Solved: Mediapipe-Media movie Popup

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
I use Windows XP and on 23.12.05 a pop-up appeared and offered media movie for a trial period of three days and I accepted it. I downloaded the software and used it about two times. When the trial period was over a pop-up keeps appearing whenever I am on Internet Explorer demanding I make payment since I did not cancel the software during the trial period. I have all the anti pop-ups installed and the latest Norton antivirus yet this problem persists. I NEED HELP. As I am writing this e-mail the pop-up is on.
Rajah
 

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
Thank you imidiot. I have downloaded Hijackthis but I do not know how to get an expert to advise. I have also made a log. I am sorry I am not an IT expert.
Rajah
 
Joined
Dec 2, 2005
Messages
586
Copy and paste a copy of the log here. Someone will take a look at it and advise you on what needs to be done.
 

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
I have it on C:\Documents and Settings\Administrator\Desktop\hijackthis.log. I do not have any formal training on IT and I learnt it on my own with a lot of mistakes. Could you kindly let me know how to copy and paste the log on this page?
Much appreciated for your kind advice. Many thanks & Wish You A Happy New Year
Rajah
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,896
Hi and welcome to TSG!

Double click the HijackThis log file to open it. Then go to "Edit" and click on "select all" and then click on "copy".

Now open up a reply post here and place your cursor in the white dialog box. Right click in the empty space and then from the menu that appears select "paste" and the log will be copied here.
 

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
Logfile of HijackThis v1.99.1
Scan saved at 6:40:31 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\ItBill\itbill.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\fsupport\notifier.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1000
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm072YYMY
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?e6479f8666084ca184fd8ff8c443b86a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?e6479f8666084ca184fd8ff8c443b86a
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103876447640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123905165937
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A3CD0DF-0489-4CF0-92E2-F8D06FBFD471}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

from Rajah (Thank you Cookiegal for your kind advice. I hope someone can help me to remove the pop-up from media movie)
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,896
Download Cleanup from Here
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET


Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update; click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

Click here for info on how to boot to safe mode if you don't already know how.


Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


Restart your computer into safe mode now. Perform the following steps in safe mode:


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop



Run Cleanup:
  • Click on the "Cleanup" button and let it run.
  • Once it’s done, close the program.


Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Restart back into Windows normally now.


Do a Panda Active Scan. Be sure to save the log it creates.


Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.
 

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
Thanks Cookiegirl, I did run cleanup prior to this. It did not help. However I have not installed ewido or Panda Active Scan which I will do now. I just have a question since my log Hijackthis shows at 04 HKLM\..Run.[Media Pipe P2P Loader]"C:\Program Files\p2pnetworks\mpp2pl.exe"/H . Is it ok to use Hijackthis and get rid of it? I am only guessing.
Rajah
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,896
Please do not remove anything with HijackThis on your own. That will be the next step and I will guide you through it once you've completed the previous instructions.
 

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
Cookiegal
Thanks, I have done as you advised. I hope I did the right things. Sincerely Rajah

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
Potentially unwanted tool:application/mywebsearch Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\MyWebSearch Email Plugin.lnk
Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
Adware:adware/gator Not disinfected C:\WINDOWS\GatorFDDLI.log
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
Dialer:dialer generic Not disinfected HKEY_CLASSES_ROOT\CLSID\{A9571378-68A1-443D-B082-284F960C6D17}
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:Application/MyWay Not disinfected D:\old data\Program Files\MyWay\Installr\1.bin\MYEZSETP.DLL
Spyware:Spyware/New.net Not disinfected D:\old data\Program Files\NewDotNet\NEWDOT~2.DLL
Adware:Adware/StripPlayer Not disinfected D:\old data\Program Files\strip-player\default_skin\Strip-Player.ini
Adware:Adware/MediaTickets Not disinfected D:\old data\Program Files\Winamp3\uninst-wa3.exe
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\CMEII\GAppMgr.dll
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\CMEII\GMTProxy.dll
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\CMEII\GObjs.dll
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\CMEII\Gtools.dll
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\GMT\GUninstaller.exe
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\GMT\EGIEProcess.dll
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\GMT\EGNSEngine.dll
Adware:Adware/Gator Not disinfected D:\old data\Program Files\Common Files\GMT\GatorStubSetup.exe
Potentially unwanted tool:Application/MyWay Not disinfected D:\old data\window\Downloaded Program Files\myinitialsetup1.0.0.3.inf
Adware:Adware/KeenValue Not disinfected D:\old data\window\Downloaded Program Files\imloader.exe
Adware:Adware/MyDailyHoroscope Not disinfected D:\old data\window\Downloaded Program Files\setup.inf
Spyware:Cookie/go Not disinfected D:\old data\window\Cookies\[email protected][2].txt
Dialer:Dialer.YC Not disinfected D:\old data\window\INF\nsupd9x.inf
Dialer:Dialer.Gen Not disinfected D:\old data\window\SYSTEM\Hot_Pleasure-uninstall.exe

file:///C:/Documents%20and%20Settings/Administrator/Desktop/hijackthis.log
Logfile of HijackThis v1.99.1
Scan saved at 4:35:53 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\P2PNET~1\P2PNET~1.EXE
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1000
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm072YYMY
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?e6479f8666084ca184fd8ff8c443b86a
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?e6479f8666084ca184fd8ff8c443b86a
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103876447640
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123905165937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A3CD0DF-0489-4CF0-92E2-F8D06FBFD471}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:07:30 PM, 1/8/2006
+ Report-Checksum: E5FA721D

+ Scan result:

D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050571.EXE -> Spyware.NewDotNet : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050572.DLL -> Spyware.NewDotNet : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050573.exe -> Adware.SaveNow : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050574.dll -> Spyware.ZipClix : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050575.exe -> Heuristic.Win32.Dialer : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050576.EXE -> Downloader.Dyfuca.cw : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050577.exe -> Downloader.Dyfuca.cw : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050578.dll -> Spyware.HotBar : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050579.dll -> Spyware.HotBar : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050580.exe -> Downloader.Dyfuca.bg : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050581.exe -> Downloader.Dyfuca.bl : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050582.exe -> Downloader.Dyfuca.bl : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050583.dll -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050584.dll -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050585.dll -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050586.dll -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050587.dll -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050588.exe -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050589.dll -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050590.dll -> Adware.Gator : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050591.exe -> Spyware.NewDotNet : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050592.exe -> Spyware.NewDotNet : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050593.exe -> Adware.NewDotNet : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050594.exe -> Spyware.NewDotNet : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050595.exe -> Spyware.NewDotNet : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050596.ocx -> Dialer.Generic : Cleaned with backup
D:\System Volume Information\_restore{387B3981-DB69-4C9C-9BE9-F54CD26AA522}\RP211\A0050597.exe -> Dialer.Generic : Cleaned with backup


::Report End
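
A way to compare the two HijackThis logs posted in this thread, as an added example that is not part of the original posts: it parses the `<code> - <body>` entry lines, then reports which registrations disappeared, which are new, which remain but point at a deleted file ("(file missing)"), and which autostart entries survived the scans. The function names are this example's own, and the sample input is a short excerpt of the two logs above.

```python
import re

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING = "(file missing)"  # suffix HijackThis appends when the target file is gone

# Excerpts of the two logs posted in this thread (1/1/2006 and 1/8/2006).
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\Program Files\ItBill\itbill.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [Notification Utility] "C:\Program Files\ItBill\itbill.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""


def key_of(code, body):
    """Identity of an entry: ignore case and the '(file missing)' marker,
    so the same registration matches across both scans."""
    return code, body.replace(MISSING, "").strip().lower()


def parse_entries(log_text):
    """Map entry identity -> original line text for every entry in a log."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            code, body = m.group("code"), m.group("body")
            entries[key_of(code, body)] = f"{code} - {body}"
    return entries


def diff_logs(before_text, after_text):
    """Classify entries by what happened between the two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        # registered in the first scan, gone in the second
        "removed": sorted(v for k, v in before.items() if k not in after),
        # not present in the first scan
        "added": sorted(v for k, v in after.items() if k not in before),
        # registration still present but its file has been deleted
        "orphaned": sorted(v for v in after.values() if MISSING in v),
        # present in both scans with the file still in place
        "persisting": sorted(
            v for k, v in after.items() if k in before and MISSING not in v
        ),
    }


def persisting_autostarts(result):
    """O4 (Run key / Startup folder) entries that survived the cleanup."""
    return [e for e in result["persisting"] if e.startswith("O4 - ")]


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for label, items in result.items():
        print(f"[{label}]")
        for item in items:
            print("  " + item)
```
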
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,896
Click Here and download Killbox and save it to your desktop but don’t run it yet.


Download the LSP Fix just in case you lose your Internet connection as a result of removing New.Net. It shouldn’t happen and this is just a precaution but if it does, run the LSP Fix to get the connection back and click the "I know what I'm doing" checkbox. (Don't do anything else)

Then click Finish.

http://cexx.org/lspfix.htm


Go to Control Panel - Add/Remove programs and remove:

MyWebSearch and/or MyWebSearch Assistant
MyWay and/or MyWay Search Assistant


Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)

O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm072YYMY



Then boot to safe mode:


How to restart to safe mode


Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf

    C:\WINDOWS\GatorFDDLI.log

    C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf

    D:\old data\Program Files\NewDotNet

    D:\old data\Program Files\strip-player

    D:\old data\Program Files\Winamp3\uninst-wa3.exe

    D:\old data\Program Files\Common Files\CMEII

    D:\old data\Program Files\Common Files\GMT

    D:\old data\window\Downloaded Program Files\myinitialsetup1.0.0.3.inf

    D:\old data\window\Downloaded Program Files\imloader.exe

    D:\old data\window\Downloaded Program Files\setup.inf

    D:\old data\window\INF\nsupd9x.inf

    D:\old data\window\SYSTEM\Hot_Pleasure-uninstall.exe


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Next in Killbox go to Tools > Delete Temp Files
  • In the window that pops up, put a check by ALL the options there except these three:
    • XP Prefetch
    • Recent
    • History
  • Now click the Delete Selected Temp Files button.
  • Exit the Killbox.


Navigate to the following folders and delete the cookies mentioned in the Panda scan:

C:\Documents and Settings\Administrator\Cookies

D:\old data\window\Cookies


Boot back to Windows normally and post another HijackThis log please.


Is this your ISP provider?

TMNET IP Administrators
Level 25 (South), Menara Telekom,
Jalan Pantai Baru,
50672 Kuala Lumpur.
 

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
Dear Cookiegal
Thanks. I have downloaded Killbox and saved it to desktop. Downloaded LSP Fix and ran it & clicked finish. From control panel tried to Add/Remove program My Web Search and I get a reply RUNDLL Error loading C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll The specific module could not be found. What next?
Thanks for the help. I now do not get the pop-up of media movie.
Rajah
 

rajah

Thread Starter
Joined
Dec 31, 2005
Messages
19
Dear Cookiegal
I forgot to mention that the only web search I found was My Web Search (My Fun Cards) and which showed the reply as I quoted earlier. Thanks. Rajah
 