
Hijacked to zestyfind.com


8 replies to this topic

#1 dawgaritaville

dawgaritaville

    Member

  • New Member
  • 4 posts

Posted 29 June 2004 - 06:56 PM

I have read the FAQ and followed the directions instructed. I have updated and run both Ad-Aware and Spybot with no help :scratchhead:. Installed, updated and ran SpySweeper that removed some additional spyware :p. Still can't remove WinTools, WebSearch Toolbar, and Virtual Bouncer. Here is my HijackThis log. Any help is greatly appreciated!

Logfile of HijackThis v1.98.0
Scan saved at 6:25:58 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hccclntr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\AxhBR.exe
C:\WINDOWS\System32\AxhBR.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Security\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [5YPC#4T4LRJR5E] C:\WINDOWS\System32\BuhgfaH.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [Mo39RWY5Q] hccclntr.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drv160.tmp.dll

#2 guacamel

guacamel

    SWI Junkie

  • Retired Staff - Helper
  • 288 posts

Posted 29 June 2004 - 11:25 PM

Hi dawgaritaville,
You may want to print off these instructions.

It looks as if you have the peper trojan among a few other nasties.

Let's start by downloading all of the tools you'll need.
Download VXFinder here: http://www.downloads...g/VX2Finder.exe

Please download Option^Explicit's PeperFix from here:
http://downloads.sub...rg/PeperFix.exe

Hit Ctrl-Alt-Delete and end the BuhgfaH.exe process

After you download peperfix, just run it and have it fix whatever it finds.

Please run HJT and have it fix the following lines:

O4 - HKLM\..\Run: [5YPC#4T4LRJR5E] C:\WINDOWS\System32\BuhgfaH.exe


Please reboot into safe mode now by following these instructions:
Safe Mode

You also have WinTools which can be removed by following these instructions:

Go to start>Settings>Control Panel>Administrative Tools>Services. Look for "WinTools for IE service" in the right pane. If you find it, right click on it. Stop it by pressing the stop button. Then disable it by clicking on the startup type drop down and selecting "Disable".

Then right click on the taskbar and open taskmanager.
Go to applications and/or processes and end task on the following (Most will probably not be running in safe mode):

WToolsA.exe
WToolsS.exe
WSup.exe

Now, run HJT and have it fix the following entries:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)

O4 - HKCU\..\Run: [Mo39RWY5Q] hccclntr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WSup.exe

(not all of those O4 entries may be present, fix whatever is though)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)



Now, please press ctrl-alt-delete and end the following tasks:

hccclntr.exe

Now, please enable the viewing of hidden files as seen here: view hidden files

Please delete the following files or folders:
C:\Program Files\Common files\WinTools\ <==== delete folder
hccclntr.exe <==== you'll have to search for it and then delete it
Browse to folder C:\DOCUMENTS AND SETTINGS\DO THIS FOR EACH USER\LOCAL SETTINGS\Temp\ and delete all the files and folders

Also, browse to C:\WINDOWS\Temp\ and delete everything in the temp folder.


Please reboot back into normal mode.

To get rid of the zestyfind, please complete the following instructions:

After downloading, locate the file VX2Finder.exe and double click to start the cleaning process.

1.) Delete all files found (VX2Finder will "End Task" on up to 2 instances of Rundll32.exe automatically). You will get a message about "cannot delete this one" matching the same name in the Guardian Key.

2.) Click "Open regedit" will take you right to the Guardian Key (no need to search for it).

Highlight "Guardian", right-click and choose Security/permissions, you'll get another window with 'advanced'. De-select (uncheck) the lower box with "inheritable permissions", hit 'ok' and 'remove' on the following security prompts.

Restart computer.

3.) On restart use VX2Finder again, select + delete the last file, click "User Agent$" will remove that entry from the registry.

4.) Click "Open regedit" again, this time restoring the checkmark in "inheritable permissions".

5.) Click "Guardian.reg" Deletes the Guardian Key.

6.) Use Find again should produce a clean log of blank values.

7.) Click "Restore Policy" to restore the Debug policy.


I would also run an updated version of ad-aware for good measure.
adaware download
How to use Ad-aware

Please reboot after the above fixes have been made and post an updated HJT log.

#3 dawgaritaville

dawgaritaville

    Member

  • New Member
  • 4 posts

Posted 30 June 2004 - 06:35 PM

Thanks guacamel! I followed your instructions. Ran Ad-Aware, Spybot, and SpySweeper. Here is my new log.

Logfile of HijackThis v1.98.0
Scan saved at 6:26:25 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Security\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {36FDCC55-8CB8-45DF-A208-13F26083370B} - (no file) (HKCU)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drv160.tmp.dll

#4 guacamel

guacamel

    SWI Junkie

  • Retired Staff - Helper
  • 288 posts

Posted 30 June 2004 - 09:07 PM

It looks clean to me, are you having any more problems?

#5 dawgaritaville

dawgaritaville

    Member

  • New Member
  • 4 posts

Posted 30 June 2004 - 09:58 PM

No more pop-ups! So far no more redirects. When I ran SpySweeper it finds BackWeb and WebSearch toolbar. Should I be concerned with these? I have since read about how not to get hijacked and have downloaded SpyBlaster. I also use Outlook Express and will make the necessary settings to be more secure there. Thanks for the help!

#6 guacamel

guacamel

    SWI Junkie

  • Retired Staff - Helper
  • 288 posts

Posted 30 June 2004 - 10:16 PM

Both backweb and websearch should be able to be removed through the add/remove programs in the control panel if I'm not mistaken.

I'm still worried there may be some malicious software left, I'm asking some of my peers right now to verify what they think.

#7 guacamel

guacamel

    SWI Junkie

  • Retired Staff - Helper
  • 288 posts

Posted 30 June 2004 - 10:27 PM

Okay, there are some things that aren't clear yet with the new version of HJT (line 20 is new in this version) so I would check back in a couple days (or sooner if you notice any problems) to see if I have any more information for you.

If you can't remove backweb or mywebsearch in add/remove programs, I would have SpySweeper fix it.




Here is how to protect yourself in the future - download and install these:

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

You've already installed spyblaster which is good, just make sure you keep it up to date.

And also see
So how did I get infected in the first place?

#8 dawgaritaville

dawgaritaville

    Member

  • New Member
  • 4 posts

Posted 02 July 2004 - 09:05 PM

Any info on line 20? I still have an occasional pop-up with an advertisement for "noadware". Here is my current HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 8:59:08 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Security\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSComp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {36FDCC55-8CB8-45DF-A208-13F26083370B} - (no file) (HKCU)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drv160.tmp.dll

#9 guacamel

guacamel

    SWI Junkie

  • Retired Staff - Helper
  • 288 posts

Posted 05 July 2004 - 02:25 AM

Okay, I would run HJT again and have it fix the following items:

O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {36FDCC55-8CB8-45DF-A208-13F26083370B} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drv160.tmp.dll

If you notice any adverse effects from fixing the line O20, you can always have HJT restore fixed items (you shouldn't though with that specific one).
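
An added example, not part of the original thread and not HijackThis code: a small Python triage of HijackThis 1.98-format entries that flags the kinds of lines fixed in this thread (an O20 AppInit_DLLs value pointing into a Temp folder, entries marked "(no file)" or "(file missing)") and reports which flagged lines are still present in a later scan. The function names are assumptions of this example, and the two sample logs are assembled from entry lines posted above.

```python
import re

ENTRY = re.compile(r"^([RFNO]\d+) - (.+)$")              # e.g. "O20 - AppInit_DLLs: ..."
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)  # also matches LOCALS~1\Temp\
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)

# Sample input for this example: entry lines copied from the logs in the thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {36FDCC55-8CB8-45DF-A208-13F26083370B} - (no file) (HKCU)
O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drv160.tmp.dll
"""
AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drv160.tmp.dll
"""

def parse(log_text):
    """Return (section, detail) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log_text):
    """Return (section, reason, detail) for entries that deserve a closer look.

    Structural checks only: judging an entry by name (for example a Startup
    item) needs outside knowledge and is not attempted here.
    """
    findings = []
    for section, detail in parse(log_text):
        if section == "O20" and detail.startswith("AppInit_DLLs:"):
            value = detail.split(":", 1)[1].strip()
            if value:  # any DLL listed here is loaded into processes that load user32.dll
                reason = "AppInit_DLLs set"
                if TEMP_DIR.search(value):
                    reason += ", DLL in a temp directory"
                findings.append((section, reason, detail))
        elif ORPHAN.search(detail):
            findings.append((section, "points at a missing file", detail))
        elif TEMP_DIR.search(detail):
            findings.append((section, "loads from a temp directory", detail))
    return findings

def unresolved(before_text, after_text):
    """Findings from the earlier log that are still present in the later log."""
    remaining = set(parse(after_text))
    return [f for f in triage(before_text) if (f[0], f[2]) in remaining]

if __name__ == "__main__":
    for section, reason, detail in unresolved(BEFORE, AFTER):
        print(f"still present: {section} ({reason}): {detail}")
```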



