TechSpot

Help with HijackThis log

By sungar
Jan 30, 2005
  1. I've got a couple of spyware-type things on my system that I'm trying to clear up. I've already run AdAware and Spybot S&D. The main things I see are:

    -> When I run a search, I get another window that opens with the search results from Lycos.

    -> I get a lot of popups from eSyndicate (I even just got one when I tried to upload my log file!)

    Attached is a copy of my HijackThis log. Any help would be appreciated.
    Thanks,
    -Steve

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Just wondering if you have been messing with your sister's or girlfriend's (Denise) PC?

    Boot in Safe Mode.
    Turn off System Restore.

    UNinstall (if you can) anything to do with:

    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
    C:\Program Files\SEP\sep.dll
    C:\Program Files\eSyndicate\esyn.dll
    C:\Program Files\Middadle\Clicks10017.dll

    Move Hijackthis to its OWN directory, e.g. C:\Program Files\HJT
    Now run HJT on its own, and let it 'fix' (if still there):

    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\documents and settings\denise\local settings\temp\hT4l9d.exe
    C:\windows\temp\Ug.exe
    C:\documents and settings\denise\local settings\temp\hT4l9d.exe
    C:\windows\temp\Ug.exe
    C:\WINDOWS\System32\cdfview0.exe
    C:\windows\system32\azhmXzaHL.exe
    C:\windows\system32\P1x3Pt.exe
    C:\windows\system32\avgk.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
    C:\WINDOWS\System32\fast.exe
    C:\Documents and Settings\Denise\Application Data\othb.exe
    C:\WINDOWS\system32\avgk.exe

    ALL lines starting with R1
    ALL lines starting with R0

    R3 - Default URLSearchHook is missing
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {51B856E8-E00B-C5DD-7B11-EDDC4F3FE7EA} - C:\WINDOWS\System32\lvt.dll
    O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [hT4l9d] C:\documents and settings\denise\local settings\temp\hT4l9d.exe
    O4 - HKLM\..\Run: [Ug] C:\windows\temp\Ug.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
    O4 - HKLM\..\Run: [hT4l9d.exe] C:\documents and settings\denise\local settings\temp\hT4l9d.exe
    O4 - HKLM\..\Run: [Ug.exe] C:\windows\temp\Ug.exe
    O4 - HKLM\..\Run: [afd0b7ffd936] C:\WINDOWS\System32\cdfview0.exe
    O4 - HKLM\..\Run: [azhmXzaHL.exe] C:\windows\system32\azhmXzaHL.exe
    O4 - HKLM\..\Run: [P1x3Pt.exe] C:\windows\system32\P1x3Pt.exe
    O4 - HKLM\..\Run: [avgk.exe] c:\windows\system32\avgk.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O4 - HKCU\..\Run: [Qjotbe] C:\WINDOWS\System32\fast.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Denise\Application Data\othb.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPihp001
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B1} - http://www.google.com.super-fast-search.apsua.com/find.htm (file missing)
    O9 - Extra button: ENTERTAINMENT - {FE5A1910-F121-11d2-BE9E-01C04A7936B2} - http://www.google.com.super-fast-search.apsua.com/av.htm (file missing)
    O9 - Extra button: PILLS - {FE5A1910-F121-11d2-BE9E-01C04A7936B3} - http://www.google.com.super-fast-search.apsua.com/med.htm (file missing)
    O9 - Extra button: SECURITY - {FE5A1910-F121-11d2-BE9E-01C04A7936B4} - http://www.google.com.super-fast-search.apsua.com/check.htm (file missing)
    O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B5} - http://www.google.com.super-fast-search.apsua.com (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com

    ALL lines starting with O16 - DPF:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6C188C-E167-4898-AE09-499A363F27C9}: NameServer = 198.81.17.4

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Go to C:\documents and settings\denise\local settings\temp\ and delete EVERYTHING in the temp directory.

    It is cheaper to go to your local software shop and buy a CD with all sorts of card-games etc. on it, probably less than a tenner. Heck, they even display those in the supermart.
    Don't EVER go to ANY games-website, unless it belongs to official producers of Sims, Call of Duty, etc.
     
  3. sungar

    sungar TS Rookie Topic Starter

    Updated HijackThis log file

    Thanks for the help - it seems to have cleared up a lot of what was going on.

    I've attached the HijackThis log file after I cleaned up the system. Could you let me know if I missed anything/picked up anything new?

    Thanks.

    (BTW - It's my wife's system.)
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Sorry, no offense meant.

    You are almost there.

    Boot in Safe Mode
    Stop System Restore
    Press ctrl/alt/del and in Task Manager, try to stop:

    mwsoemon.exe
    avgk.exe

    Next, try to UNinstall anything to do with:
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    Next, run HJT on its own and let it "fix":
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\windows\system32\avgk.exe
    C:\WINDOWS\system32\avgk.exe
    O2 - BHO: (no name) - {0C4DB3BB-0A00-2E81-2EF3-5387EBF2E9EF} - C:\WINDOWS\System32\vzbup.dll
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [avgk.exe] C:\windows\system32\avgk.exe

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Reboot and restart System Restore
     
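Both of RealBlackStuff's replies above apply the same triage rules by eye: read the HijackThis log, pick out the autorun (O4), BHO (O2), toolbar (O3), extra-button (O9) and DNS (O17) entries, and flag the ones that run from a temp directory or per-user Application Data, reference a file that no longer exists, have no name, use a random-looking filename, or override the DNS server. The Python script below is an added example, not part of this thread or of HijackThis itself; it encodes those rules so the same checks can be run over a saved log before deciding what to let HJT fix. The sample input is constructed from lines quoted in the thread's log, plus one benign SynTPEnh autorun line that is an assumption added for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines quoted from the thread's HijackThis log, plus one
# benign Synaptics touchpad autorun (assumed, not from the thread) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {51B856E8-E00B-C5DD-7B11-EDDC4F3FE7EA} - C:\WINDOWS\System32\lvt.dll
O4 - HKLM\..\Run: [hT4l9d] C:\documents and settings\denise\local settings\temp\hT4l9d.exe
O4 - HKLM\..\Run: [Ug] C:\windows\temp\Ug.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Denise\Application Data\othb.exe
O4 - HKLM\..\Run: [avgk.exe] c:\windows\system32\avgk.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6C188C-E167-4898-AE09-499A363F27C9}: NameServer = 198.81.17.4
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

# A HijackThis entry starts with its section code (R0, R1, O2, O4, O17, ...).
ENTRY_RE = re.compile(r"^([RO]\d+)\s*-\s*(.*)$")
# First Windows path ending in .exe or .dll on the line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll)\b", re.IGNORECASE)
# Short alphanumeric stem mixing letters and digits, e.g. hT4l9d or P1x3Pt.
RANDOM_STEM_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{4,10}$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def extract_path(body: str):
    """Return the first executable/DLL path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage(log_text: str):
    """Apply the thread's triage rules to every entry; return one Finding per reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, blank lines, running-process list
        section, body = m.groups()
        path = extract_path(body)
        lower_path = path.lower() if path else ""
        reasons = []
        if "\\temp\\" in lower_path:
            reasons.append("runs from a temp directory")
        if "\\application data\\" in lower_path and lower_path.endswith(".exe"):
            reasons.append("executable under per-user Application Data")
        if "(file missing)" in body.lower():
            reasons.append("points at a file that no longer exists")
        if section == "O2" and "(no name)" in body:
            reasons.append("browser helper object with no name")
        if path:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if RANDOM_STEM_RE.match(stem):
                reasons.append(f"random-looking filename {stem!r}")
        if section == "O17" and "nameserver" in body.lower():
            reasons.append("DNS server override; confirm it matches the ISP or router")
        for reason in reasons:
            findings.append(Finding(section, reason, line))
    return findings


def count_by_section(findings):
    """Summarise how many flagged reasons each HJT section produced."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("summary:", count_by_section(results))
```

Entries that trip none of the rules (the avgk.exe line, for instance) are not flagged, which is why the reply still relies on knowing the log: a file named to look like a security product in System32 only stands out to someone who knows the real AVG layout. The script is a first pass that surfaces the obvious cases; every flagged line is still a candidate for review, not an automatic deletion.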
Topic Status:
Not open for further replies.
