HJT Log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

User1212

Thread Starter
Joined
Oct 31, 2004
Messages
15
Logfile of HijackThis v1.99.0
Scan saved at 6:13:50 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AdStatus Service\AdStatServ.exe
C:\Program Files\AdStatus Service\AdStatKeep.exe
C:\Temp\salm.exe
C:\temp\CXTPLS~1.EXE
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Rob\LOCALS~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099265423640
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


:(


Can anyone help?
 
Joined
Sep 7, 2004
Messages
49,014
In Add/Remove Programs, remove:
AdStatus
Bulls Eye
Web Rebates

CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
Close all browser windows, Open cwshredder.exe then click "Fix" and let
it run.

Print this and boot to safe mode – use HJT to fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Rob\LOCALS~1\Temp\djtopr1150.exe"

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files
C:\WINDOWS\zeta.exe
C:\WINDOWS\System32\msbe.dll


Delete these folders
C:\Program Files\Web_Rebates
C:\Program Files\BullsEye Network
C:\Program Files\AdStatus Service


START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
 

User1212

Thread Starter
Joined
Oct 31, 2004
Messages
15
Logfile of HijackThis v1.99.0
Scan saved at 10:24:07 PM, on 1/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099265423640
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

____________________

C:\WINDOWS\System32\msbe.dll unable to find and delete this file, even though in view all files

There was also a file in my temp folder that was oddly named that wouldn't delete because it was 'in use', however it's gone now

Now there are
Bargains.exe
cxtpls_loader_ff.exe
optimize.exe
salm.exe
and WebRebates_CDT_InstallSilent.exe

"Adstatus Service" has also reappeared in the program files but not the others.
 
Joined
Dec 9, 2000
Messages
45,855
Can you check and fix these again in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine

Then go to Internet Options > Programs tab and select "reset web settings".

Reboot. If those entries return, please do the following. Install, UPDATE, and run a full Ad-Aware SE scan and include the VX2 plugin. Have it delete all it targets.

Then run Startdreck following the instructions below and upload the log as an attachment along with a new HijackThis scanlog.

Ad-Aware Home Page

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe
The VX2 plugin will be available in the "add-ons" window once installed and is run from there.


http://www.niksoft.at/_data/startdreck.zip

Instructions:

Run StartDreck.exe. Click 'Config'. In addition to the default checks, include the following:

Under 'Registry' - All registry options
Under 'System/Drivers' - Running Processes and List Modules
Click 'OK'. Now, back on the main screen, click the 'Save' button > Give it a name and click 'Save' > locate it and launch it.

Upload the log as an attachment.
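
The before/after comparison the helpers in this thread do by eye, as an added example that is not part of any post: it checks which lines of a HijackThis fix list are still present in the post-reboot log. The function names and the keying rule (R entries matched on registry value plus URL host, so forum-truncated URLs still match) are assumptions of this sketch; the sample lines are excerpted from the logs above.

```python
import re
from urllib.parse import urlsplit

# Section lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - key,value = url".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def entry_key(section, detail):
    """Key an entry by what it hooks so cosmetic differences do not hide a match."""
    if section.startswith("R") and " = " in detail:
        # Keep the registry value name and the URL host only: the fix lists in
        # the replies carry forum-shortened URLs ("search.php?...1&q=...").
        location, value = detail.split(" = ", 1)
        detail = location + "|" + (urlsplit(value.strip()).hostname or value)
    return (section, detail.lower())  # Windows paths are case-insensitive

def parse_hjt(text):
    """Map key -> original line for every section entry in a HijackThis log."""
    found = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found[entry_key(m.group(1), m.group(2).strip())] = line.strip()
    return found

def check_fix(fix_list, after_log):
    """Return (cleared, persisting) fix-list entries judged against the new log."""
    after = parse_hjt(after_log)
    cleared, persisting = [], []
    for key, line in parse_hjt(fix_list).items():
        if key in after:
            persisting.append(after[key])  # report the line as it appears now
        else:
            cleared.append(line)
    return cleared, persisting

# Sample input: a few lines excerpted from the fix list and the second log above.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe"""
AFTER_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe"""

if __name__ == "__main__":
    cleared, persisting = check_fix(FIX_LIST, AFTER_LOG)
    print("cleared:", *cleared, "still present:", *persisting, sep="\n")
```

An entry that persists after a fix and reboot, as the R0/R1 lines do here, means something is still rewriting it, which is why the next reply moves on to further scans.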
 
Joined
Feb 9, 2005
Messages
1
I got this when I went to a web site. It's in the temp file folder. It did have a few more related files; I deleted them, but I can't get rid of this one. I have tried just deleting them from my C drive, no luck. Any ideas?
 