Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[Referred]I'm infected!

Started by underdog9 , May 10 2005 03:25 AM

  • Please log in to reply

#16
underdog9
Posted 11 June 2005 - 04:05 AM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi CW and thanks for your help. :tazz:

I saw that Ad-Aware had been updated so I decided run CCleaner and to do another scan to see if my computer had picked up any unwanted objects since the time I was referred to this forum. There were objects found and I deleted them. My screen is no longer blue and the Smithfraud message is gone which is an improvement I guess, However, my desktop now is black background and the computer still runs very slowly.

Please find my HJT log below:

Logfile of HijackThis v1.99.1
Scan saved at 1:23:47 PM, on 6/10/2005
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8EB660-A6B3-A367-121D-91DE13AFDEC2} - C:\WINDOWS\javaim.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
  • 0

Advertisements

#17
coachwife6
Posted 12 June 2005 - 08:26 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please RIGHT-CLICK: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\system32\perfcii.ini
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\LogFiles
C:\Program Files\Security IGuard

While still in Safe Mode, do the following:

Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fxlwh.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {5C8EB660-A6B3-A367-121D-91DE13AFDEC2} - C:\WINDOWS\javaim.dll (file missing)

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll



Close HiJackThis.

Reboot into normal mode.

1.) Download The Hoster Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.
  • 0

#18
underdog9
Posted 13 June 2005 - 07:42 PM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hey CW6. I have followed all the instructions up to the part where I need to run Active Scan. I started Active Scan and it was talking so long that it was still running when I left for work this morning. While at work it completed and my daughter started using the computer so I do not know what happened to the results. I will have to run it again and post it tomorrow.

Thanks again for all of your help.

Edited by underdog9, 13 June 2005 - 07:45 PM.

  • 0

#19
underdog9
Posted 14 June 2005 - 06:34 AM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hello CW6,

My desktop appears to be back to normal. I really appreciate your help. :tazz:

I was able to find the results of the ActiveScan without having to run it again. ;) The results are as follows:

Incident Status Location

Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Sites about\What is hydrocodone.url
Please find below the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 5:14:10 AM, on 6/14/2005
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
  • 0

#20
coachwife6
Posted 14 June 2005 - 06:42 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I got a chuckle last night when I read about your daughter. :tazz:

Just clear out your favorite sites list. I will look at the log later. I am at work right now. ;)
  • 0

#21
underdog9
Posted 16 June 2005 - 12:33 AM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi CW6,

I cleaned out the favorites list. Please check my HJT log when you get a chance. :tazz: I am hoping all of the problems are gone. Thanks again.
  • 0

#22
coachwife6
Posted 16 June 2005 - 08:56 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
The log looks good. More importantly, how is it running? Did you do another scan in active scan? Did you get any hits?
  • 0

#23
underdog9
Posted 21 June 2005 - 07:43 PM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi.

Sorry for the delay. Between my teenage daughter and my job, it seems I don't have much time left in my day.

Well, my computer seems to be running better but still a bit slow. I think there are things that load when booting up that are running in the background.... ;) ....trouble with that is I have no clue which ones should not be running and how to stop them from loading in the first place.:tazz:

Here is my new Active Scan report.

Incident Status Location

Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Bruce Wheeler\Favorites\Seven days of free [bleep].url

I have deleted this from my favorites but I have no idea how it got there in the first place.

I really appreciate your help. Thanks!
  • 0

#24
coachwife6
Posted 21 June 2005 - 09:35 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts

that load when booting up that are running in the background


Go to start>>run>> and type "msconfig" without the quotes. There is a list of everything that starts up.
You can post it here or you can do research at www.answersthatwork.com to see what is essential and what isn't.
  • 0

#25
underdog9
Posted 26 June 2005 - 06:22 PM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hello Coachwife6.

Here is my list:

rundll32
RxMon
mcmnhdlr
mcvsshld
mcagent
mcupdate
realsched
MpfTray
IEXPLORE
ctfmon
mssysmgr

These all have a check mark next to the items. The following are also on the list without check marks. I assume that means they do not automatically run at startup.

MpfTray
DrgToDsc
EngUtil
Adobe Gamma Loader.exe
IDW Logging Tool
Microsoft Office
WinZip Quick Pick

Clicking on the Processes tab of the Task Manager I have a longer list that seems to be running at startup. :tazz: I wrote down this list right after my computer booted up and I opened the Task Manager. I had not launched any applications. Does this mean that the list above is incomplete? The list from the process tab of Task Manager is as follows:

alg.exe
csrss.exe
ctfmon.exe
explorer.exe
juscheck.exe
jusched.exe
lsass.exe
mcagent.exe
McShield.exe
McVSEscn.exe
mcvsrte.exe
mcvsshld.exe
mdm.exe
MdfAgent.exe
MpfService.exe
MpfTray.exe
mssysmgr.exe
Playlist.exe
realsched.exe
RxMon.exe
services.exe
smss.exe
spoolslv.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
System
System Idle Process SYSTEM
taskmgr.exe
winlogon.exe
wuauclt.exe

Reaearching these programs on the answersthatwork site it appears that some of these could in fact be viruses (svchost.exe and others).

Any advice you have is most appreciated.
  • 0

Advertisements

#26
coachwife6
Posted 26 June 2005 - 09:44 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Find this and right-click on it and tell me it's properties.

spoolslv.exe
  • 0

#27
underdog9
Posted 29 June 2005 - 12:25 AM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
:tazz: Im sorry. Typo. I should have typed spoolsv.exe. The properties are as follows:

Type of file: Application
Description: Spooler SubSystem App

Location: C:\WINDOWS\system32
Size: 56.0 KB (57,344 bytes)
Size on disk: 56.0 KB (57,344 bytes)

I am not sure if this is what you want. If it isn't please let me know.

Thanks for all of your time and patience.
  • 0

#28
coachwife6
Posted 29 June 2005 - 09:08 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Try this http://www.innovativ...aller/index.htm
Run the powerful Registry cleaner, defragmenter and optimizer which will help you keep your Registry fast, clean,
This should remove the left over reistery key from SearchAid.

It's a 14 day trial. Everything else looks good.

You could take the roxio entries out of task manager.
  • 0

#29
underdog9
Posted 03 July 2005 - 04:03 PM

underdog9

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks so much CW6. My computer seems to work alot better now. :tazz:

I would like to ask one last question. I don't know if this was related to my other problems or not but everynow and then I get the following message fairly often when browsing net.
A Runtime Error has occurred
Do you wish to Debug?

Line:1
Error: Invalid Character

Do you have any idea of what is causing this message?
  • 0

#30
coachwife6
Posted 03 July 2005 - 04:20 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Look at this
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP