[Solved] Hijack This log - please review

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rlscott

Thread Starter
Joined
Sep 9, 2004
Messages
5
Please review & let me know what is safe to delete.
Thank you!

Logfile of HijackThis v1.98.2
Scan saved at 8:59:16 PM, on 9/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\documents and settings\rich\local settings\temp\j.exe
C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
C:\documents and settings\rich\local settings\temp\ff.exe
C:\WINDOWS\System32\clbcatq2.exe
C:\documents and settings\rich\local settings\temp\iJy.exe
C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\NcjSq.exe
C:\WINDOWS\System32\Dml7v0Ua.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.22 lavasoft.de
O1 - Hosts: 127.0.0.23 lavasoftusa.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.76 www.lavasoft.de
O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: MyQuickSearch Search Assistant BHO - {04011C11-2F3B-44ed-977C-270CA669C6B2} - C:\Program Files\MyQuickSearch\SrchAstt\1.bin\MQSSRCAS.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: My &Quick Search - {0E677229-E309-4341-81BD-3CC3018BF5B3} - C:\Program Files\MyQuickSearch\bar\1.bin\MQSBAR.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [j] C:\documents and settings\rich\local settings\temp\j.exe
O4 - HKLM\..\Run: [2X] C:\documents and settings\rich\local settings\temp\2X.exe
O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
O4 - HKLM\..\Run: [ff] C:\documents and settings\rich\local settings\temp\ff.exe
O4 - HKLM\..\Run: [826533da638c] C:\WINDOWS\System32\clbcatq2.exe
O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [iJy] C:\documents and settings\rich\local settings\temp\iJy.exe
O4 - HKLM\..\Run: [mNG4lVr] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
O4 - HKLM\..\Run: [4SBKM562H4#5AS] C:\WINDOWS\System32\Bin9.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Bug Eliminator] C:\Program Files\Bug Eliminator\Bug_Elim.exe /tray
O4 - HKCU\..\Run: [YB2FRTG2h] lttfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavings_from_Ebates\Sy400\Tp400\scri400a.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Fortune Bingo by pogo - http://game2.pogo.com/applet-5.8.1.28/superbingo/superbingo-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2.21/holdem/holdem-ob-assets.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug Eliminator.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27db3f35481914df3304/netzip/RdxIE601.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F4CAB9-9164-4DDF-AFC6-A5F153A11609}: NameServer = 205.188.146.146
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
hi, Whew what a mess. It's fixable but will require some work, time etc on your part, when you are ready post back...


Since you are using or have used P2P file sharing programs, which may have been or is Kazaa of some flavor> I can only tell you that reinfection is very very likely to happen and that you should remove the file sharing program. The programs that we are going to use will remove the bundled ad-junk and probably cripple the P2P program anyway. You can reinstall a better file sharing program when through, so if you are ready to part with the P2P, we can proceed. I wish I could help you with backing up your files however I cannot. Files you have gotten this way could contain malware> I will leave what you do with what you have up to you.

In the meantime: get these downloads if you can get to these sites. Use another computer to get the files that will fit on a floppy disk, or burn the downloads to a data CD and take to your bad pc.

http://members.aol.com/toadbee/hoster.zip
Run that- will restore your HOSTS file redirection problems

Unzip, install the program and run it.
Press *Restore Original Hosts* and press OK*
Exit Hoster, and you should now be able to access the sites you need.

NEXT:

Remove the Peper trojan here: There are 2 different removers. Run the first one, reboot. You will not see any dialog, it just runs and disappears. You may run it again but remember to connect to the Internet> open one Internet Explorer page, etc.

The second Peper fix:

http://downloads.subratam.org/PeperFix.exe

You do this one online same as the one below. Download the Fix to the desktop, run from there while connected.


""You have a peper infection that we need to remove

http://www.memorywatcher.com/uninst.exe

When you run the uninstaller, you MUST have an internet connection active for it to work ((open an Internet Explorer page, minimize the window))

This Peper removal tool only works if run twice. To complete each stage of the Peper removal you need to REBOOT to clear the peper infection each time you run the tool, or the infection will remain."" Reboot after the second run.

The Peper infection should be cleared up.

Do those, post a new log from HJT here in this thread> do not start a new thread, just put it as a reply.
 

rlscott

Thread Starter
Joined
Sep 9, 2004
Messages
5
Logfile of HijackThis v1.98.2
Scan saved at 8:41:47 PM, on 9/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\documents and settings\rich\local settings\temp\j.exe
C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
C:\WINDOWS\System32\clbcatq2.exe
C:\documents and settings\rich\local settings\temp\iJy.exe
C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [j] C:\documents and settings\rich\local settings\temp\j.exe
O4 - HKLM\..\Run: [2X] C:\documents and settings\rich\local settings\temp\2X.exe
O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
O4 - HKLM\..\Run: [ff] C:\documents and settings\rich\local settings\temp\ff.exe
O4 - HKLM\..\Run: [826533da638c] C:\WINDOWS\System32\clbcatq2.exe
O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [iJy] C:\documents and settings\rich\local settings\temp\iJy.exe
O4 - HKLM\..\Run: [mNG4lVr] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ff.exe] C:\documents and settings\rich\local settings\temp\ff.exe
O4 - HKLM\..\Run: [mNG4lVr.exe] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
O4 - HKLM\..\Run: [j.exe] C:\documents and settings\rich\local settings\temp\j.exe
O4 - HKLM\..\Run: [iJy.exe] C:\documents and settings\rich\local settings\temp\iJy.exe
O4 - HKLM\..\Run: [H0QRtfG.exe] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [Bug Eliminator] C:\Program Files\Bug Eliminator\Bug_Elim.exe /tray
O4 - HKCU\..\Run: [YB2FRTG2h] lttfiles.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Fortune Bingo by pogo - http://game2.pogo.com/applet-5.8.1.28/superbingo/superbingo-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2.21/holdem/holdem-ob-assets.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {1FC215B7-F71D-4137-8D67-455A2D5CA8C5} - http://www.fileeliminator.com/get/BEL/Bug Eliminator.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27db3f35481914df3304/netzip/RdxIE601.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F4CAB9-9164-4DDF-AFC6-A5F153A11609}: NameServer = 205.188.146.146
 
Joined
Dec 9, 2000
Messages
45,855
Hi riscott, I'm going to give you my "canned speech" on P2P programs. It doesn't matter what kind are used. Probably 50 to 75% of the problems we address here in the Security forum are the result of file sharing issues. Helpers can spend literally hours helping a single user cleanup after their use.

We strongly recommend uninstalling them. More than half of all file sharing downloads are infected...

http://www.wired.com/news/business/0,1367,61852,00.html

And quite frankly, when people don't learn the lesson -- and continue to get infected the same way, they can hardly expect the same level of support from those who would rather help those who do.

As they say, the choice is yours...
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi rlscott> Read through this first> print it with the directions below>

1. If you have anything turned off from starting up when Windows does, (besides a second Antivirus program), need you to turn it back "on" so it appears in the log.
I see System Mechanic by Iolo is installed- that has a startup or Task Manager> stop here, turn things back on, reboot, and post a new log if you have shut down anything that is bad ( common sense rules OK- Microsoft Office startup I do NOT mean, I mean malware that you may have End Tasked, or are keeping from starting up)


Go to Add/Remove Programs, uninstall Web_Rebates or WebSavingsFromRebates, or similar...AND uninstall:

FlashEnhancer

MyWaySearch bar, MyBar, other odd looking search and toolbars, NOT NOT google, Yahoo, MSN toolbars if you have those>
Also, try the uninstaller for WinTools, may not appear there, don't worry if it is not.

Viewpoint Media Player> also the toolbar...

It is classified as bundled tracking software, see the link.
It does come with higher versions of AOL, I see. It's your option to remove it> or keep it. I just feel better telling you about it and let you make the decisions, on items like this.

http://www.kephyr.com/spywarescanner/library/viewpointmediaplayer/index.phtml


Run Hijackthis, no other windows open and put checks next to each item below and then click "Fix Checked"
Some of these will not be there, or have changed, use your judgment on the "H0QRtfG.exe" type random Peper
files....if any show.

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe <---- I would advise you to remove the whole Bear Share program-- some other info coming later, OK?

C:\documents and settings\rich\local settings\temp\j.exe
C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
C:\WINDOWS\System32\clbcatq2.exe
C:\documents and settings\rich\local settings\temp\iJy.exe
C:\documents and settings\rich\local settings\temp\mNG4lVr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\2.bin\MYSRCHAS.DLL (file missing)

O2 - BHO: Flash Enhancer - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART <---same advice for P2P

O4 - HKLM\..\Run: [j] C:\documents and settings\rich\local settings\temp\j.exe
O4 - HKLM\..\Run: [2X] C:\documents and settings\rich\local settings\temp\2X.exe
O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [H0QRtfG] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
O4 - HKLM\..\Run: [ff] C:\documents and settings\rich\local settings\temp\ff.exe
O4 - HKLM\..\Run: [826533da638c] C:\WINDOWS\System32\clbcatq2.exe
O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [iJy] C:\documents and settings\rich\local settings\temp\iJy.exe
O4 - HKLM\..\Run: [mNG4lVr] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe

O4 - HKLM\..\Run: [ff.exe] C:\documents and settings\rich\local settings\temp\ff.exe
O4 - HKLM\..\Run: [mNG4lVr.exe] C:\documents and settings\rich\local settings\temp\mNG4lVr.exe
O4 - HKLM\..\Run: [j.exe] C:\documents and settings\rich\local settings\temp\j.exe
O4 - HKLM\..\Run: [iJy.exe] C:\documents and settings\rich\local settings\temp\iJy.exe
O4 - HKLM\..\Run: [H0QRtfG.exe] C:\documents and settings\rich\local settings\temp\H0QRtfG.exe

O4 - HKCU\..\Run: [YB2FRTG2h] lttfiles.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -



Reboot into Safe Mode:

Tap the F8 key at startup, you will see the menu, select Safe Mode, give it plenty of time to get to the desktop.

Open Windows Explorer and do the following settings and operations:

flrman1 said:
Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\administrator\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
You may have to do the temp folder emptying for other users- your temp folder may by in the path but under your username.

Open the Control Panel, then Internet Options, and Delete Files, hit OK, check the "delete offline content", clear History,
OK. For Cookies- you can delete them, but may erase your saved logins at sites, make sure you have your login name and passwords saved so you know what they are> warning given! (y)


NEXT: In Windows Explorer- find the following FILES and delete them:

They may not all be there- no problem


C:\WINDOWS\System32\P2P Networking\P2P

C:\documents and settings\rich\local settings\temp\j.exe
C:\documents and settings\rich\local settings\temp\H0QRtfG.exe
C:\WINDOWS\System32\clbcatq2.exe
C:\documents and settings\rich\local settings\temp\iJy.exe
C:\documents and settings\rich\local settings\temp\mNG4lVr.exe

temps \H0QRtfG.exe
---> \ff.exe
\iJy.exe
\mNG4lVr.exe

these temp files should be gone, check for them anyway!!!!!!!!

NOTE:: lttfiles.exe---> Use Search for: Files / Folders see if it is found and delete it. If you get a message about "it is in use by Windows"::
Might be running as a task/process, so End Task it, wait a minute, if it does not pop up the End Process confirm box, CTRL+ALT+DEL again until you see that it has shut down....then delete it, if you can find it.


C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\mscb.dll
C:\Documents and Settings\Rich\Local Settings\Temp\DET.dll
C:\WINDOWS\System32\msbe.dll
C:\documents and settings\rich\local settings\temp\2X.exe
C:\Program Files\Common Files\Java\Xcpy1.exe"
C:\WINDOWS\System32\clbcatq2.exe

C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe

C:\Program Files\Winad Client\Winad.exe
_____________

Now find these FOLDERS and delete them:

C:\Program Files\WebSavings_from_Ebates
C:\Program Files\Winad Client
c:\Program Files\XML
C:\Program Files\MyWay
C:\WINDOWS\System32\P2P Networking



And this one down below, is new (running from where it is...)
Does SpyBot work OK when you start it?
LEAVE that item alone for now till we find out about what it's doing!!!!!

O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms

After all that is done, restart. I know you have SpyBot, but get AdAware, it is one of the best programs to have.

You can get AdAware here:

http://lavasoft.element5.com/software/adaware/

Make sure you check for updates just after you install it and get them before you remove anything with it.

LDTate said:
Spybot:
Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)
After a Full scan with AAW and SpyBot if that runs>>
post a new Hijackthis log, OK? I realize that is a long list of things to do, but take your time, being careful and accurate is what is important. Print the info using the "Thread Tools" Printable Versionbutton at the top of the thread ((Post#1 and then print these last relevant pages>> it will save you ink, and print a text only version without pics and ads.
 

rlscott

Thread Starter
Joined
Sep 9, 2004
Messages
5
OK, I think I deleted everything in your last post. Here's the latest HJT log. Let me know if there's anything else I need to do. Thanks so much for your help!

Logfile of HijackThis v1.98.2
Scan saved at 12:37:57 AM, on 9/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Fix these with HJT:


C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

O4 - HKLM\..\Run: [pstP33i] wmeil12n.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART



Windows Explorer: find and delete these FILES:

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe <----this file
C:\Program Files\Common Files\Java\Xcpy1.exe <--file only
C:\Program Files\Winad Client\Winad.exe <---file

wmeil12n.exe <---file, use Search>for files or folders to find it.


Delete these FOLDERS:

C:\WINDOWS\System32\P2P Networking
C:\Program Files\Winad Client


Reboot, and you should be good to go.
One more HJT may do it!
 

rlscott

Thread Starter
Joined
Sep 9, 2004
Messages
5
Couldn't find wmeil12n.exe anywhere on the hard drive.
Here's the latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 1:33:30 AM, on 9/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiapowerpage.com/myPowerPage.cfm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /waitprograms
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab


Again, Thanks!
This is a friend's computer & I made sure he saw the recommendations re: P2P, since he was hesitant when I told him essentially the same thing.
Have a great night!
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Good! (y)

If nothing in the future turns anything up, about that file, good but it sounds like it is hiding somewhere, or is loaded from the Registry> it may be under another user profile, so if there are more than one user configured, you should scan with things like AdAware> which will search all profiles IF the settings are correct for scanning.

[I checked and that strange file is not in your last log, so that may be a good sign]

An online scan may find something, but you can do that later and you will not have to post logs about it, unless there is a return of something or further problems.

http://housecall.antivirus.com/housecall/start_corp.asp

You should also Disable System Restore right now, before any infections are picked up by "friend" or anyone using that computer. This removes all the saved Restore Points, yes, but they contain the bad stuff, and to get rid of the chance of anyone restoring with infected Restore Points, you have to disable Restore....you can then turn Restore back on, and create a new Restore Point> name it "after TSG' or some catchy phrase :D
http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

Do the System Restore disable only if AdAware and/or SpyBot are not finding anything, have been updated fully, etc.

maybe you could get the friend Spywareblaster or some other prevention tool> to keep the bad guys out more.

www.javacoolsoftware.com
 

rlscott

Thread Starter
Joined
Sep 9, 2004
Messages
5
Thanks so much for your help. Everything looks good so far, except the internet still seems a bit sluggish. I'm not sure if this is a heavy site traffic issue or if its something else. ie, it takes a good 30-45 seconds to load NYTimes.com page, msn.com might take 20-30 seconds. But then other pages come right up. Your thoughts?
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top