Solve : HJT log...Need help? – InterviewSolution

InterviewSolution

1.	Solve : HJT log...Need help?
Answer» My pc and net are running slow, so I ran spy/adware & virus scanners and found soy/adware & viruses. I ran HJT & PandaScan for another forum at www.techsupportforum.com but they would not help at all. I would greatly appiciate it if some one could tell me what to remove for the HJT log & tell me waht to do for the viruses. Here are my logs. Hijackthis: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 12:30:38 PM, on 03/06/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\IOLO\Common\Lib\ioloDMVSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\ps2.exe C:\WINDOWS\system32\S3tray2.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\LTMSG.exe C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe C:\WINDOWS\system32\lexpps.exe C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca7.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL (file MISSING) R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update MANAGER\sgtray.exe" /r O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\6.bin\m3SrchMn.exe" /m=0 O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Krista and Jessica') O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Krista and Jessica') O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [Skype] "C:\Documents and Settings\Krista and Jessica\Local Settings\Application Data\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Krista and Jessica') O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Krista and Jessica') O4 - S-1-5-21-1936128508-2687675847-3651399767-1008 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Krista and Jessica') O4 - S-1-5-21-1936128508-2687675847-3651399767-1008 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Krista and Jessica') O4 - Startup: csrss.lnk = ? O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZS O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://karenfuldansgirl.spaces.live....d/MsnPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137297261718 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://209.91.143.201/activex/AxisCamControl.cab O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://www.cogeco.ca/en/ols21/fscax.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/download...ameManager.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/c...ploader_v6.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...69/mcfscan.cab O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories CACHE daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 9456 bytes PandaScan: Incident Status Location Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Internet Explorer\MSIMG32.dll Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr Adware:adware/sahagent Not disinfected c:\windows\system32\SHAgentNew.dll Virus:trj/spabot.e Disinfected Operating system Adware:adware/ncase Not disinfected c:\windows\msbbau.dat Adware:adware/cws.yexe Not disinfected c:\windows\system32\Services Potentially unwanted tool:application/funweb Not disinfected c:\program files\FunWebProducts Adware:adware/wupd Not disinfected Windows Registry Spyware:spyware/betterinet Not disinfected Windows Registry Adware:adware/wintools Not disinfected Windows Registry Adware:adware/savenow Not disinfected Windows Registry Dialer:dialer.bqw Not disinfected hkey_current_user\software\microsoft\internet explorer\main\conc Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][4].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][5].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][8].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Bettersearch Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected]1[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][1].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Krista and Jessica\Cookies\[emailprotected][2].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\Cookies\krista and [emailprotected][1].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\Cookies\krista and [emailprotected][2].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\Cookies\krista and [emailprotected][1].txt Virus:Trj/Downloader.LTL Not disinfected C:\Documents and Settings\Krista and Jessica\Local Settings\Temp\s1i8[¦%%\br_rt.dll] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected]t[1].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected][2].txt Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\[emailprotected][1].txt Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\msimg32.dll Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\10-47488c40c3cddfee98fc3b173f6d7beb.exe Virus:Trj/Downloader.LTL Disinfected C:\WINDOWS\18-979cccfcc7622e89302a49c23b6fa37a.exe Adware:Adware/Beginto Not disinfected C:\WINDOWS\system32\SmartShopper\uninstallSE.exewhat programs have you used??I've used Lavasoft adware, Uniblue spyware Scanner, Trend Micro online virus scan, PandsSoft online virus scan. They have all found things & I have removed what each has found but when I scan again there's still things there.look at my signature.. dl those programs update them and reboot into safe mode do the scans one at a time remove what they found.. post logs if available.. reboot in m=normal mode and report back on the state of the computeroh now that I see them I've also used Ccleaner and AVG spyware & virus scanners.JATreace ...... I just had a quick look at the old hijackthis log you posted and it doesnt look GOOD . This is what I would start by doing........... Go into the control panel / add/remove programs ...... and look for Web Search Tool bar ...... and remove it ....... Then while still in add/remove programs..... look for Win-Tools Easy installer ...and remove it. Now exit control panel........ Next ..... open up your installed anti virus program and make sure its updated ...... ( Don't run it ) Then open up AVG antispyware and manually update it . ( Don't run it ) Next , Turn off your system restore ........... Next ...... run the lastest version of CClearner ...... run both the "cleaner" as well as the "Issues" ....remove whatever either of them finds. Now reboot into safe mode and once safe mode has loaded , open your installed anti-virus program and run it ........ Remove anything it finds. Next , while still in safe mode , open AVG antispyware and run it . Remove anything it finds. It might be a idea to print out what has been suggested so you dont miss a step. When that's complete reboot back into normal mode and run hijackthis again and post new logfile here. ( the old one is many days old ) we'll leave the light on for your return.......... dl65 Alirhgt new log after running the virus & spyware scans in safte mode and removing the things that were listed. Also the Web Search Tool-Bar isn't any spyware I know that, it's for MSN it adds more smileys and things for it & as for the Win-Tools Easy Installer I did not find that. Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 10:02:40 AM, on 19/06/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\ps2.exe C:\WINDOWS\system32\S3tray2.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\LTMSG.exe C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\mIRC\mirc.exe C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca7.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe O4 - Startup: csrss.lnk = ? O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://karenfuldansgirl.spaces.live.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137297261718 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://209.91.143.201/activex/AxisCamControl.cab O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - http://www.cogeco.ca/en/ols21/fscax.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4769/mcfscan.cab O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 7895 bytes JATreace ....... Glad to see you return , with a new hijackthis log. Did you do the scan in safe mode with AVG Antispyware ? I ask because I see no mention of it anywhere. Here's what I would remove using hijackthis (mark for removal) R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKCU\..\Run: [Windows Sz Host] winshvc.exe (added by a worm) O4 - HKCU\..\RunServices: [Windows Sz Host] winshvc.exe (added by a worm) O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) Hopefully you had turned off your system restore Now click "Fix checked" Reboot ....see how things are running and post a fresh hijackthis log. dl65 New HTL log, yes I ran AVG anti-spyware & AVG anti-virus both in safemode. Seems to be running a bit better now, I just need to clean out the other user accounts on the computer. Should I so seperate HTL logs & scans for each user account on the computer? Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 2:20:48 PM, on 23/06/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\ps2.exe C:\WINDOWS\system32\S3tray2.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\lexpps.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca7.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook (User 'Kayla') O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Kayla') O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\RunServices: [Windows Sz Host] winshvc.exe (User 'Kayla') O4 - Startup: csrss.lnk = ? O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://karenfuldansgirl.spaces.live.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137297261718 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://209.91.143.201/activex/AxisCamControl.cab O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - http://www.cogeco.ca/en/ols21/fscax.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4769/mcfscan.cab O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 6884 bytes JATreace ......... Is the last logfile ..... the one that was generated by signing in as the admin , or another user ?....... The admin is the one to use . dl65 Yea I used the admin account. I noticed though each account held it's own temp files and cookies etc. is why I asked.JATreace ....... This one must be fixed with hijackthis.... So please mark for removal ..... O4 - HKUS\S-1-5-21-1936128508-2687675847-3651399767-1006\..\RunServices: [Windows Sz Host] winshvc.exe (User 'Kayla') once you have let hijackthis remove it , Reboot and see how things are. Another loffile from admin should confinrm that. dl65

Discussion

No Comment Found

Related InterviewSolutions