0

I am having trouble removing Update.exe Spyware/Adware.

I don't know how it arrived ... I am very careful where I browse and what I download, but unfortunately, I am not the only one who uses this computer.

I have provided some behavior details because I know there are many different Update.exe infections.

Update.exe runs from registry key HKLM\..\Run:
"C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}\Update.exe" te-110-12-0000213

I have used Ad-Aware SE by Lavasoft to remove Update.exe. It deletes the key and the file but they return on reboot.

For a while Update.exe tried to connect to:
http://dr32.mcboo.XXXX (com)

It was prevented by my firewall and I blocked it but somehow, it must have connected somewhere.

Now I am getting popup ads. I assume they are caused by Update.exe but I suppose it is possible that there are multiple problems.

When I open a browser page for most any legitimate site, I get just 1, or sometimes many popups. They are usually content related. If I am on Google or browsing Download.com looking at Anti-Spyware or Anti-Virus items, I get a ton of popups related to Anti-Spyware/Anti-Virus. Sometimes though, I can browse for a long time with no popups.

Sometimes It can seriously effect performance/stability but usually not.

Popup ads are mostly from http://ad.oinadserver.XXXX/... (com).

Here is my hijacklog, I hope it helps.

Thanks to all who reads this.

Kevin Fegan

(P.S. I am aware of Gator/GMT but the ads I am seeing are not from Gator. I've been using Gator for a long time, without problems and I like it, and for now I am willing to put up with its occasional interruptions.)


Logfile of HijackThis v1.99.1
Scan saved at 11:23:09 AM, on 1/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchosts.exe
F:\Program Files\WS_FTP Pro\ftpsched.exe
F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton\SystemWorks2003\Norton Utilities\NPROTECT.EXE
F:\PROGRA~1\Norton\SYSTEM~2\SPEEDD~1\nopdb.exe
F:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
F:\PROGRA~1\ALLUME~1\StuffIt\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\LMSXXD.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
F:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\WNSXS~1\services.exe
C:\PROGRA~1\COMMON~1\mwrk\mwrkm.exe
C:\Program Files\??crosoft\?xplorer.exe
F:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
F:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
F:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Gator.com\Gator\Gator.exe
F:\Program Files\Creative Element Power Tools\Startup.exe
C:\Program Files\Common Files\GMT\GMT.exe
F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
F:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\COMMON~1\mwrk\mwrka.exe
J:\IBIN\A-Temp-17\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - URLSearchHook: (no name) - {3ADB627F-8EB4-8C4F-C52F-8BCD5F63D7CF} - C:\WINDOWS\System32\rmx.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ADB627F-8EB4-8C4F-C52F-8BCD5F63D7CF} - C:\WINDOWS\System32\rmx.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - F:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - F:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ftpqueue] F:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{CC4978D5-0327-1033-0226-010507990001}] "C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Asme] "C:\WINDOWS\System32\WNSXS~1\services.exe" -vt yazr
O4 - HKCU\..\Run: [mwrk] C:\PROGRA~1\COMMON~1\mwrk\mwrkm.exe
O4 - HKCU\..\Run: [Vkczkp] C:\Program Files\??crosoft\?xplorer.exe
O4 - Startup: Creative Element Power Tools Startup.lnk = F:\Program Files\Creative Element Power Tools\Startup.exe
O4 - Startup: Eudora 6-GMspam.lnk = F:\Program Files\Qualcomm\Eudora\Eudora.exe
O4 - Startup: Microsoft Find Fast.lnk = F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = F:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: A-Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: A-eFax DllCmd 4.0.lnk = F:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: A-eFax Tray Menu 4.0.lnk = F:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: A-Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &StealthBid - http://www.stealthbid.com/Toolbar/ContextMenu.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O9 - Extra 'Tools' menuitem: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O15 - Trusted Zone: *.netmagazines.com
O16 - DPF: {271BEE78-FBBE-43D7-980B-58B5F53E34A7} (StealthBid Class) - http://www.stealthbid.com/Toolbar/IQStealthBid.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - F:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Program Files\Norton\SystemWorks2003\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\Norton\SYSTEM~2\SPEEDD~1\nopdb.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - F:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - F:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

3
Contributors
6
Replies
13
Views
10 Years
Discussion Span
Last Post by crunchie
0

The tool I use to diagnose HJT logs spits out all the bad entries it finds, so you can pick through what malware you wish to leave on your pc :).

Please run the PurityScan uninstaller.

==

Can you please do the following.

===============

When we're done cleaning off your system, I'd recommend that you install all the critical windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.


===============

Before we begin, let's move HiJackThis to it's own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in it's current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.


===============

Go to Add/Remove programs and uninstall the following, if present:

CME II
GMT, GAIN or GATOR

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Let's look for, and delete, any program segments (prefetches) that might be present, and are associated with the 'problems' we're trying to remove from your PC. To do this, let's:

1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:

GMT.exe*
mwrka.exe*

2) Then if any are found in the 'prefetch' folder, delete them.

Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.

===============

Next, Open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

COM+ Messages owner ... (C:\WINDOWS\System32\svchosts.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\svchosts.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}\Update.exe
C:\WINDOWS\System32\WNSXS~1\services.exe
C:\PROGRA~1\COMMON~1\mwrk\mwrkm.exe
C:\Program Files\??crosoft\?xplorer.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\PROGRA~1\COMMON~1\mwrk\mwrka.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R3 - URLSearchHook: (no name) - {3ADB627F-8EB4-8C4F-C52F-8BCD5F63D7CF} - C:\WINDOWS\System32\rmx.dll

O2 - BHO: (no name) - {3ADB627F-8EB4-8C4F-C52F-8BCD5F63D7CF} - C:\WINDOWS\System32\rmx.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [Asme] "C:\WINDOWS\System32\WNSXS~1\services.exe" -vt yazr
O4 - HKCU\..\Run: [mwrk] C:\PROGRA~1\COMMON~1\mwrk\mwrkm.exe
O4 - HKCU\..\Run: [Vkczkp] C:\Program Files\??crosoft\?xplorer.exe
O4 - Global Startup: A-Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\Common Files\CMEII
C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}
C:\WINDOWS\System32\WNSXS~1
C:\PROGRA~1\COMMON~1\mwrk
C:\Program Files\Gator.com
C:\Program Files\Common Files\GMT

files...

C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\rmx.dll
C:\WINDOWS\System32\IETie.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

0

Hello Crunchie

Thanks for the quick reply, I really appreciate the help.

It has taken a while and I have had to work through this
a few times, and it looks like all has been fixed.

=====================================================

CME II, GMT, GAIN / GATOR, GMT.exe, CMESys.exe, Gator.exe
All appear to be related to Gator and I left them alone for now.

Found empty folder:
C:\WINDOWS\system32\WinSxS = C:\WINDOWS\System32\WNSXS~1

Folder and contents previously removed:
C:\Program Files\Common Files\mwrk
= C:\PROGRA~1\COMMON~1\mwrk
C:\Program Files\Common Files\mwrk\mwrka.exe
C:\Program Files\Common Files\mwrk\mwrkl.exe
C:\Program Files\Common Files\mwrk\mwrkm.exe
C:\Program Files\Common Files\mwrk\mwrkp.exe ... and other files

=====================================================

Ran PurityScan uninstaller (again)

===============

Found:
C:\WINDOWS\Prefetch\GMT.EXE-00C623D4.pf
C:\WINDOWS\Prefetch\MWRKA.EXE-38DEA512.pf
C:\WINDOWS\Prefetch\MWRKL.EXE-2D78DA05.pf
C:\WINDOWS\Prefetch\UPDATE.EXE-276CF44C.pf

Deleted:
C:\WINDOWS\Prefetch\MWRKA.EXE-38DEA512.pf

===============

Ran: services.msc
Found entry with Display name=[COM+ Messages]
Service command="C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213
Service was already Stopped.
Service Startup type was set=Automatic
Set service Startup type=Disabled

===============

Ran HiJackThis-process manager:

I found this process, highlighted it and clicked [Kill process]:
C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}\Update.exe
The process: C:\...\Update.exe closed successfully.

===============

Not Found:
C:\WINDOWS\System32\WNSXS~1\services.exe [folder was empty]
C:\PROGRA~1\COMMON~1\mwrk\mwrkm.exe [folder/contents previously removed]
C:\PROGRA~1\COMMON~1\mwrk\mwrka.exe [folder/contents previously removed]
C:\Program Files\??crosoft\?xplorer.exe [folder/file not present]

Found but left running:
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe

===============

Ran HijackThis-Scan:

Found and checked only these four items:
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)

Clicked to Fix these

===============

Also removed entry:

HKCU\..\Run: "C:\Program Files\Common
Files\{CC4978D5-0327-1033-0226-010507990001}\Update.exe"

===============

Deleted folder and contents:
C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}

Deleted empty folder:
C:\Program Files\Common Files\{3C4978D5-0327-1033-0226-010507990001}

===============

Removed empty folder:
C:\WINDOWS\System32\WNSXS~1 = C:\WINDOWS\system32\WinSxS

Folder and contents previously renoved:
C:\PROGRA~1\COMMON~1\mwrk

===============

Removed files:
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\System32\IETie.dll

=====================================================

Rebooted and repeated some steps to remove some items
that re-appeared. Then rebooted again. So far, all
reboots are normal, not safe-mode.

=====================================================

After 2nd and further Reboots:

===============

Found these files --- should they be deleted ?:
C:\WINDOWS\Prefetch\MWRKL.EXE-2D78DA05.pf 58.5 KB (59,938 bytes)
C:\WINDOWS\Prefetch\OIUNINSTALLER.EXE-11C837B6.pf 13.5 KB (13,868 bytes)
C:\WINDOWS\Prefetch\OIUNINSTALLER[1].EXE-11C837B6.pf 13.4 KB (13,748 bytes)
C:\WINDOWS\Prefetch\UPDATE.EXE-276CF44C.pf 8.86 KB (9,078 bytes)

===============

These folders/files are no longer present:-)
C:\Program Files\Common Files\{3C4978D5-0327-1033-0226-010507990001}
C:\Program Files\Common Files\{CC4978D5-0327-1033-0226-010507990001}\Update.exe
C:\WINDOWS\System32\IETie.dll

===============

This file is still present:
C:\WINDOWS\Web\RELATED.HTM
File RELATED.HTM contains referance to Msn.com only:
http://related.msn.com/related.asp?url=

===============

HijackThis no longer shows O23 - Service: COM+ Messages
For HKLM\SYSTEM\ControlSet001\Services\COM+ Messages
These key/values still exist in registry in
three places:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Messages
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\COM+ Messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Messages
DisplayName=COM+ Messages
ImagePath="C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213

File: C:\WINDOWS\System32\svchosts.exe is no longer present.
When I run services.msc, the entry for 'COM+ Messages' is still
present.

=====================================================

I still have a folder/files:
C:\Program Files\Cowabanga
C:\Program Files\Cowabanga\License.txt
C:\Program Files\Cowabanga\uninstaller.exe
License.txt refers to http://www.outerinfo.com/OiUninstaller.exe

This is the same file/location given at
http://www.purityscan.com/uninstall.html

I will manually remove the folder and contents.

=====================================================

What does the presence of mwrka.exe (and mwrk[almp].exe) indicate ?

=====================================================

Do you know What this is --- I always find files in trash from here:
C:\Program Files\Common Files\onudfbuu\mpaqrmcs
C:\Program Files\Common Files\onudfbuu\oufqaqmosn

=====================================================

Here is my latest HJT log ... thanks again ...

Logfile of HijackThis v1.99.1
Scan saved at 4:43:17 AM, on 1/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
F:\Program Files\WS_FTP Pro\ftpsched.exe
F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton\SystemWorks2003\Norton Utilities\NPROTECT.EXE
F:\PROGRA~1\Norton\SYSTEM~2\SPEEDD~1\nopdb.exe
F:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
F:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
F:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
F:\PROGRA~1\ALLUME~1\StuffIt\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\LMSXXD.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Gator.com\Gator\Gator.exe
F:\Program Files\Creative Element Power Tools\Startup.exe
F:\Program Files\Qualcomm\Eudora\Eudora.exe
F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
F:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - F:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - F:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [LMSXXD] LMSXXD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [ftpqueue] F:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Creative Element Power Tools Startup.lnk = F:\Program Files\Creative Element Power Tools\Startup.exe
O4 - Startup: Eudora 6-GMspam.lnk = F:\Program Files\Qualcomm\Eudora\Eudora.exe
O4 - Startup: Microsoft Find Fast.lnk = F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = F:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: A-Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: A-Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: A-Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O8 - Extra context menu item: &StealthBid - http://www.stealthbid.com/Toolbar/ContextMenu.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O9 - Extra 'Tools' menuitem: StealthBid - {DA430631-621F-411c-A883-A4850D1928EC} - C:\WINDOWS\Downloaded Program Files\IQStealthBid.dll (HKCU)
O15 - Trusted Zone: *.netmagazines.com
O16 - DPF: {271BEE78-FBBE-43D7-980B-58B5F53E34A7} (StealthBid Class) - http://www.stealthbid.com/Toolbar/IQStealthBid.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81 Hartwell Ave, Lexington MA 02421 - F:\Program Files\WS_FTP Pro\ftpsched.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton\SystemWorks2003\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Program Files\Norton\SystemWorks2003\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - F:\PROGRA~1\Norton\SYSTEM~2\SPEEDD~1\nopdb.exe
O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - F:\PROGRA~1\ALLUME~1\StuffIt\MXTask.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - F:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

0

Folder and contents previously removed:
C:\Program Files\Common Files\mwrk
= C:\PROGRA~1\COMMON~1\mwrk
C:\Program Files\Common Files\mwrk\mwrka.exe
C:\Program Files\Common Files\mwrk\mwrkl.exe
C:\Program Files\Common Files\mwrk\mwrkm.exe
C:\Program Files\Common Files\mwrk\mwrkp.exe ... and other files

Unsure where these originated, but you can be sure they are not good. .exe files shouldn't be running from there.

Found:
C:\WINDOWS\Prefetch\GMT.EXE-00C623D4.pf
C:\WINDOWS\Prefetch\MWRKA.EXE-38DEA512.pf
C:\WINDOWS\Prefetch\MWRKL.EXE-2D78DA05.pf
C:\WINDOWS\Prefetch\UPDATE.EXE-276CF44C.pf

Deleted:
C:\WINDOWS\Prefetch\MWRKA.EXE-38DEA512.pf

Entire contents of the prefetch folder are safe to delete too.

Found but left running:
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe

:(

This file is still present:
C:\WINDOWS\Web\RELATED.HTM
File RELATED.HTM contains referance to Msn.com only:
http://related.msn.com/related.asp?url

Don't stress on this one :).

HijackThis no longer shows O23 - Service: COM+ Messages
For HKLM\SYSTEM\ControlSet001\Services\COM+ Messages
These key/values still exist in registry in
three places:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\COM+ Messages
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\COM+ Messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Messages
DisplayName=COM+ Messages
ImagePath="C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213

File: C:\WINDOWS\System32\svchosts.exe is no longer present.
When I run services.msc, the entry for 'COM+ Messages' is still
present.

Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click the file to run it and when asked if you want to merge with your registry, answer yes.
Reboot when done and check if the entries are gone.

I still have a folder/files:
C:\Program Files\Cowabanga
C:\Program Files\Cowabanga\License.txt
C:\Program Files\Cowabanga\uninstaller.exe
License.txt refers to http://www.outerinfo.com/OiUninstaller.exe

This is the same file/location given at
http://www.purityscan.com/uninstall.html

I will manually remove the folder and contents.

Have you done this?

Do you know What this is --- I always find files in trash from here:
C:\Program Files\Common Files\onudfbuu\mpaqrmcs
C:\Program Files\Common Files\onudfbuu\oufqaqmosn

Never seen them before, but they do not look legit. I would remove them.

Apart from the obvious garbage you elected to keep, your HJT log looks ok :). Personally, I would install Roboform and use that. It can import your Gator settings and doesn't include the rubbish :D.

0

Found these files --- should they be deleted ?:
C:\WINDOWS\Prefetch\MWRKL.EXE-2D78DA05.pf
C:\WINDOWS\Prefetch\OIUNINSTALLER.EXE-11C837B6.pf
C:\WINDOWS\Prefetch\OIUNINSTALLER[1].EXE-11C837B6.pf
C:\WINDOWS\Prefetch\UPDATE.EXE-276CF44C.pf

Entire contents of the prefetch folder are safe to delete too.

I deleted these files and they were no longer present after multiple reboots.


HijackThis no longer shows O23 - Service: COM+ Messages
For HKLM\SYSTEM\ControlSet001\Services\COM+ Messages
These key/values still exist in registry in
three places:
...
...

Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click the file to run it and when asked if you want to merge with your registry, answer yes.
Reboot when done and check if the entries are gone.

I ran the registry script and found entries were no longer present after multiple reboots.


I still have a folder/files:
C:\Program Files\Cowabanga
C:\Program Files\Cowabanga\License.txt
...
...
I will manually remove the folder and contents

Have you done this?

Not yet, I wanted to make sure I didn't need the uninstaller, and that Cowabanga was gone from the registry.

At this point, there is a single related entry in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Cowabanga]
(default)="C:\Program Files\Cowabanga\Cowabanga.exe"

The file Cowabanga.exe is not present so, unless you have some concerns, I feel it is safe to remove the related files, folders, and registry entry.


Do you know What this is --- I always find files in trash from here:
C:\Program Files\Common Files\onudfbuu\mpaqrmcs
C:\Program Files\Common Files\onudfbuu\oufqaqmosn

Never seen them before, but they do not look legit. I would remove them.

I discovered these are used by Gator/GMT, so for now they will stay. :sad: I will make sure to remove them later, when I delete Gator.


Personally, I would install Roboform and use that. It can import your Gator settings ...

I was aware of Roboform but I didn't know it could import passwords from Gator :). I always wanted to try/switch to Roboform, but I never did because I wasn't looking forward to looking up and manually entering passwords for all my logins.

Now, I will definately look into giving Roboform a try.

Thanks again for all your help.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.