kwisties

Hello I've used the HijackThis Analyzer program to get this log..
Any help much appreciated!

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:58:06 PM, on 28/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
C:\WINDOWS\newsd32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Mr Bean Calendar\eDskTmr.exe
C:\Documents and Settings\pctosw\Desktop\unused icons\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [CfgDownload] c:\ixos-archive\bin\CfgDownload.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [MPTBox] C:\PROGRA~1\Canon\MULTIP~1\mptbox.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\winagent.exe /i
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\WinPoET Broadband Connection\WrDialer.exe
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
O4 - Startup: eDskTmr.lnk = C:\Program Files\Mr Bean Calendar\eDskTmr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: Casa Framework - file://D:\Citidirect\CitiDirect\ie\casaframework.cab
O16 - DPF: Casa Global Trade - file://D:\Citidirect\CitiDirect\ie\casaglobaltradepi.cab
O16 - DPF: Casa Global Trade Common - file://D:\Citidirect\CitiDirect\ie\casaglobaltradecommon.cab
O16 - DPF: Casa Global Trade Detail - file://D:\Citidirect\CitiDirect\ie\casaglobaltradedetail.cab
O16 - DPF: Casa Global Trade Lib - file://D:\Citidirect\CitiDirect\ie\casaglobaltradelib.cab
O16 - DPF: Casa Global Trade Summary - file://D:\Citidirect\CitiDirect\ie\casaglobaltradesummary.cab
O16 - DPF: Casa IBM XML Parser - file://D:\Citidirect\CitiDirect\ie\casaxml.cab
O16 - DPF: Casa ILC - file://D:\Citidirect\CitiDirect\ie\casailc.cab
O16 - DPF: Casa Images - file://D:\Citidirect\CitiDirect\ie\casaimages.cab
O16 - DPF: Casa Language ar_EG - file://D:\Citidirect\CitiDirect\ie\casa_ar_eg.cab
O16 - DPF: Casa Language bg_BG - file://D:\Citidirect\CitiDirect\ie\casa_bg_bg.cab
O16 - DPF: Casa Language cs_CZ - file://D:\Citidirect\CitiDirect\ie\casa_cs_cz.cab
O16 - DPF: Casa Language de_DE - file://D:\Citidirect\CitiDirect\ie\casa_de_de.cab
O16 - DPF: Casa Language el_GR - file://D:\Citidirect\CitiDirect\ie\casa_el_gr.cab
O16 - DPF: Casa Language es_AR - file://D:\Citidirect\CitiDirect\ie\casa_es_ar.cab
O16 - DPF: Casa Language fr_FR - file://D:\Citidirect\CitiDirect\ie\casa_fr_fr.cab
O16 - DPF: Casa Language he_IL - file://D:\Citidirect\CitiDirect\ie\casa_he_il.cab
O16 - DPF: Casa Language hu_HU - file://D:\Citidirect\CitiDirect\ie\casa_hu_hu.cab
O16 - DPF: Casa Language it_IT - file://D:\Citidirect\CitiDirect\ie\casa_it_it.cab
O16 - DPF: Casa Language ja_JP - file://D:\Citidirect\CitiDirect\ie\casa_ja_jp.cab
O16 - DPF: Casa Language ko_KP - file://D:\Citidirect\CitiDirect\ie\casa_ko_kp.cab
O16 - DPF: Casa Language nl_NL - file://D:\Citidirect\CitiDirect\ie\casa_nl_nl.cab
O16 - DPF: Casa Language pl_PL - file://D:\Citidirect\CitiDirect\ie\casa_pl_pl.cab
O16 - DPF: Casa Language pt_BR - file://D:\Citidirect\CitiDirect\ie\casa_pt_br.cab
O16 - DPF: Casa Language ro_RO - file://D:\Citidirect\CitiDirect\ie\casa_ro_ro.cab
O16 - DPF: Casa Language ru_RU - file://D:\Citidirect\CitiDirect\ie\casa_ru_ru.cab
O16 - DPF: Casa Language sk_SK - file://D:\Citidirect\CitiDirect\ie\casa_sk_sk.cab
O16 - DPF: Casa Language th_TH - file://D:\Citidirect\CitiDirect\ie\casa_th_th.cab
O16 - DPF: Casa Language tr_TR - file://D:\Citidirect\CitiDirect\ie\casa_tr_tr.cab
O16 - DPF: Casa Language zh_CN - file://D:\Citidirect\CitiDirect\ie\casa_zh_cn.cab
O16 - DPF: Casa Language zh_TW - file://D:\Citidirect\CitiDirect\ie\casa_zh_tw.cab
O16 - DPF: Casa Libraries - file://D:\Citidirect\CitiDirect\ie\casalibs.cab
O16 - DPF: Casa Liquidity - file://D:\Citidirect\CitiDirect\ie\casaliquidity.cab
O16 - DPF: Casa List Manager - file://D:\Citidirect\CitiDirect\ie\casalistmgr.cab
O16 - DPF: Casa Lockbox - file://D:\Citidirect\CitiDirect\ie\casalockbox.cab
O16 - DPF: Casa Misc - file://D:\Citidirect\CitiDirect\ie\casamisc.cab
O16 - DPF: Casa Payments Common - file://D:\Citidirect\CitiDirect\ie\casapmtscomm.cab
O16 - DPF: Casa Payments Detail - file://D:\Citidirect\CitiDirect\ie\casapmtsdtl.cab
O16 - DPF: Casa Payments Disbursements - file://D:\Citidirect\CitiDirect\ie\casadisbursements.cab
O16 - DPF: Casa Payments Libraries - file://D:\Citidirect\CitiDirect\ie\casapmtslibs.cab
O16 - DPF: Casa Payments Misc - file://D:\Citidirect\CitiDirect\ie\casapmtsmisc.cab
O16 - DPF: Casa Pref Mgr - file://D:\Citidirect\CitiDirect\ie\casaprefmgr.cab
O16 - DPF: Casa Receivables Mandates - file://D:\Citidirect\CitiDirect\ie\casareceivablesmandates.cab
O16 - DPF: Casa ReceivablesDirectDebit - file://D:\Citidirect\CitiDirect\ie\casareceivablesdirectdebit.cab
O16 - DPF: Casa ReceivablesInquiries - file://D:\Citidirect\CitiDirect\ie\casareceivablesinquiries.cab
O16 - DPF: Casa Report - file://D:\Citidirect\CitiDirect\ie\casareport.cab
O16 - DPF: Casa Safeword - file://D:\Citidirect\CitiDirect\ie\casasafeword.cab
O16 - DPF: Casa Security Admin - file://D:\Citidirect\CitiDirect\ie\casasecurityadmin.cab
O16 - DPF: Casa ServForCollItems - file://D:\Citidirect\CitiDirect\ie\casaservforcollitems.cab
O16 - DPF: Casa ServicesForLR - file://D:\Citidirect\CitiDirect\ie\casaservforrece.cab
O16 - DPF: Casa User Maint - file://D:\Citidirect\CitiDirect\ie\casausrmaint.cab
O16 - DPF: CasaReceivablesServices - file://D:\Citidirect\CitiDirect\ie\casareceivablesservices.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/game...s/y/sdt1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://iaccess.singaporepower.com.sg/iNotes.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/c...b?ver=1,1,0,32
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/c...on=4,3,2,20802
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {769A2483-FEFF-11D2-8A61-0008C7453304} (CasaVerify Class) - file://D:\Citidirect\CitiDirect\ie\casaverifier.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestation.com/common/c...b?ver=2,0,0,50
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = powergrid.com.sp
O17 - HKLM\Software\..\Telephony: DomainName = powergrid.com.sp
O17 - HKLM\System\CCS\Services\Tcpip\..\{46578765-A75E-4DC0-979A-375A98586C7F}: NameServer = 165.21.83.88 165.21.100.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{992561DB-4832-413A-9FBB-34F748C69BFD}: Domain = spower.com.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{992561DB-4832-413A-9FBB-34F748C69BFD}: NameServer = 10.65.4.100,10.150.4.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = powergrid.com.sp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = powergrid.com.sp
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

Ried

Hello kwisties and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this.. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download Spybot 1.3 from this site Spybot 1.3. Install the program, update the definitions file and run a scan. Fix all the entries, which are indicated in RED.

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Click here to download ETRemover. Unzip it, but don't run it yet.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Run ETRemover.exe now. When it's done, follow the prompts, but don't restart yet. Do the below fixes first.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one if they are still listed (they shouldn't be - but double check it):(You must kill them one at a time).

C:\WINDOWS\newsd32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Media Access
Also,
Check for any of these entries and Uninstall if found:
Elite
EliteToolBar
SearchMiracle

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [supernews12] C:\WINDOWS\newsd32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINDOWS\svchost.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\newsd32.exe
C:\Program Files\Media Access
mssmmspgr.exe <---Search for this and delete any entries found
C:\WINDOWS\svchost.exe <----ONLY from this location **NOTE C:\WINDOWS\system32\svchost.exe is the legitimate Windows file
C:\WINDOWS\web
Delet the folder if any of these were found in Add/Remove:
C:\Program Files\Elite
C:\Program Files\EliteToolbar
C:\Program Files\SearchMiracle

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006