dobhar
1.1K Posts
0
April 22nd, 2005 06:00
Hi MzLilyStr...
My name is dobhar and I will be looking over your log. Please give me some time to go look it over. I will post back as soon as possible.
If you have any questions please post them back in this thread.
Thanks,
dobhar
1.1K Posts
0
April 22nd, 2005 07:00
I noticed that you're running HijackThis from your Temporary Internet Files. HijackThis needs to be run from a folder of its own and not from Temporary Internet Files. So while you are waiting for me could you please follow the instructions below...
- Download HijackThis from here
- Save it on the root of your C: Drive to a folder called C:\HJT or C:\HijackThis
1. Open "My Computer"
2. Double-click "C:" or "Local Disk (C: )"
3. Right-click in an open area in that window
4. Select/left-click on "New" from the drop-down
5. Select/left-click on "Folder"
6. A folder will appear with the cursor blinking and the words "New Folder" will be highlighted
7. Name the folder HJT or HijackThis
8. Please reply back with a new HijackThis log
MzLilyStr
2 Posts
0
April 24th, 2005 00:00
Hi, me again,
I just saved HJT on C: drive and here's the new log.
Thanks for the instructions and hope to hear from you soon.
Regards,
Lily
PS: log file below
Logfile of HijackThis v1.99.1
Scan saved at 9:51:18 PM, on 4/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZINIOD~2.EXE /hide
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://real.gamehouse.com/real/games/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
dobhar
1.1K Posts
0
April 24th, 2005 01:00
dobhar
1.1K Posts
0
April 24th, 2005 23:00
Hi MzLilyStr...
Let's get to it...
Note: Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Step 1.
========
We first need to disable Microsoft AntiSpyware as it may interfere with our "Fixes"
- Open "Microsoft AntiSpyware"
- Click on Options then select Settings
- In left-hand window click on Real-time Protection
- Under Startup Options de-select\uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended)
- Under Real-time spyware threat protection de-select\uncheck Enable real-time spyware threat protection (recommended)
- Click Save button to save your changes
- Close Microsoft AntiSpyware
- Right-click on the "Microsoft AntiSpyware" icon on the taskbar
- Select Shutdown Microsoft AntiSpyware
- Click Yes at next window
(Note: After all of the fixes are complete it is very important that you enable Real-time Protection again)
Step 2.
========
- Did you install the Viewpoint Manager? If not I recommend uninstalling using "Add\Remove Programs". Reason...check out the following links...
=> http://forums.spywareinfo.com/index.php?showtopic=42667&hl=Viewpoint
=> http://www.spywareinfo.com/newsletter/archives/april-2003/2.php
=> http://castlecops.com/posts77740-0.html
Note: By removing the Viewpoint Media Player the program that it came bundled with may not function as intended. Information can be found here
Note: If you decided to remove Viewpoint Manager then proceed with Step 3. If you decided to keep the program then proceed to Step 4
Step 3.
========
We need to stop some Windows Processes
- Run HiJackThis then...
1. Click "Config..." button
2. Click "Misc Tools" button
3. Click "Open process manager" button
4. While holding down the CTRL key, locate (if present) and click on (highlight) each of the following...
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
5. Double-check to make sure that only those item(s) above are highlighted, then click "Kill process" button
6. Click "Refresh". Check to make sure they are not listed
7. Repeat this step if any remain
- Close HijackThis
Step 4.
========
- Close all Windows and programs
- Run HijackThis
- Select\check the following entries, Double-check to make sure that only these entries are checked...
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe <<<= Select only if you uninstalled
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
Did you uninstall the Lexico Toolbar? If so then select\check the entries below also
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
- Click the "Fix checked" button
Step 5.
========
- Reboot computer into Safe Mode. Instructions can be found here
Step 6.
========
- Enable all Hidden Files and Folders. Instructions can be found here
Step 7.
========
- Search for and delete the following files and folders in BOLD only. (Do not be concerned if they do not exist)
C:\Program Files\Viewpoint <<<= This Folder Only <<<= Only if you uninstalled
C:\Program Files\Lexico <<<= This Folder Only <<<= Only if you selected FIXING with HijackThis
Step 8.
========
Let's clean out the "Temp" and "Temporary Internet Files"
- Click the "Start" button, then "RUN"
- Enter cleanmgr in the "RUN" menu to start XP's "Disk Cleanup" tool
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are selected then click OK
- Close "Disk Cleanup"
Step 9.
========
- Reboot back into Normal Mode
- Reply back with a new HijackThis log
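Added example (not part of the thread and not HijackThis's own code): a small Python parser for the log format posted above. It lists the entries the scan itself marks "(no file)" or "(file missing)", which include the two O3 toolbar entries selected in Step 4, and checks whether HijackThis.exe was started from a Temp or Temporary Internet Files folder, the problem raised in the first reply. The sample lines are copied from the posted log; the function names are illustrative.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # section code, then detail
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN = re.compile(r"\((no file|file missing)\)\s*$")   # markers written by the scan
TEMP_DIR = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)

def parse_entries(log_text):
    """Return one dict per section-coded line (O2, O3, O4, ...)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, blank line, or a running-process path
        section, detail = m.groups()
        clsid = CLSID.search(detail)
        orphan = ORPHAN.search(detail)
        entries.append({
            "section": section,
            "detail": detail,
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphan": orphan.group(1) if orphan else None,
        })
    return entries

def orphaned(entries):
    """Entries the scan marked '(no file)' or '(file missing)'."""
    return [e for e in entries if e["orphan"]]

def hijackthis_path(log_text):
    """Path HijackThis.exe was running from, taken from the process list."""
    for line in log_text.splitlines():
        if line.strip().lower().endswith("\\hijackthis.exe"):
            return line.strip()
    return None

def runs_from_temp(log_text):
    """True if the scanner was started from a Temp / Temporary Internet Files folder."""
    path = hijackthis_path(log_text)
    return bool(path and TEMP_DIR.search(path))

if __name__ == "__main__":
    for e in orphaned(parse_entries(SAMPLE_LOG)):
        print(e["section"], e["clsid"], e["orphan"])
    print("run from temp folder:", runs_from_temp(SAMPLE_LOG))
```

The output is a review list for a helper to read alongside the full log, not a verdict on any entry.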