
HJT Log

Discussion in 'Virus & Other Malware Removal' started by User1212, Jan 26, 2005.

Thread Status:
Not open for further replies.
  1. User1212

    User1212 Thread Starter

    Joined:
    Oct 31, 2004
    Messages:
    15
    Logfile of HijackThis v1.99.0
    Scan saved at 6:13:50 PM, on 1/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\wdfmgr.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AdStatus Service\AdStatServ.exe
    C:\Program Files\AdStatus Service\AdStatKeep.exe
    C:\Temp\salm.exe
    C:\temp\CXTPLS~1.EXE
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Rob\LOCALS~1\Temp\djtopr1150.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099265423640
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


    :(


    anyone can help?
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Add/remove programs remove
    AdStatus
    Bulls Eye
    Web Rebates

    CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
    Close all browser windows, Open cwshredder.exe then click "Fix" and let
    it run.

    Print this and boot to safe mode – use HJT to fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Rob\LOCALS~1\Temp\djtopr1150.exe"

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\zeta.exe
    C:\WINDOWS\System32\msbe.dll


    Delete these folders
    C:\Program Files\Web_Rebates
    C:\Program Files\BullsEye Network
    C:\Program Files\AdStatus Service


    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  3. User1212

    User1212 Thread Starter

    Joined:
    Oct 31, 2004
    Messages:
    15
    Logfile of HijackThis v1.99.0
    Scan saved at 10:24:07 PM, on 1/26/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\wdfmgr.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spy vs Spy\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099265423640
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

    ____________________

    C:\WINDOWS\System32\msbe.dll unable to find and delete this file, even though in view all files

    There was also a file in my temp folder that was oddly named that wouldn't delete because it was 'in use', however it's gone now

    Now there are
    Bargains.exe
    cxtpls_loader_ff.exe
    optimize.exe
    salm.exe
    and WebRebates_CDT_InstallSilent.exe

    "Adstatus Service" has also reappeared in the program files but not the others.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Can you check and fix these again in HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.klikfeed.com/search.php?...1&q=Phentermine

    Then go to Internet Options > Programs tab and select "reset web settings".

    Reboot. If those entries return, please do the following. Install, UPDATE, and run a full Ad-Aware SE scan and include the VX2 plugin. Have it delete all it targets.

    Then run Startdreck following the instructions below and upload the log as an attachment along with a new HijackThis scanlog.

    Ad-Aware Home Page

    http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe
    The VX2 plugin will be available in the "add-ons" window once installed and is run from there.


    http://www.niksoft.at/_data/startdreck.zip

    Instructions:

    Run StartDreck.exe. Click the 'Config'. In addition to the default checks, include the following:

    Under 'Registry' - All registry options
    Under 'System/Drivers' - Running Processes and List Modules
    Click 'OK'. Now, back on the main screen, click the 'Save' button > Give it a name and click 'Save' > locate it and launch it.

    Upload the log as an attachment.
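
Added example, not part of any post in this thread: a small Python check that compares a "before" and "after" HijackThis log against the list of entries a helper asked to have fixed, and reports which ones were removed and which came back. The sample strings are excerpts of the logs and fix list posted above; the function names are hypothetical. R-section entries are matched on the registry value only, because the forum truncates the URL in quoted fix lists.

```python
import re

# Entry lines start with a section code: R0-R3, F0-F3, N1-N4 or O<number>.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.+?)\s*$")

def parse_entries(log_text):
    """Return a set of (section, key) pairs; header and process lines are skipped."""
    keys = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, detail = m.groups()
        if section.startswith("R"):
            # Keep only the registry value name; the URL may be truncated in quotes.
            detail = detail.split(" = ", 1)[0]
        keys.add((section, detail))
    return keys

def check_fix(before, after, flagged):
    """Classify each flagged entry by whether it survived into the second log."""
    b, a, f = (parse_entries(t) for t in (before, after, flagged))
    return {
        "removed": sorted((f & b) - a),    # flagged, present before, gone after
        "persisted": sorted(f & a),        # flagged but still present after the fix
        "not_in_before": sorted(f - b),    # flagged line that never matched the log
    }

# Excerpts from the first log, the second log and the helper's fix list.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?aff=821&q=Phentermine
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
"""
FLAGGED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.klikfeed.com/search.php?...1&q=Phentermine
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

if __name__ == "__main__":
    for status, items in check_fix(BEFORE, AFTER, FLAGGED).items():
        for section, key in items:
            print(f"{status:14} {section:4} {key}")
```
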
     
  5. cp0069

    cp0069

    Joined:
    Feb 9, 2005
    Messages:
    1
    I got this when I went to a web site. It's in the temp file folder. It did have a few more related files; I deleted them but I can't get rid of this one. I have tried just deleting them from my C drive, no luck. Any ideas?
     
Short URL to this thread: https://techguy.org/323750