New HJT log, pls help me to clean up

Hi,

I have seen couple of hjt requests. Actually it is fairly simple to analyse your HJT log using www.castlecops.com/HijackThis.html .
Simply go to the site and for each entry in your HJT log identify to which category it belongs. e.g. if O2 then follow the next step on the site --- TonyK's BHO & Toolbar List --
Using this you can yourself analyze your HJT log.

cheers,
aj.wh.ca

Go to C:\Program Files\BitComet and right-click on BitComet.exe and choose 'Scan for viruses'

Do you know what this is for?
O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe
If not, see if you can find what folder it is in, then right-click on the .exe file, go to Properties, and post whatever info you can find on it

If you didn't put these in your 'Trusted Zone,' have HJT fix them:

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

Reboot, close all browser windows, scan with HJT, post a new log, and describe what problem(s) you are having.

Thanks dlh6213,

There is no virus in BitComet.exe

Properties of ACTIVE TEST POKE.exe:
File Type: Application
ACTIVE TEST POKE
Size: 236 KB
Created: 15 January 2005
Modified 24 March 2005

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
Already fixed with HJT

Are these enough infor for you?

New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:18:23 p.m., on 25/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Download\Spyware & Anti-virus Programmes\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ad Annihilator Kernel - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Ad Annihilator - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Bin Two Mode Upload] C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo\DEBUG PHONE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250
O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245
O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256
O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254
O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253
O8 - Extra context menu item: [Locate target document] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255
O8 - Extra context menu item: [Open all links] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247
O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251
O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252
O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246
O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I can't find any info on Ball Peak or ACTIVE TEST POKE, which leads me to believe it's not a legit program. If you don't think you installed anything related to this, I would suggest removing it, but you may wish to do more research yourself or wait for confirmation from someone else here one way or the other. What folder is this in, by the way?

I also see you are using DAP which is not technically malware, but it may allow it into your system. I would strongly recommend uninstalling it.

Scan with HJT and have it fix the following entries:

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Bin Two Mode Upload] C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo\DEBUG PHONE.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

Be sure all windows are closed, other the HJT, before hitting the Fix button

Go to the following and remove the highlighted folder (if found):

C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo
(That All Users.WINDOWS is an unusual folder, you may want to have a look to see what else is in there; it could be that whole folder should be deleted)

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.

Empty your Recycle Bin.

Reboot, close any open browser windows, scan with HJT and post a new log please.

Thanks dlh6213.
I have run HJT and fixed :
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Bin Two Mode Upload] C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo\DEBUG PHONE.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
But the last two still appear when I run HJT again. Should they be there?

I checked and found under the folder All Users.WINDOWS:
Application:
+Adobe Acrobat 7.0
+Ahead NeroDigital
+CyberLink
+Hypebar
+locksbowsstupidextra
+Microsoft
+Microsoft Help
+MSN Messenger7.0.0429
+QuickTime
+Spybot - Search&Destroy
+Trymedia
+WebFunkBinTwo
Destop:
Favorites:
Shared Documents:
Start Menu:
Templates:
Can I delete all contents and not affecting my operations of the computer?

There is also a Default User.WINDOWS folder in Documents & Settings folder, together with other folders which I believe I didn't create. Is is safe to delete all those folders? I open the User Accounts in Control Panel but can only see three accounts namely Games, JK and Guest. I see more in Documents & Settings. Can you explain?

Pls comment and I will do the rest and report back with new HJT log.

Fox

just a note ,bitcomet is a torrent download tool !Safe

There is also a Default User.WINDOWS folder in Documents & Settings folder, together with other folders which I believe I didn't create. Is is safe to delete all those folders? I open the User Accounts in Control Panel but can only see three accounts namely Games, JK and Guest. I see more in Documents & Settings. Can you explain?

Has the computer ever been part of a domain (as opposed to just a workgroup)? When you set up user accounts in a domain environment, the individual user folders under Documents and Settings that get created in the process use the "dotted" naming convention that your folders have. The word before the dot in the username, and the word after the dot will be either the domain name or the name of local computer.

1. Delete the following two folders entirely; they were created as part of the infection:

C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1
C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo

2. You'll probably have to edit your Registry to get rid of the "crazywinnings" entries; they'll just keep reappearing if you don't.

- First, remove the site from your Trusted Zone:
Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove

- Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and hit OK. This will open the Registry Editor program.

- In the editor, press F3 to bring up the Find window, type crazywinnings in the find box, and hit enter. There may be more than one "crazywinnings" entry, so you need to keep repeating the find until you get the message "finished searching through the registry". Delete all instances of "crazywinnings" entries you find.

Do not deleteor modify anything else in the registry!!!

I can't delete C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo, it says it is being used by another person or program. But I can't see what program is using this DEBUG.PHONE

This is my new HJT log. Is there anything I need to fix?

Logfile of HijackThis v1.99.1
Scan saved at 10:09:44 a.m., on 4/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Spyware & Anti-virus Programmes\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ad Annihilator Kernel - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O3 - Toolbar: &Ad Annihilator - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250
O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245
O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256
O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254
O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253
O8 - Extra context menu item: [Locate target document] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255
O8 - Extra context menu item: [Open all links] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247
O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251
O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252
O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246
O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

I have run LOPREMOVER and all lop removal completed. Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:38 p.m., on 6/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Spyware & Anti-virus Programmes\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ad Annihilator Kernel - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O3 - Toolbar: &Ad Annihilator - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250
O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245
O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256
O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254
O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253
O8 - Extra context menu item: [Locate target document] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255
O8 - Extra context menu item: [Open all links] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247
O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251
O8 - Extra context menu item: [Show/hide menu and toolbars] Ctrl+Alt+M - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252
O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246
O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: (no name) - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {5300D45F-2512-49DB-80D2-804A75E65664} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {8131EDD7-9F34-4F7E-8B18-708D21B32888} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Log looks good, but I do not recognise these entries;

O2 - BHO: Ad Annihilator Kernel - {D880FC15-AF5D-4929-9FB5-F06D01CDF70C} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL
O3 - Toolbar: &Ad Annihilator - {B2A8E0D7-5764-433D-A89B-2332B9D9BE00} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL

What can you tell me about them?

Hey Chris,

Those are components of yet another ad blocking, etc. program called Ad Annihilator. I don't know how good it actually is, but from what I've read it's at least legit.

Thanks Dave.

Welcome.

I wasn't able to get to spywarewarrior earlier (connection refused) to check the rogue/suspect list, but I just went there now and found no listing for Ad Annihilator, so I guess that's a Good Thing.

First of all could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

I am running avast! on another computer which stops me from downloading Lop Remover. I shut the anti-virus down and download the Lop Remover, but when I tried to run lopremover.exe, it warns me that it is a malware by the name of Win32: Trojan-gen Virus/Worm. Pls let me know what should I do.

foxkueh

It sounds as though one of your anti-virus/anti-spyware programs is still active in some way and is blocking your attempt to run the LOP removal utility, perhaps because the utility itself contains the word "lop".

You'll need to find out which program is stopping you from runnning the utility and make sure that program is entirely shut down; just choosing "Disable" from a program's options doesn't always completely turn it off if the program is already up and running.

Hi DMR,
Sorry I didn't explain clearly. After I downloaded lopremover.exe, I turn avast! back on again before running the utility. I guess my question should be: is it safe to run the utility even avast! warns it contains a malware by the name of Win32: Trojan-gen Virus/Worm? I want to be sure it will not harm my security.
foxkueh

I have recommended the use of the uninstaller countless times and have not had one user return saying that it caused problems with their PC :).

I have recommended the use of the uninstaller countless times and have not had one user return saying that it caused problems with their PC :).

Agreed. The LOP removal utility is entirely legit, but as I said before- one of your other detection/protection tools my be warning you simply because its name contains "lop".

I have recommended the use of the uninstaller countless times and have not had one user return saying that it caused problems with their PC :).

Agreed but avast! seems to think lopremover.exe is a virus. I ran the utility on another computer using 'avwinsfx' anti-virus and it is ok. No problem, but every time I ran the utility on this computer using avast! the warning keeps popping up. I may have to disable the avast! first before running the utility.

foxkueh

Yep :).......

Yes, disable Avast. Different malware detection and removal utilities don't always coexist peacefully. Sometimes one utility will incorrectly interpret the actions of a second utility as abnormal/viral behaviour and will (or will attempt to) keep the second utility from doing its job.

Thanks guys for your advice. I have done as suggested. Even more, I disabled the internet connection in case some opportunistic hackers get in when the door is open.
foxkueh

Even more, I disabled the internet connection in case some opportunistic hackers get in when the door is open.
foxkueh

Good thinking.

Did the LOP remover have anything informative to say? How are things running now?

Good thinking.

Did the LOP remover have anything informative to say? How are things running now?

I don't think I notice any LOP been removed. No information. Things are running alright now, but Adaware SE can always pick up some minor things, the tracking type. Is there a way to stop them from coming in?

foxkueh

In internet options you need to change your cookie handling to 'prompt' whenever a site wants to install a cookie on your PC. The ones you want you accept and tick the box to remember the answer. Same for the bad, but you don't accept them.