'HiJack This' and spyware removal, esp. FunwebProducts
From: GORDON (anonymous_at_discussions.microsoft.com)
Date: 02/19/04
- Next message: JA: "Re: Tracking program? How do I get rid of it?"
- Previous message: gordon: "Access23.exe"
- In reply to: anthony: "'HiJack This' and spyware removal, esp. FunwebProducts"
- Next in thread: anthony: "'HiJack This' and spyware removal, esp. FunwebProducts"
- Reply: anthony: "'HiJack This' and spyware removal, esp. FunwebProducts"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 18 Feb 2004 17:33:42 -0800
I got rid of them by deleting my smiley.com program which
had with it "my web search". I then went into regedit and
deleted every reference to fun web products and my web
search.
>-----Original Message-----
>Hi,
>
>I've tried using 'HiJack This' to determine what Spyware
>to remove - the program does warn about checking carefully
>before removing files as it targets hijack methods not
>sites. I still have Funwebproducts;.Net etc etc tied into
>my Browser Identification and have tried various spyware
>programs to remove it - they've got rid of other files,
>folders and registry entries but this one is STILL THERE
>in the Browser (IE6). I've been given links showing manual
>removal via regedit etc but I'm wary of doing this in case
>of making a fatal error!
>
>I'm thinking of saving all my Favorites, backing up
>Outlook Express and then uninstalling and reinstalling
>IE6 - any suggestions on a quick fix for FunwebProducts
>instead?
>
>I'm printing out the log in the hope someone might advise
>what I can safely delete (which could be done by deleting
>below what I should NOT remove).
>
>Many thanks!
>
>Logfile of HijackThis v1.97.7
>Scan saved at 11:27:57, on 17/02/2004
>Platform: Windows 2000 SP4 (WinNT 5.00.2195)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:
>C:\WINNT\System32\smss.exe
>C:\WINNT\system32\winlogon.exe
>C:\WINNT\system32\services.exe
>C:\WINNT\system32\lsass.exe
>C:\WINNT\system32\svchost.exe
>C:\WINNT\System32\svchost.exe
>C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
>C:\WINNT\system32\MSTask.exe
>C:\WINNT\system32\stisvc.exe
>C:\WINNT\system32\ZoneLabs\vsmon.exe
>C:\WINNT\System32\WBEM\WinMgmt.exe
>C:\Program Files\ORL\VNC\WinVNC.exe
>C:\WINNT\System32\mspmspsv.exe
>C:\WINNT\system32\svchost.exe
>C:\WINNT\Explorer.EXE
>C:\Program Files\Sony\HotKey Utility\HKserv.exe
>C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
>C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
>C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
>C:\Program Files\Grisoft\AVG6\avgcc32.exe
>C:\WINNT\System32\svchost.exe
>C:\Program Files\Common Files\Real\Update_OB\realsched.exe
>C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
>C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
>C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
>C:\Program Files\KeirNet\K9\K9.exe
>C:\Documents and Settings\Administrator\My
>Documents\hijackthis\HijackThis.exe
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>Bar = http://adblock.linkz.com/abho/bandsearch.abs
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
>Page = http://linkz.com/
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
>Page = http://www.google.co.uk/
>R0 - HKLM\Software\Microsoft\Internet
>Explorer\Search,SearchAssistant =
>http://adblock.linkz.com/abho/bandsearch.abs
>R1 -
>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>Settings,ProxyServer = 62.255.64.6:8080
>R1 -
>HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>Settings,ProxyOverride = 127.0.0.1;<local>
>O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-
>784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
>\Reader\ActiveX\AcroIEHelper.ocx
>O2 - BHO: (no name) - {53707962-6F74-2D53-2644-
>206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-
>00A0C9082467} - C:\WINNT\System32\msdxm.ocx
>O4 - HKLM\..\Run: [Synchronization Manager]
>mobsync.exe /logon
>O4 - HKLM\..\Run: [HKserv.exe] C:\Program
>Files\Sony\HotKey Utility\HKserv.exe
>O4 - HKLM\..\Run: [WinVNC] "C:\Program
>Files\ORL\VNC\WinVNC.exe" -servicehelper
>O4 - HKLM\..\Run: [pdfFactory Dispatcher v1]
>C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
>O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32
>\spool\DRIVERS\W32X86\2\printray.exe
>O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1
>\ZONEAL~1\zlclient.exe
>O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1
>\MYWEBS~1\bar\1.bin\mwsoemon.exe
>O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
>Files\QuickTime\qttask.exe" -atboottime
>O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6
>\avgcc32.exe /startup
>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
>Files\Real\Update_OB\realsched.exe" -osboot
>O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program
>Files\Microsoft ActiveSync\WCESCOMM.EXE"
>O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
>Messenger\MsnMsgr.Exe" /background
>O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9
>\K9.exe
>O4 - Global Startup: Adobe Gamma Loader.exe.lnk =
>C:\Program Files\Common Files\Adobe\Calibration\Adobe
>Gamma Loader.exe
>O4 - Global Startup: Microsoft Office.lnk = C:\Program
>Files\Microsoft Office\Office\OSA9.EXE
>O4 - Global Startup: PowerPanel.lnk = C:\Program
>Files\PowerPanel\PROGRAM\PcfMgr.exe
>O4 - Global Startup: VAIO Action Setup (Server).lnk =
>C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
>O6 - HKCU\Software\Policies\Microsoft\Internet
>Explorer\Restrictions present
>O6 - HKCU\Software\Policies\Microsoft\Internet
>Explorer\Control Panel present
>O6 - HKLM\Software\Policies\Microsoft\Internet
>Explorer\Control Panel present
>O9 - Extra button: Create Mobile Favorite (HKLM)
>O9 - Extra 'Tools' menuitem: Create Mobile Favorite...
>(HKLM)
>O12 - Plugin for .spop: C:\Program Files\Internet
>Explorer\Plugins\NPDocBox.dll
>O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
>(PCPitstop Utility) -
>http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
>O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
>http://ak.imgfarm.com/images/nocache/funwebproducts/MySignatureInitialSetup1.0.0.6.cab
>O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
>(PPSDKActiveXScanner.MainScreen) -
>http://www.pestscan.com/scanner/axscanner.cab
>O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}
>(YInstStarter Class) -
>http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
>O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office
>Update Installation Engine) -
>http://office.microsoft.com/officeupdate/content/opuc.cab
>O16 - DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B}
>(GreasyPalmInstallHelper Class) -
>http://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
>O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B}
>(InstallShield Setup Player 2K2) -
>http://www.ipswitch.com/_installs/wsftp_le/setup.exe
>O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE
>Class) -
>http://207.188.7.150/1414b450338266127e15/netzip/RdxIE601.cab
>O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF}
>(CScanner Object) -
>http://www.pestscan.com/scanner/ppctlcab.cab
>O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}
>(HouseCall Control) -
>http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
>O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613}
>(OPInstall Control) -
>http://a14.g.akamai.net/f/14/7141/144000s/download.opistat.com/opistat/activex/opinstall_en_4.1.8.0.cab
>O16 - DPF: {93829908-07C2-44A2-95DB-F78F201A9B48} -
>http://adblock.linkz.com/APHelper.dll
>O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
>Class) -
>http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37964.5354282407
>O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF}
>(Live365Player Class) -
>http://www.live365.com/players/play365.cab
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
>(Shockwave Flash Object) -
>http://active.macromedia.com/flash4/cabs/swflash.cab
>O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB}
>(iTunesDetector Class) -
>http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
>O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
>(McFreeScan Class) -
>http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4322/mcfscan.cab
>O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
>http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
>O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
>Curric
>O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
>Curric
>O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
>Curric
>
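A small triage helper for the kind of log quoted above, added here as an example (it is not part of the original posts and is not HijackThis code): it rejoins the mail-wrapped lines and lists the entries that mention FunWebProducts or MyWebSearch. The marker list and the function names are assumptions made for this example; a hit marks an entry for review before any registry edit.

```python
import re

# Entries copied from the quoted log above, still in their mail-wrapped form.
SAMPLE = r"""
>O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1
>\MYWEBS~1\bar\1.bin\mwsoemon.exe
>O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6
>\avgcc32.exe /startup
>O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
>http://ak.imgfarm.com/images/nocache/funwebproducts/MySign
a
>tureInitialSetup1.0.0.6.cab
"""

# Assumed markers, taken from names that appear in the thread; "mywebs~1" is
# the 8.3 short form of the MyWebSearch folder seen in the log.
MARKERS = ("funwebproducts", "mywebsearch", "mywebs~1")
ENTRY_START = re.compile(r"^([RFNO]\d{1,2}) - ")


def unwrap(text):
    """Rejoin hard-wrapped, '>'-quoted lines into one string per log entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # wrap point is ambiguous; keep a space
    return entries


def triage(text, markers=MARKERS):
    """Return (section, entry) for every entry that mentions a marker."""
    hits = []
    for entry in unwrap(text):
        m = ENTRY_START.match(entry)
        # Compare with all whitespace removed so a marker split by a wrap matches.
        key = re.sub(r"\s+", "", entry).lower()
        if m and any(mark in key for mark in markers):
            hits.append((m.group(1), entry))
    return hits


if __name__ == "__main__":
    for section, entry in triage(SAMPLE):
        print(section, "|", entry)
```
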