-
April 16th, 2004, 08:39 AM
#16
ok crunchie, I'll do that....thx for the Startup Appl List link.
-
April 16th, 2004, 05:24 PM
#17
Ok what's up with both of these links?
This says Connection to SysInfo.org database server not possible! CGI-limits reached, please try again later!
http://www.sysinfo.org/startuplist....ount=&type=
at work and at home, it did work at work for a few times.
CWShredder, this must be a slow link cause I wait and wait and finally stop cause I can't take waiting forever, why? http://209.133.47.200/~merijn/files/CWShredder.exe
Last edited by COPO; April 16th, 2004 at 05:26 PM.
-
April 16th, 2004, 05:38 PM
#18
These sites are usually under attack by the creators and partners of the parasite/trojan that infected your system. It's usually very hard to get through.
Do you need the CW Shredder, or do you already have that?
-
April 16th, 2004, 06:06 PM
#19
I still need the CWShredder
-
April 16th, 2004, 06:56 PM
#20
Originally posted by COPO
I still need the CWShredder
PM me your E-mail and I can send you version 1.56.1 of CW Shredder, which is fairly recent.
-
April 16th, 2004, 09:11 PM
#21
Here's a different link for you.
Download CWShredder from http://www.computercops.biz/downloads-file-349.html & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs & windows, including IE, before running CWShredder.
Sysinfo is getting a lot of use lately. I'm having a problem too. I find that I just keep refreshing the page & I eventually get it. They obviously only have so much bandwidth to use & the limits keep being reached.
-
April 17th, 2004, 12:32 AM
#22
I ran CWShredder and cleaned up stuff and saved the results in a word file.
I ran HijackThis again and here is what I got. Do I need to delete anything? Thx in advance guys and thx crunchie for the CWS new link.
Logfile of HijackThis v1.97.7
Scan saved at 12:55:49 AM, on 4/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORT9X.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORPC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZAFILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadband.rogers.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {87EAE153-EE10-4E96-B920-93CFE9B64808} - C:\WINDOWS\SYSTEM\QLBLUAA.DLL
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST\ANTIVI~1\REALMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\zafiles\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs2.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8842C6C0-E428-11D5-A74F-0008C7DA2EA8} (prjRogersMail.ctlMail) - http://www.rogershelp.com/addemail.cab
O16 - DPF: {6D655755-EB1B-11D5-A74F-0008C7DA2EA8} (prjRemMail.ctlRemMail) - http://www.rogershelp.com/remmail.cab
O16 - DPF: {2CDA4FA9-4A2B-4925-8EB4-61BDDE935A84} (OutlookVerification.vOutlook) - http://www.rogershelp.com/smtp/voutlook.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/30a238b56ba5f9...tzip/RdxIE.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.2939351852
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/247b0e9b912680f...p/RdxIE601.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/compan.../bin/imvid.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O19 - User stylesheet: (file missing)
Last edited by COPO; April 17th, 2004 at 01:01 AM.
-
April 17th, 2004, 08:08 AM
#23
Unzip HJT into its own permanent folder before doing anything in order for it to create backups. (Not a temporary folder & not on the desktop). Close all (browser) windows & have HJT fix these entries by placing a check in the appropriate box:
O2 - BHO: (no name) - {87EAE153-EE10-4E96-B920-93CFE9B64808} - C:\WINDOWS\SYSTEM\QLBLUAA.DLL
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/30a238b56ba5f...etzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/247b0e9b912680...ip/RdxIE601.cab
O19 - User stylesheet: (file missing)
Just those, & then your next step is to go here & install ALL critical updates required for your system.
http://windowsupdate.microsoft.com/
I have to ask if you rebooted after running CWShredder & B4 posting this log to be sure that nothing came back.
-
April 17th, 2004, 11:52 AM
#24
ok,
Windows Media Player keeps losing its location and showing up on the Spybot and getting RED flagged. So I'm downloading another file. I'll post my HijackThis soon.
Last edited by COPO; April 17th, 2004 at 01:41 PM.
-
April 17th, 2004, 02:57 PM
#25
I've run adaware, Spybot and CWS with no errors. I've done my windows update with this one
Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB832894)
Download size: 2.8 MB, < 1 minute
Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system. For example, an attacker could run programs on your computer while you view a Web page. This affects all computers with Internet Explorer installed (even if you don’t run Internet Explorer as your Web browser). After you install this item, you may need to restart your computer. Read more...
and it's causing me a problem and in the past I've left this one out because of this, read on.
After the load when I do a right mouse click on Start and select Explorer, then a left click on My Documents, or My Network Places or My Computer it doesn’t take me there but just turns green from blue. If I do a restore back before the patch it’s ok. Anyone have a fix for this? I really need to keep this patch on.
I did notice before the patch was on that Spybot trapped Windows Media Player. I couldn't find a deinstall feature for this, it's not in the control panel or the Start Menu. So should it have one? I downloaded a new version of Win Media Player 7.1 cause on Win Me version 9 sound jumps.
Anyhow after another reboot I ran adaware, Spybot and they were clean. Below is my HijackThis log. Please check it out and see if I'm clean now.
Logfile of HijackThis v1.97.7
Scan saved at 3:09:04 PM, on 4/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORT9X.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\INORPC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CA\ETRUST\ANTIVIRUS\REALMON.EXE
C:\PROGRAM FILES\ZAFILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadband.rogers.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST\ANTIVI~1\REALMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\Antivirus\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\zafiles\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs2.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8842C6C0-E428-11D5-A74F-0008C7DA2EA8} (prjRogersMail.ctlMail) - http://www.rogershelp.com/addemail.cab
O16 - DPF: {6D655755-EB1B-11D5-A74F-0008C7DA2EA8} (prjRemMail.ctlRemMail) - http://www.rogershelp.com/remmail.cab
O16 - DPF: {2CDA4FA9-4A2B-4925-8EB4-61BDDE935A84} (OutlookVerification.vOutlook) - http://www.rogershelp.com/smtp/voutlook.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.2939351852
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/compan.../bin/imvid.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
Just ran Spybot after surfing a bit and got this:
Avenue A, Inc.: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\default@atdmt[1].txt
DoubleClick: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\default@doubleclick[1].txt
MediaPlex: Tracking cookie or cookie of tracking site (File, nothing done)
C:\WINDOWS\Cookies\default@mediaplex[1].txt
Anything to worry about? I removed it. But it will probably return, is that normal when you surf the Net?
Last edited by COPO; April 18th, 2004 at 07:56 PM.
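An added example, not part of the original thread: a small Python check that the entries flagged in post #23 are gone from the follow-up scan. It matches on the entry code plus CLSID, because the forum shortened the RdxIE URLs differently in the log and in the reply; `parse` and `still_present` are hypothetical helper names, and the three excerpts are copied from the posts above.

```python
import re

# Added illustration; parse() and still_present() are hypothetical helper names.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O16 - DPF: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Map a stable key to the full line for every HijackThis entry in a log."""
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process path or blank line
        code, rest = m.groups()
        guid = CLSID.search(rest)
        # The forum shortens long URLs, so key on the CLSID when there is one.
        entries[(code, guid.group(0).upper() if guid else rest.lower())] = line
    return entries

def still_present(flagged, scan):
    """Return the flagged entries that also appear in the given scan."""
    seen = parse(scan)
    return [line for key, line in parse(flagged).items() if key in seen]

# Entries the helper asked to fix (post #23), copied from the thread.
FLAGGED = r"""
O2 - BHO: (no name) - {87EAE153-EE10-4E96-B920-93CFE9B64808} - C:\WINDOWS\SYSTEM\QLBLUAA.DLL
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/30a238b56ba5f...etzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/247b0e9b912680...ip/RdxIE601.cab
O19 - User stylesheet: (file missing)
"""
# Excerpt of the first scan (post #22); note the differently shortened URLs.
BEFORE = r"""
O2 - BHO: (no name) - {87EAE153-EE10-4E96-B920-93CFE9B64808} - C:\WINDOWS\SYSTEM\QLBLUAA.DLL
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/30a238b56ba5f9...tzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/247b0e9b912680f...p/RdxIE601.cab
O19 - User stylesheet: (file missing)
"""
# Excerpt of the second scan (post #25).
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadband.rogers.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
"""

if __name__ == "__main__":
    print("flagged entries in first scan: ", len(still_present(FLAGGED, BEFORE)))
    print("flagged entries in second scan:", len(still_present(FLAGGED, AFTER)))
```

A plain line-by-line comparison would match only two of the four flagged lines against the first scan, since the two RdxIE URLs are shortened differently in each post.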