Please support our Viruses, Spyware and other Nasties advertiser: 64-bit Windows Community
 |
•
•
Join Date: Mar 2006
Posts: 6
Reputation: 
Rep Power: 0
Solved Threads: 0
Newbie Poster
I attached my hijackthis log file. I don't know why but I cannot right click and paste my log in this section. The only way I can do it is to add it as an attachment. This goes with my thread on desktop background. Thank You.
•
•
Join Date: Feb 2006
Location: NC
Posts: 238
Reputation:
Rep Power: 3
Solved Threads: 11
Posting Whiz in Training
Hello Kerrin
Please post all replies in this thread instead of starting a new thread. This way, no one gets confused
Sounds like a case for Smitrem...
Download smitRem.exe -Save it to your Desktop.
-DoubleClick it to extract the contents to a new smitRem Folder.
-Just leave it for now.
Please Boot to Safe Mode.
Continuing in Safe Mode,
-Open the smitRem Folder
-DoubleClick the RunThis.bat file to run the tool.
-Follow the prompts on screen
-Allow the tool to complete its run and finish the Disk Cleanup.
-Reboot to Normal Mode
-There should be a log at C:\smitfiles.txt.
-Please submit that with a new HijackThis log
Please post all replies in this thread instead of starting a new thread. This way, no one gets confused
Sounds like a case for Smitrem...
Download smitRem.exe -Save it to your Desktop.
-DoubleClick it to extract the contents to a new smitRem Folder.
-Just leave it for now.
Please Boot to Safe Mode.
Continuing in Safe Mode,
-Open the smitRem Folder
-DoubleClick the RunThis.bat file to run the tool.
-Follow the prompts on screen
-Allow the tool to complete its run and finish the Disk Cleanup.
-Reboot to Normal Mode
-There should be a log at C:\smitfiles.txt.
-Please submit that with a new HijackThis log
Proud Member of ASAP (Alliance of Security Analysis Professionals)
•
•
Join Date: Jul 2005
Location: FL.
Posts: 1,536
Reputation:
Rep Power: 7
Solved Threads: 98
Hi and welcome to DaniWeb. First I think your Internet eplorer is out of date. You can run Windows Update to fix that.
Ok, you have a fair amount of nasties on your system. Lets boot into safe mode, and have windows show hidden files or folders. To do this:
1 Click the Start Button
2 In the Start menu click Control Panel
3 In the Control panel Window click the Folder Options Icon
4 The folder Options Window will now Open
5 Click the View Tab
6 In the view tab window look down the list for a section marked Hidden Files and Folders
7 Enable the option Show Hidden Files and Folders by left clicking the radio button on the left of the option with your mouse. Then uncheck Hide protected operating system files. CLick yes to the dialog.
8 Press the Apply button
9 On the next screen press OK to exit
10 You should now be able to view the hidden files and folders.
------------------------
1. If the computer is running, shut down Windows, and then turn off the power
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
5. Press Enter. The computer then begins to start in Safe mode.
Then while in safe mode Run HJT again and put a check next to the following items.
O4 - HKLM\..\Run: [bauggva] c:\windows\system32\hjsawed.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [wuozsrr] C:\WINDOWS\System32\pzegua.exe r
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...WBInitialSetup 1.0.0.15.cab
Click Fix Checked
Then please Uninstall the following (Start>Control Panel>Add/Remove Programs)
Newdotnet
My Web Search
Also if you see any of these, uninstall them as well
My Web Search
My Way Speedbar
My Way Speedbar
My Way Speedbar
Search Assistant - My Way
Then please go to Start>My Computer>Program Files
Delete the following folders
Then while your still in safe mode, delete the following files.
C:\WINDOWS\System32\pzegua.exe
c:\windows\system32\hjsawed.exe
C:\WINDOWS\dinst.exe
----------------------------------------------------------------
Reboot Computer Normally
Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.
Post a new HJT log, and the ewido log
EDIT: Do what Demented said, quicker and probally more effective
Ok, you have a fair amount of nasties on your system. Lets boot into safe mode, and have windows show hidden files or folders. To do this:
1 Click the Start Button
2 In the Start menu click Control Panel
3 In the Control panel Window click the Folder Options Icon
4 The folder Options Window will now Open
5 Click the View Tab
6 In the view tab window look down the list for a section marked Hidden Files and Folders
7 Enable the option Show Hidden Files and Folders by left clicking the radio button on the left of the option with your mouse. Then uncheck Hide protected operating system files. CLick yes to the dialog.
8 Press the Apply button
9 On the next screen press OK to exit
10 You should now be able to view the hidden files and folders.
------------------------
1. If the computer is running, shut down Windows, and then turn off the power
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
5. Press Enter. The computer then begins to start in Safe mode.
Then while in safe mode Run HJT again and put a check next to the following items.
O4 - HKLM\..\Run: [bauggva] c:\windows\system32\hjsawed.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [wuozsrr] C:\WINDOWS\System32\pzegua.exe r
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O13 - DefaultPrefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O13 - WWW Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...WBInitialSetup 1.0.0.15.cab
Click Fix Checked
Then please Uninstall the following (Start>Control Panel>Add/Remove Programs)
Newdotnet
My Web Search
Also if you see any of these, uninstall them as well
My Web Search
My Way Speedbar
My Way Speedbar
My Way Speedbar
Search Assistant - My Way
Then please go to Start>My Computer>Program Files
Delete the following folders
•
•
•
•
FunWebProducts
MyWebSearch
Then while your still in safe mode, delete the following files.
C:\WINDOWS\System32\pzegua.exe
c:\windows\system32\hjsawed.exe
C:\WINDOWS\dinst.exe
----------------------------------------------------------------
Reboot Computer Normally
Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.
Post a new HJT log, and the ewido log
EDIT: Do what Demented said, quicker and probally more effective
Firefox
Ewido
Tune up windows
Get detailed system information
My Fixes
Member - Alliance of Security Analysis Professionals - Since 2006
Ewido
Tune up windows
Get detailed system information
My Fixes
Member - Alliance of Security Analysis Professionals - Since 2006
•
•
Join Date: Feb 2006
Location: NC
Posts: 238
Reputation:
Rep Power: 3
Solved Threads: 11
Posting Whiz in Training
You will still need to do Tayspens suggestions as you have some infection, I would just like to see the smitfiles log, and see if it helps unlock the desktop.
If not, after everything evident in the log is removed, we can do a registry patch
If not, after everything evident in the log is removed, we can do a registry patch
Proud Member of ASAP (Alliance of Security Analysis Professionals)
•
•
Join Date: Mar 2006
Posts: 6
Reputation:
Rep Power: 0
Solved Threads: 0
Newbie Poster
First of all, I tried to add to the old thread but I couldn't figure out how. I could not get to where it lets you edit a previous thread. So I am posting a new thread because I don't know what else to do.
I am posting the ewido log and hijackthis log that you requested. I also performed all the actions that you listed. I hope this helps. Thanks. :!:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 9:22:27 AM, 3/27/2006
+ Report-Checksum: 5433F2D5
+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkikidpilo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkoopajggq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfmyopd5iko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4chajmdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4wmdzwap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlisid5sgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmikldpkho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnycldzckp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyencjsho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3G8RJWOV\just-plumbers[1].html -> Downloader.Inor.a : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP447\A0034712.exe -> Downloader.Agent.aeh : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 9:49:33 AM, on 3/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\PROGRA~1\QUICKENW\QAGENT.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Palm\HOTSYNC.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [QAGENT] C:\PROGRA~1\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: ConferenceRoom Java Client - http://techchat.bright.net/java/cr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
I am posting the ewido log and hijackthis log that you requested. I also performed all the actions that you listed. I hope this helps. Thanks. :!:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 9:22:27 AM, 3/27/2006
+ Report-Checksum: 5433F2D5
+ Scan result:
C:\Documents and Settings\Owner\Cookies\owner@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkikidpilo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkoopajggq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfmyopd5iko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4chajmdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjk4wmdzwap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlisid5sgp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmikldpkho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnycldzckp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyencjsho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\3G8RJWOV\just-plumbers[1].html -> Downloader.Inor.a : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP447\A0034712.exe -> Downloader.Agent.aeh : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 9:49:33 AM, on 3/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\PROGRA~1\QUICKENW\QAGENT.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Palm\HOTSYNC.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [QAGENT] C:\PROGRA~1\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: ConferenceRoom Java Client - http://techchat.bright.net/java/cr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
•
•
Join Date: Feb 2006
Location: NC
Posts: 238
Reputation:
Rep Power: 3
Solved Threads: 11
Posting Whiz in Training
All you have to do is simply scroll down to the bottom of the page and type your response in the box, then click Post Quick Reply or click the Quick Reply bottom located right under my post to the left.
http://www.daniweb.com/techtalkforum...quickreply.gif
Did you run the Smitrem tool? If so could you paste the contents of C:\smitfiles.txt
I see some other things we need to address as well, but would like to see the log. Also, is your background still locked?
http://www.daniweb.com/techtalkforum...quickreply.gif
Did you run the Smitrem tool? If so could you paste the contents of C:\smitfiles.txt
I see some other things we need to address as well, but would like to see the log. Also, is your background still locked?
Proud Member of ASAP (Alliance of Security Analysis Professionals)
•
•
Join Date: Mar 2006
Posts: 6
Reputation:
Rep Power: 0
Solved Threads: 0
Newbie Poster
Ok, here is my smitrem log. And, Yes! My desktop is finally back to normal! I can actually change the picture now! Thank you so much! Please let me know if I still have files/infections, etc., that need to be remove. Thanks.
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 03/27/2006
The current time is: 14:15:36.18
Running from
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{03B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"
"{DABB03E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"
"{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}"=""
"{303F44D5-5FEA-4509-ABDE-5E00C3F2125A}"="DDE Module"
"{FB153DCE-822E-47ec-8D00-2706E7864B37}"=""
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"
"{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}"="OLE Module"
"{F33812FB-F35C-4674-90F6-FD757C419C51}"="DDE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
atmtd.dll._
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1472 'explorer.exe'
Killing PID 1472 'explorer.exe'
Starting registry repairs
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 03/27/2006
The current time is: 14:15:36.18
Running from
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{03B1C4D9-BC71-8916-38AD-9DEA5D213614}"="OLE Module"
"{DABB03E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"
"{38D4D5D0-423E-4220-B6F9-30918C2AE4A4}"=""
"{303F44D5-5FEA-4509-ABDE-5E00C3F2125A}"="DDE Module"
"{FB153DCE-822E-47ec-8D00-2706E7864B37}"=""
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"
"{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}"="OLE Module"
"{F33812FB-F35C-4674-90F6-FD757C419C51}"="DDE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
atmtd.dll._
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1472 'explorer.exe'
Killing PID 1472 'explorer.exe'
Starting registry repairs
•
•
Join Date: Jan 2006
Location: Tennessee
Posts: 1,567
Reputation:
Rep Power: 7
Solved Threads: 103
Actually could ya post a new HJT log?
Thanks.
Thanks.
Now if ya like the help ya could always raise our reputation...
•
•
Join Date: Mar 2006
Posts: 6
Reputation:
Rep Power: 0
Solved Threads: 0
Newbie Poster
Ok, here is the hijackthis log.
Logfile of HijackThis v1.99.1
Scan saved at 3:50:50 PM, on 3/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\PROGRA~1\QUICKENW\QAGENT.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Palm\HOTSYNC.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\hijackthis\HijackThis.exe
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [QAGENT] C:\PROGRA~1\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: ConferenceRoom Java Client - http://techchat.bright.net/java/cr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logfile of HijackThis v1.99.1
Scan saved at 3:50:50 PM, on 3/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\PROGRA~1\QUICKENW\QAGENT.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Palm\HOTSYNC.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\hijackthis\HijackThis.exe
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [QAGENT] C:\PROGRA~1\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
O16 - DPF: ConferenceRoom Java Client - http://techchat.bright.net/java/cr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
•
•
Join Date: Jan 2006
Location: Tennessee
Posts: 1,567
Reputation:
Rep Power: 7
Solved Threads: 103
Awsome, several things to fix. Begin by uninstalling WeatherBug via Add/Remove Programs. Although it helps sometimes, it's a major data hog. Next, follow the directions for removing MyWaySA here (its the last post on the bottom of the page):
http://www.daniweb.com/techtalkforums/thread28196.html
After this, fix the following in the log:
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZUxdm082YYUS
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
Lastly after this, reboot into safe mode and delete this file if found:
C:\Program Files\newdotnet
After this, restart the computer and post a new log
http://www.daniweb.com/techtalkforums/thread28196.html
After this, fix the following in the log:
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZUxdm082YYUS
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O13 - Home Prefix: http://103.nowfind.biz/gall.php?url=
O13 - Mosaic Prefix: http://103.nowfind.biz/gall.php?url=
Lastly after this, reboot into safe mode and delete this file if found:
C:\Program Files\newdotnet
After this, restart the computer and post a new log
Now if ya like the help ya could always raise our reputation...
|
Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum
- Desktop background now white and unable to change (Viruses, Spyware and other Nasties)
- Desktop background locked out (Viruses, Spyware and other Nasties)
- For maraniba: Desktop background locked out (Viruses, Spyware and other Nasties)
- desktop background hacked(hackthis,log) (Viruses, Spyware and other Nasties)
- Desktop background hijacked-NEW Problem (Web Browsers)
- Desktop Background Hijacked-NEW Problem(! Smart Security) (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Same Spyware Returns Right Away
- Next Thread: Please Help with Winfix Pro 2006 virus
•
•
•
•
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Linear Mode
