Tech Support banner

Status
Not open for further replies.
1 - 6 of 6 Posts

·
Registered
Joined
·
4 Posts
Discussion Starter #1
My Granny has been attacked by the winfixer 2005. I ran the hijack this log as others have done while no other programs were running. If someone could please help I am staying here tonight due to hurricane Rita and it would be great to help her while I am here.

Her computer runs Windows ME. Thanks for any help

ktrnbarlow2

Logfile of HijackThis v1.99.1
Scan saved at 7:58:06 PM, on 9/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5LP_0001_0715NETINSTALLER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://myzstart.looksmart.com/servlets/myzstart?request=autologon&comefrom=startpage&LSID=ijl1&LK=xM%3FQTE_su%3AXZK*8&ISP=LS&ITLS=S&IPS=A&"); (C:\Program Files\Netscape\Users\paultman\prefs.js)
O2 - BHO: (no name) - {A6250FB8-2206-499E-A7AA-E1EC437E71C0} - C:\PROGRA~1\COMMON~1\MSIETS\MSIELINK.DLL
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5LP_0001_0715NETINSTALLER.EXE"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0721] "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\FFIVTLIY\WINFIXER2005SCANNERINSTALL[1].EXE"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5LP_0001_0802NETINSTALLER.EXE"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\UWFX5LP_0001_0803NETINSTALLER.EXE"
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5NETINSTALLER.EXE"
O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM FILES\HOTBAR\BIN\HBINST.EXE /Upgrade
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O8 - Extra context menu item: Power Search - res://C:\PROGRAM FILES\COMMON FILES\MSIETS\MSIELINK.DLL//iemenu
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/controls/iexplorer/x86/ielabel.cab
O16 - DPF: {6C636F50-7EB2-11D2-883C-CA8C113EA37E} (McAfee Clinic QuickClean Class) - http://download.mcafee.com/molbin/Clinic/Clean/QuickClean/MGqcctl.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/OilChange/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} (IO Class) - http://www.online1net.com/kool/coolstuff4.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/VAL94006/valent.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\MSIELINK.DLL
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
Hi ktrnbarlow2, and Welcome to TSF! Please stay safe tonight and through the next few days!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->View->Folder Options->View tab and make sure that 'Show all files' is checked under the 'Hidden Files' section. Also make sure there is no checkmark beside 'Hide file extensions for known file types'.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident. Make sure you enable TeaTimer after we are done. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

IPInsight
HOTBAR


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A6250FB8-2206-499E-A7AA-E1EC437E71C0} - C:\PROGRA~1\COMMON~1\MSIETS\MSIELINK.DLL
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5LP_0001_0715NETINSTALLER.EXE"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0721] "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\FFIVTLIY\WINFIXER2005SCANNERINST ALL[1].EXE"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5LP_0001_0802NETINSTALLER.EXE"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\UWFX5LP_0001_0803NETINSTALLER.EXE "
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5NETINSTALLER.EXE"
O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM FILES\HOTBAR\BIN\HBINST.EXE /Upgrade
O8 - Extra context menu item: Power Search - res://C:\PROGRAM FILES\COMMON FILES\MSIETS\MSIELINK.DLL//iemenu
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} (IO Class) - http://www.online1net.com/kool/coolstuff4.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...uditControl.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...4006/valent.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/content...er/imloader.cab
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\MSIELINK.DLL


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\IPINSIGT.DLL
C:\WINDOWS\TWAINTEC.DLL
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\stcloader.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5LP_0001_0715NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5LP_0001_0802NETINSTALLER.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5NETINSTALLER.EXE
C:\PROGRAM FILES\HOTBAR
C:\PROGRA~1\COMMON~1\MSIETS


Restart in normal mode now.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Restart your system, and run a new HijackThis scan. Save the log file and post it here.
 

·
Registered
Joined
·
4 Posts
Discussion Starter #3
files not there

I did as you said with the HJT files and cleaned them. Then I went to delete files/folders and several of the files/folders were not there. I still have 1 winfixer on the pc it was running 5 at once. here are the files I that were not there. This computer only has 64mb and adaware requires more. I am running the trend micro scan and will send the results.

C:\WINDOWS\wupdt.exe
c:\windows\downloaded program files\uwfx5lp_0001_0715netinstaller.exe
c:\windows\downloaded program files\uwfx5lp_0001_0802netinstaller.exe
c:\windows\downloaded program files\conflict.2\
c:\windows\downloaded program files\uwfx5netinstaller.exe
 

·
Registered
Joined
·
6,574 Posts
Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\wupdt.exe
c:\windows\downloaded program files\uwfx5lp_0001_0715netinstaller.exe
c:\windows\downloaded program files\uwfx5lp_0001_0802netinstaller.exe
c:\windows\downloaded program files\conflict.2
c:\windows\downloaded program files\uwfx5netinstaller.exe


Check that these are GONE. Reboot and try in Safe Mode if you're having difficulty. Report back with a HJT log and a report on whether or not any of those files are still around.
 

·
Registered
Joined
·
4 Posts
Discussion Starter #5
Didn't work

I ran killbox and deleted the files. The only thing left on the pc is the
Winfixer 2005 installer that is on the desktop and everytime you turn the pc on it try's to install winfixer 2005. Here is my HJT log after killbox.

Logfile of HijackThis v1.99.1
Scan saved at 4:00:17 PM, on 9/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\FFIVTLIY\WINFIXER2005SCANNERINSTALL[1].EXE
C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.my.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://myzstart.looksmart.com/servlets/myzstart?request=autologon&comefrom=startpage&LSID=ijl1&LK=xM%3FQTE_su%3AXZK*8&ISP=LS&ITLS=S&IPS=A&"); (C:\Program Files\Netscape\Users\paultman\prefs.js)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0721] "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\FFIVTLIY\WINFIXER2005SCANNERINSTALL[1].EXE"
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
O16 - DPF: {6C636F50-7EB2-11D2-883C-CA8C113EA37E} (McAfee Clinic QuickClean Class) - http://download.mcafee.com/molbin/Clinic/Clean/QuickClean/MGqcctl.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic OilChange Class) - http://download.mcafee.com/molbin/OilChange/MGOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange Multi-Product Support Filter) - http://download.mcafee.com/molbin/OilChange/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Apologies for not seeing this sooner......Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. Move the Backups folder from C:\WINDOWS\TEMP\TD_0003.DIR as well. This is required because HijackThis will create backups and we don't want them to be deleted until we're sure they are no longer needed, and we're about to delete your temp files.

Run CleanUp! and click on the Options button. Uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0721] "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\FFIVTLIY\WINFIXER2005SCANNERINST ALL[1].EXE"

Delete the following folder:

C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\FFIVTLIY

Run the CleanUp program again.

Restart and run a new HijackThis scan. Save the log file and post it here.

Have you run the other two tools? TrendMicro AntiSpyware and Panda Active Scan? I require the logs from them as well.
 
1 - 6 of 6 Posts
Status
Not open for further replies.
Top