
[Solved] Hijack This log - please review

Discussion in 'Virus & Other Malware Removal' started by rlscott, Sep 9, 2004.

  1. rlscott

    rlscott Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    5
    Please review & let me know what is safe to delete.
    Thank you!

    Logfile of HijackThis v1.98.2
    Scan saved at 8:59:16 PM, on 9/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\documents and settings\rich\local settings\temp\j.exe
    C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    C:\documents and settings\rich\local settings\temp\ff.exe
    C:\WINDOWS\System32\clbcatq2.exe
    C:\documents and settings\rich\local settings\temp\iJy.exe
    C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\NcjSq.exe
    C:\WINDOWS\System32\Dml7v0Ua.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O1 - Hosts: 127.0.0.0 localhost
    O1 - Hosts: 127.0.0.2 auditmypc.com
    O1 - Hosts: 127.0.0.3 boards.cexx.org
    O1 - Hosts: 127.0.0.4 bulletproofsoft.net
    O1 - Hosts: 127.0.0.5 camtech2000.net
    O1 - Hosts: 127.0.0.6 cexx.org
    O1 - Hosts: 127.0.0.7 computercops.us
    O1 - Hosts: 127.0.0.8 ct7support.com
    O1 - Hosts: 127.0.0.9 doxdesk.com
    O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
    O1 - Hosts: 127.0.0.21 kephyr.com
    O1 - Hosts: 127.0.0.22 lavasoft.de
    O1 - Hosts: 127.0.0.23 lavasoftusa.com
    O1 - Hosts: 127.0.0.24 lurkhere.com
    O1 - Hosts: 127.0.0.25 majorgeeks.com
    O1 - Hosts: 127.0.0.26 merijn.org
    O1 - Hosts: 127.0.0.27 mjc1.com
    O1 - Hosts: 127.0.0.28 moosoft.com
    O1 - Hosts: 127.0.0.29 mvps.org
    O1 - Hosts: 127.0.0.30 net-integration.net
    O1 - Hosts: 127.0.0.31 noadware.net
    O1 - Hosts: 127.0.0.32 no-spybot.com
    O1 - Hosts: 127.0.0.33 onlinepcfix.com
    O1 - Hosts: 127.0.0.34 pchell.com
    O1 - Hosts: 127.0.0.35 pestpatrol.com
    O1 - Hosts: 127.0.0.36 safer-networking.org
    O1 - Hosts: 127.0.0.37 secure.spykiller.com
    O1 - Hosts: 127.0.0.38 secureie.com
    O1 - Hosts: 127.0.0.39 security.kolla.de
    O1 - Hosts: 127.0.0.40 spybot.info
    O1 - Hosts: 127.0.0.41 spychecker.com
    O1 - Hosts: 127.0.0.42 spychecker.com
    O1 - Hosts: 127.0.0.43 spycop.com
    O1 - Hosts: 127.0.0.44 spyguard.com
    O1 - Hosts: 127.0.0.45 spykiller.com
    O1 - Hosts: 127.0.0.46 spyware.co.uk
    O1 - Hosts: 127.0.0.47 spyware-cop.com
    O1 - Hosts: 127.0.0.48 spywareinfo.com
    O1 - Hosts: 127.0.0.49 spywarenuker.com
    O1 - Hosts: 127.0.0.50 spywareremove.com
    O1 - Hosts: 127.0.0.51 spywareremove.com
    O1 - Hosts: 127.0.0.52 stopzillapro.com
    O1 - Hosts: 127.0.0.53 sunbelt-software.com
    O1 - Hosts: 127.0.0.54 thiefware.com
    O1 - Hosts: 127.0.0.55 tomcoyote.org
    O1 - Hosts: 127.0.0.56 unwantedlinks.com
    O1 - Hosts: 127.0.0.57 webattack.com
    O1 - Hosts: 127.0.0.58 wilders.org
    O1 - Hosts: 127.0.0.59 www.auditmypc.com
    O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
    O1 - Hosts: 127.0.0.61 www.cexx.org
    O1 - Hosts: 127.0.0.62 www.computercops.us
    O1 - Hosts: 127.0.0.63 www.ct7support.com
    O1 - Hosts: 127.0.0.64 www.doxdesk.com
    O1 - Hosts: 127.0.0.65 www.eblocs.com
    O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
    O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
    O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
    O1 - Hosts: 127.0.0.69 www.grc.com
    O1 - Hosts: 127.0.0.70 www.grisoft.com
    O1 - Hosts: 127.0.0.71 www.hackfaq.org
    O1 - Hosts: 127.0.0.72 www.hazeleger.net
    O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
    O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
    O1 - Hosts: 127.0.0.75 www.kephyr.com
    O1 - Hosts: 127.0.0.76 www.lavasoft.de
    O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
    O1 - Hosts: 127.0.0.78 www.lurkhere.com
    O1 - Hosts: 127.0.0.79 www.majorgeeks.com
    O1 - Hosts: 127.0.0.80 www.merijn.org
    O1 - Hosts: 127.0.0.81 www.mjc1.com
    O1 - Hosts: 127.0.0.82 www.moosoft.com
    O1 - Hosts: 127.0.0.83 www.mvps.org
    O1 - Hosts: 127.0.0.84 www.net-integration.net
    O1 - Hosts: 127.0.0.85 www.noadware.net
    O1 - Hosts: 127.0.0.86 www.no-spybot.com
    O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
    O1 - Hosts: 127.0.0.88 www.pchell.com
    O1 - Hosts: 127.0.0.89 www.pestpatrol.com
    O1 - Hosts: 127.0.0.90 www.safer-networking.org
    O1 - Hosts: 127.0.0.91 www.secureie.com
    O1 - Hosts: 127.0.0.92 www.security.kolla.de
    O1 - Hosts: 127.0.0.93 www.spybot.info
    O1 - Hosts: 127.0.0.94 www.spychecker.com
    O1 - Hosts: 127.0.0.95 www.spychecker.com
    O1 - Hosts: 127.0.0.96 www.spycop.com
    O1 - Hosts: 127.0.0.97 www.spyguard.com
    O1 - Hosts: 127.0.0.98 www.spykiller.com
    O1 - Hosts: 127.0.0.99 www.spyware.co.uk
    O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
    O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: My &Quick Search - {0E677229-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [j] C:\documents and settings\rich\local settings\temp\j.exe
    O4 - HKLM\..\Run: [2X] C:\documents and settings\rich\local settings\temp\2X.exe
    O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    O4 - HKLM\..\Run: [ff] C:\documents and settings\rich\local settings\temp\ff.exe
    O4 - HKLM\..\Run: [826533da638c] C:\WINDOWS\System32\clbcatq2.exe
    O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [iJy] C:\documents and settings\rich\local settings\temp\iJy.exe
    O4 - HKLM\..\Run: [mNG4lVr] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
    O4 - HKLM\..\Run: [4SBKM562H4#5AS] C:\WINDOWS\System32\Bin9.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
    O4 - HKCU\..\Run: [Bug Eliminator] C:\Program Files\Bug Eliminator\Bug_Elim.exe /tray
    O4 - HKCU\..\Run: [YB2FRTG2h] lttfiles.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavings_from_Ebates\Sy400\Tp400\scri400a.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: Fortune Bingo by pogo - http://game2.pogo.com/applet-5.8.1.28/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2.21/holdem/holdem-ob-assets.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug Eliminator.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27db3f35481914df3304/netzip/RdxIE601.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F4CAB9-9164-4DDF-AFC6-A5F153A11609}: NameServer = 205.188.146.146
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, whew, what a mess. It's fixable but will require some work, time, etc. on your part; when you are ready, post back...


    Since you are using or have used P2P file sharing programs, which may be or have been Kazaa of some flavor> I can only tell you that reinfection is very, very likely to happen and that you should remove the file sharing program. The programs that we are going to use will remove the bundled ad-junk and probably cripple the P2P program anyway. You can reinstall a better file sharing program when through, so if you are ready to part with the P2P, we can proceed. I wish I could help you with backing up your files; however, I cannot. Files you have gotten this way could contain malware> I will leave what you do with what you have up to you.

    In the meantime: get these downloads if you can get to these sites. Use another computer to get the files that will fit on a floppy disk, or burn the downloads to a data CD and take them to your bad PC.

    http://members.aol.com/toadbee/hoster.zip
    Run that; it will repair your HOSTS file redirection problems.

    Unzip, install the program and run it.
    Press *Restore Original Hosts* and press OK.
    Exit Hoster, and you should now be able to access the sites you need.

    NEXT:

    Remove the Peper trojan here: There are 2 different removers. Run the first one, reboot. You will not see any dialog; it just runs and disappears. You may run it again, but remember to connect to the Internet> open one Internet Explorer page, etc.

    The second Peper fix:

    http://downloads.subratam.org/PeperFix.exe

    You do this one online, the same as the one below. Download the Fix to the desktop and run it from there while connected.


    "You have a Peper infection that we need to remove

    http://www.memorywatcher.com/uninst.exe

    When you run the uninstaller, you MUST have an internet connection active for it to work (open an Internet Explorer page, minimize the window)

    This Peper removal tool only works if run twice. To complete each stage of the Peper removal you need to REBOOT to clear the Peper infection each time you run the tool, or the infection will remain." Reboot after the second run.

    The Peper infection should be cleared up.

    Do those, post a new log from HJT here in this thread> do not start a new thread, just put it as a reply.
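    The post above explains why the HOSTS entries in the log matter (every security vendor's site is pointed at a 127.0.0.x address, so the machine cannot reach them), and the log also shows autoruns launching from the user's temp folder. The script below is an added example, not code from this thread, from HijackThis or from any of the tools Byteman links; it parses HijackThis-style O1, O2 and O4 lines and flags the same three patterns a helper looks for by eye. The sample log is constructed from the kinds of lines seen in this thread, and the section names, regexes and heuristics are the example's own assumptions, not HijackThis internals.

```python
"""Triage HijackThis-style log lines for common hijack indicators.

Added example (not HijackThis's own code). Heuristics are assumptions:
  O1  hosts entries that sinkhole a real hostname to 127.0.0.0/8, or map
      localhost to anything other than 127.0.0.1
  O2  BHOs whose DLL is missing, or loaded from a temp directory
  O4  Run entries launched from a temp directory, or with a bare filename
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the thread's log (not a verbatim copy).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# Matches "...\Local Settings\Temp\..." or "...\Temp\..." (case-insensitive).
TEMP_DIR_RE = re.compile(r"\\(local settings\\temp|temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code: O1, O2 or O4
    reason: str
    detail: str


def is_loopback(ip_text: str) -> bool:
    """True for any address in 127.0.0.0/8; False for garbage input."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def executable_from_command(command: str) -> str:
    """Extract the program path from an O4 command, quoted or unquoted.

    Unquoted paths may contain spaces, so the executable is taken to end at
    the first '.exe' followed by whitespace or end of string (assumption).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage_line(line: str) -> list:
    """Return the findings for one log line (empty list if nothing notable)."""
    findings = []
    m = HOSTS_RE.match(line)
    if m:
        ip_text, host = m.groups()
        if host.lower() == "localhost":
            if ip_text != "127.0.0.1":
                findings.append(Finding("O1", "localhost mapped to a non-standard loopback address", f"{host} -> {ip_text}"))
        elif is_loopback(ip_text):
            findings.append(Finding("O1", "hostname sinkholed to loopback (site blocked via hosts file)", f"{host} -> {ip_text}"))
        return findings
    m = BHO_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        if path.endswith("(file missing)"):
            findings.append(Finding("O2", "BHO registered but its DLL is missing (orphaned entry)", f"{name} {{{clsid}}}"))
        elif TEMP_DIR_RE.search(path):
            findings.append(Finding("O2", "BHO loaded from a temp directory", path))
        return findings
    m = RUN_RE.match(line)
    if m:
        hive, value_name, command = m.groups()
        exe = executable_from_command(command)
        if TEMP_DIR_RE.search(exe):
            findings.append(Finding("O4", "autorun launches from a temp directory", f"{hive} [{value_name}] {exe}"))
        elif "\\" not in exe:
            findings.append(Finding("O4", "autorun uses a bare filename (resolved via PATH at logon)", f"{hive} [{value_name}] {exe}"))
        return findings
    return findings


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and collect the findings."""
    out = []
    for raw in text.splitlines():
        out.extend(triage_line(raw.strip()))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}: {f.detail}")
```

The O1 rule flags any loopback address, not just 127.0.0.1, because the hijack in this log uses 127.0.0.2 through 127.0.0.99 to keep each blocked site on its own line; a rule keyed on 127.0.0.1 alone would miss all of them. The "localhost -> 127.0.0.0" check catches the altered localhost line from the same log.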
     
  3. rlscott

    rlscott Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    5
    Logfile of HijackThis v1.98.2
    Scan saved at 8:41:47 PM, on 9/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\documents and settings\rich\local settings\temp\j.exe
    C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    C:\WINDOWS\System32\clbcatq2.exe
    C:\documents and settings\rich\local settings\temp\iJy.exe
    C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [j] C:\documents and settings\rich\local settings\temp\j.exe
    O4 - HKLM\..\Run: [2X] C:\documents and settings\rich\local settings\temp\2X.exe
    O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    O4 - HKLM\..\Run: [ff] C:\documents and settings\rich\local settings\temp\ff.exe
    O4 - HKLM\..\Run: [826533da638c] C:\WINDOWS\System32\clbcatq2.exe
    O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [iJy] C:\documents and settings\rich\local settings\temp\iJy.exe
    O4 - HKLM\..\Run: [mNG4lVr] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ff.exe] C:\documents and settings\rich\local settings\temp\ff.exe
    O4 - HKLM\..\Run: [mNG4lVr.exe] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
    O4 - HKLM\..\Run: [j.exe] C:\documents and settings\rich\local settings\temp\j.exe
    O4 - HKLM\..\Run: [iJy.exe] C:\documents and settings\rich\local settings\temp\iJy.exe
    O4 - HKLM\..\Run: [H0QRtfG.exe] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
    O4 - HKCU\..\Run: [Bug Eliminator] C:\Program Files\Bug Eliminator\Bug_Elim.exe /tray
    O4 - HKCU\..\Run: [YB2FRTG2h] lttfiles.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: Fortune Bingo by pogo - http://game2.pogo.com/applet-5.8.1.28/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2.21/holdem/holdem-ob-assets.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug Eliminator.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27db3f35481914df3304/netzip/RdxIE601.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F4CAB9-9164-4DDF-AFC6-A5F153A11609}: NameServer = 205.188.146.146
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Hi rlscott, I'm going to give you my "canned speech" on P2P programs. It doesn't matter what kind are used. Probably 50 to 75% of the problems we address here in the Security forum are the result of file sharing issues. Helpers can spend literally hours helping a single user clean up after their use.

    We strongly recommend uninstalling them. More than half of all file sharing downloads are infected...

    http://www.wired.com/news/business/0,1367,61852,00.html

    And quite frankly, when people don't learn the lesson -- and continue to get infected the same way, they can hardly expect the same level of support from those who would rather help those who do.

    As they say, the choice is yours...
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi rlscott> Read through this first> print it with the directions below>

    1. If you have anything turned off from starting up when Windows does (besides a second antivirus program), I need you to turn it back "on" so it appears in the log.
    I see System Mechanic by iolo is installed; that has a startup or Task Manager> stop here, turn things back on, reboot, and post a new log if you have shut down anything that is bad (common sense rules, OK? I do NOT mean Microsoft Office startup; I mean malware that you may have End Tasked, or are keeping from starting up).


    Go to Add/Remove Programs, uninstall Web_Rebates or WebSavingsFromRebates, or similar...AND uninstall:

    FlashEnhancer

    MyWaySearch bar, MyBar, other odd-looking search and toolbars, but NOT Google, Yahoo, or MSN toolbars if you have those>
    Also, try the uninstaller for WinTools; it may not appear there, so don't worry if it is not.

    Viewpoint Media Player> also the toolbar...

    It is classified as bundled tracking software, see the link.
    It does come with higher versions of AOL, I see. It's your option to remove it> or keep it. I just feel better telling you about it and let you make the decisions, on items like this.

    http://www.kephyr.com/spywarescanner/library/viewpointmediaplayer/index.phtml


    Run HijackThis with no other windows open, put checks next to each item below, and then click "Fix Checked".
    Some of these will not be there or will have changed; use your judgment on the "H0QRtfG.exe"-type random Peper files, if any show.

    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe <---- I would advise you to remove the whole BearShare program-- some other info coming later, OK?

    C:\documents and settings\rich\local settings\temp\j.exe
    C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    C:\WINDOWS\System32\clbcatq2.exe
    C:\documents and settings\rich\local settings\temp\iJy.exe
    C:\documents and settings\rich\local settings\temp\mNG4lVr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)

    O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART <---same advice for P2P

    O4 - HKLM\..\Run: [j] C:\documents and settings\rich\local settings\temp\j.exe
    O4 - HKLM\..\Run: [2X] C:\documents and settings\rich\local settings\temp\2X.exe
    O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    O4 - HKLM\..\Run: [ff] C:\documents and settings\rich\local settings\temp\ff.exe
    O4 - HKLM\..\Run: [826533da638c] C:\WINDOWS\System32\clbcatq2.exe
    O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [iJy] C:\documents and settings\rich\local settings\temp\iJy.exe
    O4 - HKLM\..\Run: [mNG4lVr] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe

    O4 - HKLM\..\Run: [ff.exe] C:\documents and settings\rich\local settings\temp\ff.exe
    O4 - HKLM\..\Run: [mNG4lVr.exe] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
    O4 - HKLM\..\Run: [j.exe] C:\documents and settings\rich\local settings\temp\j.exe
    O4 - HKLM\..\Run: [iJy.exe] C:\documents and settings\rich\local settings\temp\iJy.exe
    O4 - HKLM\..\Run: [H0QRtfG.exe] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe

    O4 - HKCU\..\Run: [YB2FRTG2h] lttfiles.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -



    Reboot into Safe Mode:

    Tap the F8 key at startup, you will see the menu, select Safe Mode, give it plenty of time to get to the desktop.

    Open Windows Explorer and do the following settings and operations:

    You may have to do the temp folder emptying for other users- your temp folder may be in the path but under your username.

    Open the Control Panel, then Internet Options, and Delete Files, hit OK, check the "delete offline content", clear History,
    OK. For Cookies- you can delete them, but may erase your saved logins at sites, make sure you have your login name and passwords saved so you know what they are> warning given! (y)


    NEXT: In Windows Explorer- find the following FILES and delete them:

    They may not all be there- no problem


    C:\WINDOWS\System32\P2P Networking\P2P

    C:\documents and settings\rich\local settings\temp\j.exe
    C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
    C:\WINDOWS\System32\clbcatq2.exe
    C:\documents and settings\rich\local settings\temp\iJy.exe
    C:\documents and settings\rich\local settings\temp\mNG4lVr.exe

    temps \H0QRtfG.exe
    ---> \ff.exe
    \iJy.exe
    \mNG4lVr.exe

    these temp files should be gone, check for them anyway!!!!!!!!

    NOTE:: lttfiles.exe---> Use Search for: Files / Folders see if it is found and delete it. If you get a message about "it is in use by Windows"::
    Might be running as a task/process, so End Task it, wait a minute, if it does not pop up the End Process confirm box, CTRL+ALT+DEL again until you see that it has shut down....then delete it, if you can find it.


    C:\WINDOWS\System32\nvms.dll
    C:\WINDOWS\System32\mscb.dll
    C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll
    C:\WINDOWS\System32\msbe.dll
    C:\documents and settings\rich\local settings\temp\2X.exe
    C:\Program Files\Common Files\Java\Xcpy1.exe
    C:\WINDOWS\System32\clbcatq2.exe

    C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe

    C:\Program Files\Winad Client\Winad.exe
    _____________

    Now find these FOLDERS and delete them:

    C:\Program Files\WebSavings_from_Ebates
    C:\Program Files\Winad Client
    c:\Program Files\XML
    C:\Program Files\MyWay
    C:\WINDOWS\System32\P2P Networking



    And this one down below, is new (running from where it is...)
    Does SpyBot work OK when you start it?
    LEAVE that item alone for now till we find out about what it's doing!!!!!

    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms

    After all that is done, restart. I know you have SpyBot, but get AdAware, it is one of the best programs to have.

    You can get AdAware here:

    http://lavasoft.element5.com/software/adaware/

    Make sure you check for updates just after you install it and get them before you remove anything with it.

    After a Full scan with AAW and SpyBot if that runs>>
    post a new Hijackthis log, OK? I realize that is a long list of things to do, but take your time, being careful and accurate is what is important. Print the info using the "Thread Tools" Printable Version button at the top of the thread (Post #1 and then print these last relevant pages)>> it will save you ink, and print a text only version without pics and ads.
     
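As an added example (not code from the thread, and not part of HijackThis), here is a short Python triage pass over O2/O4 lines in the format quoted above. It flags the entries an analyst would look at first: images run from the user's Temp folder, registry entries pointing at files that are already gone, bare filenames with no path, and random-looking value names. The sample lines are constructed in the shape of this log, and the flagging rules are this example's own assumptions, meant to prioritise a manual review rather than to give a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in the shape HijackThis v1.98 prints O2 (BHO) and
# O4 (Run key) entries; the triage rules below are this example's assumptions.
SAMPLE_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll",
    r"O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe",
    r"O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe",
    r"O4 - HKCU\..\Run: [YB2FRTG2h] lttfiles.exe",
    r"O4 - HKLM\..\Run: [826533da638c] C:\WINDOWS\System32\clbcatq2.exe",
]

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Digits plus mixed case with no spaces, or a long hex string: the "H0QRtfG" style name.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])\S+$|^[0-9a-f]{10,}$")


@dataclass
class Entry:
    kind: str                    # "O2" or "O4"
    name: str                    # BHO name or Run value name
    path: str                    # image path as HJT printed it
    reasons: List[str] = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Strip command-line switches from an O4 command string."""
    if cmd.startswith('"'):                       # quoted path: take the quoted part
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: cut at the first " /" or " -" switch (e.g. "... .exe /AUTOSTART").
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for O2 and O4 Run lines; other HJT sections are ignored."""
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], image_path(m["cmd"]))
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["path"])
    return None


def triage(entry: Entry) -> Entry:
    """Attach the reasons an analyst would look twice at this entry."""
    low = entry.path.lower()
    if "\\local settings\\temp\\" in low:
        entry.reasons.append("runs from the user's Temp folder")
    if low.endswith("(file missing)") or low.endswith("(no file)"):
        entry.reasons.append("registry entry points at a file that is gone")
    if "\\" not in entry.path:
        entry.reasons.append("bare filename, located only by PATH search")
    if RANDOM_NAME_RE.match(entry.name):
        entry.reasons.append("random-looking value name")
    return entry


def suspicious_entries(lines: List[str]) -> List[Entry]:
    """Parse and triage log lines, keeping only entries with at least one reason."""
    found = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is not None and triage(entry).reasons:
            found.append(entry)
    return found


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LINES):
        print(f"{e.kind} [{e.name}] {e.path}: " + "; ".join(e.reasons))
```

Legitimate vendor entries with digits in the value name can still trip the name heuristic, so treat a hit as a reason to check the file, not as proof.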
  6. rlscott

    rlscott Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    5
    OK, I think I deleted everything in your last post. Here's the latest HJT log. Let me know if there's anything else I need to do. Thanks so much for your help!

    Logfile of HijackThis v1.98.2
    Scan saved at 12:37:57 AM, on 9/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Fix these with HJT:


    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

    O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART



    Windows Explorer: find and delete these FILES:

    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe <----this file
    C:\Program Files\Common Files\Java\Xcpy1.exe <--file only
    C:\Program Files\Winad Client\Winad.exe <---file

    wmeil12n.exe <---file, use Search>for files or folders to find it.


    Delete these FOLDERS:

    C:\WINDOWS\System32\P2P Networking
    C:\Program Files\Winad Client


    Reboot, and you should be good to go.
    One more HJT may do it!
     
  8. rlscott

    rlscott Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    5
    Couldn't find wmeil12n.exe anywhere on the hard drive.
    Here's the latest HJT log:

    Logfile of HijackThis v1.98.2
    Scan saved at 1:33:30 AM, on 9/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab


    Again, Thanks!
    This is a friend's computer & I made sure he saw the recommendations re: P2P, since he was hesitant when I told him essentially the same thing.
    Have a great night!
     
  9. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Good! (y)

    If nothing in the future turns anything up about that file, good, but it sounds like it is hiding somewhere, or is loaded from the Registry> it may be under another user profile, so if there is more than one user configured, you should scan with things like AdAware> which will search all profiles IF the settings are correct for scanning.

    [I checked and that strange file is not in your last log, so that may be a good sign]

    An online scan may find something, but you can do that later and you will not have to post logs about it, unless there is a return of something or further problems.

    http://housecall.antivirus.com/housecall/start_corp.asp

    You should also Disable System Restore right now, before any infections are picked up by "friend" or anyone using that computer. This removes all the saved Restore Points, yes, but they contain the bad stuff, and to get rid of the chance of anyone restoring with infected Restore Points, you have to disable Restore....you can then turn Restore back on, and create a new Restore Point> name it "after TSG" or some catchy phrase :D
    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

    Do the System Restore disable only if AdAware and/or SpyBot are not finding anything, have been updated fully, etc.

    Maybe you could get the friend Spywareblaster or some other prevention tool> to keep the bad guys out more.

    www.javacoolsoftware.com
     
  10. rlscott

    rlscott Thread Starter

    Joined:
    Sep 9, 2004
    Messages:
    5
    Thanks so much for your help. Everything looks good so far, except the internet still seems a bit sluggish. I'm not sure if this is a heavy site traffic issue or if it's something else, i.e. it takes a good 30-45 seconds to load the NYTimes.com page, msn.com might take 20-30 seconds. But then other pages come right up. Your thoughts?
     
Short URL to this thread: https://techguy.org/272058