Trying to remove tracks on my PC PLEASE HELP!!


kwagner_51
03-07-2005, 01:51 PM
I have run AdAware SE
Spybot S & D
and HJT

This is a new build pc Win XP SP 2
80 Gig h/d
512 RAM
1.49 GHz
AMD Pentium XP

I have had this PC since Feb 22. My 14 y/o son was looking for.... you know what . I installed cybersitter version 9.0 on the 3rd of Mar.

Before installation, I ran adaware and spybot s&d

I have a copy of all the activity on my pc. I KNOW that I DID NOT go to these sites. Yet it clearly shows that these sites are there and that someone tried to access them. I was on the pc all day yesterday...it shows someone trying to access when I was on.

Here is the latest run of HJT. Does it show anything that the other 2 missed?

Thanks!!

I can not use the proper word for what I mean. Cybersitter won't let me. I hope you can figure out what I mean. It starts with the letter P. :o


Logfile of HijackThis v1.99.1
Scan saved at 1:39:35 PM, on 3/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\CYB2K.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vinu.edu/PageWorks/servlet/PageMill
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\CYB2K.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109002217328
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9C3E8350-5873-4D8E-A1D4-DCB9E885E86D} (CYBSnoop Control) - http://www.cybersitterhelp.com/snooper/activex/AXSnoop.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Budfred
03-07-2005, 09:36 PM
Your log appears to be clean... If you are talking about erasing history files, you can use the Advanced mode of Spybot to do that... Run a full scan in the Advanced mode and it will give you a list of different histories and caches to clean out... You can select them all or only the ones that you are most concerned about... If I am not understanding, post back with more detail about what you are wanting... And I do get what the "P" word is... ;)

kwagner_51
03-07-2005, 10:06 PM
Your log appears to be clean... If you are talking about erasing history files, you can use the Advanced mode of Spybot to do that... Run a full scan in the Advanced mode and it will give you a list of different histories and caches to clean out... You can select them all or only the ones that you are most concerned about... If I am not understanding, post back with more detail about what you are wanting... And I do get what the "P" word is... ;)



On the advanced mode of Spybot...what do I click to have it check? I didn't know that was even there. :o

Do I run the "Browser Pages" only or all of them? What happens if I delete something I shouldn't? Can I post my results here?

Thanks for figuring out what the P word is :) Quite embarrassing not being able to post what I mean.

Thanks!!

PrntRhd
03-07-2005, 10:10 PM
Thanks for figuring out what the P word is Quite embarrassing not being able to post what I mean.
Rhymes with "corn".

To do S&D in Advanced mode, just click Mode and select Advanced. When it scans there will be additional items in Green you can select and Fix.

Budfred
03-07-2005, 11:09 PM
On the advanced mode of Spybot...what do I click to have it check? I didn't know that was even there. :o

Do I run the "Browser Pages" only or all of them? What happens if I delete something I shouldn't? Can I post my results here?

Thanks for figuring out what the P word is :) Quite embarrassing not being able to post what I mean.

Thanks!!
I am not really sure what you are asking... If you mean to get into Advanced mode, do as PrntRhd said... If you mean to do the scan, just click on the regular button for scanning... I am not sure what you mean by "Browser Pages" either... Please explain...

As for deleting things by mistake, you may be able to restore from Spybot, but it usually isn't that big a deal... It is mostly recent history of pages visited and such, so it just means that you may take a bit longer to reach things since the locations and images are not cached... I have fixed it all at times and it is no more than a minor inconvenience to restore whatever was removed...

nsjoe
03-09-2005, 12:15 AM
Hi Karen,
You might consider getting rid of the WeatherBug. That does some weird stuff by itself. If you can't even write the p word, I guess you have that Cybersitter turned all the way up...

kwagner_51
03-09-2005, 09:09 AM
Is there any way to remove the "corn" tracks? I keep getting animal *** sites showing up in my cyber report!! Is it ok to post the report here? It's kinda long.

Here is a small part of the report:

03/08/05 01:21:29 PM Wagner FILTERED UBID
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS.YAHOO.COM
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS.YAHOO.COM
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS.YAHOO.COM
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS.YAHOO.COM
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS
03/08/05 01:21:29 PM Wagner FILTERED +THUMBNAIL
03/08/05 01:21:29 PM Wagner FILTERED GLAMOUR
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS.YAHOO.COM
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS.YAHOO.COM
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS
03/08/05 01:21:29 PM Wagner FILTERED BULL****
03/08/05 01:21:29 PM Wagner FILTERED ANIMALSEX
03/08/05 01:21:29 PM Wagner FILTERED PERSONALS
03/08/05 01:21:29 PM Wagner FILTERED AUCTIONS
03/08/05 01:21:29 PM Wagner FILTERED CLASSIFIEDS
03/08/05 01:21:29 PM Wagner FILTERED UBID

It continually repeats from UBID . Notice the time. These all happened AT THE SAME TIME!!!!

Keep in mind that I AM ONLINE NOT my kids...cybersitter is active and I still get this junk.

I have done EVERYTHING recommended in this thread. I downloaded and installed a-squared this morning...there was NO malware!! :D


Any ideas...short of reformatting?

Thanks!!

PrntRhd
03-09-2005, 10:14 AM
Download and run the 30-day trial of Trojan Hunter. Those P*** sites are likely to have loaded something.
Trojan Hunter (http://www.misec.net/)

Also do an online scan with TrendMicro's Housecalls (http://housecall-beta.trendmicro.com/en/start_corp.asp)

Paleo Pete
03-09-2005, 12:13 PM
OK...We don't care if a person wants to surf porn, yeah I typed it...that's their business. If you don't want your kids to go there, that's completely understandable, and I doubt if anyone here would disagree. Don't worry about us seeing the word porn, we see it all the time around here and it's not usually considered an objectionable term. If you don't want to use that term, that's fine too, we're easy to get along with...

To help stop it, you can use the hosts file built into windows, but you might have to do a bit of surfing yourself that you might not like a lot...I'll post a link or two on how to use the hosts file later, what it does is redirect a URL back to your "local loopback" that's built into Windows (and Linux and MAC OS as far as I can find out.) I'm using it on a Linux machine for one of my customers.

Your local loopback IP is 127.0.0.1. Any URL placed in the hosts file in this format

127.0.0.1 www . anysite . com

will make the machine think that URL is the machine itself and will not go there. I put spaces in that so it will show as a regular line instead of a link. Use Google (http://www.google.com) to search for the keywords porn, adult pictures, whatever else you can think of that might bring up links to adult sites. Each result will have the url printed in text form below the direct link, it's in green text in my browser. Copy that URL, go to your hosts file and type 127.0.0.1 then hit the [Tab] key, then paste the URL you just copied. One of the hosts files I looked at used two spaces instead of [Tab], either should work. No need to actually go to the site, so you won't have to see anything you might not want to see such as NEKKID WOMEN!! :D

OK had to joke around a bit there...once you copy a pretty good long list of URLs into the hosts file you save it as "hosts" with NO EXTENSION and any site in that list will now be redirected back to your own machine, in other words it will not even look for the actual website, the computer thinks it IS that website. You can also block ad sites and tracking sites such as doubleclick using the hosts file.

Mike's Ad Blocking Hosts File (http://www.everythingisnt.com/hosts.html)
Windows, Linux and MAC hosts File (http://practice.chatserve.com/hosts.html)
Blocking Ads (http://pgl.yoyo.org/adservers/index.php)
Castle Cops Hosts File (http://castlecops.com/article-5660-nested-0-0.html)

Those sites will show you the format and the location of the hosts file, and some pretty good instructions on using it. Once you are familiar with the format it's easy, just a matter of knowing how to find the links you want to block and use copy & paste. If you decide to download one of the ad blocking hosts files, it will show you the format once you copy it into your existing (empty) hosts file, which starts off with only your local loopback address. Simply add sites to it in the same format and reboot, those sites will never load again. You can also use the hosts.sam file as a template then save it as hosts.

If you know how to go through your history and cookies, you can copy a lot of links that way too, from sites your computer has already visited, that way you can shut down the known sites easily. I've used the hosts file for about 3 years, it works quite well. The only websites it will not block are those having only an IP address. IP addresses are numerical computer addresses such as the local loopback, 127.0.0.1. Those you would have to block some other way.

Don't put the http:// part of a URL into the hosts file, the URL can be either domainname . com or www . domainname . com but http:// will not work.

kwagner_51
03-09-2005, 06:15 PM
How do I get to the host files on my machine? I went into search and there were none.

I was talking to the people at cybersitter and they said the things I posted above are running in the background. That I am not actually going to the sites.

Is there a hard drive scrubber/browser cleaner out there that I can use to get these sites off my machine?

Thanks!!

Budfred
03-09-2005, 08:17 PM
Well here is another approach that might work... Run this MWavScan and post the log:

http://www.mwti.net/antivirus/free_utilities.asp

You will need to use Ctrl-C to copy the log in the lower right hand corner and then paste it here...

kwagner_51
03-09-2005, 10:22 PM
I clicked everything I could click for this scan.

Options Selected by User:
Wed Mar 09 21:16:36 2005 => Memory Check: Enabled
Wed Mar 09 21:16:36 2005 => Registry Check: Enabled
Wed Mar 09 21:16:36 2005 => StartUp Folder Check: Enabled
Wed Mar 09 21:16:36 2005 => System Folder Check: Enabled
Wed Mar 09 21:16:36 2005 => System Area Check: Disabled
Wed Mar 09 21:16:36 2005 => Services Check: Enabled
Wed Mar 09 21:16:36 2005 => Drive Check: Disabled
Wed Mar 09 21:16:36 2005 => All Drive Check :Enabled
Wed Mar 09 21:16:36 2005 => Folder Check: Enabled
Wed Mar 09 21:16:36 2005 => Folder Selected = C:\WINDOWS


It ran for 45 min. Here is the log:

File C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Wagner\LOCALS~1\Temp\MiniBug.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\WIN98\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Wagner\Local Settings\Temp\MiniBug.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.



I also got 12 errors but I can only find these:

Wed Mar 09 21:17:06 2005 => ERROR!!! Invalid Entry \??\D:\INSTALL\GMSIPCI.SYS. Removing SYSTEM\CurrentControlSet\Services\GMSIPCI...

Wed Mar 09 21:17:07 2005 => ERROR!!! Invalid Entry \??\D:\NTACCESS.sys. Removing SYSTEM\CurrentControlSet\Services\NTACCESS...

Wed Mar 09 21:17:08 2005 => ERROR!!! Invalid Entry \??\D:\NTGLM7X.sys. Removing SYSTEM\CurrentControlSet\Services\SetupNTGLM7X...


Thanks!!

Budfred
03-09-2005, 11:34 PM
Are you saying you got the 12 errors running MWavScan??

I don't see anything in that log that could be causing the problem you are seeing... However, if that scan was blocked, there may be something blocking it that may be the problem...

It does sound like you have a HOSTS file hijack... Here is a page with tools and instructions for finding and fixing that... The best bet may be to simply replace it... It may be more than you want to know, but it does have a lot of good info...

http://www.mvps.org/winhelp2002/hosts.htm

kwagner_51
03-10-2005, 07:00 AM
[QUOTE=Budfred]Are you saying you got the 12 errors running MWavScan??

No, I'm saying that MWavScan found 12 errors. I copied 3 of them from the log. I couldn't find anymore.

Do I have viruses? What is the one for Win98 CAB and the one for DOS?

Will run the other scan this morning and post it here too.

Thanks!

kwagner_51
03-10-2005, 09:54 AM
[QUOTE=Paleo Pete]OK...We don't care if a person wants to surf porn, yeah I typed it...that's their business. If you don't want your kids to go there, that's completely understandable, and I doubt if anyone here would disagree. Don't worry about us seeing the word porn, we see it all the time around here and it's not usually considered an objectionable term. If you don't want to use that term, that's fine too, we're easy to get along with...

No need to actually go to the site, so you won't have to see anything you might not want to see such as NEKKID WOMEN!! :D

OK had to joke around a bit there...once you copy a pretty good [QUOTE]

Pete,

I don't mind saying Porn, the problem is cybersitter doesn't like the word. I am having a heck of a time getting to this thread because you used the word porn. This word will show up in this post because I have cybersitter set to inactive. That is the ONLY way I can view this thread. :mad:

Anyway, if cybersitter was on right now and I typed that word, when I post to the site the word will be gone and the sentence will not make sense!! The original topic was "Trying to remove PORN tracks from my PC" You can see the result. The word Porn is missing.

I hope this explains why no one would type the word 'porn' in this thread!!

Thanks!!

PrntRhd
03-10-2005, 10:11 AM
That is the problem with most filters like Cybersitter, the word "porn" is not the problem, it is the other stuff it describes that is the problem, and the sites don't have to have the P-word there to show the pics.
Back to the real problem, did you reply to Budfred's requests? Did the HOSTS replacement help?

Whyzman
03-10-2005, 11:19 AM
On a totally unrelated matter...:) I've been following the thread and it appears that you've been trying to edit using "Quote" and have not been successful.

When you close Quote, you need to put a / before the word Quote to do so. Example, [/Quote] Don't know if this was an inadvertent error or you were unaware of its necessity. ;)

kwagner_51
03-10-2005, 11:38 AM
Are you saying you got the 12 errors running MWavScan??

I don't see anything in that log that could be causing the problem you are seeing... However, if that scan was blocked, there may be something blocking it that may be the problem...

It does sound like you have a HOSTS file hijack... Here is a page with tools and instructions for finding and fixing that... The best bet may be to simply replace it... It may be more than you want to know, but it does have a lot of good info...

http://www.mvps.org/winhelp2002/hosts.htm


I have gone to the site, but I'm a little confused. Do I open "To view the HOSTS file in plain text form"? If I do, is that the stuff that is on my PC? Or is it generic? Can you lead me through this step by step?

Thanks!!

Budfred
03-10-2005, 08:27 PM
I'd suggest that you just download one of the HOSTS tools at the bottom of that page and use it to fix your HOSTS file... It is pretty straightforward, but you may have another file hidden that is making it change back... We will need to see...

I couldn't get much info on those files in the MWavScan... From what I could tell, they seem to be okay.... You could certainly get rid of MiniBug though...

kwagner_51
03-11-2005, 07:51 AM
I'd suggest that you just download one of the HOSTS tools at the bottom of that page and use it to fix your HOSTS file... It is pretty straightforward, but you may have another file hidden that is making it change back... We will need to see...

I couldn't get much info on those files in the MWavScan... From what I could tell, they seem to be okay.... You could certainly get rid of MiniBug though...

Ok, I downloaded HOSTS file Manager, but I don't know how to put the list into the hosts file. Do I put it in WordPad then merge it into the HOSTS file? If so, how do I do that?

Can I use the log from cybersitter to block the sites shown above?

Thanks!!

ErnieK
03-11-2005, 02:58 PM
Pete/Budfred etc.
If there are hidden items, could Rootkit Revealer by Sysinternals find anything that is hidden? See link below for download and details. I have never used the program. I discovered it a couple of weeks ago; see the quote below from Sysinternals. Maybe in a case like this it could be of some help.

Quote from the site below
What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Karen do not go here until you have had the OK from more knowledgeable folks than myself.
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Budfred
03-11-2005, 07:27 PM
I imagine you could use the log from CyberSitter to create a list of things to block, but there are a number of ones already created that you could simply replace yours with too...

The RootKitRevealer is what I was thinking of as the next step if we don't get some progress with the HOSTS file fix... You can go ahead and try it/post it if you would like....

kwagner_51
03-13-2005, 10:25 AM
I am away from my pc at this time. I should be able to do this when I get home.

How Do I import the files into the HOST file?

Thanks!!

Budfred
03-13-2005, 12:00 PM
The HOSTS file is just a text file, so follow the directions on that website to copy/paste the bad sites into a list with the default loopback as Paleo Pete illustrated here:

Your local loopback IP is 127.0.0.1. Any URL placed in the hosts file in this format

127.0.0.1 www . anysite . com
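Paleo Pete's hosts-file instructions earlier in the thread (loopback address first, then the hostname, no http://, and IP-only sites cannot be blocked this way) and Budfred's restatement above boil down to a small text transformation. The following is an added example, not code from anyone in the thread: it takes pasted URLs (or the targets from a filter report) and produces hosts-file lines, skipping bare IP addresses, duplicates and names already in the file. The hostnames in the sample are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

LOOPBACK = "127.0.0.1"
# A fresh Windows hosts file contains only the loopback entry for localhost.
DEFAULT_LINE = f"{LOOPBACK}\tlocalhost"


def hostname_from_url(text):
    """Reduce a pasted URL or log target to the bare hostname a hosts file expects.

    Returns None for anything a hosts file cannot block: empty input and bare
    IP addresses (the thread notes IP-only sites must be blocked another way).
    """
    s = text.strip()
    if not s:
        return None
    # The thread writes hosts as "www . anysite . com" so the forum does not
    # turn them into links; collapse that back into a real hostname.
    s = re.sub(r"\s*\.\s*", ".", s)
    # Strip the scheme: "http:// will not work" inside a hosts file.
    if "://" not in s:
        s = "//" + s
    try:
        host = urlsplit(s).hostname  # drops path, query, port; lowercases
    except ValueError:
        return None
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # bare IP address: the hosts file cannot redirect it
    except ValueError:
        pass
    if not re.fullmatch(r"[a-z0-9.-]+", host) or ".." in host:
        return None
    return host


def parse_hosts(text):
    """Return the set of hostnames already mapped in a hosts file's text."""
    mapped = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # hosts files allow # comments
        parts = line.split()
        if len(parts) >= 2:
            mapped.update(h.lower() for h in parts[1:])
    return mapped


def build_hosts_entries(sources, existing_text=""):
    """Turn pasted URLs/log targets into hosts-file lines.

    Skips blanks, bare IPs, duplicates and names already in existing_text.
    """
    already = parse_hosts(existing_text)
    entries = []
    for src in sources:
        host = hostname_from_url(src)
        if host is None or host in already:
            continue
        already.add(host)
        entries.append(f"{LOOPBACK}\t{host}")
    return entries


def merge_hosts(existing_text, sources):
    """Return the new hosts file text: keep what is there, append new lines."""
    if not existing_text.strip():
        existing_text = DEFAULT_LINE
    new = build_hosts_entries(sources, existing_text)
    return "\n".join([existing_text.rstrip("\n"), *new]) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the kind of lines one would copy from a
    # filter report or a search result page (placeholder names, not real sites).
    SAMPLE = [
        "http://www.example.com/pics/index.html",
        "ads . example . net",            # spaced the way the thread writes it
        "203.0.113.5",                    # bare IP: cannot be blocked via hosts
        "http://tracker.example.org/pixel?id=1",
        "www.example.com",                # duplicate of the first entry
        "localhost",                      # already in the default file
    ]
    # On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts;
    # paste the existing contents in place of the empty string.
    print(merge_hosts("", SAMPLE), end="")
```

Save the result as `hosts` with no extension, as the thread says, and reboot; the `merge_hosts` output preserves whatever the existing file already contained.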

kwagner_51
03-14-2005, 05:03 PM
I DID IT!! FINALLY!! :D I also ran the ROOTKIT thingy. It came back clean!! :D

We will see what the next cybersitter report says. I will keep you posted.

THANKS for all your help!!

kwagner_51
03-24-2005, 08:12 PM
Well durn!! Just when I think I have things cleaned up, I get more crap like this:

http://isapi60.wxbug.com/WxAlertISAPI/WxAlertIsapi.cgi?GetAlert60&Magic=160&ZipCode=47591&StationID=VNCNS&Units=0&RegNum=65279566&Version=6.04&t=1111553735&lv=0
03/23/05 12:09:39 AM Wagner FILTERED +THUMBNAIL
03/23/05 12:09:39 AM Wagner FILTERED CLIT
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED +GIRL
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED +GIRL
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED +GIRL
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED PORNSTAR
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED PORNSTAR
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED PORNSTAR
03/23/05 12:09:39 AM Wagner FILTERED BODYART
03/23/05 12:09:39 AM Wagner FILTERED PIERCINGS
03/23/05 12:09:39 AM Wagner FILTERED HOTBOY
03/23/05 12:09:39 AM Wagner COMMENT Could not send report. TO:
03/23/05 12:10:24 AM Wagner ACCESSED http://isapi60.wxbug.com/WxAlertISAPI/WxAlertIsapi.cgi?GetAlert60&Magic=160&ZipCode=47591&StationID=VNCNS&Units=0&RegNum=65279566&Version=6.04&t=1111553735&lv=0

I conducted my own experiment because I was suspicious of WeatherBug. I shut the bug down for several hours [overnight] and lo and behold NOT ONE of these things was listed!!!

Now I need some help from the pros. I ran Spybot, AdAware, Trojan Hunter, and MWAV. All came back clean EXCEPT MWAV.

Here is the log for it:

File C:\WIN98\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0BF8FF75-4E5F-49B8-B326-17684F5E2468}\RP78\A0006556.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.


I ran CCLEANER after I ran MWAV. I want to know how to get rid of the D***** BUG!!?

I uninstalled it [before I ran MWAV] from Add/Remove programs, but obviously it's still here.

Also what are the other items listed as viruses? How do I remove them; or should I just leave them alone.

Any advice would be greatly appreciated!!
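The reasoning in the post above (dozens of blocked words stamped with the same second, bracketed by an automated request to the WeatherBug alert URL, and vanishing when WeatherBug is shut down) is exactly what a log triage script can surface: a person clicking through pages does not trip a dozen filter words in one second. The following is an added example, not from anyone in the thread. It assumes the CyberSitter report line layout shown in the thread (date, time, user, ACCESSED/FILTERED/COMMENT, target); the sample report is constructed with placeholder terms and hostnames.

```python
import re
from collections import OrderedDict
from datetime import datetime
from urllib.parse import urlsplit

# One report line: "MM/DD/YY HH:MM:SS AM|PM user ACTION target...".
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2} [AP]M) "
    r"(?P<user>\S+) (?P<action>ACCESSED|FILTERED|COMMENT) ?(?P<target>.*)$"
)

# Constructed sample in the thread's layout (placeholder terms and hosts,
# not the real report): one burst in a single second, framed by the same
# background alert query, then one isolated hit while a page was browsed.
SAMPLE_REPORT = """\
03/23/05 12:08:51 AM User ACCESSED http://alerts.example-weather.test/cgi?zip=00000
03/23/05 12:09:39 AM User FILTERED TERM-A
03/23/05 12:09:39 AM User FILTERED TERM-B
03/23/05 12:09:39 AM User FILTERED TERM-A
03/23/05 12:09:39 AM User FILTERED TERM-C
03/23/05 12:09:39 AM User FILTERED TERM-D
03/23/05 12:09:39 AM User COMMENT Could not send report. TO:
03/23/05 12:10:24 AM User ACCESSED http://alerts.example-weather.test/cgi?zip=00000
03/23/05 12:15:02 AM User ACCESSED http://www.example.com/news
03/23/05 12:15:02 AM User FILTERED TERM-A
"""


def parse_report(text):
    """Parse report lines into dicts; lines without a timestamp (bare URLs,
    headers, blanks) are skipped rather than guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S %p")
        events.append({"ts": ts, "user": m["user"], "action": m["action"],
                       "target": m["target"].strip()})
    return events


def nearest_accessed_host(events, index):
    """Host of the closest ACCESSED URL around an event: the page or program
    whose content tripped the filter (in the thread, the WeatherBug query)."""
    for offset in range(len(events)):
        for j in (index - offset, index + offset):
            if 0 <= j < len(events) and events[j]["action"] == "ACCESSED":
                return urlsplit(events[j]["target"]).hostname
    return None


def find_bursts(events, min_hits=3):
    """Group FILTERED hits by exact timestamp and report the seconds in which
    at least min_hits words were blocked, with the likely source host."""
    by_second = OrderedDict()
    for i, ev in enumerate(events):
        if ev["action"] == "FILTERED":
            by_second.setdefault(ev["ts"], []).append(i)
    bursts = []
    for ts, idxs in by_second.items():
        if len(idxs) < min_hits:
            continue
        bursts.append({
            "ts": ts,
            "hits": len(idxs),
            "terms": sorted({events[i]["target"] for i in idxs}),
            "source": nearest_accessed_host(events, idxs[0]),
        })
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_report(SAMPLE_REPORT)):
        print(f"{b['ts']:%m/%d/%y %I:%M:%S %p}: {b['hits']} hits in one second "
              f"({', '.join(b['terms'])}) nearest ACCESSED host: {b['source']}")
```

Run it over the real report text instead of `SAMPLE_REPORT`; a burst whose nearest ACCESSED host is a background updater rather than a site you visited points at that program, which is what the overnight WeatherBug experiment showed by hand.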

Budfred
03-24-2005, 10:01 PM
WeatherBug is supposed to be legit now, but this is usually still labeled malware... You can see if it is still there in your HJT log and fix it:

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?

It might be a good idea to post a fresh log so we can make sure it is clean...

Most of the items in that MWavScan seem to be MiniBug... If you updated to WinXP from Win98, it might explain where this came from... It doesn't seem to be malware:

C:\WIN98\WIN98_66.CAB

The other things look legit as well.... One of the MiniBug items is in System Restore, so you can get rid of that by turning it off and then turning it back on again... I would delete this first though:

C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll

kwagner_51
03-25-2005, 12:02 AM
Here is the Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:00:48 AM, on 3/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\Program Files\Quick Lookup\QuickLookup.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vinu.edu/PageWorks/servlet/PageMill
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKLM\..\Run: [QuickLookup] C:\Program Files\Quick Lookup\QuickLookup.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109002217328
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9C3E8350-5873-4D8E-A1D4-DCB9E885E86D} (CYBSnoop Control) - http://www.cybersitterhelp.com/snooper/activex/AXSnoop.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe



Thanks!!

Budfred
03-25-2005, 12:17 AM
Did you already try to fix this??

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?

Use HJT to fix this also:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

And delete this folder:

C:\Program Files\AWS\WeatherBug\Weather.exe

And this is from a company that only recently reformed their product from Rogue status... I would be careful about trusting what it tells you, although it is supposed to be okay now...

C:\Program Files\Pyrenean\eDexter\eDexter.exe

kwagner_51
03-25-2005, 12:49 AM
Did you already try to fix this??

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?

Use HJT to fix this also:

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

And delete this folder:

C:\Program Files\AWS\WeatherBug\Weather.exe

And this is from a company that only recently reformed their product from Rogue status... I would be careful about trusting what it tells you, although it is supposed to be okay now...

C:\Program Files\Pyrenean\eDexter\eDexter.exe


How do I delete this one?

C:\Program Files\AWS\WeatherBug\Weather.exe

eDexter is gone along with the others HJT fixed them.

On the one mentioned above, I went into Add/Remove; it's not there. Went to Find Files; not there either. So where is it? I can't find it under Program Files either. HELP!!

Thanks!!

kwagner_51
03-25-2005, 01:14 AM
Never mind, I found it.....HOWEVER, I can NOT uninstall it!! I keep getting this message:

Could not execute the external program unwise.exe

So now I have an uninstall folder AND an install folder under

C:\Program Files\AWS\WeatherBug\Weather.exe

When I searched for unwise.exe on my pc I found these:

UNWISE c:\tutor 125 KB application 5-24-2001
UNWISE.EXE-38e5e526. C:\WINDOWS\Prefetch 13KB PF file 3-24-05

There are 3 more listed: one for ADAWARE, one for Webshots and one for The Weather Channel.

My new question is how do I get rid of the one with all the numbers if my PC can't find the external program?

Thanks!!

Budfred
03-25-2005, 10:29 PM
Never mind, I found it.....HOWEVER, I can NOT uninstall it!! I keep getting this message:

Could not execute the external program unwise.exe

So now I have an uninstall folder AND an install folder under

C:\Program Files\AWS\WeatherBug\Weather.exe

When I searched for unwise.exe on my pc I found these:

UNWISE c:\tutor 125 KB application 5-24-2001
UNWISE.EXE-38e5e526. C:\WINDOWS\Prefetch 13KB PF file 3-24-05

There are 3 more listed: one for ADAWARE, one for Webshots and one for The Weather Channel.

My new question is how do I get rid of the one with all the numbers if my PC can't find the external program?

Thanks!!
I am sorry, but I can't sort out what you are saying here... I still can't tell if you did the HJT fixes I suggested and I am not sure what you are saying about the folder I suggested deleting... You refer to uninstalling it and I am suggesting that you simply delete it since you indicated that you already uninstalled WeatherBug.... You can safely clean out the prefetch folder, so you can empty the whole folder here if you would like:

C:\WINDOWS\Prefetch

If I am missing something, please explain in more detail....

kwagner_51
03-25-2005, 11:26 PM
I'm sorry, I said "eDexter is gone along with the others; HJT fixed them." I just thought that by saying HJT fixed them you would understand that I DID get rid of them.

I also deleted the prefetch folder.

Thanks again for your help and sorry for the confusion. I will let you know if getting rid of the weather bug helped!!

Budfred
03-25-2005, 11:46 PM
eDexter is gone along with the others HJT fixed them. I am afraid I didn't understand that because eDexter was something that you would need to uninstall or delete rather than fixing it in HJT... I actually couldn't figure out what you were saying about HJT... It probably would be a good idea to post another fresh log to see if anything has changed significantly since you fixed the other items... Also note if there has been any change from removing MiniBug...

kwagner_51
03-26-2005, 12:36 AM
Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:07 AM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\a2\a2guard.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vinu.edu/PageWorks/servlet/PageMill
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKLM\..\Run: [QuickLookup] C:\Program Files\Quick Lookup\QuickLookup.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109002217328
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9C3E8350-5873-4D8E-A1D4-DCB9E885E86D} (CYBSnoop Control) - http://www.cybersitterhelp.com/snooper/activex/AXSnoop.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


Thanks!!

Budfred
03-26-2005, 04:27 PM
Your log looks clean... Are you still having any problems??

kwagner_51
03-29-2005, 07:14 AM
Yes, I am still having problems!! I reinstalled weatherbug because I couldn't get desktop weather from weather.com to install on my d/t.

I did run HJT again and got rid of minibug though. What I am about to post came up BEFORE I reinstalled weatherbug.

Also, the website before and after is my university website. The very beginning is their live help. I had to keep shortening the link to figure it out.

As usual it keeps repeating.

Here is the partial log from cybersitter:

03/28/05 12:03:54 AM Wagner ACCESSED http://jstancz0.u24.speedypuppy.net/phplive/image_tracker.php?l=justin&x=1&page=http%3A//www.vinu.edu/PageWorks/servlet/PageMill&unique=1111986234203
03/28/05 12:04:01 AM Wagner FILTERED ****
03/28/05 12:04:01 AM Wagner FILTERED YAHOOKA.COM
03/28/05 12:04:01 AM Wagner FILTERED SCIENTOLOGY
03/28/05 12:04:01 AM Wagner FILTERED OCCULT
03/28/05 12:04:01 AM Wagner FILTERED SCIENTOLOGY
03/28/05 12:04:01 AM Wagner FILTERED OCCULT
03/28/05 12:04:01 AM Wagner FILTERED SCIENTOLOGY
03/28/05 12:04:01 AM Wagner FILTERED OCCULT
03/28/05 12:04:01 AM Wagner FILTERED SATANIC
03/28/05 12:04:01 AM Wagner FILTERED LOTTO
03/28/05 12:04:01 AM Wagner COMMENT Could not send report.
03/28/05 12:04:01 AM Wagner ACCESSED http://jstancz0.u24.speedypuppy.net/phplive/image_tracker.php?l=justin&x=1&page=http%3A//www.vinu.edu/PageWorks/servlet/PageMill&unique=1111986241312

Here is a new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:13:42 AM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\a2\a2guard.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vinu.edu/PageWorks/servlet/PageMill
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKLM\..\Run: [QuickLookup] C:\Program Files\Quick Lookup\QuickLookup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109002217328
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9C3E8350-5873-4D8E-A1D4-DCB9E885E86D} (CYBSnoop Control) - http://www.cybersitterhelp.com/snooper/activex/AXSnoop.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


Thanks!!

Budfred
03-29-2005, 09:55 PM
I am afraid that I don't know how to read that log, but it looks like it is saying those things were blocked... If so, I am not sure what the problem is...

The only thing I can think of to do now is to run a trojan scan... I don't think we have done that yet (I didn't read back through the whole thread)... You can use the trial version of TrojanHunter or TDS3... When you install, allow them to update or you will have to manually update later... Run the scan and fix whatever is found (if anything)... Post back results...

http://www.trojanhunter.com/

or

http://tds.diamondcs.com.au/

kwagner_51
03-29-2005, 10:08 PM
I installed and ran TrojanHunter about a week ago or more. I guess my question is:

How do I keep getting the stuff that shows up in the log when no one is surfing the net?

I have used Shield's Up to see if there are any ports up and there aren't. I have AVG and ZA running all the time. AVG updates daily. I have A-squared in the task bar and it alerts me to programs and such trying to access my computer. I have my HOSTS file in the taskbar and add to it daily. I also run AdAware and SpyBot S&D.

Would it help if I just shut down every night? I really would like to stop these things from coming in at all.

Is it possible that it is coming in via my ISP?

Thanks!!

Budfred
03-29-2005, 10:22 PM
I don't know that I can answer your questions...

Are you sure that one of your kids isn't online at those times??

Are you sure that the log is not indicating that these are intrusions that are blocked, much like a firewall report of blocked intrusions??

I don't know enough about the program to tell you much more or even what that log means... If you shut down the computer, nothing will be coming in, so that is an option...

kwagner_51
04-01-2005, 10:57 AM
I'm back again. Same junk. I have several questions I hope you can answer.

I did not leave any windows open, just my outlook express. Cybersitter was active and I didn't get ANY of the crap posted above in my log. This is a good thing, because I am narrowing down the problem. I think :)

Now I'm thinking out loud to all of you experts.

1. If IE isn't open, I don't get the stuff that is filtered by Cybersitter. To me this implies that it is my ISP bouncing the junk through my connection.

2. Cybersitter states that they filter WORDS that are offensive. So I am wondering if there is a program like HOSTS that would allow anyone to filter WORDS. If there is such a program how would I search for it using a search engine? [This way, I could block my own offensive words]

3. I don't understand how these words keep showing up in the log from cybersitter if the website I am viewing doesn't have any ads on it. Where are they coming from and how do I figure it out?

Anybody have any ideas?

Thanks!!
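One way to work on question 3 is to read the Cybersitter log mechanically and check whether the FILTERED words cluster right after a particular ACCESSED page load. The script below is an added example, not the thread's own material and not anything from Cybersitter; it assumes the line shape visible in the posted excerpt ("MM/DD/YY h:mm:ss AM user ACTION text") and runs over a constructed sample modelled on that excerpt.

```python
"""Attribute Cybersitter FILTERED words to the page load that preceded them.

Added example, not from the thread or from Cybersitter. It assumes the line
shape seen in the posted excerpt: "MM/DD/YY h:mm:ss AM user ACTION text".
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the excerpt posted in the thread (not the full log).
SAMPLE_LOG = """\
03/28/05 12:03:54 AM Wagner ACCESSED http://jstancz0.u24.speedypuppy.net/phplive/image_tracker.php?l=justin&x=1&page=http%3A//www.vinu.edu/PageWorks/servlet/PageMill&unique=1111986234203
03/28/05 12:04:01 AM Wagner FILTERED ****
03/28/05 12:04:01 AM Wagner FILTERED YAHOOKA.COM
03/28/05 12:04:01 AM Wagner FILTERED SCIENTOLOGY
03/28/05 12:04:01 AM Wagner FILTERED OCCULT
03/28/05 12:04:01 AM Wagner FILTERED SATANIC
03/28/05 12:04:01 AM Wagner FILTERED LOTTO
03/28/05 12:04:01 AM Wagner COMMENT Could not send report.
03/28/05 12:04:01 AM Wagner ACCESSED http://jstancz0.u24.speedypuppy.net/phplive/image_tracker.php?l=justin&x=1&page=http%3A//www.vinu.edu/PageWorks/servlet/PageMill&unique=1111986241312
"""

LINE_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d{1,2}:\d\d:\d\d [AP]M) (\S+) (ACCESSED|FILTERED|COMMENT) (.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p"),
            "user": m.group(2), "action": m.group(3), "arg": m.group(4)}


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def attribute_filtered(events, window=timedelta(seconds=30)):
    """Group FILTERED words under the most recent ACCESSED URL within `window`.

    One group per ACCESSED line; FILTERED words with no page load close enough
    in time get a group of their own with url=None.
    """
    groups, current = [], None
    for e in events:
        if e["action"] == "ACCESSED":
            parts = urlsplit(e["arg"])
            # The tracker URL names the page that embedded it in its "page" parameter.
            page = parse_qs(parts.query).get("page", [None])[0]
            current = {"url": e["arg"], "host": parts.hostname, "ts": e["ts"],
                       "embedding_page": page, "first_word_ts": None, "words": []}
            groups.append(current)
        elif e["action"] == "FILTERED":
            if current is None or e["ts"] - current["ts"] > window:
                current = {"url": None, "host": None, "ts": e["ts"],
                           "embedding_page": None, "first_word_ts": None, "words": []}
                groups.append(current)
            if current["first_word_ts"] is None:
                current["first_word_ts"] = e["ts"]
            current["words"].append(e["arg"])
    return groups


def summarize(text, window=timedelta(seconds=30)):
    """(host, embedding page, filtered-word count, seconds after the load) per
    page load that was followed by filtered words."""
    out = []
    for g in attribute_filtered(parse_log(text), window):
        if g["words"]:
            delay = int((g["first_word_ts"] - g["ts"]).total_seconds())
            out.append((g["host"], g["embedding_page"], len(g["words"]), delay))
    return out


if __name__ == "__main__":
    for host, page, count, delay in summarize(SAMPLE_LOG):
        print(f"{count} filtered words {delay}s after loading {host} (embedded in {page})")
```

On the constructed sample the six filtered words land seven seconds after the load of the image_tracker.php URL, whose "page" parameter points at the vinu.edu start page; that is the kind of pairing to look for in the full log before assuming the words arrive independently of any page.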

Whyzman
04-01-2005, 11:24 AM
Have you visited Cybersitter support?? They also have a forum where the software techs handle questions on line...

Here's one thought: http://www.cybersitterhelp.com/KB/XcIBViewItem.asp?ID=38

Whyzman
04-01-2005, 11:30 AM
I haven't reread the thread, but are you routinely dumping your Temporary Internet Files cache?

I believe Windoze XP has a setting where you can dump the cache each time you reboot.

Also, in my cursory review of the Cybersitter site, it appears there could be something in the Custom settings where you may have a "questionable" site that is in the Allowable...

FastLearner
04-03-2005, 04:07 PM
I noticed that Spyware Blaster also has a tool for creating backups of the HOSTS file. I didn't see where it lets you view the contents, though.