Please review my hijack this log

Status
Not open for further replies.

MellyJC

So you guys should all know how absolutely awesome you are for being here giving out free help like you do. I know you've saved my computer in the past and I'm sure you've saved that of many others as well.

In any case, here's my hijack this log. No known problems in terms of operations, it's just been a while since it's been run and it seemed like time.


Thank you again you awesome people! :D
 
You have one piece of malware, some rubbish, and a fair bit of unnecessary extras.

Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Next, open Windows Task Manager.

On Windows 95/98/ME, press CTRL+ALT+DELETE.
On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
Click the Processes tab, select the process (if there), click End Process for:
swdoctor.exe (rubbish)
jusched.exe (unnecessary)
qttask.exe (unnecessary)
winampa.exe (malware)
UpdReg.EXE (unnecessary)
SPLASHA.EXE (unnecessary)

Next, try to UNinstall anything to do with (not delete yet!):
F:\Program Files\Spyware Doctor\swdoctor.exe

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
F:\Program Files\Spyware Doctor\swdoctor.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
Fix ALL your O16 - DPF: entries
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.
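As an added example (not part of this thread, and not a HijackThis tool), here is a small Python triage script for HJT entries of the kinds quoted in the reply above: it pulls the CLSID and image path out of each line, flags the orphaned "(no file)" / "(file missing)" entries that point at nothing on disk, and lists which executables the O4 autostart entries launch, so the process list given above can be checked against the log. The sample lines are copied from the reply; the function and regex names are my own.

```python
import os
import re

# Constructed sample: the same HJT entry kinds the reply quotes above.
SAMPLE_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - F:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Introducing Media Manager.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\SPLASHA.EXE
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Drive-letter path up to the first .exe/.dll, with or without surrounding quotes.
IMAGE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


def parse_entry(line):
    """Break one HJT line into its section, CLSID, image path and orphan flag."""
    section, _, rest = line.partition(" - ")
    clsid = CLSID_RE.search(rest)
    image = IMAGE_RE.search(rest)
    run = RUN_RE.match(line)
    return {
        "section": section,
        "clsid": clsid.group(0).upper() if clsid else None,
        "image": image.group(1) if image else None,
        "hive": run.group(1) if run else None,
        "run_name": run.group(2) if run else None,
        # HJT prints these markers when the registry points at a file that is gone.
        "orphan": "(no file)" in rest or "(file missing)" in rest,
        "raw": line,
    }


def parse_log(text):
    return [parse_entry(l) for l in text.splitlines() if re.match(r"^O\d+ - ", l)]


def orphaned_entries(entries):
    """Registry entries whose target no longer exists: pure clutter, safe to fix."""
    return [e["raw"] for e in entries if e["orphan"]]


def autostart_images(entries):
    """Lower-cased executable names the O4 (autostart) entries would launch at logon."""
    return [os.path.basename(e["image"].replace("\\", "/")).lower()
            for e in entries if e["section"] == "O4" and e["image"]]


def entries_launching(entries, exe_name):
    """All log lines that start the given executable, e.g. the one flagged as malware."""
    return [e["raw"] for e in entries if e["image"]
            and os.path.basename(e["image"].replace("\\", "/")).lower() == exe_name.lower()]
```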
 
I actually paid for Spyware Doctor out of desperation over my begin2search problem before finding you guys a while back. :(

So if I get rid of winamp....wma will be able to play all the vids I use it for?
 
You only get rid of ONE program-file, winampa.exe, which is the infected WinampAgent, not Winamp itself.
That is of course, assuming you followed my instructions to the letter!

You can keep the Dr; it won't do you any harm. It won't do you much good either...
 
Alright, did what you said. None of those things were actually running, for whatever that's worth. You said a couple of the processes (updreg, splasha etc.) are unnecessary; does that mean I should delete them through hijack this?

I was bad and kept two of the O16 DPFs. I know what the windows genuine thing is about, and it's a nuisance to have to go through, so I'm assuming it's ok to keep that, as well as the pinecone; I trust that site. Is it important I get rid of those too even though I know the sources? I'm just sort of afraid I might have problems if I get rid of them.

Thanks again for all your help RealBlackStuff, you're my computer hero!

Also, curious what you think of the Microsoft Antispyware program. It found 4 entries for 'old friends' like begin2search today. At least it's free. heh.
 
My advice for the unnecessary programs only involved stopping them from running; HJT only removed the Run at startup from the registry.
I did NOT advise to delete any unnecessary programs. You can still run them manually.

The O16s are only registry clutter, you can keep them if you want, but they are useless.
The Windows genuine thing should be gone through only once, unless you reinstall.
The pinecone thing almost pains me! It's an ActiveX thing and we all know how harmful that is, don't we?
It means that after all the tirades we have on these forums, and the worldwide advice to ditch it, you are still using Internet Explorer.

GO TO WWW.GETFIREFOX.COM AND INSTALL/USE FIREFOX!!!

I use that MS Antispyware myself, it is excellent. (one of the few good M$ programs)
 
Don't recall the reason it got lost the first time, but I've had to do windows validation twice now. The first time was a real pain in the **** since I was using Firefox and it wanted IE or something.

But yea...I tried Firefox. Great ideas...but half the time my pages wouldn't load. I posted about it on a forum here asking for help getting it working but nobody replied.
 