please check these logs

please check this log
This log looks clean to me , but when I went into CWShredder today , it said that I had a variation of CWS called Smartsearch ( I belive ) that was attemptiing to close the window .
It said the CWS had not been corrupted and that I had to close all browser windows in order to fix. I am not quite sure what that meant - I had Explorer , AVG and ZOne Alarm running - I am not sure if Explorer means IE or WIndows Explorer although I am assuming IE ? If I click on that , the box to shut down ,restart or cancel comes up. , so I cannot close Explorer or my whole PC shuts .

When I run CWShredder , it now says clean but I am thinking it was not able to fix because when I run scan only, I get a log that I am unable to copy that says something like teengurus and xxx something among others . I tried DL ing the latest version of Spybot 3.1 first but it says there are no newer updates ( I have 2.1) and when I try to update to the latest on CWShredder , it comes as a zip file in AOL which does not show up in my Downloaded AOL porgrams and I cannto unzip it .
Please help and I will try to post back and see exactly what the
scan only says - I will copy by hand .
I suspect my teenage son might have gone to a porn site ?
Logfile of HijackThis v1.97.7
Scan saved at 3:28:19 PM, on 6/3/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\GATOSEC\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int
ernet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/brix6ie.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...21/cpbrkpie.cab
O16 - DPF: {4A752EEF-26FA-4E8F-8FF0-4EB40FE1D33B} (ACNPlayer2 Class) - http://209.67.146.68/HarrisFiles/ePlayer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8118.2294097222







CWShredder scan
Ok, when I scan CWShredder , it says my system is clean but the scan says :

Hosts file not present
Found CWS.Control( if file size is over 50K) File C:Windows\control.exe (2112 bytes,A)
CWS.Oslogo( if value is 2) RegValue: DOmains*colwebsearch.com(dword:4)
next line same as above
CWS.Googlems:2 ( if val is 2) Regvalueomains xxxtoolbar.com d.word.4
CWS.Googlems:4 ( If value is 2) Regvalue Domains*teensguru.com dword.4
RegValueefaultPrefix (should be http://){http://}
RegValue Mosaic prefix (Should be http://_{mosaic}http://
RegValue: Homeprefix( should be http://){home}http://
FoundWin.ini.file C:Windows\win.ini ( 8540 bytes,A)
Found line in Win.ini run=
Found System.ini.file:C\\Windows\system.ini(2073 bytes,A)
Found line in System.ini shell=explore.exe

I am running 98SE , AVG , Zone Alarm , as the log tells you .
I cannot unzip the update that I am getting from the Merjin site for CWShredder - it comes up as an AOL zip file , but is not supported by AOL ( I Have both Comcast and AOL for broadband) so not sure why it comes up this way and it will not show up in the AOL Dl's while will allow it to be unzipped .

Maybe if I could DL the most current version of Spybot 3.1 this might help? When I went to the site , it gave me different options from sites to DL but not sure which is safest and not a beta version ( from these boards ) .
ALso, should I uninstall 2.1 before installing the new one ?

I know this is very long - thanks for reading .

 

Thanks for your very prompt reply !

Well, when I tried to run the CwShredder initially, I did get that message that
a CWS variant , Smartsearch2, I think it said , was trying to close the CWS program and that they had changed the text file to random letters and numbers and that the program had not been corrupted .

It did tell me to close all programs and my media player before hitting fix .
When I tried to close Explorer , it shuts my computer down .
My media player was not running at all when I got this message either .
I just clicked on FIX without closing anything else since all I had running was AVG , ZoneAlarm and Explorer - could not close the media player - not running ( weird ) . I am still confused as to why if I click on Explorer it shuts my computer down since I don't believe this used to happen ?

Recently , my WMP was infected and it was healed by AVG . Now the WMP is no longer in my Add /Remove programs list as I was thinking it might be safer to just completely uninstall it . I have version 6.4 and have no interest in updating cuz I heard horror stories about Version 9 .

IE 6 is up -to - date with all security patches and I have Spywareblaster installed . So I did not think anything could hijack me again .
Am I correct in thinking that just because Spywareblaster is installed that I am protected ( I have enable all protection checked in quick tools) or do I actually have to open the program each time I use my computer?

Thanks so much for all your help .

 

SpywareBlaster does not have to be running to protect you.

If you do not want to be bothered by WMP anymore I would advise you to install another Media Player and let it take over the file associations.

Regards,

Pieter

 

Hi Pieter

Thanks for the advice - I talked to two people yesterday at a graduation party whose WMP had been infected with trojans and that no longer showed up in their add/remove programs menu either .

If i were to install, say Musicmatch jukebox or Realplayer, how would I go about making one my default player and is there a way to manually get rid of the WMP?

 

If you install any of the other players they will take over the file associations currently "owned" by WMP.

I would not go through the motions you may find on the web about removing WMP as long as it is not bothering you in any way.

Regards,

Pieter