0

Getting popup with the url...

http://fuckyou.00freehost.com/index.html

...also noticed in the popup that...

MediaTicketsInstaller

...was being installed.

In past hijackthis logs I've had instances of...

Tric - C:\WINNT\ICROSOFT.NET\nopdb.exe
Startup Entry Nhkchymj

...which I have deleted but just come back.

I also have this file...

cash**.exe (currently cash8.exe, although it has other file names, the cash part is what seems to be consistant)

...on C:\ that keeps returning even though I've booted in safe mode and deleted it.

I had a couple other hijackthis log entries I've deleted that I don't remember, but these are the things that are the most consistant. And since I have deleted all of these, I'm sure something else I DON'T SEE is actually causing all of this.

Here's my current hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 7:57:51 AM, on 3/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\firefox.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\cash8.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\ICROSO~1.NET\nopdb.exe
C:\Documents and Settings\administrator\My Documents\?dobe\d?dplay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\cash8.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: firefox auto update - Unknown owner - C:\WINNT\firefox.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

...which you can see cash8.exe and some other stuff that I know shouldn't be there running. And if I stay on my pc long enough one or more of the other bad entries will come back, not to mention the popup hasn't gone away.

I'd love for someone to give me a little help with this, as it has gotten really annoying.

Thanks a ton, in advance

4
Contributors
18
Replies
19
Views
11 Years
Discussion Span
Last Post by D3m3nt3d
0

Ran into a problem...

and I know this really doesn't have anything to do with you, but I followed the instructions and I COULD NOT GET WINPFIND TO RUN!

I ran it 3 times yesterday allowing it at least 3 hours. My hard drive activity would never stop but nothing else would happen either. The last time I just let it run all night while I was sleep and when I woke up still the same. Each time I ended up having to just end task.

But let me say this, shortly after I clicked the "Start Scan" button I got a message about my virtual memory being low, I clicked OK as the message said it would increase the size of the file so I thought all would be fine.

I don't know if this is a common problem or not. What I am going to try is manually increasing the size of my virtual memory and seeing if that will help the problem.

If I'm doing anything wrong, you have any suggestions, or some other program that will do the job maybe let me know.

And yeah I know it's not your job to be product support for WinPFind, I just hope maybe I'm doing something boneheaded or you've seen this before and can point me in the right direction.

0

We'll try WinPFind, or some other scans a little later. Just do the Spysweeper scan and remove what it finds, then let me see it and another HijackThis log. :)

0

Got that...

********
2:01 PM: | Start of Session, Tuesday, March 28, 2006 |
2:01 PM: Spy Sweeper started
2:01 PM: Sweep initiated using definitions version 643
2:01 PM: Starting Memory Sweep
2:10 PM: Found Adware: psguard\winhound fakealert
2:10 PM: Detected running threat: C:\WINNT\system32\oleext.dll (ID = 134)
2:11 PM: Found Trojan Horse: trojan downloader matcash
2:11 PM: Detected running threat: C:\Program Files\Common Files\Windows\services32.exe (ID = 184143)
2:12 PM: Found Adware: purityscan
2:12 PM: Detected running threat: C:\WINNT\?icrosoft.NET\nopdb.exe (ID = 230)
2:14 PM: Memory Sweep Complete, Elapsed Time: 00:13:03
2:14 PM: Starting Registry Sweep
2:15 PM: Found Adware: 180search assistant/zango
2:15 PM: HKCR\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135597)
2:15 PM: HKCR\clientax.requiredcomponent\ (5 subtraces) (ID = 135598)
2:15 PM: HKCR\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135599)
2:15 PM: HKCR\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135601)
2:15 PM: HKCR\ncmyb.sabho.1\ (3 subtraces) (ID = 135611)
2:15 PM: HKCR\ncmyb.sabho\ (5 subtraces) (ID = 135612)
2:15 PM: HKLM\software\classes\clientax.requiredcomponent.1\ (3 subtraces) (ID = 135622)
2:15 PM: HKLM\software\classes\clientax.requiredcomponent\ (5 subtraces) (ID = 135623)
2:15 PM: HKLM\software\classes\clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}\ (20 subtraces) (ID = 135624)
2:15 PM: HKLM\software\classes\clsid\{21b4acc4-8874-4aec-aeac-f567a249b4d4}\ (12 subtraces) (ID = 135625)
2:15 PM: HKLM\software\classes\ncmyb.sabho.1\ (3 subtraces) (ID = 135632)
2:15 PM: HKLM\software\classes\ncmyb.sabho\ (5 subtraces) (ID = 135633)
2:15 PM: Found Adware: ist powerscan
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\power scan\ (2 subtraces) (ID = 136826)
2:15 PM: HKCR\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 137128)
2:15 PM: HKCR\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 137170)
2:15 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
2:15 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
2:15 PM: HKCR\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 137352)
2:15 PM: HKLM\software\classes\clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}\ (21 subtraces) (ID = 137470)
2:15 PM: HKLM\software\classes\clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}\ (3 subtraces) (ID = 137505)
2:15 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
2:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
2:15 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
2:15 PM: HKLM\software\classes\mediaticketsinstaller.mediaticketsinstallerctrl.1\ (3 subtraces) (ID = 137683)
2:15 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
2:15 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137987)
2:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\winnt\downloaded program files\mediaticketsinstaller.ocx (ID = 139078)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\mediatickets\ (12 subtraces) (ID = 139080)
2:15 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
2:15 PM: Found Adware: ist yoursitebar
2:15 PM: HKLM\software\classes\ysb.ysbobj.1\ (3 subtraces) (ID = 147846)
2:15 PM: HKCR\ysb.ysbobj.1\ (3 subtraces) (ID = 147865)
2:15 PM: HKCR\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 147926)
2:15 PM: Found Adware: ist surf accuracy
2:15 PM: HKLM\software\sacc\ (4 subtraces) (ID = 203068)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sacc\ (2 subtraces) (ID = 203070)
2:15 PM: HKLM\software\classes\typelib\{68bf4626-d66b-4383-a6af-62e57e9b6cd4}\ (9 subtraces) (ID = 396447)
2:15 PM: Found Trojan Horse: trojan-backdoor-netpt
2:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_netpt\ (12 subtraces) (ID = 1125342)
2:15 PM: HKLM\system\currentcontrolset\enum\root\legacy_perffont\ (8 subtraces) (ID = 1125354)
2:15 PM: HKLM\system\currentcontrolset\services\netpt\ (11 subtraces) (ID = 1125365)
2:15 PM: HKLM\system\currentcontrolset\services\perffont\ (12 subtraces) (ID = 1128287)
2:15 PM: Found Adware: maxifiles
2:15 PM: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
2:15 PM: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
2:15 PM: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
2:15 PM: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
2:15 PM: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
2:15 PM: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
2:15 PM: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
2:15 PM: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
2:15 PM: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
2:15 PM: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
2:15 PM: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
2:15 PM: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
2:15 PM: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
2:15 PM: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (2 subtraces) (ID = 1156519)
2:15 PM: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
2:15 PM: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
2:15 PM: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
2:16 PM: HKU\S-1-5-21-796845957-152049171-1060284298-500\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\180search assistant\ (1 subtraces) (ID = 972193)
2:16 PM: Registry Sweep Complete, Elapsed Time:00:01:24
2:16 PM: Starting Cookie Sweep
2:16 PM: Found Spy Cookie: 247realmedia cookie
2:16 PM: [email]administrator@247realmedia[1].txt[/email] (ID = 1953)
2:16 PM: Found Spy Cookie: 2o7.net cookie
2:16 PM: [email]administrator@2o7[2].txt[/email] (ID = 1957)
2:16 PM: Found Spy Cookie: yieldmanager cookie
2:16 PM: [email]administrator@ad.yieldmanager[2].txt[/email] (ID = 3751)
2:16 PM: Found Spy Cookie: epilot cookie
2:16 PM: [email]administrator@adcenter.epilot[1].txt[/email] (ID = 2622)
2:16 PM: Found Spy Cookie: hbmediapro cookie
2:16 PM: [email]administrator@adopt.hbmediapro[2].txt[/email] (ID = 2768)
2:16 PM: Found Spy Cookie: adrevolver cookie
2:16 PM: [email]administrator@adrevolver[1].txt[/email] (ID = 2088)
2:16 PM: [email]administrator@adrevolver[3].txt[/email] (ID = 2088)
2:16 PM: Found Spy Cookie: pointroll cookie
2:16 PM: [email]administrator@ads.pointroll[1].txt[/email] (ID = 3148)
2:16 PM: Found Spy Cookie: apmebf cookie
2:16 PM: [email]administrator@apmebf[1].txt[/email] (ID = 2229)
2:16 PM: Found Spy Cookie: ask cookie
2:16 PM: [email]administrator@ask[1].txt[/email] (ID = 2245)
2:16 PM: Found Spy Cookie: belnk cookie
2:16 PM: [email]administrator@belnk[1].txt[/email] (ID = 2292)
2:16 PM: Found Spy Cookie: overture cookie
2:16 PM: [email]administrator@bidtool.overture[1].txt[/email] (ID = 3106)
2:16 PM: Found Spy Cookie: bilbo.counted.com cookie
2:16 PM: [email]administrator@bilbo.counted[2].txt[/email] (ID = 2306)
2:16 PM: Found Spy Cookie: goclick cookie
2:16 PM: [email]administrator@c.goclick[2].txt[/email] (ID = 2733)
2:16 PM: Found Spy Cookie: casalemedia cookie
2:16 PM: [email]administrator@casalemedia[1].txt[/email] (ID = 2354)
2:16 PM: [email]administrator@content.overture[1].txt[/email] (ID = 3106)
2:16 PM: [email]administrator@dist.belnk[2].txt[/email] (ID = 2293)
2:16 PM: Found Spy Cookie: findwhat cookie
2:16 PM: [email]administrator@findwhat[1].txt[/email] (ID = 2674)
2:16 PM: Found Spy Cookie: oinadserve cookie
2:16 PM: [email]administrator@oinadserve[2].txt[/email] (ID = 3091)
2:16 PM: [email]administrator@overture[1].txt[/email] (ID = 3105)
2:16 PM: [email]administrator@perf.overture[1].txt[/email] (ID = 3106)
2:16 PM: Found Spy Cookie: qksrv cookie
2:16 PM: [email]administrator@qksrv[1].txt[/email] (ID = 3213)
2:16 PM: Found Spy Cookie: questionmarket cookie
2:16 PM: [email]administrator@questionmarket[1].txt[/email] (ID = 3217)
2:16 PM: Found Spy Cookie: server.iad.liveperson cookie
2:16 PM: [email]administrator@server.iad.liveperson[2].txt[/email] (ID = 3341)
2:16 PM: Found Spy Cookie: serving-sys cookie
2:16 PM: [email]administrator@serving-sys[2].txt[/email] (ID = 3343)
2:16 PM: Found Spy Cookie: servlet cookie
2:16 PM: [email]administrator@servlet[1].txt[/email] (ID = 3345)
2:16 PM: Found Spy Cookie: statcounter cookie
2:16 PM: [email]administrator@statcounter[2].txt[/email] (ID = 3447)
2:16 PM: Found Spy Cookie: tacoda cookie
2:16 PM: [email]administrator@tacoda[2].txt[/email] (ID = 6444)
2:16 PM: Found Spy Cookie: tribalfusion cookie
2:16 PM: [email]administrator@tribalfusion[1].txt[/email] (ID = 3589)
2:16 PM: Found Spy Cookie: clickxchange adware cookie
2:16 PM: [email]administrator@www.clickxchange[2].txt[/email] (ID = 2409)
2:16 PM: [email]administrator@www.epilot[1].txt[/email] (ID = 2622)
2:16 PM: Found Spy Cookie: portland.co cookie
2:16 PM: [email]administrator@www.portland.co[1].txt[/email] (ID = 3180)
2:16 PM: Found Spy Cookie: adserver cookie
2:16 PM: [email]administrator@z1.adserver[1].txt[/email] (ID = 2142)
2:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:08
2:16 PM: Starting File Sweep
2:16 PM: c:\program files\toolbar888 (9 subtraces) (ID = -2147456311)
2:16 PM: c:\program files\common files\inetget (1 subtraces) (ID = -2147477182)
2:16 PM: Found Adware: winhound
2:16 PM: c:\documents and settings\administrator\application data\winhound.com (11 subtraces) (ID = -2147462035)
2:16 PM: c:\program files\winhound (1 subtraces) (ID = -2147462133)
2:17 PM: mc-110-12-0000344.exe (ID = 246327)
2:18 PM: mc-110-12-0000344.exe (ID = 190798)
2:18 PM: freeprodtb.exe (ID = 244762)
2:18 PM: services32.exe (ID = 184143)
2:25 PM: autoit3.exe (ID = 185254)
2:25 PM: dc12.exe (ID = 258578)
2:25 PM: Found Trojan Horse: sdbot
2:25 PM: rp5[1].exe (ID = 271539)
2:26 PM: mediaticketsinstaller.ocx (ID = 73162)
2:26 PM: basis.xml (ID = 244764)
2:31 PM: backup-20060328-064524-240.inf (ID = 73158)
2:31 PM: launcher[1].exe (ID = 243410)
2:33 PM: netpt.sys (ID = 235796)
2:41 PM: toolbar888.dll (ID = 244763)
2:42 PM: mediaticketsinstaller.inf (ID = 73158)
2:44 PM: win32ssr.exe (ID = 271539)
2:44 PM: tds[2].exe (ID = 258578)
2:50 PM: mediaticketsinstaller.ocx (ID = 73162)
2:50 PM: drdata[1].avi (ID = 190798)
2:53 PM: mc-110-12-0000344.exe (ID = 190798)
2:54 PM: freeprodtb[1].exe (ID = 244762)
2:54 PM: a.exe (ID = 271539)
2:55 PM: tds[1].exe (ID = 258578)
2:56 PM: mediaticketsinstaller.ocx (ID = 73162)
2:58 PM: mediaticketsinstaller.inf (ID = 73158)
2:58 PM: perfont.exe (ID = 258578)
2:58 PM: mediaticketsinstaller.inf (ID = 73158)
2:58 PM: mc-110-12-0000344[1].exe (ID = 246327)
2:59 PM: File Sweep Complete, Elapsed Time: 00:42:38
2:59 PM: Full Sweep has completed. Elapsed time 00:57:23
2:59 PM: Traces Found: 528
3:56 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
3:58 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:00 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:02 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:18 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
4:32 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:33 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
4:34 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:36 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:37 PM: Spy Installation Shield: found: Adware: maxifiles, version 1.0.0.0 -- Execution Denied
4:44 PM: Spy Installation Shield: found: Trojan Horse: trojan downloader matcash, version 1.0.0.0 -- Execution Denied
7:26 PM: Removal process initiated
7:26 PM: Quarantining All Traces: 180search assistant/zango
7:26 PM: Quarantining All Traces: psguard\winhound fakealert
7:27 PM: psguard\winhound fakealert is in use. It will be removed on reboot.
7:27 PM: C:\WINNT\system32\oleext.dll is in use. It will be removed on reboot.
7:27 PM: Quarantining All Traces: purityscan
7:27 PM: Quarantining All Traces: sdbot
7:27 PM: Quarantining All Traces: trojan downloader matcash
7:27 PM: trojan downloader matcash is in use. It will be removed on reboot.
7:27 PM: services32.exe is in use. It will be removed on reboot.
7:27 PM: Quarantining All Traces: maxifiles
7:28 PM: maxifiles is in use. It will be removed on reboot.
7:28 PM: mc-110-12-0000344.exe is in use. It will be removed on reboot.
7:28 PM: Quarantining All Traces: trojan-backdoor-netpt
7:28 PM: Quarantining All Traces: ist powerscan
7:28 PM: Quarantining All Traces: ist surf accuracy
7:28 PM: Quarantining All Traces: ist yoursitebar
7:28 PM: Quarantining All Traces: winhound
7:28 PM: Quarantining All Traces: 247realmedia cookie
7:28 PM: Quarantining All Traces: 2o7.net cookie
7:28 PM: Quarantining All Traces: adrevolver cookie
7:28 PM: Quarantining All Traces: adserver cookie
7:28 PM: Quarantining All Traces: apmebf cookie
7:28 PM: Quarantining All Traces: ask cookie
7:28 PM: Quarantining All Traces: belnk cookie
7:28 PM: Quarantining All Traces: bilbo.counted.com cookie
7:28 PM: Quarantining All Traces: casalemedia cookie
7:28 PM: Quarantining All Traces: clickxchange adware cookie
7:28 PM: Quarantining All Traces: epilot cookie
7:28 PM: Quarantining All Traces: findwhat cookie
7:28 PM: Quarantining All Traces: goclick cookie
7:28 PM: Quarantining All Traces: hbmediapro cookie
7:28 PM: Quarantining All Traces: oinadserve cookie
7:28 PM: Quarantining All Traces: overture cookie
7:28 PM: Quarantining All Traces: pointroll cookie
7:28 PM: Quarantining All Traces: portland.co cookie
7:28 PM: Quarantining All Traces: qksrv cookie
7:28 PM: Quarantining All Traces: questionmarket cookie
7:28 PM: Quarantining All Traces: server.iad.liveperson cookie
7:28 PM: Quarantining All Traces: serving-sys cookie
7:28 PM: Quarantining All Traces: servlet cookie
7:28 PM: Quarantining All Traces: statcounter cookie
7:28 PM: Quarantining All Traces: tacoda cookie
7:28 PM: Quarantining All Traces: tribalfusion cookie
7:28 PM: Quarantining All Traces: yieldmanager cookie
7:29 PM: Removal process completed. Elapsed time 00:02:46
********
1:56 PM: | Start of Session, Tuesday, March 28, 2006 |
1:56 PM: Spy Sweeper started
1:58 PM: Updating spyware definitions
2:01 PM: Your spyware definitions have been updated.
2:01 PM: | End of Session, Tuesday, March 28, 2006 |

Logfile of HijackThis v1.99.1
Scan saved at 10:00:53 AM, on 3/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\cash17.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\FNTS~1\notepad.exe
C:\Documents and Settings\Default User\Application Data\a?sembly\??chost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5172
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: firefox auto update - Unknown owner - C:\WINNT\firefox.exe
O23 - Service: Internet Explorer Web Browser (Internet Explorer) - Unknown owner - C:\WINNT\iexplore.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

0

Ok - still a little more to do

Since Spysweeper detected PSGuard, let's make sure we remove it all.

Download smitRem.exe -Save it to your Desktop.
-DoubleClick it to extract the contents to a new smitRem Folder.
-Just leave it for now.

Please Boot to Safe Mode.

Go to Start>Run type Services.msc
-Locate the following two services

firefox auto update
Internet Explorer Web Browser

-Right click and choose Stop if not greyed out
-Choose Properties
-Change Startup Type to disabled

Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and paste the following one at a time and delete them

firefox auto update
Internet Explorer Web Browser

Now scan with HijackThis and check the following if they exist

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTic....cab?refid=5172
O23 - Service: firefox auto update - Unknown owner - C:\WINNT\firefox.exe
O23 - Service: Internet Explorer Web Browser (Internet Explorer) - Unknown owner - C:\WINNT\iexplore.exe

Now close ALL Browsers and choose Fix Checked

Continuing in Safe Mode....

-Open the smitRem Folder
-DoubleClick the RunThis.bat file to run the tool.
-Follow the prompts on screen
-Allow the tool to complete its run and finish the Disk Cleanup.
-Reboot to Normal Mode
-There should be a log at C:\smitfiles.txt.
-Please submit that and one more HijackThis log

Let me know if you are still having any problems..

0

Things seem better now...


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Wed 03/29/2006
The current time is: 10:40:21.22

Running from
C:\Documents and Settings\administrator\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!

Running WinHound.com fix!

WinHound.com key was successfully removed! :)

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 552 'explorer.exe'
Killing PID 552 'explorer.exe'
Error 0x5 : Access is denied.


Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remaining Post-run Files


~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :( Starting replacement procedure.


~~~~ Looking for C:\WINNT\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINNT\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~

~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINNT\system32\wininet.dll for infection ~~~~


~~~~ C:\WINNT\system32\wininet.dll Clean! :) ~~~~

0

Great! Smitrem cleaned your WinHound infection - so good thing we ran it :)

How about the new HijackThis log?

0

Sorry got it right here...

Logfile of HijackThis v1.99.1
Scan saved at 11:00:36 AM, on 3/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

0

Was that a "I have no idea what I should use" kinda "...", if so may I suggest AVG Free Edition, as you may have guessed it is free, and is very good at what it does, also unlike Norton it is easy on the resources :).

0

Was that a "I have no idea what I should use" kinda "..."

Oh no...the "..." was there because I couldn't post the message without a message. I really just wanted thank D3m3nt3d in the title "I will...thanks again (dno)"

But since I'm here take another look at my hijackthis log.

The last service.. O23 - Service: Windows web messenger - Unknown owner - C:\WINNT\Msnweb.exe shouldn't be there... I don't even have MSN Messenger installed...and if I did, I know it wouldn't be in c:\winnt


Logfile of HijackThis v1.99.1
Scan saved at 8:42:58 AM, on 3/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\Msnweb.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Windows web messenger - Unknown owner - C:\WINNT\Msnweb.exe

0

No it shouldn't be - and it was not until your most recent log. None of this is going to stop until you install an Antivirus.

Please do so - I use AVG. Scan with it, remove everything it finds, then attach a new HijackThis log.

We will just go in circles until an Antivirus is installed.....

0

Got AVG installed...found all kinds of stuff. You're right it does seemed to be a nice piece of software. This is my backup laptop and not too long ago wiped the hard drive and put 2000 on it. I've just been lazy/cheap about getting a firewall and up to date AV.

Here's the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 2:33:58 AM, on 3/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\Msnweb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Windows web messenger - Unknown owner - C:\WINNT\Msnweb.exe

0

Open Task Manager (Ctrl+Alt+Del) and kill the following process

Msnweb.exe

Go to Start>Run type Services.msc
-Locate the following service

Windows web messenger

-Right click and choose Stop if not greyed out
-Choose Properties
-Change Startup Type to disabled

Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and paste the following and delete it

Windows web messenger

Now scan and check the following in HijackThis if it still exists, and choose Fix Checked
O23 - Service: Windows web messenger - Unknown owner - C:\WINNT\Msnweb.exe
After you remove that your log will be clean. :)

0

Here's the latest hjt log...i think you got it D3m3nt3d

Logfile of HijackThis v1.99.1
Scan saved at 5:20:28 AM, on 4/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WS_FTP\WS_FTP95.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE


Thanks a million...

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.