hijack log- help!!!!!!!!!

Discussion in 'adware, spyware & hijack cleaning' started by kermischocolate, Mar 16, 2004.

Thread Status:
Not open for further replies.
  1. kermischocolate

    kermischocolate Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    15
    Can anyone please check this log. The problem i've got is every time i turn my computer off it resets the homepage to riveria.cc/ search-town.com.

    I've run spybot, spywareblaster (both latest versions) and my anti-virus software is AVG.

    From looking at it i presume i just delete anything that mentions riveria.cc or search-town.com? I'm not entirely sure though.

    All help is greatly appreciated.

    Cheers. :D

    Additional background information also available in this thread:

    http://www.wilderssecurity.com/showthread.php?t=24367
     
  2. kermischocolate

    kermischocolate Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    15
    ok can we tell i haven't done this before. I presume that in addition to the info in the post above it would also be helpful for those in the know to be able to see the log hijack created. Here it is below: (sorry i couldn't attach it. my computer wouldn't save it as a text file)


    Logfile of HijackThis v1.97.7
    Scan saved at 11:00:52, on 16/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\WINDOWS\System32\rmctrl.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Logitech\iTouch\kbdtray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\freeserve\freeserveconnectionkit\atdialler1.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    C:\Program Files\DV Series\Console\Watch.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\CATHER~1\LOCALS~1\Temp\Rar$EX00.609\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://opti.riviera.cc (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://opti.riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhos;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.passport.net/uilogin.srf?id=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
    O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
    O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://uk.zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activex/InfosFinder2.CAB
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi kermischocolate :)

    Could u please download and run CWShredder at this link,

    http://209.133.47.200/~merijn/files/CWShredder.exe

    then reboot and post a fresh HijackThis log.

    Thanks.


    snowbound
     
  4. kermischocolate

    kermischocolate Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    15
    thanks for the help. can i be really blonde and check by "reboot" does that mean re-start or boot the entire system?

    Cheers. :oops:
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Yes, it does mean to simply restart your system (shutdown and boot up, or just use the "restart" option itself). It helps to make sure things work properly when cleaning things off.
     
  6. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    Yes it does, Reboot = Restart
     
  7. kermischocolate

    kermischocolate Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    15
    can i ask another really obvious question? in cw shredder do i choose scan only or fix?

    :oops: :oops: :oops:
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You can scan only one time just to see how the thing works..then put everything away and with nothing else running on your PC...have that shredder fix all that it wants..it is safe ;)
     
  9. kermischocolate

    kermischocolate Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    15
    i've now run the cw shredder. it didn't delete the following as i wasn't sure what they were:

    C:\WINDOWS\smcfg.exe
    C:\WINDOWS\Pp.exe

    Are they harmful or not?

    Again, all help greatly appreciated.
     
  10. kermischocolate

    kermischocolate Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    15
    ok i'm not entirely sure where i just posted the log hijack created after i rebooted my computer so here it is again:
    Please tell me that's the problem sorted!!!!

    Once more thank you so much for your help. :D :D


    LowWaterMark: The other posts on this topic are over in a Javacool thread which is now closed as this is a better place to finish this cleanup:

    http://www.wilderssecurity.com/showthread.php?t=24367
     
  11. kermischocolate

    kermischocolate Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    15
    oops again. here's the log. i think i should go and dye my hair blonde and get it over and done with.

    Logfile of HijackThis v1.97.7
    Scan saved at 17:17:53, on 16/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\WINDOWS\System32\rmctrl.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Logitech\iTouch\kbdtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\freeserve\freeserveconnectionkit\atdialler1.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    C:\Program Files\DV Series\Console\Watch.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\CATHER~1\LOCALS~1\Temp\Rar$EX00.375\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhos;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.passport.net/uilogin.srf?id=2
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
    O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
    O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://uk.zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activex/InfosFinder2.CAB
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi kermischocolate,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    Then reboot and delete:
    C:\Program Files\MyWay
    and uninstall P2P Networking in Add/Remove Software

    Regards,

    Pieter
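
The before-and-after comparison this thread does by eye, as an added example that is not part of any post: a small Python parser that diffs two HijackThis logs and reports which entries from a helper's fix list are still in the latest log. The sample logs are short excerpts of the two logs posted above, and the function names are the example's own.

```python
import re

# HijackThis entry lines start with a section code such as R0, O4 or O16
# followed by " - "; header and running-process lines do not match.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries

def diff_logs(before, after):
    """Compare two logs: what a cleanup removed, what appeared, what survived."""
    old, new = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "unchanged": sorted(old & new),
    }

def still_present(latest_log, fix_list):
    """Entries from a helper's fix list that the latest log still contains."""
    return sorted(parse_entries(fix_list) & parse_entries(latest_log))

# Excerpt of the first log in the thread (before CWShredder was run).
BEFORE = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
"""
# Excerpt of the second log (after CWShredder and a reboot).
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"""
# The four entries listed for "Fix checked" in the last reply.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
"""

if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for kind in ("removed", "added"):
        for section, detail in result[kind]:
            print(f"{kind:8} {section:3} {detail}")
    for section, detail in still_present(AFTER, FIX_LIST):
        print(f"to fix   {section:3} {detail}")
```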
     