Lasko

You have some strange way to store your programs.
Looks like Finnish to me. I could live with OHJELMATIEDOSTOT whatever that means, (Program Files ?)
but I am highly suspicious of: ELISA TIETOTURVAPALVELU\4119343
If Elisa Tie... is a person's name, OK, but \4119343\ looks very wrong by my books. Backweb is in internet communications-program that can do a lot of damage, unless you know and accept where it comes from.

I will leave it up to you if you want to do anything about these:
C:\OHJELMATIEDOSTOT\ELISA TIETOTURVAPALVELU\4119343\PROGRAM\BACKWEB-4119343.EXE
C:\OHJELMATIEDOSTOT\ELISA TIETOTURVAPALVELU\4119343\6.1.0.145-4119343L\PROGRAM\SPLASH.EXE
O4 - Global Startup: Elisa Tietoturvapalvelu.lnk = C:\Ohjelmatiedostot\Elisa Tietoturvapalvelu\4119343\Program\backweb-4119343.exe

Boot in Safe Mode
Stop System Restore
UNinstall these:
C:\Ohjelmatiedostot\SpyKiller\spykiller.exe /startup
C:\Ohjelmatiedostot\BestPopUpKiller\BestPopupKille r.exe /startup

If you use Firefox, you don't need them at all.

Run HJT on its own and let it 'fix':
C:\WINDOWS\LOADQM.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://elisa.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.fi;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Name - {B09C89EE-3A3F-42DD-9013-6DCF4C4FA258} - C:\WINDOWS\SYSTEM\MSLFA.DLL
O2 - BHO: (no name) - {1C2E2155-E0D0-430A-81C2-717D4D348D8A} - C:\WINDOWS\SYSTEM\SFCMAN32.DLL (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IECUSTOM32.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Ohjelmatiedostot\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Ohjelmatiedostot\BestPopUpKiller\BestPopupKille r.exe /startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://elisa.net/
O16 - DPF: {11212111-2121-1311-1141-115611111222} -
ms-its:mhtml:file://d: oo.mht!http://69.50.166.213/users/alex/web...hm::/update.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/m...pdownloader.cab

Unless these IP-addresses belong to your ISP, 'fix' them also
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31

When done, delete the bold files. When a directory-name is bold, delete everything in it, including that directory itself.

Boot normal. If all OK, put Sytem Restore back on.

I am unable to boot in safe mode. Everytime I try I get hung up and have to ctrl +alt+del. Here is a copy of my hijack log

Attached Files

hjt.txt (9.8 KB, 1 views)

jenny1377

Armed with the list below, do your 'homework' first
Go to this post here first, and follow the instructions EXACTLY.
How to remove Begin2Search/Coolwebsearch and Other Nasties
Then see How to post your Hijackthis log-files.
Post a fresh log if you still have problems.


The following is all rubbish. Uninstall what you can from that lot:
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TEMP\7H.EXE
C:\JTQFMYW.EXE
C:\WINDOWS\SYSTEM\IEMXMLC.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE ==>> VX2-infection <<==
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\QMF.EXE
C:\WINDOWS\SYSTEM\ESSN30.EXE
C:\WINDOWS\SYSTEM\MZFK.EXE
C:\WINDOWS\SYSTEM\RFWZ.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bankofamerica.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\slhzo.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\slhzo.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B861DEB5-D7DB-8E8A-08BF-EC5D9BEDE04D} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\Run: [fCi0W] C:\JTQFMYW.EXE
O4 - HKLM\..\Run: [7h] C:\WINDOWS\TEMP\7H.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\JTQFMYW.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\JTQFMYW.EXE
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [fCi0+¿ÔÇè]mú*àaîžigC:\Program Files\ISTsvc\istsvc.exe] C:\JTQFMYW.EXE
O4 - HKLM\..\Run: [op4g37g] IEMXMLC.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\DfsIp4.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [MSI_CallerID_CAI40] C:\BUSYBUSTER\BUSYBUSTER32.EXE
O4 - HKLM\..\RunServices: [MFCCF.EXE] C:\WINDOWS\MFCCF.EXE
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Ctfghez] C:\WINDOWS\SYSTEM\qmf.exe
O4 - HKCU\..\Run: [ZEvmRXMmj] ESSN30.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {17490F14-B6E6-11D2-8E5C-0000F87A4946} (MSN Communities Upload Control) - http://content.communities.msn.com/cs/msnupld.cab
O16 - DPF: {33C9CD44-1EB4-41BC-BDAE-67200C31CC01} - http://supportservices.msn.com/us/oe...ges/msncfg.CAB
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/oeconfig/MailCfg.cab
O16 - DPF: {D1B80EBF-1A26-4FEC-B0B9-DCB934C6507E} (Loader Class) - http://dialup.carpediem.fr/CABS/1,0,...ccesMembre.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab

"O10 - Hijacked Internet access by New.Net", I already ran Spybot a couple of times but i still get this when i run hijack this.... I read your instructions and did what was told but this this hijacked internet access still comes up.


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll (file missing)

Also, those O2 - BHO lines, you said i should delete them if there was no name AND file missing, but these only have one of the two, so i don't know if i should delete them.

Logfile of HijackThis v1.99.1
Scan saved at 12:44:58 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.swirve.com/utopia
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Ironmask92

Go here http://www.short-media.com/review.php?r=252&p=3 and download/install/run OmegakillerSW. Read the instructions on that page first, please!
That should get rid of your O10 - Hijacked Internet access by New.Net

Boot in Safe Mode and let HJT 'fix' these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.swirve.com/utopia
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll (file missing)

When done, delete the bold files. When a directory-name is bold, delete everything in it, including that directory itself.

I got rid of that "010 - Hijacked internet access by New.net", i tried the omegakillerSW you told me to use to get rid of it (i read all the instructions on the page), but it didn't get rid of it. So i tried to delete it and it said i can't delete it cause it was write-protected (like that little square at the bottom right of a floppy disk that you need to push up or down to go from write-protected to readable). Anyways, i went into the "NewDotNet" folder and it had an uninstall file, so i used that to uninstall "NewDotNet", now its gone, btw, when i used omegakillerSW, i found that i had about 50 of those "01 - searchnet.com" stuff (all different search programs or something, which i got rid of, thank god for omegakillerSW or i would never have known i had so much of that stuff in my computer (which explains why my internet is so slow).

I ran hijack this in safe mode, got rid of most of the stuff, but the problem is that the two "R0" lines don't go away when i had deleted them. I also get a "about:blank" page when i open up Internet explorer. I put a new homepage for it "games.swirve.com/utopia" (Utopia is an online game), but when i run hijack this in normal mode, it puts Utopia as a "R0"

BTW, how do i tell which directories are bold or not? Since when i run hijack this, there was nothing in BOLD, do i just delete the ones in capital letters?

Thank you for your time so far in helping me to solve this problem, i really appreciate it. Hopefully i can solve this new problem soon and give you my full thanks,



Logfile of HijackThis v1.99.1
Scan saved at 3:29:06 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://games.swirve.com/utopia
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Okay heres my problem. I have Begin2search as a tool bar on my IE5.

and a program called My Way Search Assistant in my Add/Remove Programs file list.

The biggest problem is that I can't remove the My Way Search Assistant when I highlight it under Add/Remove programs it does not give me any options it just says used: rarely and nothing else.

I tried following the steps of a post for removing Begin2Search and it didnt' work.. so the only thing I can figure is its the My Way Search Assistant that is bringing it back??

Logfile of HijackThis v1.97.7
Scan saved at 5:27:09 PM, on 3/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\RUNDLL32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\windows\system32\jbevqpk.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\windows\system32\packager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brett Bennett\Local Settings\Temporary Internet Files\Content.IE5\6NQZU96B\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://216.130.185.122/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\system32\winb2s32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [jbevqpk] c:\windows\system32\jbevqpk.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab



Someone please help

ironmask92

Boot in Safe Mode and let HJT 'fix' these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

The rest is fine.
With bold files/directories I mean the files and/or directories that I have highlighted by making them bold.

NTFRGTN

Armed with the info underneath, go and do your homework.
Go to this post here first, and follow the instructions EXACTLY, especially the ones about UPDATING and LOCATION of files..
How to remove Begin2Search/Coolwebsearch and Other Nasties
Then see How to post your Hijackthis log-files.

Get rid of these, using the above post's instructions:
C:\windows\system32\jbevqpk.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://216.130.185.122/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://216.130.185.122/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\system32\winb2s32.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [jbevqpk] c:\windows\system32\jbevqpk.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pu...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab

I am a new member. I came here for help because my computer is running slow, and keeps having to run check disk on reboot. I am pasting the hijack log because it is giving me an error when I try to upload my text file.

Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 2:27:27 AM, on 3/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\CTHELPER.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>;www.pld.fcps.net
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

bkmorgan

Go to this post here first, and follow the instructions EXACTLY, especially see UPDATING!!!
How to remove Begin2Search/Coolwebsearch and Other Nasties
Then see How to post your Hijackthis log-files.

These need to be taken care of, AFTER your updates etc.
Plus whatever others show up from using the NEWEST Hijackthis.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = ;127.0.0.1;<local>;www.pld.fcps.net
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
ALL lines starting with: O16 - DPF:

Post another log if needed.

I have used HijackThis in Safe Mode but i can't seem to get rid of these two RO's. They come back everytime i rerun HijackThis. I used HijackThis in Safe Mode, then i ran HijackThis in normal mode and those two lines came back again. Also, when i open up my IE browser, i get a blank page everytime (about:blank). My HijackThis log is attached, plz have a look at it, thank you.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Attached Files

hijackthis.txt (2.8 KB, 3 views)

ironmask92

Apart from those 2 lines, your log looks clean.
The only possible culprits could be in the settings for the Google and Yahoo searchbars.
Uninstall both completely.
Do not reinstall (Google is already on version 3 AFAIK) them until you have tested your browser.
Leave them out, I don't think you need them. With Firefox you get your built-in Google-style search-window.

I have cleaned out and updated the things you directed me to do. This is my new log. The computer is still having trouble with lagging, but it does not scan the disk at boot up.

When trying to upload my hijackthis txt file I get this message:
POST requests from foreign hosts are not allowed

Logfile of HijackThis v1.98.2
Scan saved at 5:55:44 AM, on 3/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe
C:\Program Files\McAfee.com\VSO\mcshield.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

I removed the 016 entries, but they keep showing up.

bkmorgan

my first post to you said:
Go to this post here first, and follow the instructions EXACTLY, especially see UPDATING!!!

I rest my case.

So far so good,

Have used the great guide supplied by 'RealBlackStuff' and have reduced my log by about half! I think I am almost there. Please would someone cast their eye through my log and let me know if anything else is 'not supposed to be there'.

I have several more questions but I think one at a time...

Cheers,
J.

Attached Files

HJT.txt (2.6 KB, 1 views)

Alright first off, I would like to thank all of you for helping me out in advance.

Next, my situation. My computer was running fine until three months ago when my sister and my nephew came to visit (during the winter holiday). My nephew had to do some "homework" (he's 16) and I think he did a little bit more then just homework if you catch my drift.

Since that little visit my computer has not been operating very well. Simple tasks are fine, as is browsing the internet. But any downloads simply go at a snails pace, or just time out. Even online poker games tend to drop me. Even my nephew complained while he was here, saying his Half life (is that right?) game wasn't working online anymore.

I am on a ethernet (included in my monthly rent) which used to download at a very high rate (ex: 120 kb/s) and now I can barely get 1.2 kb/s.

Thanks again you guys, any advice or help is greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 9:03:47 PM, on 3/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\DefWatch.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~2\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kazaa Lite Revolution\kazaalite.kpp
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\vptray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Jkasj

Go to this post here first, and follow the instructions EXACTLY, especially about UPDATING and HJT-location.
How to remove Begin2Search/Coolwebsearch and Other Nasties

While you are at it, try to UNinstallanything to do with:
C:\Program Files\Kazaa Lite Revolution\kazaalite.kpp
C:\WINDOWS\kdx\KHost.exe
C:\Utopia\Angel\Angel.exe

The above is not all, though! You need to post a new log.
See How to post your Hijackthis log-files.

Followed your instructions and cleared a bunch of stuff, however having an issue (maybe cause I've been screwing with it all afternoon) with getting my "running processes" deleted. It's on that list of bad applications running, but whenever I run hijackthis it goes right to R1's etc....

Don't mean to trouble ya, and if you can help me out with this I will have the majority of it done. Thanks again for your help. Just seeing that list of processes that shouldn't be running is a big eye opener. Appreciate your time. Thanks again.

Jkasj
There is no such list of "bad applications running".
The Processes running: will show up in the log after you SAVED the logfile AS e.g. hjt.txt
I will advise you which ones are the baddies, so post your new log pronto, please.