302 Posts

July 6th, 2005 15:00

Hi,
 
=Please download Intermute's CWShredder from here:
http://cwshredder.net/bin/CWShredder.exe
Save it to the desktop and run it, and click "Fix" to remove the CWS infection.
 
=Please download About:Buster from here:
http://www.malwarebytes.biz/AboutBuster5.zip
Unzip the files to a convenient location such as C:\AboutBuster, and run AboutBuster.exe. Read the instructions, then click OK to proceed. Click "Check for Updates", and then "Download Updates" to update About:Buster to the newest version. Then click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear; this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved.
 
=Go to http://www.ravantivirus.com/scan/ and run RAV on your system.
When finished, save the RAV report.
 
=Reboot the system.
 
=Run a new hijackthis log.
 
Post the aboutbuster log.
Post the RAV report.
Post the new hijackthis log.
 
Regards.
cg

17 Posts

July 6th, 2005 15:00

I've done CWShredder & AboutBuster. Nothing was found by either; I've pasted the AboutBuster log below. When I try to download the RAV products, I get re-routed to other sites. I have not been able to get to a screen where I can either download or run the RAV antivirus online. Also, the RAV products keep coming up as pop-ups; they look like they are part of the problem. Should I try another HJT? Suggestions?

 

AboutBuster 5.0 reference file 28

Scan started on [7/6/2005] at [11:32:33 AM]

------------------------------------------------

Streams(ADS) not scanned: System not NTFS

------------------------------------------------

Removed File! : C:\Windows\poths.dat

------------------------------------------------

Scan was COMPLETED SUCCESSFULLY at 11:32:34 AM

 

AboutBuster 5.0 reference file 30

Scan started on [7/6/2005] at [11:37:51 AM]

------------------------------------------------

Streams(ADS) not scanned: System not NTFS

------------------------------------------------

No Files Found!

------------------------------------------------

Scan was COMPLETED SUCCESSFULLY at 11:37:51 AM

302 Posts

July 6th, 2005 15:00

Use pandasoftware's scan instead:
 
 
It also has the ability to generate a log.
 
Regards.
cg

17 Posts

July 6th, 2005 16:00

Panda worked... Here is the Panda log:

 

Incident Status Location

Virus:Trj/Downloader.CVB Disinfected C:\WINDOWS\SYSTEM\sqaa.dll

Adware:Adware/Startpage.CFE No disinfected C:\WINDOWS\TEMP\twc\installer\bin\AddFavorites.vbs

Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\WT2B8DMN\mt[1].htm

Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\2IGNIM5X\CAQJE7MH.HTM

Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Search the web.url

Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Only xxx website.url

Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Seven days of free porn.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit counseling.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Insurance home.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage life insurance.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Help desk software.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Ab scissor.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Videos.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\What is hydrocodone.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online gambling casino.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Refinancing my mortgage.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Debt credit card.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Fha.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for debt consolidation.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Health insurance.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans online.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Payroll advance.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Marketing email.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Prescription Drugs Rx Online.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit report.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Tahoe vacation rental.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Escorts.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Order phentermine.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage insurance.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans with bad credit.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Crm software.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Nevada corporations.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Unsecured bad credit loans.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for people with bad credit.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Broadband comparison.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online Betting Site.url

Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online instant loan.url

Adware:Adware/Coupons No disinfected C:\WINDOWS\cpbrkpie.ocx

Adware:Adware/Antivirus-gold No disinfected C:\Program Files\AntivirusGold\AntivirusGold.exe

Virus:Trj/Downloader.CVB Disinfected C:\ms32.tmp

17 Posts

July 6th, 2005 16:00

After a restart - here is the new HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 12:59:05 PM, on 7/6/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\SYSTEM\D3HS.EXE

C:\WINDOWS\SYSTEM\IPSW32.EXE

C:\WINDOWS\WINHC32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\ADDAO32.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {E1F1A46E-FC39-10DA-D25A-38ED117064E0} - C:\WINDOWS\CREI.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\Run: [ADDAO32.EXE] C:\WINDOWS\ADDAO32.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [D3HS.EXE] C:\WINDOWS\SYSTEM\D3HS.EXE /s

O4 - HKLM\..\RunServices: [IPSW32.EXE] C:\WINDOWS\SYSTEM\IPSW32.EXE /s

O4 - HKLM\..\RunServices: [WINHC32.EXE] C:\WINDOWS\WINHC32.EXE /s

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://demo4.view22.com/view22/V22RTE.cab

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3110/ftp.coupons.com/r31/brix6ie.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1432481ec1677f54bb04/netzip/RdxIE601.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4013/ftp.coupons.com/v3121/cpbrkpie.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4326/mcfscan.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysProfLcd.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

302 Posts

July 6th, 2005 19:00

Hi,

Going to try to get back with another post shortly. Just found out CWS is changing again. Please don't reboot again; if you have already done so, you will have to run a new log and add additional lines to the fix I give you.

One other thing to do:

Please get this program and use it to clean temp and temp internet folders.

ccleaner:
http://www.ccleaner.com/

Regards.

cg

302 Posts

July 6th, 2005 20:00

Hi,
 
The pandasoftware log showed some files cleaned, some temp file issues, and some problems in Favorites (you'll need to do some cleanup there later), and it showed the antivirus gold, which was not cleaned.
 
=Please reboot the system to safe mode:
*To reboot to safe mode, tap the F8 key repeatedly when you start the computer. This will bring you to a startup menu where you can select safe mode.
*More information here if you need it: http://www.bleepingcomputer.com/forums/tutorial61.html

=Be sure you can see hidden files and folders:
** [How to: http://www.bleepingcomputer.com/forums/tutorial62.html ]
** [or here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html ]
** [When you finish repairs, it is important to rehide your system files so you do not accidentally delete one later.]

=Start Hijackthis.
 
=Go to misc tools section, get a process list and see if there is anything running that looks like it might relate to that antivirus gold.
If there is, end it. Then go back to the main menu.
 
=Scan, check these items and click the fix button.
-----------------------------
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E1F1A46E-FC39-10DA-D25A-38ED117064E0} - C:\WINDOWS\CREI.DLL
O4 - HKLM\..\Run: [ADDAO32.EXE] C:\WINDOWS\ADDAO32.EXE
O4 - HKLM\..\RunServices: [D3HS.EXE] C:\WINDOWS\SYSTEM\D3HS.EXE /s
O4 - HKLM\..\RunServices: [IPSW32.EXE] C:\WINDOWS\SYSTEM\IPSW32.EXE /s
O4 - HKLM\..\RunServices: [WINHC32.EXE] C:\WINDOWS\WINHC32.EXE /s
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://demo4.view22.com/view22/V22RTE.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3110/ftp.coupons.com/r31/brix6ie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1432481ec1677f54bb04/netzip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4013/ftp.coupons.com/v3121/cpbrkpie.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
-----------------------------
 
=Delete these files and folders:

-----------------------------
C:\WINDOWS\CREI.DLL <== file, this one is probably gone.
C:\WINDOWS\ADDAO32.EXE <== file
C:\WINDOWS\SYSTEM\D3HS.EXE <== file
C:\WINDOWS\SYSTEM\IPSW32.EXE  <== file
C:\WINDOWS\WINHC32.EXE  <== file
C:\WINDOWS\cpbrkpie.ocx  <== file
C:\Program Files\AntivirusGold <== folder
-----------------------------

=Rerun ccleaner for at least the temp and temp internet files to be sure something hasn't crept in there again.
 
=Reboot to normal mode. If there is a missed CWS file, it will reimplement the problems; we'll just have to see what the logs look like.
 
=Run Hijackthis again and post a new log.
 
Regards
cg
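To see what a fix list like the one above actually does to a log, here is an added example (not code from this thread, from HijackThis or from the helper) that parses HijackThis v1.99 log text, flags the three CWS patterns fixed in this thread, and diffs a before/after scan. The function names are my own, and the two embedded logs are constructed from a trimmed subset of the entries posted in the thread.

```python
"""Added example: parse HijackThis v1.99 logs, flag the CoolWebSearch (CWS)
indicators seen in this thread, and diff a before/after scan to confirm the
fix list removed them. Function names and the trimmed sample logs are
constructed for this example; the individual log lines are copied from the
thread above."""
import re
from dataclasses import dataclass

# A scan entry is "<section> - <body>", e.g. "R1 - HKCU\..." or "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# R0/R1 search settings pointed at a page inside a local DLL (res://...dll/sp.html)
RES_DLL_RE = re.compile(r"=\s*res://.*\.dll/", re.IGNORECASE)
# RunServices value whose name is just the executable's own filename, launched with /s:
# the shape of D3HS.EXE, IPSW32.EXE, WINHC32.EXE, IPMH.EXE and WINOD.EXE in this thread
RUNSVC_RE = re.compile(r"^HKLM\\\.\.\\RunServices: \[([^\]]+)\] .*\\\1 /s$", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class Entry:
    kind: str   # R0, R1, R3, O2, O4, O16, ...
    body: str   # everything after " - "


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the scan entries; the header and 'Running processes' paths are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group("kind"), m.group("body")))
    return out


def cws_indicators(entries: list[Entry]) -> list[Entry]:
    """Entries matching the three CWS patterns the helper had fixed in this thread."""
    hits = []
    for e in entries:
        if e.kind in ("R0", "R1") and RES_DLL_RE.search(e.body):
            hits.append(e)                      # search bar/page hijacked into a DLL
        elif e.kind == "R3" and "URLSearchHook is missing" in e.body:
            hits.append(e)                      # default URLSearchHook removed
        elif e.kind == "O4" and RUNSVC_RE.match(e.body):
            hits.append(e)                      # self-named RunServices loader
    return hits


def diff_scans(before: list[Entry], after: list[Entry]):
    """(removed, added): entries gone in the second scan, and entries new in it."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b)


# Constructed sample: a subset of the 7/6 log posted above
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:59:05 PM, on 7/6/2005
Platform: Windows ME (Win9x 4.90.3000)
Running processes:
C:\WINDOWS\SYSTEM\D3HS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iwfra.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E1F1A46E-FC39-10DA-D25A-38ED117064E0} - C:\WINDOWS\CREI.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [D3HS.EXE] C:\WINDOWS\SYSTEM\D3HS.EXE /s
O4 - HKLM\..\RunServices: [WINHC32.EXE] C:\WINDOWS\WINHC32.EXE /s
"""

# Constructed sample: a subset of the clean 7/7 log posted later in the thread
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:25:17 PM, on 7/7/2005
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
"""


def report(before_text: str, after_text: str) -> dict:
    """Indicators in each scan plus the diff; 'indicators_after' is empty when clean."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = diff_scans(before, after)
    return {
        "indicators_before": cws_indicators(before),
        "indicators_after": cws_indicators(after),
        "removed": removed,
        "added": added,
    }


if __name__ == "__main__":
    for key, entries in report(BEFORE_LOG, AFTER_LOG).items():
        print(f"{key}: {len(entries)}")
        for e in entries:
            print(f"  {e.kind} - {e.body}")
```

Every flagged entry from the first scan shows up in the removed set, and the second scan flags nothing, which is the check a reviewer does by eye on the "clean" log later in the thread.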

17 Posts

July 7th, 2005 03:00

Thanks, I will be back home tomorrow & will follow your instructions (I didn't want you to think I was ignoring you!). I really appreciate the help.

17 Posts

July 7th, 2005 19:00

I have completed the instructions as you detailed. The only thing different from your instructions was that the program cpbrkpie.ocx was already gone when I went to delete it. Everything else was as you described. Here is the new HJT log; let me know your thoughts:
 

Logfile of HijackThis v1.99.1

Scan saved at 3:51:07 PM, on 7/7/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\SYSTEM\IPMH.EXE

C:\WINDOWS\SYSTEM\WINOD.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE

O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKLM\..\RunServices: [IPMH.EXE] C:\WINDOWS\SYSTEM\IPMH.EXE /s

O4 - HKLM\..\RunServices: [WINOD.EXE] C:\WINDOWS\SYSTEM\WINOD.EXE /s

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4326/mcfscan.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysProfLcd.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

302 Posts

July 7th, 2005 20:00

Hi,
 
Still a couple of problems in there. Let's see if they will leave easily.
 
Run aboutbuster again twice and save a log as before.
 
Then allow hijackthis to fix these lines:
O4 - HKLM\..\RunServices: [IPMH.EXE] C:\WINDOWS\SYSTEM\IPMH.EXE /s
O4 - HKLM\..\RunServices: [WINOD.EXE] C:\WINDOWS\SYSTEM\WINOD.EXE /s

Then delete these files:
C:\WINDOWS\SYSTEM\IPMH.EXE
C:\WINDOWS\SYSTEM\WINOD.EXE
 
Reboot and post a new hijackthis log and the aboutbuster log.
 
Regards.
cg

17 Posts

July 7th, 2005 21:00

Here is the HJT log after your last steps:

 

Logfile of HijackThis v1.99.1

Scan saved at 5:25:17 PM, on 7/7/2005

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\HPOOPM07.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE

C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE

C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4326/mcfscan.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/download/tgctlcm.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysProfLcd.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

302 Posts

July 8th, 2005 02:00

That log looks clean.

Go ahead and use things for a couple of days and see if it stays that way.

I'll give you another post tomorrow with some additional prevention steps.

Regards.

cg

17 Posts

July 8th, 2005 14:00

Thank you!  

302 Posts

July 8th, 2005 18:00

Hi,
 
That log looks ok to me.
 
Here are two threads you can read for some additional security tips:
http://www.security-forums.com/forum/viewtopic.php?t=14711
http://forums.techguy.org/t208517.html
 
This one includes some firewall notes:
http://www.mvps.org/winhelp2002/security.htm
 
This page has a lot of information and links. I think it is rather overwhelming for a quick casual read but it offers a lot of resources that may be useful if you have to deal with problems again or if the other pages raise specific questions.
http://aumha.org/secure.htm
 
For Windows ME users using system restore:
Now that the system is clear, it would also be good to clear the old restore points and set a new one to avoid recontamination from system restore.
http://www.bleepingcomputer.com/forums/tutorial63.html
 
I'll check back Monday to be sure you haven't had additional trouble.
 
Regards.
cg