Jump to content


Photo

madfinder, pop up site


  • Please log in to reply
16 replies to this topic

#1 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 30 May 2004 - 03:17 PM

i keep getting this site that auto open each time i enter a site :
http://www.odysseusm...ting.com/adult/

even if i use cwshredder and restart after, the problem remain

#2 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 30 May 2004 - 03:24 PM

my log:

Logfile of HijackThis v1.97.7
Scan saved at 4:22:29 PM, on 5/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\windows\system32\msbb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\temp\0w.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSER~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Backup\ORDICL~1\HIJACK~1\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [0w] C:\DOCUME~1\ADMINI~1\LOCALS~1\temp\0w.exe
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Administrator\Local Settings\Temp\msA.tmp"
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab

#3 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 30 May 2004 - 03:42 PM

Tap Ctrl+Alt+Delete, click the Processes tab, and kill the following processes:


msbb.exe
0w.exe

Close all programs, tick the following for removal in HJT, and click "Fix Checked:"

O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (file missing)

O4 - HKLM\..\Run: [0w] C:\DOCUME~1\ADMINI~1\LOCALS~1\temp\0w.exe
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Administrator\Local Settings\Temp\msA.tmp"

Reboot.

Find and delete the following files/folders:

C:\WINDOWS\System32\msgked.exe
c:\windows\system32\msbb.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ - DEELTE _EVERYTHING_ IN THIS FOLDER

Scan again with HJT and post the new log.

Also, you need to get Windows XP Service Pack 1 from Windows Update. This is critical to the security of your computer.
Signature file is under revision. This will be back shortly.

#4 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 30 May 2004 - 04:18 PM

here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 5:16:54 PM, on 5/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSER~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\Backup\ORDICL~1\HIJACK~1\HIJACK~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O8 - Extra context menu item: Chercher avec Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab

#5 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 30 June 2004 - 09:13 PM

one of my cousin's prob :
Logfile of HijackThis v1.97.7
Scan saved at 10:11:30, on 2004-06-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\csrss.exe
C:\WINDOWS\System32\wuamagr32.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Bargain Buddy\bin2\bargains.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\Mcafeescn.exe
C:\windows\system32\task32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\cmsssr.exe
C:\WINDOWS\system32\1033\webpc.exe
C:\Program Files\Hotbar\bin\4.4.6.0\HbInst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\mslagent\mslagent_.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\AssistantInternet\bin\mpbtn.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Hotbar\bin\4.4.6.0\HbSrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\System32\taskmngrs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nadou.INC-IQJZKI865E8\Mes documents\Mes fichiers reçus\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.co...rchPageHome.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\4.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\4.bin\MWSBAR.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.4.2.0\HbHostIE.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\Program Files\Bargain Buddy\bin2\apuc.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\COMETS~1\Platform\Bin\csbho.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\4.bin\MWSBAR.DLL
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.4.2.0\HbHostIE.dll
O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\COMETS~1\Platform\Bin\csietb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Internet Explorer\csrss.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\Run: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [webpc] C:\WINDOWS\system32\1033\webpc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.4.6.0\HbInst.exe /Upgrade
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\RunServices: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\RunServices: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent_.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_FR_XP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downlo..._1012_FR_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_FR_XP.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D4E2D-F648-4AB5-8BFE-ED54D13E3D66}: NameServer = 206.47.244.90 206.47.244.106

#6 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 30 June 2004 - 11:14 PM

Hi blkkiddo,

You have a good deal of spyware but none of it looks hard to remove.

Clear most of it out:

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program.
Please be sure to update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

After that run one or both of these online virus scanners:
http://www.pandasoft...n_principal.htm
http://housecall.trendmicro.com/

Then post another HijackThis log.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#7 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 01 July 2004 - 08:32 PM

Logfile of HijackThis v1.97.7
Scan saved at 09:31:42, on 2004-07-01
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\csrss.exe
C:\WINDOWS\System32\xvshost.exe
C:\WINDOWS\System32\wuammgr32.exe
C:\WINDOWS\System32\Mcafeescn.exe
C:\windows\system32\task32.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\cmsssr.exe
C:\WINDOWS\system32\1033\webpc.exe
C:\WINDOWS\System32\gnmbpr.exe
C:\WINDOWS\System32\msdns.exe
C:\WINDOWS\System32\svxhost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AssistantInternet\bin\mpbtn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nadou.INC-IQJZKI865E8\Mes documents\Mes fichiers reçus\HijackThis.exe
C:\WINDOWS\system32\bling.exe
C:\WINDOWS\system32\svxhost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\4.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\4.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Internet Explorer\csrss.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\Run: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\Run: [webpc] C:\WINDOWS\system32\1033\webpc.exe
O4 - HKLM\..\Run: [cefwpejrj] C:\WINDOWS\System32\gnmbpr.exe
O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\RunServices: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm375
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_FR_XP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_FR_XP.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D4E2D-F648-4AB5-8BFE-ED54D13E3D66}: NameServer = 206.47.244.90 206.47.244.106

#8 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 01 July 2004 - 08:35 PM

Logfile of HijackThis v1.97.7
Scan saved at 09:31:42, on 2004-07-01
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\csrss.exe
C:\WINDOWS\System32\xvshost.exe
C:\WINDOWS\System32\wuammgr32.exe
C:\WINDOWS\System32\Mcafeescn.exe
C:\windows\system32\task32.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\cmsssr.exe
C:\WINDOWS\system32\1033\webpc.exe
C:\WINDOWS\System32\gnmbpr.exe
C:\WINDOWS\System32\msdns.exe
C:\WINDOWS\System32\svxhost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AssistantInternet\bin\mpbtn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nadou.INC-IQJZKI865E8\Mes documents\Mes fichiers reçus\HijackThis.exe
C:\WINDOWS\system32\bling.exe
C:\WINDOWS\system32\svxhost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\4.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\4.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Update] C:\Program Files\Internet Explorer\csrss.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\Run: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\Run: [webpc] C:\WINDOWS\system32\1033\webpc.exe
O4 - HKLM\..\Run: [cefwpejrj] C:\WINDOWS\System32\gnmbpr.exe
O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\RunServices: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm375
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_FR_XP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_FR_XP.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D4E2D-F648-4AB5-8BFE-ED54D13E3D66}: NameServer = 206.47.244.90 206.47.244.106

#9 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 01 July 2004 - 08:52 PM

Your 4 threads merged to here. Please stick to just this one.

This looks like a different and much worse log than you started with, which is puzzling since you told me in #privacy that all your threads were for the same PC.

Did you follow my directions above?

Did you run Ad-Aware with latest update?
Did you run http://www.pandasoft...n_principal.htm ?
Did you run http://housecall.trendmicro.com/ ?

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#10 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 01 July 2004 - 09:05 PM

yea all of them

#11 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 01 July 2004 - 09:27 PM

Well, let's see how far we get.

Tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

O4 - HKLM\..\Run: [Update] C:\Program Files\Internet Explorer\csrss.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\Run: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\Run: [webpc] C:\WINDOWS\system32\1033\webpc.exe
O4 - HKLM\..\Run: [cefwpejrj] C:\WINDOWS\System32\gnmbpr.exe
O4 - HKLM\..\Run: [Microsoft DNS Query] msdns.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\RunServices: [Microsoft Task Scheduler] C:\windows\system32\task32.exe
O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\RunServices: [Microsofts Updatez] cmsssr.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKCU\..\Run: [Microsofts Updatez] cmsssr.exe
O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe

O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

After reboot, post another log.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#12 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 01 July 2004 - 10:02 PM

new log

Logfile of HijackThis v1.97.7
Scan saved at 11:02:25, on 2004-07-01
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\csrss.exe
C:\WINDOWS\System32\xvshost.exe
C:\WINDOWS\System32\wuammgr32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\Mcafeescn.exe
C:\windows\system32\task32.exe
C:\WINDOWS\System32\scvhost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\cmsssr.exe
C:\WINDOWS\system32\1033\webpc.exe
C:\WINDOWS\System32\gnmbpr.exe
C:\WINDOWS\System32\msdns.exe
C:\WINDOWS\System32\svxhost.exe
C:\WINDOWS\System32\ZONEALARM.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AssistantInternet\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kazaa Lite K++\Kazaa.kpp
C:\WINDOWS\System32\taskmngrs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\nadou.INC-IQJZKI865E8\Mes documents\Mes fichiers reçus\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\4.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\4.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Fichiers communs\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [webpc] C:\WINDOWS\system32\1033\webpc.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [msn] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm375
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_FR_XP.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_FR_XP.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D4E2D-F648-4AB5-8BFE-ED54D13E3D66}: NameServer = 206.47.244.90 206.47.244.106

#13 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 01 July 2004 - 10:12 PM

and i still hav a start up page

http://www.angelfire...urvey/tool.html

#14 numbbrrr

numbbrrr

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 July 2004 - 10:15 PM

http://www.odysseusm....com/uninstall/

#15 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 01 July 2004 - 10:50 PM

still have the same errors as usual

#16 blkkiddo

blkkiddo

    Member

  • Full Member
  • Pip
  • 33 posts

Posted 01 July 2004 - 10:51 PM

its like all i did was for nothing snifff :blush:

#17 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 01 July 2004 - 11:08 PM

Hi blkkiddo,

Thanks for that link numbbrrr. We're going to try to get rid of this one more time befire using that uninstaller. I for one am not sure -exactly- what that uninstaller does to the computer (although it may be perfectly fine).

Configure your computer to show hidden files.

Then reboot your computer in safe mode.

Go to Add/Remove Programs and uninstall MyWebSearch (or MyWay)

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\4.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\4.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [webpc] C:\WINDOWS\system32\1033\webpc.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKLM\..\RunServices: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\4.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm375
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_FR_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_FR_XP.cab


Next, while still in safe mode, delete the following files:
C:\WINDOWS\system32\1033\webpc.exe
C:\WINDOWS\System32\taskmngrs.exe
C:\WINDOWS\System32\svxhost.exe
C:\WINDOWS\System32\ZONEALARM.EXE
C:\WINDOWS\System32\gnmbpr.exe
C:\WINDOWS\System32\cmsssr.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\System32\Mcafeescn.exe
C:\windows\system32\task32.exe
C:\WINDOWS\System32\xvshost.exe
C:\WINDOWS\System32\wuammgr32.exe
C:\Program Files\Internet Explorer\csrss.exe

And delete the following folder:
C:\PROGRAM FILES\MyWay

Reboot your computer.

Your computer is out of date with security patches and updates. Please go to Microsoft's Windows update site and install ALL critical updates:
http://windowsupdate.microsoft.com
These updates will help protect your computer from some of this nasty stuff.

Since you had so many viruses and trojans here, you need to check the subscription of your Anti-Virus program and be sure to keep the virus definitions up to date.

Finally, post an updated hijackthis log back into this thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button