Help with HijackThis log

Status
Not open for further replies.

sungar

I've got a couple of spyware-type things on my system that I'm trying to clear up. I've already run AdAware and Spybot S&D. The main things I see are:

-> When I run a search, I get another window that opens with the search results from Lycos.

-> I get a lot of popups from eSyndicate (I even just got one when I tried to upload my log file!)

Attached is a copy of my HijackThis log. Any help would be appreciated.
Thanks,
-Steve
 

Attachment: hijackthis.txt (14.2 KB)
Just wondering if you have been messing with your sister's or girlfriend's (Denise) PC?

Boot in Safe Mode.
Turn off System Restore.

UNinstall (if you can) anything to do with:

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\SEP\sep.dll
C:\Program Files\eSyndicate\esyn.dll
C:\Program Files\Middadle\Clicks10017.dll

Move Hijackthis to its OWN directory, e.g. C:\Program Files\HJT
Now run HJT on its own, and let it 'fix' (if still there):
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\documents and settings\denise\local settings\temp\hT4l9d.exe
C:\windows\temp\Ug.exe
C:\documents and settings\denise\local settings\temp\hT4l9d.exe
C:\windows\temp\Ug.exe
C:\WINDOWS\System32\cdfview0.exe
C:\windows\system32\azhmXzaHL.exe
C:\windows\system32\P1x3Pt.exe
C:\windows\system32\avgk.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\WINDOWS\System32\fast.exe
C:\Documents and Settings\Denise\Application Data\othb.exe
C:\WINDOWS\system32\avgk.exe

ALL lines starting with R1
ALL lines starting with R0

R3 - Default URLSearchHook is missing
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {51B856E8-E00B-C5DD-7B11-EDDC4F3FE7EA} - C:\WINDOWS\System32\lvt.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\System32\lmf32v.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Middadle\Clicks10017.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [hT4l9d] C:\documents and settings\denise\local settings\temp\hT4l9d.exe
O4 - HKLM\..\Run: [Ug] C:\windows\temp\Ug.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [hT4l9d.exe] C:\documents and settings\denise\local settings\temp\hT4l9d.exe
O4 - HKLM\..\Run: [Ug.exe] C:\windows\temp\Ug.exe
O4 - HKLM\..\Run: [afd0b7ffd936] C:\WINDOWS\System32\cdfview0.exe
O4 - HKLM\..\Run: [azhmXzaHL.exe] C:\windows\system32\azhmXzaHL.exe
O4 - HKLM\..\Run: [P1x3Pt.exe] C:\windows\system32\P1x3Pt.exe
O4 - HKLM\..\Run: [avgk.exe] c:\windows\system32\avgk.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Qjotbe] C:\WINDOWS\System32\fast.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Denise\Application Data\othb.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZPihp001
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B1} - http://www.google.com.super-fast-search.apsua.com/find.htm (file missing)
O9 - Extra button: ENTERTAINMENT - {FE5A1910-F121-11d2-BE9E-01C04A7936B2} - http://www.google.com.super-fast-search.apsua.com/av.htm (file missing)
O9 - Extra button: PILLS - {FE5A1910-F121-11d2-BE9E-01C04A7936B3} - http://www.google.com.super-fast-search.apsua.com/med.htm (file missing)
O9 - Extra button: SECURITY - {FE5A1910-F121-11d2-BE9E-01C04A7936B4} - http://www.google.com.super-fast-search.apsua.com/check.htm (file missing)
O9 - Extra button: SEARCH - {FE5A1910-F121-11d2-BE9E-01C04A7936B5} - http://www.google.com.super-fast-search.apsua.com (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com

ALL lines starting with O16 - DPF:

O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6C188C-E167-4898-AE09-499A363F27C9}: NameServer = 198.81.17.4

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Go to C:\documents and settings\denise\local settings\temp\ and delete EVERYTHING in the temp directory.
It is cheaper to go to your local software shop and buy a CD with all sorts of card-games etc. on it, probably less than a tenner. Heck, they even display those in the supermarket.
Don't EVER go to ANY games-website, unless it belongs to official producers of Sims, Call of Duty, etc.
 
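For anyone triaging a log of their own, an added example (not part of this thread and not code from the HijackThis tool) that applies the same sorting the reply above does by hand: it parses O2/O4/O9/O17 lines and flags unnamed BHOs, auto-start executables living in temp or profile directories, IE buttons that point at a web URL, and an O17 nameserver not on an allowlist you supply. The `[ExampleTray]` line and the `dns_allowlist` parameter are constructed assumptions; the other sample lines are copied from the log excerpt quoted above.

```python
import re
from typing import Dict, List, Tuple

# Sample HijackThis lines: all but the [ExampleTray] entry are copied from the
# log excerpt quoted in the reply above; [ExampleTray] is a constructed benign
# control line so the filter has something it should let through.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {51B856E8-E00B-C5DD-7B11-EDDC4F3FE7EA} - C:\WINDOWS\System32\lvt.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O4 - HKLM\..\Run: [hT4l9d] C:\documents and settings\denise\local settings\temp\hT4l9d.exe
O4 - HKLM\..\Run: [Ug] C:\windows\temp\Ug.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Denise\Application Data\othb.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\ExampleVendor\tray.exe
O9 - Extra button: PILLS - {FE5A1910-F121-11d2-BE9E-01C04A7936B3} - http://www.google.com.super-fast-search.apsua.com/med.htm (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E6C188C-E167-4898-AE09-499A363F27C9}: NameServer = 198.81.17.4
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Directories a legitimate auto-start program almost never runs from.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\")


def parse(log: str) -> List[Tuple[str, str]]:
    """Split a log into (section, body) pairs, skipping non-entry lines."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def triage(log: str, dns_allowlist=()) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at first, with a reason each."""
    findings = []
    for section, body in parse(log):
        low = body.lower()
        reason = None
        if section in ("O2", "O3") and "(no name)" in low:
            reason = "unnamed BHO/toolbar"
        elif section == "O4" and low.endswith(".exe") and any(d in low for d in SUSPECT_DIRS):
            reason = "auto-start executable in temp/profile directory"
        elif section == "O9" and "http" in low and "(file missing)" in low:
            reason = "IE button pointing at a web URL"
        elif section == "O17":
            ns = body.split("NameServer =")[-1].strip()
            if ns not in dns_allowlist:  # allowlist = your ISP's resolvers (assumed)
                reason = f"DNS server {ns} not on allowlist"
        if reason:
            findings.append({"section": section, "reason": reason, "entry": body})
    return findings
```

Named BHOs such as the eSyndicate one above are deliberately not flagged by the rules here; those still need a manual look-up of the vendor and path.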
Updated HijackThis log file

Thanks for the help - it seems to have cleared up a lot of what was going on.

I've attached the HijackThis log file after I cleaned up the system. Could you let me know if I missed anything/picked up anything new?

Thanks.

(BTW - It's my wife's system.)
 
Sorry, no offense meant.

You are almost there.

Boot in Safe Mode
Stop System restore
Press ctrl/alt/del and in Taskmanager, try to stop:

mwsoemon.exe
avgk.exe

Next, try to UNinstall anything to do with:
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

Next, run HJT on its own and let it "fix":
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\windows\system32\avgk.exe
C:\WINDOWS\system32\avgk.exe
O2 - BHO: (no name) - {0C4DB3BB-0A00-2E81-2EF3-5387EBF2E9EF} - C:\WINDOWS\System32\vzbup.dll
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [avgk.exe] C:\windows\system32\avgk.exe

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Reboot and restart System Restore
 