2C-86BE-5AAC45CDB671
10E42047-DEB9-4535-A118-B3F6EC39B807
8CBA1B49-8144-4721-A7B1-64C578C9EED7

Altnet items that need to be deleted, if found:

1717a4a5-d63a-4f70-b373-ae4aa46d1236
5c40012d-44ca-11d7-8411-0002a5f9d08e
c809ee32-c648-459b-9a99-5cb20f61dcfc
dae64161-491d-11d5-ab93-00d0b760b4eb
1d3bce37-7834-4579-8169-e67681420a98
9bbcf06c-dcd7-495d-80df-cdd5399d0ff8
c15b7ea2-a360-43e8-a591-5faedc7c4e1d
def37997-d9c9-4a4b-bf3c-88f99eaceec2
e813099d-5529-47f4-9b37-4afafcb00a43
16097036-894c-4c00-a61f-93ca0d49a70e
1b540d44-3f61-4394-ae30-25fdc3649405
258a3625-183b-4477-aee2-ea54df6d878d
29e825aa-13bc-457c-806a-d72e4a25b3c5
2ed5af98-9258-45ba-b79b-06625c92f662
700dc0dd-f409-42e0-9de5-21ee1a2ba9fd
91d91d21-8008-429d-821c-7266aac84a9f
9d4548ce-92fd-4c6c-ae7f-3dbe3bc763d8
ad5bc1f0-72d8-44b3-8e3d-8e8fecce43fb
ce9b37ec-d243-47a2-83db-3a8350175193
d273d427-57c6-4b12-860f-bbb8195f6e2a
e79dadc6-18d0-4a2a-831f-d196d41f8438
e813099d-5529-47f4-9b37-4afafcb00a43
fd42f6d3-7ab1-470c-979b-7996edc99099
1d6711c8-7154-40bb-8380-3dea45b69cbf
80e81a0e-9741-4fbc-8ee3-3b78c04ada1d

DyFuca items that need to be deleted, if found:

00000010-6f7d-442c-93e3-4a4827c2e4c8
8f4e5661-f99e-4b3e-8d85-0ea71c0748e4
a3fdd654-a057-4971-9844-4ed8e67dbbb8
cea206e8-8057-4a04-ace9-ff0d69a92297
f7f808f0-6f7d-442c-93e3-4a4827c2e4c8
40b1d454-9ca4-43cc-86aa-cb175eac52fb
58634367-d62b-4c2c-86be-5aac45cdb671

Ok, whew, I think that's enough for now...you still have a lot more to go! I hate when stuff gets left behind in the registry because it's hard to find!

Edited by bananafanafo, 05 June 2005 - 01:15 AM.