3.4K Posts

April 25th, 2004 23:00

Not bad...a couple of dead entries that can be removed:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Some of us think Weatherbug is a huge memory hog, but to each his own. *;-)

I'd also reconsider loading WinMX automatically. I like it (no spyware) and run it manually, but don't want to leave myself as a supernode every time I'm online.

Cheers,

Texruss

25 Posts

April 26th, 2004 00:00

Thank you for your response, but forgive me, now I have a couple more questions...

What do you mean by 'supernode'?

How do I not load WinMx automatically?

3.4K Posts

April 26th, 2004 01:00

>How do I not load WinMx automatically?

Warning: Forum offtopic mode. >;->

A picture is nearly worth a thousand words. See also unsharing files on that page.

>What do you mean by 'supernode'?

Paragraph 8 for Kazaa document

Disabling Supernode in Kazaa (a program I don't recommend or use, but YMMV)

Cheers,

Texruss

25 Posts

April 26th, 2004 01:00

OK, lol, call me dense, but one more question...

I only allow one folder for sharing, does that still mean my computer could be a supernode?  Thanks for all your patience. 

3.4K Posts

April 26th, 2004 02:00

Not if you don't share....oldie, but goodie.

Texruss

25 Posts

May 2nd, 2004 19:00

Hello,

Not sure if anyone will see this, but will give it a shot. This is the most recent HijackThis log for my system. Just wondering how fit my 'puter is. Thanks for all your help.

Logfile of HijackThis v1.97.7
Scan saved at 4:19:32 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\wmconnect\wwm.exe
C:\Documents and Settings\Cheryl\My Documents\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.stop-sign.com/pub/download/lark.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11AECA8-7B33-4D0E-95A3-B80E9CD56CBB}: NameServer = 205.188.146.146

25 Posts

May 3rd, 2004 00:00

Hi

Before I do all the stuff you've said, just thought I'd mention that wmconnect is my internet software, soooooooooo, with that said, should I still remove it?

Thanks

3.4K Posts

May 3rd, 2004 00:00

Why sure...I guess I want to take a look...especially when you need to get rid of a few trojans. *;-)
Scan in Hijackthis...check these:

C:\Program Files\wmconnect\wwm.exe  Followup Edit for future researchers: This is a legit program...my mistake...caught by the alert original poster...mea culpa! I will go and sin no more! *;-)
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnect\wmtray.exe
Comments: Keylogger trojan  (If still alive Sam Walton would be furious! Yeah...at me >;->)

O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.stop-sign.com/pub/download/lark.cab
Comments: SearchWWW hostile ActiveX applet

With no other windows open...click on Fix checked.

Now reboot and tap F8 key repeatedly during early boot to get the Startup menu screen.

Select Safe Mode at the top.

In Safe Mode when it gets to Windows (it will look really funny with white text flying by and a black background; that is normal)...run Disk Cleaner (type cleanmgr at Start/Run button).

Have Disk Cleaner scan all of your hard drives and at the end of the scan check and select all of the categories for removal and remove the files.

Now run Windows Explorer (type explorer at Start/Run button, or another way to load Windows Explorer is to right button click on Start button and left click on the word explore).

Before navigating to delete the bad files and folders let's activate the option to see hidden files in Windows as some of those files may be hidden from the default Windows view. Do this to make all files visible...click on the link below to see how to enable hidden files:

Show hidden files.

Drill down in Windows Explorer in the left hand window column of folders and find the paths to these files and folders. Some may not be present, but look for them carefully...the default view option in Explorer is to show them in alphabetical order by the first letters of the filenames. You can alter that view option if you wish by pulling down View on the top menu bar to Arrange Icons by and select Type. That will sort them by the letters in their name following the period (known as the extension). By doing that all .EXE and all .DLL files will be arranged in a common listing area and will be alphabetized.

Delete the following folder if found:

C:\Program Files\wmconnect  

Restart back to normal Windows. In regular Windows run Disk Cleanup again (cleanmgr) to rid the files you deleted from the system. Then browse a bit in your Internet browser, see how it behaves, and repost a new log with any comments.

All the best,

Texruss

P.S.  After the final all clear is given by us you should flush your Restore Points for XP especially since you had a keylogger Trojan. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

Message Edited by Texruss on 05-02-2004 10:05 PM
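As an added illustration, not code from this thread or from HijackThis itself: a small Python triage script that applies the checks Texruss did by hand on the logs above, flagging O2 BHO entries that end in "(no file)" and O16 DPF entries whose CLSID is obviously bogus or whose download host is not on an allow-list. The sample lines and the host allow-list are constructed for the example and are assumptions, not anything HijackThis ships.

```python
import re

# Constructed sample in the HijackThis line format seen in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - http://www.stop-sign.com/pub/download/lark.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F11AECA8-7B33-4D0E-95A3-B80E9CD56CBB}: NameServer = 205.188.146.146
""".strip()

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")        # "O16 - <body>"
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")     # {8-4-4-4-12} GUID
HOST_RE = re.compile(r"https?://([^/\s]+)")

# Assumed allow-list of download hosts the reviewer already trusts for O16 entries.
KNOWN_DPF_HOSTS = {
    "download.microsoft.com",
    "fpdownload.macromedia.com",
    "bin.mcafee.com",
}


def is_bogus_clsid(clsid: str) -> bool:
    """A GUID made of one repeated hex digit (e.g. all F's) was never issued by a registrar."""
    return len(set(clsid.replace("-", "").upper())) == 1


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (tag, reason, line) for every entry a reviewer should act on."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("dead-bho", "BHO registered but its DLL is gone; safe to remove", line))
        elif section == "O16":
            clsid = CLSID_RE.search(body)
            host = HOST_RE.search(body)
            if clsid and is_bogus_clsid(clsid.group(1)):
                findings.append(("bogus-clsid", "ActiveX entry with a fake CLSID; treat as hostile", line))
            elif host and host.group(1).lower() not in KNOWN_DPF_HOSTS:
                findings.append(("unknown-host", "ActiveX download host not on allow-list; review", line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE_LOG):
        print(f"[{tag}] {reason}\n    {line}")
```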

3.4K Posts

May 3rd, 2004 01:00

>Before I do all the stuff you've said, just thought I'd mention that wmconnect is my internet software, soooooooooo, with that said, should I still remove it?

Not unless you want me to string an Ethernet to your house. *;-) Hmmm...better backcheck my databases...hang on for an edit to see where I went wrong.

Edit: Yep it was me...found a wwm.exe hostile file on this page , but it was the wrong directory. That file name is also big with porno files and Google hit it a bunch. Did finally see one lady mention her Wal-Mart account...Ah, can you tell I've been up for 36 hours straight? *;-) Weary soldiers don't fight as well.  Guess it's time for me to hit the sack...big day at work tomorrow with all the poor people getting whacked by Sasser. *;-)

Thanks for catching my error...the other O16 was a bad one though. *;-0

Guess I'll put a boo-boo edit on that post to deter other careless researchers...Hah!

All the best,

Texruss

Message Edited by Texruss on 05-02-2004 10:01 PM

25 Posts

May 6th, 2004 03:00

Hello,

Have a small issue, cleanmgr hangs up when I try to run it, says it's scanning the system and shows four bars on the status window and stays there...

Any suggestions...

Thanks

3.4K Posts

May 6th, 2004 11:00

Reboot to SAFE mode
How to start the computer in Safe mode

Run it in Safe Mode as plan B...some item in memory is conflicting in normal mode, probably not hostile.

Could also be Windows corruption. If you have your Windows CD do this at Start/Run: sfc /scannow

That runs the System File Checker which will restore any corrupt system files.

Texruss

25 Posts

May 8th, 2004 18:00

Hello

I do have my restore CD, but just how does it relate to the instruction I am to use at the Start/Run option... As yet I have only removed the offending line from the log, just a little hesitant to start deleting this and that before I'm sure about what I'm doing, lol...

Thanks again for all yer help, hope I'm not being a bother

3.4K Posts

May 9th, 2004 03:00

>I do have my restore CD,

That's not what we want...we need the WINDOWS CD...big difference. The Restore CD is a full image CD that is a replica of what your computer software looked like the day you got it. Use it and you wipe out all personal data. The Windows CD is the Microsoft product and it can be used to run System File Checker, do a clean install on the machine (which wipes all data also), or do a refresher reinstall (sometimes nicknamed a dirty reinstall as it goes over the top of your existing installation and attempts to fix the problems).

Check your disks and see what Dell sent you (if your machine is a Dell you should have a Microsoft Windows CD included ...but we do get Compaq and other folks coming here) *;-)

All the best,

Texruss 

25 Posts

May 9th, 2004 04:00

Nope, no Windows CD, just the reinstallation; the product code is on a sticker on the bottom of the computer, and the computer came preinstalled. Besides, I think I'll just give up. Cleanmgr will not run, and the scan did not find any discrepancies. I've tried restoring to an earlier point, and now I'm really confused. A lot of my program icons are still here but the control panel doesn't show any of my peripherals now, soooooooooooooo, I've got my work cut out for me. Fortunately, all the odd programs and downloads I've done I've saved on CD-Rs, like updates and the spyware programs and stuff, so it's just a simple reinstall. Also, the computer is running much slower than it used to. I click on the close window or a page link and it takes up to a minute to refresh a page. I also noticed that the line 16 oddity in my log was there in an earlier log and was overlooked, so it makes me wonder, was it really a problem. Oh well, may end up doing a format and starting all over. But from experience, I find the computer is never the same as when you first get it after that.

Thanks for all your help, hope you're getting more sleep :)

3.4K Posts

May 9th, 2004 04:00

Did you try Windows Disk Cleaner in Safe Mode? It's probably some little program in memory that is interfering with it...

Cheers,

Texruss
