I am trying to help someone get some of this spyware/adware stuff off of his computer, but am having a few problems. I ran adaware and spybot search and destroy, and then ran a hijackthis log....I am going to post it here, and any help you can provide will be GREATLY appreciated!! Thanks!!!


Logfile of HijackThis v1.97.7
Scan saved at 12:18:51 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\USERBL~1\WindowChic.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Sprint Virtual Assistant\bin\mpbtn.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Documents and Settings\Larry\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sprint.com/earthlinkregistration
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink Pop-Up Blocker\Pnel.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Flap store - {DC13E1A1-91D7-6A53-7AFC-52EDBA26569B} - C:\PROGRA~1\COMPSO~1\log dent.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Funk Show] C:\PROGRA~1\USERBL~1\WindowChic.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8150.701099537
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

Wintools removal here.

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O3 - Toolbar: Flap store - {DC13E1A1-91D7-6A53-7AFC-52EDBA26569B} - C:\PROGRA~1\COMPSO~1\log dent.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Funk Show] C:\PROGRA~1\USERBL~1\WindowChic.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\PROGRA~1\COMPSO~1< folder
C:\Program Files\Viewpoint< folder
C:\PROGRA~1\USERBL~1< folder
C:\Program Files\VBouncer< folder

Reboot normally.

Can you download the following app & run it, making sure to have one internet exploder window open. Save the log & paste the results back here.
VX2Finder

I looked over your response, and tonight or tomorrow night we are going to do what you suggested and see what happens. I am hesitant to do much without advice on his computer, because it is Windows XP and mine is 98. I had a couple of other quick questions, that hopefully will be solved with the other suggestions, but until I can get back up with him to help him, I thought I'd ask.....last night, he called and said he received a run-time error, which had never happened before. Also, he keeps have the dialup box appear when he first cuts on his computer, which shouldn't happen because he has DSL and doesn't need to dialup. Could this be caused by the other stuff, or is it just something easy to fix to stop that box from coming up? Just curious. Also, you said in your post to run hijackthis from a perm. folder, not from the desktop or from my hard drive. It is save to My Documents on his computer....if that's not a good place, how do I get him to save it the other way? Sorry for the stupid questions.....I'm learning slowly! lol!!

The reason for keeping HJT in it's own folder is that it will create backup files when you run it and will store them in that folder. That way, if you mistakenly delete something you shouldn't have with HJT, you can recover from the mistake with the backup files. You can create a folder for HJT in any location by opening Windows Explorer and:

- navigating to the location where you want to create the folder
- right-clicking in the right-hand Explorer window. Choose New->Folder in the menu that pops up.
- Name the folder HijackThis

The dialer issue might be something in the system settings, or perhaps in the settings of the AOL or Sprint programs that seem to be installed; hard to say for sure, but it isn't necessarilly something malicious.

As for the runtime error, if you can give us the specific error message we'd be better able to offer advice.

Thanks to you both for your suggestions....it was actually a family member I was trying to help out some, but in the end he's decided to take his computer in to a shop to have it fixed. Since you were all such a great help to me for straightening out my computer, personally I would have tried what you suggested first. But thanks again!

You're welcome.

In terms of taking the computer to a shop, maybe you should remind your family member that we don't charge for our services... :mrgreen:

That's exactly what I told him! I think the fact that he hasn't had his computer very long and understands even less than I do (and that would be VERY little, lol!) is a big factor on why he wants to take it in somewhere. I thought I was going to have to do the same thing, until I found this website....it's been awesome! I pretty much got my computer running better, and am still learning along the way, and it's all been free, and getting to talk to very nice people. One quick question, if its ok....I ran a scan of a program called NoAdware, and it found a few things, but in order to delete them, I have to purchase the full version. Do you think that would be a waste of money? The things it picked up Adaware and Spybot S&D didn't when I ran them this morning. Just curious. Thanks!

Yes it would be a waste of money ,as these Fake programs are adding the Stuff it's finding on you computer ,its not reall bad stuff thats why spybot and adaware don't list it .,so you have to pay to get it cleaned,The one you mentioned is on the list of fake programs .
http://www.netrn.net/archives2/000550.html

Thanks for the info!!

NoAdware is highly suspected to be a scam. General concensus is that it returns false-positives to entice you to buy the retail version, and there is also some speculation that it may actually contain spyware itself.

Here's a list of dodgy and/or outright bogus "Anti-Spyware" programs and sites:

http://www.netrn.net/archives2/000571.html