Welcome to Comcast Help & Support Forums
Find solutions, share knowledge, and get answers from customers and experts

New to the Community? Start here.

5,649,647

members

17

online now

1,825,498

discussions

Back to Top

Need help with hijackthis log

Posted by
N/A
  • You have posted 5 replies to the community. Thank you for keeping the conversations going!
  • Thank you contributor for your first reply to the community!
 Posting replies is the best way to get involved.

Message 1 of 11
625 Views
Here is my hijackthis log, please tell me what is safe to remove and what is not. Thank you!
Logfile of HijackThis v1.98.1
Scan saved at 6:09:44 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\IMsecure\IMsecure.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mom\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINNT\System32\PDF38fe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: regsvr32 /s C:\WINNT\System32\pdfupd.dll
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: regsvr32 /s C:\WINNT\System32\PDF38fe.dll
O4 - HKCU\..\Run: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/287be271d1c864573a03/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {ECB7BFF0-FF65-11D1-9004-00A0C92E6878} (WebEnable Class) - http://hermes/meditech/WebEnable/MWebEnable.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F71D6A7-3ADC-4314-AA01-8A312012AA54}: NameServer = 10.128.100.130,10.129.100.130
10 REPLIES
Posted by
Valued Contributor

Message 2 of 11
625 Views
AnAsko,

1. Please create a permanent folder for HijackThis (I suggest "C:\Program Files\HijackThis") and move the HijackThis program there. HijackThis will create a number of backup files which will be lost if run from a temporary folder.

2. Reboot into Safe Mode - How do I boot into "Safe" mode?

3. Make sure your Windows Explorer Folder Settings are as follows:

(To access them, go "Tools" > "Folder Options" > "View")

a. "Show hidden files and folders" should be checked.
b. "Hide extensions for known file types" should be unchecked.
c. "Hide protected operating system files" should be unchecked.


4. Make sure all application windows are closed. Run another HijackThis scan from its permanent location. Check the below items for removal. Once all are checked, click the "Fix checked" button. When the fix completes, close HijackThis.

Fix these:
---------------------------------------------------

---> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

---> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

---> O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

---> O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINNT\System32\PDF38fe.dll

---> O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

---> O4 - HKLM\..\Run: regsvr32 /s C:\WINNT\System32\pdfupd.dll

---> O4 - HKLM\..\Run: regsvr32 /s C:\WINNT\System32\PDF38fe.dll

---> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/287be271d1c864573a03/netzip/RdxIE601.cab

---------------------------------------------------


5. While still in "Safe Mode", remove the following files/folders:

a. The folder "Kontiki" in "C:\Program Files".

b. The folder "Toolbar" in "C:\PROGRA~1\COMMON~1\Real".

c. The file "PDF38fe.dll" in "C:\WINNT\System32".

d. The file "pdfupd.dll" in "C:\WINNT\System32".


6. Reboot into Normal Mode, run another HijackThis scan , and post the new log.
Posted by
Security Expert

Message 3 of 11
625 Views
AnAsko

Do what JohnD said..

I also note that you this is your 2nd issue within about a week..

You need to spend a little time either securing IE or switch to a different more secure browser so
you might want to take a look at some of the reccomendations here (including IE Spyad)
https://netfiles.uiuc.edu/ehowes/www/main.htm
if you are going to continue using IE
Some other places to look are here:
http://www.broadbandreports.com/faq/8463
and here:
http://www.us-cert.gov/cas/tips/

and/or download firefox or mozilla from http://www.mozilla.org
TANSTAAFL!!






Community Icon
I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help. For information on the program click here.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Was your question answered? Mark it as an accepted solution!solution Icon

Community Icon
I am not a Comcast employee. I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help.
We ask that you post publicly so people with similar questions may benefit.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Was your question answered? Mark it as an accepted solution!solution Icon

Community Icon
I am not a Comcast employee.

Was your question answered?
Mark it as a solution!solution Icon

Posted by
N/A
  • You have posted 5 replies to the community. Thank you for keeping the conversations going!
  • Thank you contributor for your first reply to the community!
 Posting replies is the best way to get involved.

Message 4 of 11
625 Views
I followed the directions, and here is the new log. Thank you. CajunTek,I am away from my other computer, thats the reason why I havent been able to do anything. This log is for my other computer, which is just as bad, as you can see. Thank you for all the help. Let me know if there is anything else on there that needs to be removed.

Logfile of HijackThis v1.98.1
Scan saved at 3:16:19 PM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\IMsecure\IMsecure.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Mom\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {ECB7BFF0-FF65-11D1-9004-00A0C92E6878} (WebEnable Class) - http://hermes/meditech/WebEnable/MWebEnable.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F71D6A7-3ADC-4314-AA01-8A312012AA54}: NameServer = 10.128.100.130,10.129.100.130
Posted by
Security Expert

Message 5 of 11
625 Views
I don't really see anything bad here..

Still suggest you go the page I suggested above and get IE-spyad it will give you some protection that you don't have now..
TANSTAAFL!!






Community Icon
I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help. For information on the program click here.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Was your question answered? Mark it as an accepted solution!solution Icon

Community Icon
I am not a Comcast employee. I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help.
We ask that you post publicly so people with similar questions may benefit.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Was your question answered? Mark it as an accepted solution!solution Icon

Community Icon
I am not a Comcast employee.

Was your question answered?
Mark it as a solution!solution Icon

Posted by
N/A
  • You have posted 5 replies to the community. Thank you for keeping the conversations going!
  • Thank you contributor for your first reply to the community!
 Posting replies is the best way to get involved.

Message 6 of 11
625 Views
Ok...I am still having problems with this one file, that I cannot get rid of this one thing that keeps coming up with every Adaware scan! I found the file in Program files, but when i tried removing it, it said: "Cannot delete Cursor. Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." It is called IBIS Toolbar and its located in c:/program files/toolbar. And here is another Highjackthis log, just incase, let me know if you see anything on there. Other then that one problem , I have not had any others. Thank you for your help!!!!

Logfile of HijackThis v1.98.1
Scan saved at 11:15:08 AM, on 8/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\gearsec.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\IMsecure\IMsecure.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Mom\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {ECB7BFF0-FF65-11D1-9004-00A0C92E6878} (WebEnable Class) - http://hermes/meditech/WebEnable/MWebEnable.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F71D6A7-3ADC-4314-AA01-8A312012AA54}: NameServer = 10.128.100.130,10.129.100.130
Posted by
Valued Contributor

Message 7 of 11
625 Views
Did you try running Ad-aware or deleting the folder in "Safe Mode"?
Posted by
N/A
  • You have posted 5 replies to the community. Thank you for keeping the conversations going!
  • Thank you contributor for your first reply to the community!
 Posting replies is the best way to get involved.

Message 8 of 11
625 Views
Yes..I ran the Ad-Aware scan in safe mod, and then the regular way. Tried removing the file in the safe mode, and it wouldnt allow me to do so. The message that I got was the one I already had posted. I dont know how else to remove it. Every time I run ad-aware the same thing comes up. Please help, i am not sure what to do. Thank you!!!!
Posted by
Valued Contributor

Message 9 of 11
625 Views
>Ok...I am still having problems with this one file, that I
>cannot get rid of this one thing that keeps coming up with
>every Adaware scan! I found the file in Program files, but
>when i tried removing it, it said: "Cannot delete Cursor.
>Access is denied. Make sure the disk is not full or
>write-protected and that the file is not currently in use." >It is called IBIS Toolbar and its located in c:/program
>files/toolbar.

This could be difficult. There is a file named cursor.xml or cursors.xml which is difficult to remove. It could have permissions set which prevent it from being removed. We need to try some DOS commands to find more info on it.

I will be asuming that the file name that Ad-aware is finding is "cursor.xml". If it is not, please enter the proper name in the places where I have used the assumed name.


1. Bring up a "Command Prompt" window. (This is also referred to as a DOS prompt). It should be under "Start" > "All Programs" > "Accessories".

2. Navigate to the folder containing the "cursor.xml" file using a "Change Directory" or "cd" command. For instance, to get to that "toolbar" folder, type:

cd "\program files\toolbar"


3. Once in the folder containing the "cursor.xml" file, type:

dir cursor.xml

This should display the file name, size, and creation date.


4. Then type:

attrib cursor.xml

This should display some permission attributes on the file.


5. Then type:

cacls cursor.xml

This should display the owner(s) of the file.


6. Finally, using your mouse, hilight everything in the DOS window, then hit your "Enter" key. This should transfer the hilighted data to the clipboard.


7. Now start a reply to this post and press the "Ctrl" and "V" keys simultaneously. This should paste the information from the DOS window into the reply box. Enter whatever other comments you wish and post the reply.

If you have any questions, let me know.
Posted by
Connection Expert

Message 10 of 11
436 Views

N/G here Phill.




Community Icon
I am not a Comcast employee, I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help. For information on the program click here.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark it as an accepted solution!solution Icon
Community Icon
I am not a Comcast employee. I am a paying customer just like you!
I am an XFINITY Forum Expert and I am here to help.
We ask that you post publicly so people with similar questions may benefit.
Was your question answered? Mark it as an accepted solution!solution Icon
Community Icon
I am not a Comcast employee.

Was your question answered?
Mark it as a solution!solution Icon

Posted by
Official Employee

Message 11 of 11
425 Views

Thanks EG




Community Icon
I am an Offical Comcast Employee.
Official Employees are from multiple teams within Comcast: Product, Support, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.

Was your question answered? Mark it as an accepted solution!solution Icon
Community Icon
I am an Offical Comcast Employee.
Official Employees are from multiple teams within Comcast.
We ask that you post publicly so people with similar questions may benefit.
Was your question answered? Mark it as an accepted solution!solution Icon
Community Icon
I am a Comcast Employee.
Please post so people with similar questions may benefit.
Was your question answered?
Mark it as a solution!solution Icon