A Windows 98 & ME forum. Win98banter


system restore



 
 
#21
June 20th 04, 10:32 PM
Kelly Smith

Noel, here is the latest chapter of the saga. I just
downloaded shredder and hijack a couple of days ago.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 5:18:33 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window
Title = Microsoft Internet Explorer provided by Comcast
High-Speed Internet
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-
6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0
\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-
905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-
11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1
\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1
\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM
FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program
Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER]
C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe]
C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks]
C:\Program Files\Common Files\Symantec
Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program
Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program
Files\Dell\Resolution
Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1
\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
(Symantec RuFSI Registry Information Class) -
http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.
cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/s...cabs/flash/swf
lash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE}
(Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CA
B?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee
PC Clinic OilChange Class) -
http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee
OilChange Multi-Product Support Filter) -
http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee
PC Clinic Internet Class) -
http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee
Clinic TreeView Class) -
http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}
(Support.com Configuration Class) -
http://www.comcastsupport.com/sdccom...oad/tgctlcm.ca
b
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
(DmiReader Class) -
http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits
Software XUpload) -
http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} -
http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
(McFreeScan Class) - http://download.mcafee.com/molbin/iss-
loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
(Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/S...ent/vc/bin/AvS
niff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
(Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/S...ent/common/bin
/cabsa.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
OK - seems CWShredder didn't do as much as we hoped it would (
(maybe a new variant? - you did get the latest download (v1.59), didn't you?)
OK run HJT again, and this time ask it to fix the following items.....
Then reboot, scan with HJT again, and post the new log

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

(Strictly not a problem - but I've seen it cause problems on my system)

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...rs/MetaStream3.cab?url=http://www.samsungusa.com/cgi-bin/nabc/campaign/voom/b2c_sweeps_voom.jsp




--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Kelly Smith" wrote in message
...
Noel, ok ran shredder in safe mode and got a clean report.
Uninstalled Norton Virus but not the utilities. Can do if
necessary. I can always run it from the CD. Here is the
last report on hijack this. Always glad to have mike on
board.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 2:56:11 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC

SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON
ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start
Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window
Title = Microsoft Internet Explorer provided by Comcast
High-Speed Internet
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-

8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-
00400515CAAA} - (no file)
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-
6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-
C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL
(file missing)
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0
\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-
FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-

B683-
905236F6F655} - C:\PROGRAM

FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-

423F-
11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1
\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program
Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1
\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM
FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program
Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER]
C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe]
C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks]
C:\Program Files\Common Files\Symantec
Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile]

Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program
Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program
Files\Dell\Resolution
Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1
\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
(Symantec RuFSI Registry Information Class) -

http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.
cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -

http://download.macromedia.com/pub/s...cabs/flash/swf
lash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
(PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE}
(Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F}

(Update
Class) -

http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CA
B?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC}

(McAfee
PC Clinic OilChange Class) -

http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52}

(McAfee
OilChange Multi-Product Support Filter) -
http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2}

(McAfee
PC Clinic Internet Class) -
http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000}

(McAfee
Clinic TreeView Class) -
http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}
(Support.com Configuration Class) -

http://www.comcastsupport.com/sdccom...oad/tgctlcm.ca
b
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
(DmiReader Class) -

http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003}

(Persits
Software XUpload) -
http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} -
http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
(McFreeScan Class) -

http://download.mcafee.com/molbin/iss-
loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
(Symantec AntiVirus scanner) -

http://security.symantec.com/sscv6/S...ent/vc/bin/AvS
niff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
(Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/S...ent/common/bin
/cabsa.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E}
(MetaStreamCtl Class) -

https://components.viewpoint.com/MTS...rs/MetaStream3.
cab?url=http://www.samsungusa.com/cgi-
bin/nabc/campaign/voom/b2c_sweeps_voom.jsp
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) -

http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
Well - she said that she'd already run it! - I only hope that she hadn't,
and we don't have a system so stuffed that it's going to have to be a manual
removal of everything


--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Mike M" wrote in message
...
I'm waiting to see Kelly's HijackThis log after running CWShredder to see if
it does anything about wtoolsa.
--
Mike Maltby MS-MVP





#22
June 20th 04, 10:37 PM
Mike M

May I ask why you didn't at least remove WinTools as suggested by both Noel
and myself?
--
Mike Maltby MS-MVP



Kelly Smith wrote:

Noel, here is the latest chapter of the saga. I just
downloaded shredder and hijack a couple of days ago.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 5:18:33 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar =
http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window
Title = Microsoft Internet Explorer provided by Comcast
High-Speed Internet
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-
6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0
\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-
905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-
11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1
\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1
\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM
FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program
Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER]
C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe]
C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks]
C:\Program Files\Common Files\Symantec
Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program
Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program
Files\Dell\Resolution
Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1
\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
(Symantec RuFSI Registry Information Class) -
http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.
cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/s...cabs/flash/swf
lash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE}
(Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CA
B?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee
PC Clinic OilChange Class) -
http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee
OilChange Multi-Product Support Filter) -
http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee
PC Clinic Internet Class) -
http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee
Clinic TreeView Class) -
http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}
(Support.com Configuration Class) -
http://www.comcastsupport.com/sdccom...oad/tgctlcm.ca
b
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
(DmiReader Class) -
http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits
Software XUpload) -
http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} -
http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
(McFreeScan Class) - http://download.mcafee.com/molbin/iss-
loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
(Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/S...ent/vc/bin/AvS
niff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
(Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/S...ent/common/bin
/cabsa.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
OK - seems CWShredder didn't do as much as we hoped it would (
(maybe a new variant? - you did get the latest download (v1.59), didn't you?)
OK run HJT again, and this time ask it to fix the following items.....
Then reboot, scan with HJT again, and post the new log

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

(Strictly not a problem - but I've seen it cause problems on my system)

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...rs/MetaStream3.cab?url=http://www.samsungusa.com/cgi-bin/nabc/campaign/voom/b2c_sweeps_voom.jsp




--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Kelly Smith" wrote in message
...
Noel, ok ran shredder in safe mode and got a clean report.
Uninstalled Norton Virus but not the utilities. Can do if
necessary. I can always run it from the CD. Here is the
last report on hijack this. Always glad to have mike on
board.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 2:56:11 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL (file missing)
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER] C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...oad/tgctlcm.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...ent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S...ent/common/bin/cabsa.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...rs/MetaStream3.cab?url=http://www.samsungusa.com/cgi-bin/nabc/campaign/voom/b2c_sweeps_voom.jsp
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
Well - she said that she'd already run it! - I only hope that she hadn't,
and we don't have a system so stuffed that it's going to have to be a manual
removal of everything


--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Mike M" wrote in message
...
I'm waiting to see Kelly's HijackThis log after running CWShredder to see
if it does anything about wtoolsa.
--
Mike Maltby MS-MVP







  #23  
Old June 20th 04, 10:48 PM
Kelly Smith
external usenet poster
 
Posts: n/a
Default system restore

Mike, sorry must have missed it. Will check it out. I'm
just an amateur.
thx
Kelly
-----Original Message-----
May I ask why you didn't at least remove WinTools as suggested by both Noel
and myself?
--
Mike Maltby MS-MVP



Kelly Smith wrote:

Noel, here is the latest chapter of the saga. I just
downloaded shredder and hijack a couple of days ago.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 5:18:33 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER] C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...oad/tgctlcm.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...ent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S...ent/common/bin/cabsa.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
OK - seems CWShredder didn't do as much as we hoped it would
(maybe a new variant? - you did get the latest download (v1.59), didn't you?)
OK run HJT again, and this time ask it to fix the following items.....
Then reboot, scan with HJT again, and post the new log

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
(Strictly not a problem - but I've seen it cause problems on my system)

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...rs/MetaStream3.cab?url=http://www.samsungusa.com/cgi-bin/nabc/campaign/voom/b2c_sweeps_voom.jsp



--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

  #24  
Old June 20th 04, 10:50 PM
Mike M
external usenet poster
 
Posts: n/a
Default system restore

I don't quite understand since you were replying to Noel's post in which he
told you some of what you needed to remove. My post made a few minutes
earlier also gave details of what to do to remove WinTools. Ah well, perhaps
you could try reading those posts again. :-)
--
Mike Maltby MS-MVP



Kelly Smith wrote:

Mike, sorry must have missed it. Will check it out. I'm
just an amateur.
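
The check the helpers in this thread are doing by eye, as an added example that is not part of any post: after "fix, reboot, rescan", find which fix-list items are still in the new HijackThis log. The sample text is retyped from the logs quoted in this thread with the mail wrapping kept; the function names are this example's own, and running-process lines are deliberately ignored.

```python
import re

# HijackThis item lines start with a section code: "R1 - ", "F1 - ", "O2 - ", "O16 - " ...
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")


def _identity(parts):
    """Identity of one item, computed with ALL whitespace removed.

    Each quote of the same log is wrapped at different points (inside CLSIDs,
    inside paths, with stray spaces), so whitespace cannot be trusted.
    """
    squeezed = re.sub(r"\s+", "", "".join(parts)).upper()
    section = squeezed.split("-", 1)[0]
    clsid = CLSID.search(squeezed)
    # Items that carry a CLSID are matched on section + CLSID, so a BHO whose
    # file path changed between scans is still recognised as the same item.
    return (section, clsid.group(0) if clsid else squeezed)


def parse_entries(text):
    """Rejoin wrapped item lines; return {identity: item text joined with spaces}."""
    entries, current = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----") or ENTRY_START.match(line):
            if current:
                entries[_identity(current)] = " ".join(current)
            # "-----Original Message-----" ends the log; an item prefix starts a new item.
            current = [line] if ENTRY_START.match(line) else []
        elif line and current:
            current.append(line)  # continuation of a wrapped item
    if current:
        entries[_identity(current)] = " ".join(current)
    return entries


def compare(fix_list_text, rescan_text):
    """Split the fix-list items into those gone from the rescan and those still there."""
    wanted = parse_entries(fix_list_text)
    rescan = parse_entries(rescan_text)
    return {
        "persisting": [k for k in wanted if k in rescan],
        "cleared": [k for k in wanted if k not in rescan],
    }


# Excerpt of the fix list, wrapped as it appears when quoted in the thread.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-

B23D-
3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL

O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-
FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
"""

# Excerpt of the later scan (5:18:33 PM), wrapped differently on purpose.
RESCAN = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE

R3 - URLSearchHook: (no name) - {87766247-311C-43B4- 8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1 \WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-
8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1
\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-

B683-
905236F6F655} - C:\PROGRAM

FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
-----Original Message-----
OK - seems CWShredder didn't do as much as we hoped it would
"""

if __name__ == "__main__":
    result = compare(FIX_LIST, RESCAN)
    for label in ("persisting", "cleared"):
        for section, key in result[label]:
            print(f"{label:10} {section:3} {key}")
```
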



  #25  
Old June 20th 04, 10:59 PM
Kelly Smith
external usenet poster
 
Posts: n/a
Default system restore

Mike, I went back and checked that box but it keeps coming
back. Did you mean to go to add/remove? In there I have
wintools easy installer, wintools for internet explorer
and wintools for internet explorer v2
thx
Kelly
-----Original Message-----
May I ask why you didn't at least remove WinTools as suggested by both Noel
and myself?
--
Mike Maltby MS-MVP



Kelly Smith wrote:

Noel, here is the latest chapter of the saga. I just
downloaded shredder and hijack a couple of days ago.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 5:18:33 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER] C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program
Files\Dell\Resolution
Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1
\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
(Symantec RuFSI Registry Information Class) -

http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.
cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -

http://download.macromedia.com/pub/s...cabs/flash/swf
lash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE}
(Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F}

(Update
Class) -

http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CA
B?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC}

(McAfee
PC Clinic OilChange Class) -

http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52}

(McAfee
OilChange Multi-Product Support Filter) -
http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2}

(McAfee
PC Clinic Internet Class) -
http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000}

(McAfee
Clinic TreeView Class) -
http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}
(Support.com Configuration Class) -

http://www.comcastsupport.com/sdccom...oad/tgctlcm.ca
b
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
(DmiReader Class) -

http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003}

(Persits
Software XUpload) -
http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} -
http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
(McFreeScan Class) -

http://download.mcafee.com/molbin/iss-
loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
(Symantec AntiVirus scanner) -

http://security.symantec.com/sscv6/S...ent/vc/bin/AvS
niff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
(Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/S...ent/common/bin
/cabsa.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) -

http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
OK - seems CWShredder didn't do as much as we hoped it would (
(maybe a new variant? - you did get the latest download (v1.59), didn't you?)
OK run HJT again, and this time ask it to fix the following items.....
Then reboot, scan with HJT again, and post the new log

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=40

R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-

B23D-
3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-
C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-
00400515CAAA} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-
FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-

A59F-
29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
(PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
(Strictly not a problem - but I've seen it cause problems on my system)

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -

http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E}
(MetaStreamCtl Class) -


https://components.viewpoint.com/MTS...rs/MetaStream3.
cab?url=http://www.samsungusa.com/cgi-
bin/nabc/campaign/voom/b2c_sweeps_voom.jsp



--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Kelly Smith" wrote in message
...
Noel, ok ran shredder in safe mode and got a clean report.
Uninstalled Norton Virus but not the utilities. Can do if
necessary. I can always run it from the CD. Here is the
last report on hijack this. Always glad to have mike on
board.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 2:56:11 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC

SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON
ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start
Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window
Title = Microsoft Internet Explorer provided by

Comcast
High-Speed Internet
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet
Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-

8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-
00400515CAAA} - (no file)
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-
6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-
C581AC420D41} - C:\PROGRA~1\COMMON~1

\WINTOOLS\BTIEIN.DLL
(file missing)
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0
\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-
FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-

B683-
905236F6F655} - C:\PROGRAM

FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-

423F-
11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1
\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program
Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1
\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM
FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program
Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER]
C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1
\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program
Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe]
C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton

SystemWorks]
C:\Program Files\Common Files\Symantec
Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1
\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile]

Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr]
C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor]
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program
Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program
Files\Dell\Resolution
Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1
\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}
(Symantec RuFSI Registry Information Class) -


http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.
cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -


http://download.macromedia.com/pub/s...cabs/flash/swf
lash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
(QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
(PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE}
(Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F}

(Update
Class) -


http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CA
B?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC}

(McAfee
PC Clinic OilChange Class) -


http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52}

(McAfee
OilChange Multi-Product Support Filter) -

http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2}

(McAfee
PC Clinic Internet Class) -

http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000}

(McAfee
Clinic TreeView Class) -
http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
(YInstStarter Class) -
http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -

http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}
(Support.com Configuration Class) -


http://www.comcastsupport.com/sdccom...oad/tgctlcm.ca
b
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7}
(DmiReader Class) -


http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003}

(Persits
Software XUpload) -
http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} -
http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
(McFreeScan Class) -

http://download.mcafee.com/molbin/iss-
loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
(Symantec AntiVirus scanner) -


http://security.symantec.com/sscv6/S...ent/vc/bin/AvS
niff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
(Symantec RuFSI Utility Class) -


http://security.symantec.com/sscv6/S...ent/common/bin
/cabsa.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E}
(MetaStreamCtl Class) -


https://components.viewpoint.com/MTS...rs/MetaStream3.
cab?url=http://www.samsungusa.com/cgi-
bin/nabc/campaign/voom/b2c_sweeps_voom.jsp
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) -

http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
Well - she said that she'd already run it! - I only hope that she hadn't,
and we don't have a system so stuffed that it's going to have to be a manual
removal of everything


--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Mike M" wrote in message
...
I'm waiting to see Kelly's HijackThis log after running CWShredder to see
if it does anything about wtoolsa.
--
Mike Maltby MS-MVP





  #26  
Old June 20th 04, 11:02 PM
Mike M
external usenet poster
 
Posts: n/a
Default system restore

Kelly,

If you were to read my earlier message you would find I mentioned:
"Now check Add/Remove Programs and uninstall any entry for WinTools". So yes,
you need to uninstall all entries that refer to WinTools, this is a parasite
that causes problems to users when browsing the web.

So uninstall WinTools and then after booting into Safe Mode try carrying out
the various other steps I set out.

Best of luck.
--
Mike Maltby MS-MVP



Kelly Smith wrote:

Mike, I went back and checked that box but it keeps coming
back. Did you mean to go to add/remove? In there I have
wintools easy installer, wintools for internet explorer
and wintools for internet explorer v2
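
Added example, not part of any post in this thread: the helpers' workflow here (fix the flagged items, reboot, re-scan, post the new log) comes down to checking which flagged entries survive into the follow-up scan. The Python sketch below re-joins the hard-wrapped HijackThis lines and compares a fix list against a later log; the function names and the two sample excerpts are constructed for illustration from lines quoted in this thread.

```python
import re

# Section codes that open a HijackThis entry (R0-R3, F0-F3, N1-N4, O1-Onn);
# the logs on this page use R0, R1, R3, F1, O2, O3, O4, O9, O12 and O16.
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -(?:\s|$)")
PROCESS_START = re.compile(r"^[A-Za-z]:\\")  # a path in "Running processes"
END_OF_LOG = re.compile(r"^-{2,}")           # quoted-mail marker or "--" signature


def parse_items(text):
    """Re-join wrapped lines into one string per process path or entry."""
    items = []
    seen_entry = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines come from the re-wrap
        if END_OF_LOG.match(line):
            break
        if ENTRY_START.match(line):
            seen_entry = True
            items.append(line)
        elif not seen_entry and PROCESS_START.match(line):
            items.append(line)            # process list precedes the entries
        elif items:
            prev = items[-1]
            # No space when the wrap split a path ("\...") or a hyphenated CLSID/URL.
            glue = "" if line.startswith("\\") or re.search(r"\S-$", prev) else " "
            items[-1] = prev + glue + line
    return items


def key(item):
    """Comparison key: wrapping loses whitespace and case, so ignore both."""
    return re.sub(r"\s+", "", item).upper()


def compare(fix_list_text, followup_log_text):
    """Return (still_present, cleared) for the flagged items."""
    present = {key(i) for i in parse_items(followup_log_text)}
    still, cleared = [], []
    for item in parse_items(fix_list_text):
        (still if key(item) in present else cleared).append(item)
    return still, cleared


# Constructed sample: a subset of the items flagged for fixing in this thread.
FIX_LIST = r"""
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=40

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-

B23D-
3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-
C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
"""

# Constructed sample: an excerpt of the later (5:18 PM) log, wrapped as posted.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 5:18:33 PM, on 6/20/2004

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC

SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-

8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL
O4 - HKLM\..\Run: [ScanRegistry]
C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
-----Original Message-----
"""

if __name__ == "__main__":
    still, cleared = compare(FIX_LIST, FOLLOWUP_LOG)
    print("Still present after the fix:")
    for item in still:
        print("  " + item)
    print("Cleared:")
    for item in cleared:
        print("  " + item)
```

On these excerpts the WinTools processes, BHO and Run entry are all still present while the TOOLBAR.DLL and BTIEIN.DLL items are gone, which matches the helpers' advice to uninstall WinTools before scanning again.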



  #27  
Old June 20th 04, 11:13 PM
Noel Paton
external usenet poster
 
Posts: n/a
Default system restore

YES - uninstall them, and then try HJT again

--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f.../Mar27pmvp.asp

"Kelly Smith" wrote in message
...
Mike, I went back and checked that box but it keeps coming
back. Did you mean to go to add/remove? In there I have
wintools easy installer, wintools for internet explorer
and wintools for internet explorer v2
thx
Kelly
-----Original Message-----
May I ask why you didn't at least remove WinTools as suggested by both Noel
and myself?
--
Mike Maltby MS-MVP



Kelly Smith wrote:

Noel, here is the latest chapter of the saga. I just
downloaded shredder and hijack a couple of days ago.
thx
Kelly

-----Original Message-----
OK - seems CWShredder didn't do as much as we hoped it would (
(maybe a new variant? - you did get the latest download (v1.59), didn't you?)
OK run HJT again, and this time ask it to fix the following items.....
Then reboot, scan with HJT again, and post the new log

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search
Bar = http://www.websearch.com/ie.aspx?tb_id=40

R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-

B23D-
3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-
C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-
1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-
00400515CAAA} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-
3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-
FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-

A59F-
29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
(PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
(Strictly not a problem - but I've seen it cause problems on my system)

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -

http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E}
(MetaStreamCtl Class) -


https://components.viewpoint.com/MTS...rs/MetaStream3.
cab?url=http://www.samsungusa.com/cgi-
bin/nabc/campaign/voom/b2c_sweeps_voom.jsp



--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Kelly Smith" wrote in message
...
Noel, ok ran shredder in safe mode and got a clean report.
Uninstalled Norton Virus but not the utilities. Can do if
necessary. I can always run it from the CD. Here is the
last report on hijack this. Always glad to have mike on
board.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 2:56:11 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC
SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON
ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL (file missing)
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER] C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...oad/tgctlcm.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...ent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S...ent/common/bin/cabsa.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...rs/MetaStream3.cab?url=http://www.samsungusa.com/cgi-bin/nabc/campaign/voom/b2c_sweeps_voom.jsp
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
Well - she said that she'd already run it! - I only hope that she hadn't,
and we don't have a system so stuffed that it's going to have to be a manual
removal of everything

--
Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/f...2001/Mar01/Mar27pmvp.asp

"Mike M" wrote in message
...
I'm waiting to see Kelly's HijackThis log after running CWShredder to see
if it does anything about wtoolsa.
--
Mike Maltby MS-MVP

  #28  
Old June 20th 04, 11:56 PM
Kelly Smith
external usenet poster
 
Posts: n/a
Default system restore

Noel and Mike, hopefully I got most of what you said to do.
There were 2 wintools boxes in the startup menu but
neither was checked. After the last reboot system restore
was available. I sure am not going back. Will send a final
log to see if I missed anything. I have been griping about
my system resources for a couple of months. Hopefully that
will be helped also.
thx
Kelly

Logfile of HijackThis v1.97.7
Scan saved at 6:47:34 PM, on 6/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\DELL\DRIVERS\498FF\SETUP\PROGRAM\POINT32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\DESKTOP\NEW\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [POINTER] C:\DELL\Drivers\498FF\Setup\Program\point32.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: RSRCMTR.lnk = C:\WINDOWS\RSRCMTR.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Shar...t/sc/bin/cabsa.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co.../ansi/iuctl.CAB?37875.8781828704
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...oad/tgctlcm.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50016/btiein.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...ent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S...ent/common/bin/cabsa.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
-----Original Message-----
Kelly,

If you were to read my earlier message you would find I mentioned:
"Now check Add/Remove Programs and uninstall any entry for WinTools". So yes,
you need to uninstall all entries that refer to WinTools, this is a parasite
that causes problems to users when browsing the web.

So uninstall WinTools and then after booting into Safe Mode try carrying out
the various other steps I set out.

Best of luck.
--
Mike Maltby MS-MVP

Kelly Smith wrote:

Mike, I went back and checked that box but it keeps coming
back. Did you mean to go to add/remove? In there I have
wintools easy installer, wintools for internet explorer
and wintools for internet explorer v2

  #29  
Old June 21st 04, 12:31 AM
Mike M
external usenet poster
 
Posts: n/a
Default system restore

Kelly,

It's late here and I know that Noel won't be posting again until tomorrow so
you'll have to make do with me until then.

Well, you've got system restore back so that's progress! Well done.

The HijackThis log is looking a lot better than before but there are still a
couple of entries I don't like the look of including:
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
For more details of this parasite see
http://doxdesk.com/parasite/SuperBar.html

You could also uncheck the following in MSConfig | Startup as it's just a
reminder to register your SBLive.
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

Finally, as Noel pointed out, you might want to rid yourself of the following
if your PC is now out of warranty as they are only used by Dell when you ask
for remote support,
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

Cheers,
--
Mike Maltby MS-MVP



Kelly Smith wrote:

Noel and Mike, hopefully I got most of what you said to do.
There were 2 wintools boxes in the startup menu but
neither was checked. After the last reboot system restore
was available. I sure am not going back. Will send a final
log to see if I missed anything. I have been griping about
my system resources for a couple of months. Hopefully that
will be helped also.
thx
Kelly

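
The before/after comparison that the reply above makes by eye can be scripted. The Python below is an added example, not part of the thread or of HijackThis: it folds hard-wrapped log lines back into whole entries and diffs two scans. The samples are constructed by abridging the two logs posted in this thread; the function names and the watchlist are assumptions made for the illustration.

```python
import re

# Section codes used by HijackThis 1.97.x entries: R0-R3, F0-F3, N1-N4, O1 upward.
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) -(?:\s|$)")

# Constructed samples: entries abridged from the two scans posted in the thread,
# kept hard-wrapped (stray blank lines and spaces included) as a newsreader leaves them.
BEFORE = r"""
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,SearchAssistant =
http://www.websearch.com/ie.aspx?tb_id=40
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-
6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-
3D5FEC94A183} - C:\PROGRA~1\COMMON~1

\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: SuperBar - {EA18136F-9840-4C4C-8FAE-
FA407C86058B} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
-----Original Message-----
"""

AFTER = r"""
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-
6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
"""


def glue(prev, nxt):
    """Heuristic separator for a wrap point: nothing inside a GUID, path or URL."""
    if prev.endswith(" -"):                      # wrapped right after a field dash
        return " "
    if prev.endswith(("-", "\\", "/")) or nxt.startswith(("\\", "/")):
        return ""
    return " "


def fold_entries(text):
    """Reassemble hard-wrapped log lines into one string per entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                             # blank lines occur inside re-quoted entries
        if line.startswith("-----"):             # quoted-mail separator ends the log
            break
        if ENTRY_START.match(line):
            if current is not None:
                entries.append(current)
            current = line
        elif current is not None:                # continuation of the entry being built
            current += glue(current, line) + line
        # anything before the first entry (header, process list) is skipped
    if current is not None:
        entries.append(current)
    return entries


def key(text):
    """Comparison key without whitespace or case, so wrap points never matter."""
    return re.sub(r"\s+", "", text).upper()


def diff_scans(before, after):
    """Return (removed, remaining, added) entries between two scans."""
    b = {key(e): e for e in fold_entries(before)}
    a = {key(e): e for e in fold_entries(after)}
    removed = [e for k, e in b.items() if k not in a]
    remaining = [e for k, e in a.items() if k in b]
    added = [e for k, e in a.items() if k not in b]
    return removed, remaining, added


def still_flagged(entries, names):
    """Entries that mention any name on a reviewer-supplied watchlist."""
    return [e for e in entries if any(key(n) in key(e) for n in names)]


if __name__ == "__main__":
    removed, remaining, added = diff_scans(BEFORE, AFTER)
    print(len(removed), "removed;", len(remaining), "remaining;", len(added), "added")
    for entry in still_flagged(remaining, ["SuperBar", "WinTools"]):
        print("still present:", entry)
```

Because entries are compared on a whitespace-free key, the same entry wrapped differently in two pastes still matches; the folded display string can keep a stray space where a wrap fell inside a word.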



 



