[solved] yuhmee adware

Discussion in 'adware, spyware & hijack cleaning' started by Tannia, Jun 17, 2004.

  1. Tannia

    Tannia Registered Member

    Joined: Jun 17, 2004
    Posts: 5
    I have an adware called yuhmee in my computer and I can't get rid of it. It slows down my IE browser tremendously and directs me to their URL when I click on some links. Please, please help me get rid of it. I followed your instructions and ran Ad-Aware 6 with the latest update available before running HijackThis. Here is my HijackThis log:
    --------------------------------------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 6:55:40 PM, on 6/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Automatic Update\AutoUpdate.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\downloads\hijackThis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tannia the Goddess
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)
    O1 - Hosts: 172.21.91.16 miasrvvss01 #PRE
    O1 - Hosts: 66.98.178.19 06272002-dbase.hitcountz.net
    O1 - Hosts: 66.98.178.19 1ca.cqcounter.com
    O1 - Hosts: 66.98.178.19 2001-007.com
    O1 - Hosts: 66.98.178.19 ad-logics.com
    O1 - Hosts: 66.98.178.19 ad.trafficmp.com
    O1 - Hosts: 66.98.178.19 adclient.rottentomatoes.com
    O1 - Hosts: 66.98.178.19 adcounter.globeandmail.com
    O1 - Hosts: 66.98.178.19 adcounter.theglobeandmail.com
    O1 - Hosts: 66.98.178.19 adlog.com.com
    O1 - Hosts: 66.98.178.19 admanmail.com
    O1 - Hosts: 66.98.178.19 ads.specificpop.com
    O1 - Hosts: 66.98.178.19 adtech.de
    O1 - Hosts: 66.98.178.19 askmen.thruport.com
    O1 - Hosts: 66.98.178.19 banner.0catch.com
    O1 - Hosts: 66.98.178.19 bilbo.counted.com
    O1 - Hosts: 66.98.178.19 c1.statcounter.com
    O1 - Hosts: 66.98.178.19 c1.thecounter.com
    O1 - Hosts: 66.98.178.19 c2.gostats.com
    O1 - Hosts: 66.98.178.19 c2.thecounter.com
    O1 - Hosts: 66.98.178.19 c3.thecounter.com
    O1 - Hosts: 66.98.178.19 c3.xxxcounter.com
    O1 - Hosts: 66.98.178.19 cashcounter.com
    O1 - Hosts: 66.98.178.19 cgi.hotstat.nl
    O1 - Hosts: 66.98.178.19 clit6.sextracker.com
    O1 - Hosts: 66.98.178.19 clit8.sextracker.com
    O1 - Hosts: 66.98.178.19 cookies.cmpnet.com
    O1 - Hosts: 66.98.178.19 counter.aaddzz.com
    O1 - Hosts: 66.98.178.19 counter.bloke.com
    O1 - Hosts: 66.98.178.19 counter.hitslink.com
    O1 - Hosts: 66.98.178.19 counter.yadro.ru
    O1 - Hosts: 66.98.178.19 counter14.sextracker.com
    O1 - Hosts: 66.98.178.19 counter16.bravenet.com
    O1 - Hosts: 66.98.178.19 counter17.bravenet.com
    O1 - Hosts: 66.98.178.19 counter2.hitslink.com
    O1 - Hosts: 66.98.178.19 counter26.bravenet.com
    O1 - Hosts: 66.98.178.19 counter32.bravenet.com
    O1 - Hosts: 66.98.178.19 counter34.breavenet.com
    O1 - Hosts: 66.98.178.19 counter41.bravenet.com
    O1 - Hosts: 66.98.178.19 counter47.bravenet.com
    O1 - Hosts: 66.98.178.19 counter6.sextracker.com
    O1 - Hosts: 66.98.178.19 counter8.bravenet.com
    O1 - Hosts: 66.98.178.19 data.coremetrics.com
    O1 - Hosts: 66.98.178.19 delivery.loopingclick.com
    O1 - Hosts: 66.98.178.19 dwclick.com
    O1 - Hosts: 66.98.178.19 ebay.doubleclick.net
    O1 - Hosts: 66.98.178.19 ehg-amerix.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-bestbuy.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-crain.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-dig.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-eckounlimited.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-espn.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-idg.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-liveperson.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-oreilley.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-space.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-sportsline.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-techtarget.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-tigerdirect.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-uniontrib.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg-viacom.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg.commjun.hitbox.com
    O1 - Hosts: 66.98.178.19 ehg.hitbox.com
    O1 - Hosts: 66.98.178.19 fastclick.net
    O1 - Hosts: 66.98.178.19 fcstats.bcentral.com
    O1 - Hosts: 66.98.178.19 flycast.com
    O1 - Hosts: 66.98.178.19 g-wizzads.net
    O1 - Hosts: 66.98.178.19 gostats.com
    O1 - Hosts: 66.98.178.19 gtcc1.acecounter.com
    O1 - Hosts: 66.98.178.19 hc2.humanclick.com
    O1 - Hosts: 66.98.178.19 hit2.hotlog.ru
    O1 - Hosts: 66.98.178.19 hit37.chark.dk
    O1 - Hosts: 66.98.178.19 hitbox.com
    O1 - Hosts: 66.98.178.19 hits.webstat.com
    O1 - Hosts: 66.98.178.19 images.dailydiscounts.com
    O1 - Hosts: 66.98.178.19 imp.clickability.com
    O1 - Hosts: 66.98.178.19 impacts.alliancehub.com
    O1 - Hosts: 66.98.178.19 insightfirst.com
    O1 - Hosts: 66.98.178.19 int.sitestat.com
    O1 - Hosts: 66.98.178.19 jkearns.freestats.com
    O1 - Hosts: 66.98.178.19 linktrack.bravenet.com
    O1 - Hosts: 66.98.178.19 logs.comics.com
    O1 - Hosts: 66.98.178.19 m1.nedstatbasic.net
    O1 - Hosts: 66.98.178.19 media101.sitebrand.com
    O1 - Hosts: 66.98.178.19 mediatrack.revenue.net
    O1 - Hosts: 66.98.178.19 mt122.mtree.com
    O1 - Hosts: 66.98.178.19 nedstat.s0.nl
    O1 - Hosts: 66.98.178.19 nl.sitestat.com
    O1 - Hosts: 66.98.178.19 partner.alerts.aol.com
    O1 - Hosts: 66.98.178.19 paxito.sitetracker.com
    O1 - Hosts: 66.98.178.19 perso.estat.com
    O1 - Hosts: 66.98.178.19 pmg.ad-logics.com
    O1 - Hosts: 66.98.178.19 postclick.adcentriconline.com
    O1 - Hosts: 66.98.178.19 prof.estat.com
    O1 - Hosts: 66.98.178.19 s10.sitemeter.com
    O1 - Hosts: 66.98.178.19 s11.sitemeter.com
    O1 - Hosts: 66.98.178.19 s12.sitemeter.com
    O1 - Hosts: 66.98.178.19 s13.sitemeter.com
    O1 - Hosts: 66.98.178.19 s14.sitemeter.com
    O1 - Hosts: 66.98.178.19 s15.sitemeter.com
    O1 - Hosts: 66.98.178.19 s16.sitemeter.com
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno6\qsacc\X1IEBHO.dll__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C6DC2BCC-6813-478E-98A6-9B2C96B21CAC} - C:\WINDOWS\rkvp.dll__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {DDE0F563-E133-4B33-B042-CDF5D4B57535} - C:\WINDOWS\piyrtdy.dll__SpybotSDDisabled (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"
    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [Rrtl] C:\Documents and Settings\Tannia\Application Data\rawe.exe
    O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Gogol INFO - Toolbar search - res://C:\Program Files\GIToolBar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Short Message (HKLM)
    O9 - Extra button: FlashKeeper (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://us.amadeusvista.com/common/cabs/VistaPWComms.CAB
    O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://jazz.amadeuslink.com/mcsimenu.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeusvista.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {9C067552-A98D-11D3-BE8E-0000832BD4E5} (CCCertInfo4 Class) - http://us.amadeusvista.com/common/cabs/Certificateinfo.CAB
    O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://www.aeuniversitylive.com/sametime/stmeetingroomclient/STJNILoader.cab
    O16 - DPF: {AA7AB619-0AEB-404C-B12F-D34D4EF32787} (Amadeus CCCert02 Wrapper) - http://us.amadeusproweb.com/ComCoreDownload/CCCert02Wrapper.CAB
    O16 - DPF: {AC502E9E-5AFF-11D3-8F90-00008321C804} (CCLibV024.ComCore) - http://us.amadeusproweb.com/ComCoreDownload/CCLibV024.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase4E/OrgPubX.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://us.amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {FD48A80F-95C2-456A-AF3A-FC3B774C21CF} (Certificates_Info Class) - http://certificates.amadeusvista.com/certificateinfo/Certificatetool.CAB
    ---------------------------------------------------------------------
    Thank you in advance.
    ---------------------------------------------------------------------
    Part 2 of the yuhmee saga:

    In my frustration I have cleaned my Hosts file from all the unnecessary entries and ran Spybot also. Here is my HJT log after doing this. Needless to say it did not help! Help!!!!!
    Log follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:18:09 AM, on 6/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Automatic Update\AutoUpdate.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\downloads\hijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tannia the Goddess
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [Rrtl] C:\Documents and Settings\Tannia\Application Data\rawe.exe
    O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: &Gogol INFO - Toolbar search - res://C:\Program Files\GIToolBar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Short Message (HKLM)
    O9 - Extra button: FlashKeeper (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://us.amadeusvista.com/common/cabs/VistaPWComms.CAB
    O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://jazz.amadeuslink.com/mcsimenu.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeusvista.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {9C067552-A98D-11D3-BE8E-0000832BD4E5} (CCCertInfo4 Class) - http://us.amadeusvista.com/common/cabs/Certificateinfo.CAB
    O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://www.aeuniversitylive.com/sametime/stmeetingroomclient/STJNILoader.cab
    O16 - DPF: {AA7AB619-0AEB-404C-B12F-D34D4EF32787} (Amadeus CCCert02 Wrapper) - http://us.amadeusproweb.com/ComCoreDownload/CCCert02Wrapper.CAB
    O16 - DPF: {AC502E9E-5AFF-11D3-8F90-00008321C804} (CCLibV024.ComCore) - http://us.amadeusproweb.com/ComCoreDownload/CCLibV024.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase4E/OrgPubX.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://us.amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {FD48A80F-95C2-456A-AF3A-FC3B774C21CF} (Certificates_Info Class) - http://certificates.amadeusvista.com/certificateinfo/Certificatetool.CAB

    Thanks again!!!!
     
    Last edited: Jun 19, 2004
  2. Taz71498

    Taz71498 Registered Member

    Joined: May 27, 2004
    Posts: 674
    Location: USA
    Re: yuhmee adware

    Hello Tannia,

    Go to Add/Remove Programs and look to see if MyWebSearch is there; if so, uninstall it. You need to be online to uninstall it.

    Run HijackThis again with all browsers closed, check these items, and then click on Fix:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    R3 - URLSearchHook: (no name) - _{6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - (no file)

    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll

    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll (file missing)

    O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Rrtl] C:\Documents and Settings\Tannia\Application Data\rawe.exe

    Reboot the computer into safe mode

    Make sure you can view all hidden files and folders

    Find and delete these files/folders:

    C:\Program Files\Automatic Update
    C:\PROGRA~1\MYWEBS~1
    C:\Documents and Settings\Tannia\Application Data\rawe.exe

    Reboot and post a new log here.
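
The follow-up check that "post a new log" implies can be done mechanically: parse the log taken before the fix and the one taken after, confirm every fix-list item is gone, and list whatever is new. This is an added example, not part of the original thread and not HijackThis code; the function names are hypothetical and the sample inputs are excerpts of the logs and fix list posted in this thread.

```python
import re

# A HijackThis entry looks like "O4 - HKLM\..\Run: [name] path". The prefix
# (R0-R3, O1-O23, ...) names the section. Header lines and the
# "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_entries(log_text):
    """Map a normalised (section, detail) key to the original log line.

    Details are whitespace-collapsed and case-folded so cosmetic differences
    do not count as changes. 8.3 short paths (PROGRA~1) and long paths
    (Program Files) are NOT reconciled: the same file listed both ways will
    appear as one removal plus one addition and needs a human look.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            key = (m.group(1), " ".join(m.group(2).split()).casefold())
            entries[key] = line.strip()
    return entries


def review_cleanup(before_log, after_log, fix_list):
    """Compare two scans against the list of items that were to be fixed."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    wanted = parse_entries(fix_list)
    return {
        # Fix-list items that survived the cleanup (fix failed or was undone).
        "still_present": sorted(after[k] for k in wanted if k in after),
        # Fix-list items that were in the first scan and are now gone.
        "fixed": sorted(wanted[k] for k in wanted
                        if k in before and k not in after),
        # Fix-list items never seen in the first scan (typo or stale list).
        "not_in_before": sorted(wanted[k] for k in wanted if k not in before),
        # Entries that exist only in the second scan: review each one.
        "new": sorted(after[k] for k in after if k not in before),
    }


# Excerpt of the 6/19/2004 log from this thread (not the full log).
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Rrtl] C:\Documents and Settings\Tannia\Application Data\rawe.exe
"""

# Excerpt of the 6/20/2004 log from this thread (not the full log).
LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eqej] C:\WINDOWS\byon.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"""

# Four of the items from the fix list in the post above.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - _{D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Rrtl] C:\Documents and Settings\Tannia\Application Data\rawe.exe
"""

if __name__ == "__main__":
    report = review_cleanup(LOG_BEFORE, LOG_AFTER, FIX_LIST)
    for bucket, lines in report.items():
        print(f"{bucket} ({len(lines)}):")
        for entry in lines:
            print("   ", entry)
```

On these excerpts the SDHelper.dll line is reported as new only because its path changed to the 8.3 short form while the CLSID stayed the same; the `[eqej]` Run entry has no counterpart in the earlier scan.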
     
  3. Tannia

    Tannia Registered Member

    Joined: Jun 17, 2004
    Posts: 5
    Re: yuhmee adware

    Thank you so much for your response.
    I went into the Control Panel and checked for MyWebSearch as you recommended. It is there in the following 2 entries:
    MyWebSearch (Outlook, Outlook Express and Incredimail)
    MyWebSearch (Smiley Central)
    I tried to remove them while online (I have a cable connection that is always on) and when removing the 1st (Outlook, blah, blah) I get a browser window trying to open: res//C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll\106
    But the window has no content. It's totally empty.
    When I try to open the other one, I get the same empty window prompting to open: res//C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll\101
    I looked in Program Files in Windows Explorer and can't find any such folder or "dll" file.
    I guess I'll have to look into the registry, but I am not that good. Any suggestions? I decided to wait until I hear back before proceeding.
    Again, a big thank you for your help. I cannot tell you how frustrated I am with this yuhmee thing.
     
  4. Newkid

    Newkid Spyware Fighter

    Joined: Apr 29, 2004
    Posts: 225
    Location: Memphis
    Re: yuhmee adware

    Hello Tannia,

    Welcome to Wilders :)

    Please show us your fresh log.

    With Thanks !
    Newkid !
     
  5. Tannia

    Tannia Registered Member

    Joined: Jun 17, 2004
    Posts: 5
    Re: yuhmee adware

    Hi again.
    Here is my latest log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:06:04 AM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\byon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\downloads\hijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tannia the Goddess
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [eqej] C:\WINDOWS\byon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: &Gogol INFO - Toolbar search - res://C:\Program Files\GIToolBar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Short Message (HKLM)
    O9 - Extra button: FlashKeeper (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://us.amadeusvista.com/common/cabs/VistaPWComms.CAB
    O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://jazz.amadeuslink.com/mcsimenu.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeusvista.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {9C067552-A98D-11D3-BE8E-0000832BD4E5} (CCCertInfo4 Class) - http://us.amadeusvista.com/common/cabs/Certificateinfo.CAB
    O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://www.aeuniversitylive.com/sametime/stmeetingroomclient/STJNILoader.cab
    O16 - DPF: {AA7AB619-0AEB-404C-B12F-D34D4EF32787} (Amadeus CCCert02 Wrapper) - http://us.amadeusproweb.com/ComCoreDownload/CCCert02Wrapper.CAB
    O16 - DPF: {AC502E9E-5AFF-11D3-8F90-00008321C804} (CCLibV024.ComCore) - http://us.amadeusproweb.com/ComCoreDownload/CCLibV024.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase4E/OrgPubX.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://us.amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {FD48A80F-95C2-456A-AF3A-FC3B774C21CF} (Certificates_Info Class) - http://certificates.amadeusvista.com/certificateinfo/Certificatetool.CAB
     
  6. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: yuhmee adware

    Hello,

    Run HJT again and check these items and fix:

    O4 - HKLM\..\Run: [eqej] C:\WINDOWS\byon.exe

    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab

    Reboot into safe mode. Find and delete this file:

    C:\WINDOWS\byon.exe

    Reboot.

    Also, just a couple of clean up things you can do:

    Open Internet Explorer. Then click on TOOLS in the top toolbar. Click on "Internet Options..." from the drop-down menu.
    A new smaller window will display. Under the "General" tab, in the middle, are 3 buttons.
    Click the Delete Cookies button - then a small warning box pops up. Click OK.
    Click the Delete Files button - a small warning box pops up. Check the box for "Delete all offline content" and click OK.
    Then on the same General tab, click Clear History, then click OK.

    And:

    1. Open My Computer
    2. Right click on your hard drive that you wish to clean (C drive, for example)
    3. In the context menu that opens, select properties
    4. Under the general tab you should select Disk Cleanup
    5. Windows will scan your drive which will take a few seconds/minutes
    6. A box will display the various files you can remove. Here are some safe examples:

    Temporary Internet Files
    Recycle Bin
    Temporary Files

    7. Click OK and Windows will comply.

    Reboot, run HJT again and post a new log here.
     
  7. Tannia

    Tannia Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
    Re: yuhmee adware

    Thanks again Taz! Did all you recommended. Here is the HJT log after reboot:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:51:10 PM, on 6/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\downloads\hijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tannia the Goddess
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: &Gogol INFO - Toolbar search - res://C:\Program Files\GIToolBar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\SourceTec\Sothink SWF Quicker\InternetExplorer.htm
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Short Message (HKLM)
    O9 - Extra button: FlashKeeper (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: SWF Catcher (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://us.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://us.amadeusvista.com/common/cabs/VistaPWComms.CAB
    O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://jazz.amadeuslink.com/mcsimenu.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeusvista.com/common/cabs/MSIInspect.CAB
    O16 - DPF: {9C067552-A98D-11D3-BE8E-0000832BD4E5} (CCCertInfo4 Class) - http://us.amadeusvista.com/common/cabs/Certificateinfo.CAB
    O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://www.aeuniversitylive.com/sametime/stmeetingroomclient/STJNILoader.cab
    O16 - DPF: {AA7AB619-0AEB-404C-B12F-D34D4EF32787} (Amadeus CCCert02 Wrapper) - http://us.amadeusproweb.com/ComCoreDownload/CCCert02Wrapper.CAB
    O16 - DPF: {AC502E9E-5AFF-11D3-8F90-00008321C804} (CCLibV024.ComCore) - http://us.amadeusproweb.com/ComCoreDownload/CCLibV024.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase4E/OrgPubX.cab
    O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://us.amadeusvista.com/common/cabs/AmadeusInit.CAB
    O16 - DPF: {FD48A80F-95C2-456A-AF3A-FC3B774C21CF} (Certificates_Info Class) - http://certificates.amadeusvista.com/certificateinfo/Certificatetool.CAB

    Sure hope it's clean! Thanks!
     
  8. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Re: yuhmee adware

    Hello Tannia,

    Things look good to me. If by chance I missed something, someone will pop a note here to you telling you so.

    Here is a link for you to go to that will give you suggestions on how to keep your computer safe:
    https://www.wilderssecurity.com/showthread.php?t=27971

    Happy Surfing!
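The before/after check done by eye in the posts above can be scripted; the following is an added example, not part of the original thread. The sample logs are trimmed excerpts of the two HijackThis logs posted here, and the function names `parse_hjt` and `verify_fix` are hypothetical. Entries are compared case-insensitively because the same path appears with different casing in the two logs (`mcupdate.exe` vs `McUpdate.exe`).

```python
import re

# Trimmed excerpts of the two HijackThis logs posted in this thread.
BEFORE = r"""Running processes:
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\byon.exe
C:\WINDOWS\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tannia the Goddess
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [eqej] C:\WINDOWS\byon.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqtgsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tannia the Goddess
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"""
# The two entries the helper asked to fix, plus the file to delete.
FLAGGED = [
    r"O4 - HKLM\..\Run: [eqej] C:\WINDOWS\byon.exe",
    "O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab",
    r"C:\WINDOWS\byon.exe",
]
ENTRY = re.compile(r"^[A-Z]\d{1,2} - .+$")  # R0, O4, O16, ...

def parse_hjt(text):
    """Return (processes, entries); keys are case-folded, entry values keep the original line."""
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY.match(line):
            in_procs = False  # the process list ends where the entries begin
            entries[line.casefold()] = line
        elif in_procs and line:
            processes.add(line.casefold())
    return processes, entries

def verify_fix(before, after, flagged):
    """Report flagged items still present after the fix, and everything else that changed."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    return {
        "remaining": [f for f in flagged if f.casefold() in a_entries or f.casefold() in a_procs],
        "removed": sorted(b_entries[k] for k in b_entries.keys() - a_entries.keys()),
        "added": sorted(a_entries[k] for k in a_entries.keys() - b_entries.keys()),  # new entries deserve a look
        "gone_procs": sorted(b_procs - a_procs),
    }

if __name__ == "__main__":
    for key, value in verify_fix(BEFORE, AFTER, FLAGGED).items():
        print(key, value)
```

An empty `remaining` list means the flagged items are gone; a changed value, such as the `R1` window title here, shows up once under `removed` and once under `added`.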
     
  9. Tannia

    Tannia Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
    Re: yuhmee adware

    Hey Taz, thank you so much for the valuable help you gave me. You guys are the greatest!
    Thanks again!
     