0

I've attempted to clean my system several times to no avail as that Win32 Driver will not go away!!!! :mad:

Here is my HijackLog:

Logfile of HijackThis v1.97.7
Scan saved at 8:51:44 PM, on 10/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\CTsvcCDA.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\smsc.exe
F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
f:\PROGRA~1\mcafee.com\agent\McDash.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\WINDOWS\System32\ruyavo.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A903BF95-883E-4E70-AEC8-6C27CDC0A6B2} - F:\WINDOWS\System32\taceoaf.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - F:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PvzP.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] f:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks in advance!

3
Contributors
15
Replies
16
Views
13 Years
Discussion Span
Last Post by DMR
0

Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.

Open Task Manager & end process on the following:
smsc.exe

Then go to F:\WINDOWS\System32 and delete the file manually.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - F:\WINDOWS\System32\ruyavo.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
O2 - BHO: (no name) - {A903BF95-883E-4E70-AEC8-6C27CDC0A6B2} - F:\WINDOWS\System32\taceoaf.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - F:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\PvzP.dll

O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] smsc.exe

Search for wuamgrd.exe and delete if found.

Reboot after doing the above, rescan with hijackthis making certain that all instances of Internet Explorer are closed, then post that log here please.

0

Good morning,

I followed the instructions to a tee and here is the new logfile:

Logfile of HijackThis v1.98.2
Scan saved at 8:02:54 PM, on 10/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\CTsvcCDA.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [SpySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: F:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Questions: I have and use spysweeper. It still indicates that Win32 Driver is present in my register keys. Is there a way to be totally rid of this strain? Also, will my McAfee step up to prevent these viruses from returning? Or is it time to scrap McAfee for Norton Antivirus?

Thanks again!

0

Questions: I have and use spysweeper. It still indicates that Win32 Driver is present in my register keys. Is there a way to be totally rid of this strain? Also, will my McAfee step up to prevent these viruses from returning? Or is it time to scrap McAfee for Norton Antivirus?

The Win 32 Driver and smsc.exe entries indicate an infection by one of the variants of the AGOBOT/FORBOT worm; assuming that you're using current virus definition updates, any of the major AV packages (including McAfee's) should be able to deal with it.

In terms of your log- it now looks clean, except perhaps for the MaxSpeed entries:

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - F:\WINDOWS\System32\ms.exe

At least one anti-virus company (Sophos) links it to a trojan.

0

Well, my McAfee application is 2004, but that may not mean that it's current enough to deal with whatever trojan strain is occupying my computer. By the Win32 Driver evading detection on the McAfee system scan, SpySweeper system scan and HijackThis scan, is there any other application or software that can get rid of it?

As for the MaxSpeed, I will check "fix checked" on my next HJT log.

Thanks!

0

Well, my McAfee application is 2004, but that may not mean that it's current enough to deal with whatever trojan strain is occupying my computer.

It isn't the version of your anti-virus program itself that's important- what's important is that you have downloaded the most current virus definition updates for that program; new definition updates for any of the major AV programs can be released as often as every other day. If you haven't kept current with those updates since installing the program itself, your AV program is pretty much useless at this point. Both McAfee and Norton offer free updates for a certain period of time (which varies by product) after installing the programs. Within that time period you can freely download all of the current product updates, but after the time expires you will have to pay a monthly or yearly fee in order to download the updates.

0

The deletion of those files should have rid you of the virus.

Go here to TrendMicro for an on-line scan & set it to autoclean for you.

Try this scan at Panda as well.

0

Good afternoon,

Crunchie, I'm not sure if this should be placed with Tech Support, but it is in keeping with the aforementioned system listed in the log.

I have attempted to access the internet for the purpose of utilizing the Panda scan, but each and EVERY time I try, I get the "unable to locate server" message. Supposedly my system is free of viruses, but could they have damaged my internet access prior to their removal? I feel like I'm back at square one.

0

could they have damaged my internet access prior to their removal?

Yes, in a couple of different ways.

If you can reach some/most sites, but cannot reach anti-virus, anti-spyware, or other such security-oriented sites:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Navigate to your C:\windows\system32\drivers\etc folder and find the file named "hosts".

- Open that file in Windows Notepad. Aside from the comment lines at the beginning of the file (the lines which begin with a " # "), it should contain only the following entry:

127.0.0.1 localhost

If you find other similar-looking entries below that, delete all of them and save the file.

Important: Notepad will want to add a .txt extention to the newly-saved filename, so after saving the file and closing Notepad you will need to rename the file back to simply "hosts" (that is, remove the .txt from the end of the filename).

If the connection problem occurs with all/any sites you try to reach, let us know that.

0

DMR,

Thanks for that instruction! I was able to do everything but the very last item. My system wouldn't allow the changing of an established format (in this case notebook to service). My intention is to change it on the system here at work and return the file to my home system.

In the process of opening that file, I discovered 728 alternate entries (729 - if you count a duplicate localhost entry at the very end).

I won't know if the system will allow internet access until I return home this evening to give it a shot.

Thanks again.

0

OK- keep us posted.
In terms of not being able to change the file association/extension, you do have to be logged in to an account with administrative rights to make such changes.

If the added entries you found in your hosts file refered to sites such as Panda's, Symantec/Norton, McAfee, etc., you should be able to reach those sites now that you've deleted their entries.


Just FYI:

The entries in the "hosts" file are mappings of host names/URLs to their respective IP addresses. This is essentially like having a small DNS server on your own computer, in that when you type a URL into your browser (or click on a link to a URL on a web page), Windows will look in the hosts file to see if the URL you typed/clicked has a matching IP address there. If so, Windows will direct your browser to that IP address; if not, Windows will then look to your DNS servers to match the URL with an actual IP address. (The use of hosts files was how hostname-to-IP address mapping/resolution was done before DNS was invented.)

The problem with this method is that:

A) By default, Windows will consult the local hosts file before consulting any DNS servers on your network or on the Internet.

B) There is no error checking at all concerning validity of the mappings in your hosts file. You (or someone else) can put any hostname-to-IP mapping entry you want into the hosts file; when your browser encounters that hostname, it will automatically ty to go to the associated IP address listed in hosts.

Just for grins, you can test this yourself.

1. Put the following entry at the end of your hosts file and save the file:

64.233.167.99 www.spooge.com

2. Open a web browser and type this in the location/address box:

www.spooge.com

If your browser took you to Google, congratulations- you've just demonstrated what a huge security hole the hosts file presents. :mrgreen:

*Setting the "read only" attribute on the hosts file can keep viruses, hijackers, etc. from making unwanted changes to the file.

0

Good morning,

After a week's worth of birthday celebration, I've managed to do another HJT logfile. Here it is:

Logfile of HijackThis v1.98.2
Scan saved at 6:05:37 AM, on 11/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
F:\WINDOWS\System32\CTsvcCDA.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\svchosting.exe
F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
F:\WINDOWS\surfmonkey\SMProxy.exe
F:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
F:\WINDOWS\System32\scrgrd.exe
F:\WINDOWS\System32\wuapdate16.exe
F:\WINDOWS\System32\winsys.exe
F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
F:\WINDOWS\System32\rundll32.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\System32\ybeuq.exe
F:\Program Files\EarthLink TotalAccess\TaskPanl.exe
F:\Program Files\America Online 9.0\aoltray.exe
F:\WINDOWS\System32\wuauclt.exe
F:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = F:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Propel Accelerator] "F:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKLM\..\Run: [ELNKProxy] F:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [Microsoft 16Bit Update] wuapdate16.exe
O4 - HKLM\..\Run: [Microsoft Update] winsys.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [AOLDialer] F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "F:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TCP/IP PerfManager] ybeuq.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft 16Bit Update] wuapdate16.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winsys.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [TCP/IP PerfManager] ybeuq.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper.exe /0
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys.exe
O4 - HKCU\..\Run: [Microsoft 16Bit Update] wuapdate16.exe
O4 - HKCU\..\Run: [TCP/IP PerfManager] ybeuq.exe
O4 - HKCU\..\Run: [E6TaskPanel] "F:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] svchosting.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = F:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - F:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - F:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Thanks,

0

After rereading and applying the information, here is the latest HJT logfile:

Logfile of HijackThis v1.98.2
Scan saved at 7:39:28 PM, on 11/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
F:\WINDOWS\System32\CTsvcCDA.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINDOWS\Explorer.EXE
F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
F:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
F:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
F:\WINDOWS\surfmonkey\smproxy.exe
F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
F:\Program Files\Real\RealPlayer\RealPlay.exe
F:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
F:\WINDOWS\System32\rundll32.exe
F:\Program Files\QuickTime\qttask.exe
f:\progra~1\mcafee.com\vso\mcvsescn.exe
F:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
F:\Program Files\EarthLink TotalAccess\TaskPanl.exe
F:\Program Files\America Online 9.0\aoltray.exe
F:\WINDOWS\System32\wuauclt.exe
F:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = F:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - F:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - F:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] F:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Propel Accelerator] "F:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
O4 - HKLM\..\Run: [ELNKProxy] F:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [AOLDialer] F:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] F:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "F:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper.exe /0
O4 - HKCU\..\Run: [E6TaskPanel] "F:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = F:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - F:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - F:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - F:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - F:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Thanks!

0

1.Get rid of SurfMonkey. Why? Because it's a bogus program.

2. Can you tell us what exact problems you're still having (if any)? Aside from the SurfMonkey stuff, you're log looks clean.

0

DMR,

To the best of my knowledge, everything (aside from minor glitches such as the increased sizes of the desktop icons that can't be reduced) seems to be running smoothly. I was just posting the latest log to make sure that I had followed the instructions as given. When I get near my system again, I'll delete the 04 entry containing the surfmonkey smproxy.exe.

Thanks

0

You're welcome :)

The desktop icon sizing sounds like it could be a separate (non-spyware issue); is it the entire sceen resolution which has changed, or just the size of the icons themselves?

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.