Computer Cops

hey guys, every so often i get this...
needhelp007 (Guest)
Posted: Thu May 27, 2004 10:43 am    Post subject: hey guys, every so often i get this...

Every so often when I do a search that does not come up, I get this porn pop-up site that says "search everything" and it is an untitled document. I really need this fixed ASAP. It is extremely annoying. My Spybot mode was clean. Norton is clean. Here are my HijackThis results:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Microsoft Plus! Digital Media Edition\Alarm Clock\AlarmClock.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\PSD Tools\blengine.exe
C:\PROGRA~1\AIM95\aim.exe
C:\WINDOWS\System32\wnsapisv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Common Files\First Virtual Communications\CUCore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\NoAdware\NoAdware.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\WP6V0D27\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m...earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m...earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m...earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/m...earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink\FastLane\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink\FastLane\IPMon32.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [Plus! Alarm Clock] "C:\Program Files\Microsoft Plus! Digital Media Edition\Alarm Clock\AlarmClock.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CUCore Agent] "C:\Program Files\Common Files\First Virtual Communications\ConfAgent.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: USB Sharing.lnk = C:\Program Files\USB Sharing\usbshare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud2.sports.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/dkvaget/x.chm::/load.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe....0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://conference1.pottersschool.net:80...update.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9BE3C90-FEC9-4077-8955-502915EE130B}: NameServer = 207.69.188.186 207.69.188.187


Is there anything I can clean out in my registry? What about from the HijackThis log? Also, how does this happen? For a while I used to have changing start page problems... now this. Please help, and thanks for everything.
satchick (1st Responder; Joined: Apr 29, 2004; Posts: 825; Location: Canada)
Posted: Thu May 27, 2004 1:12 pm

Hi and welcome to computercops. You've got lots of malware on this system.

The first thing to do is to move HijackThis to a folder of its own like c:\hjt, because when we use it to fix your system, it will create backups of the changes we make and those can get lost in a temp folder.

Once you have moved it, run HJT and have it fix the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/dkvaget/x.chm::/load.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe....0.0.6.cab

Go to Add/Remove programs (Start/Settings/Control panel) and uninstall the following:

ebateswebsavings
WebSearch Toolbar.Emailplug

Go here to uninstall purity scan:
http://www.purityscan.com/uninstall.html

Restart into safe mode and make sure you can see Hidden & System files and then delete these files/folders:

C:\Program Files\powersoft [folder]
C:\Program Files\Common Files\PSD Tools [folder]
C:\WINDOWS\System32\wnsapisv.exe
C:\Program Files\WebSavingsfromEbates [folder]
MWSOEMON.EXE (search for location)

Restart and post a new log. That should have gotten rid of your pop-ups.
needhelp007 (Guest)
Posted: Thu May 27, 2004 9:23 pm

Wow dude (dudette?), don't have time to do that now, but that's definitely great help. I really appreciate your step-by-step process. Hopefully it will aid me in getting rid of this stuff. Thanks again, and I'll let you know if it works or not.

peace
satchick (1st Responder)
Posted: Thu May 27, 2004 9:56 pm

Just trying to help. Oh, and it's Dudette if you're fishing.
needhelp007 (Guest)
Posted: Fri May 28, 2004 1:56 pm

Couple things. First off, I'm not quite sure how to make a back-up of the HijackThis log. I'm really new to HijackThis. I see something called "save log". If I save it, will that back it up? Also there is a box checked saying "create back-ups". Another thing is when I went into Control Panel, Add or Remove Programs, neither of the programs you listed were there... Also how do I know for sure that if I delete these logs, it wouldn't affect my computer? Thanks again!
satchick (1st Responder)
Posted: Fri May 28, 2004 2:46 pm

Hi again, to answer your questions:

Quote:
First off, I'm not quite sure how to make a back-up of the HijackThis log.

HJT makes backups of changes you make to your system with it automatically; just leave all the default settings as is. Hitting the save log button will save the log generated from the scan to a file and then pop it into Notepad for easy manipulation.

Quote:
Another thing is when I went into Control Panel, Add or Remove Programs, neither of the programs you listed were there.

Sorry, I should have mentioned in my post that those files/folders may not be there. It depends greatly on the variant of the malware you have. I just try to cover all the bases. Better too much info than not enough.

Quote:
How do I know for sure that if I delete these logs, it wouldn't affect my computer?

Not sure what you mean here. Do you mean the HJT logs you save? If so, deleting those won't matter at all. If you're talking about the backup-.... files, then leave those until we're sure your system is clean. These are the configuration backups HJT makes, and if a mistake is made, we may need them later on.
needhelp007 (Guest)
Posted: Sat May 29, 2004 2:08 am

Oh ok, thanks. I'll make the changes and keep you updated if pop-ups and other stuff continue to happen.
needhelp007 (Guest)
Posted: Sat May 29, 2004 2:12 am

Oh, BTW, my Notepad is completely gone. Like, it used to be there about a few months ago and now it's gone. I don't know what's going on, but if I can download it again that would be awesome...
needhelp007 (Guest)
Posted: Sat May 29, 2004 2:49 am

Sorry for posting lots of different messages, but when I came to delete the files you told me to, they were either missing or could not be deleted...

I did delete the ebateswebsavings though. Also let me know how this looks... it is my updated HijackThis results... it looks like some of the things you told me to delete came back... I don't know what's going on. Again, thanks a lot. You're SO helpful...

Logfile of HijackThis v1.97.7
Scan saved at 11:40:03 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Microsoft Plus! Digital Media Edition\Alarm Clock\AlarmClock.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\PSD Tools\blengine.exe
C:\Program Files\Common Files\First Virtual Communications\CUCore.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\USB Sharing\usbshare.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\UHCJGDSH\HijackThis[1].exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/m...earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/m...earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m...earch.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\EarthLink\FastLane\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\EarthLink\FastLane\IPMon32.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [Plus! Alarm Clock] "C:\Program Files\Microsoft Plus! Digital Media Edition\Alarm Clock\AlarmClock.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CUCore Agent] "C:\Program Files\Common Files\First Virtual Communications\ConfAgent.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: USB Sharing.lnk = C:\Program Files\USB Sharing\usbshare.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud2.sports.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} (CU LiveUpdate Control) - http://conference1.pottersschool.net:80...update.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
satchick (1st Responder)
Posted: Sun May 30, 2004 8:39 am

Sorry for the delay! Yesterday was a strange one.

Run HJT and fix these entries:

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

If you don't know what this is, then fix it too:

O4 - HKCU\..\Run: [CUCore Agent] "C:\Program Files\Common Files\First Virtual Communications\ConfAgent.exe" /minimize

Restart into safe mode and make sure you can see Hidden & System files and then delete this folder:

C:\PROGRAM FILES1\MYWEBS~1

It may also be called MYWEBSEARCH

Do a search for notepad.exe. Let me know if you find it.
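The entries the helper picked out in this reply and in the first one (dangling BHOs, the ms-its:/CHM O16 download, the missing URLSearchHook, the emptied Start Page, the file:// context-menu item, the O6 policy, and the named adware files) follow a few structural patterns. The following is an added example, not code from the thread or from HijackThis, that parses HJT log lines and applies those checks; the KNOWN_BAD_FILES set holds only the filenames the helper named, and SAMPLE_LOG is a constructed excerpt of lines quoted on this page.

```python
"""Triage of HijackThis (HJT) log lines.

Added example, not code from the thread or from HijackThis.  It encodes the
structural checks behind the entries the helper picked out: BHO CLSIDs whose
DLL is gone, an O16 ActiveX download using the ms-its:/CHM path to pull an
.exe, a removed URLSearchHook, an emptied Start Page, a context-menu item
running a local script, an IE Control Panel policy, and O3/O4 entries that
load files named in the thread.  SAMPLE_LOG is a constructed excerpt of
lines quoted on the page.
"""
import re
from dataclasses import dataclass

# Entry shape: "O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe"
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.*)$")
# Bare file names inside an entry, e.g. "wnsapisv.exe" or "pwrs0rbi.dll"
FILE_NAME = re.compile(r"([\w~\-.]+\.(?:exe|dll|ocx))\b", re.I)
# Basenames the helper in the thread told the user to remove (lower-case).
KNOWN_BAD_FILES = frozenset({"wnsapisv.exe", "blengine.exe", "mwsoemon.exe", "pwrs0rbi.dll"})


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section code such as O2 or O16
    reason: str  # why the entry deserves a look
    line: str    # the original log line


def parse_entry(line):
    """Split one HJT line into (section code, body); None if not an entry."""
    m = HJT_LINE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def assess(line):
    """Return a Finding for a suspicious entry, or None for a benign one."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    kind, body = parsed
    if kind == "O2" and body.endswith("(no file)"):
        return Finding(kind, "BHO CLSID registered but its DLL is gone", line)
    if kind == "O16" and re.search(r"ms-its:|\.chm::/", body, re.I):
        return Finding(kind, "ActiveX download via ms-its/CHM path delivering an .exe", line)
    if kind == "R3" and "URLSearchHook is missing" in body:
        return Finding(kind, "default URLSearchHook removed (search hijack residue)", line)
    if kind == "R0" and body.endswith("="):
        return Finding(kind, "IE page value emptied", line)
    if kind == "O8" and "file://" in body.lower():
        return Finding(kind, "context-menu item runs a local script file", line)
    if kind == "O6":
        return Finding(kind, "IE Control Panel restricted by policy", line)
    names = {n.lower() for n in FILE_NAME.findall(body)}
    if kind in ("O3", "O4") and names & KNOWN_BAD_FILES:
        return Finding(kind, "loads a file the thread identified as adware", line)
    return None


def triage(log_text):
    """Run assess() over every line of an HJT log, keeping log order."""
    return [f for f in map(assess, log_text.splitlines()) if f is not None]


# Constructed excerpt of the first log in the thread: benign lines mixed with
# the ones the helper singled out.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/dkvaget/x.chm::/load.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports eight findings, one per flagged line, and leaves the Yahoo start page, SDHelper, IgfxTray and Google Activate entries alone.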
needhelp007 (Guest)
Posted: Sun May 30, 2004 4:23 pm

I did do a search on Notepad... that's how I realized that it was missing. Anyways, if I do go to safe mode, how do I get it back again? And what is the need for safe mode... also what is the need of unchecking the hidden system files? Also, are there any consequences of deleting MyWebSearch?
needhelp007 (Guest)
Posted: Sun May 30, 2004 4:26 pm

Oh, BTW, when I try to delete the folder, it says access denied because of this file:

MWSOEPLG.exe. It says make sure it is not full or write protected...
satchick (1st Responder)
Posted: Sun May 30, 2004 5:29 pm

To unprotect MWSOEPLG.exe, right click on it and select properties. Uncheck the read only attribute (bottom left).

To get out of safe mode, just restart and let your system boot up normally.

Lots of malware tries to hide itself using Windows attributes, so making sure your system can see hidden & system files makes sure you can see ALL the files when browsing.

Go ahead and delete MyWebSearch. This is a nasty, so the only consequences of deleting it are good. I won't tell you to delete a good file.
satchick (1st Responder)
Posted: Sun May 30, 2004 5:35 pm

Here is a new copy of Notepad. Click on the download link below and save it to your desktop. Unzip the notepad.exe file to your desktop.

Now copy it into your c:\windows & c:\windows\system32 folders.


Last edited by satchick on Sun May 30, 2004 9:42 pm, edited 1 time in total
needhelp007 (Guest)
Posted: Sun May 30, 2004 7:52 pm

OK, thanks a lot, got rid of MyWebSearch... Now I notice in my regedit, under HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, there is a new item called Start Page that wasn't there before. Under it, it is called about:blank. I'm just checking to make sure it's normal. As of now my start page is still Yahoo, which is OK, but I'm just making sure that after restarting this isn't harmful. Also, when I download the Notepad it says the compressed (zipped) folder is corrupted or invalid. Don't know what that means, but anyways, thanks for the quick response and for all the help.
Page 1 of 3

 
 