Re: HijackThisLog Analysis - Filmfreak
Here is what you should do.
End the suspicious process below:
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
Remove these search keys:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: yazrdyzzuzuxayq.com/sxTzKUDvtHKNvcc7VRCNscUn/8b_jng7hU2ZXn909uuQLzcDW4m6zcuG2K53f6KP.jpg
Remove these additional browser plug-in keys (O2...O4):
O2 - BHO: (no name) - {E4B3120A-684E-3343-26F8-0C92B155E5CE} - C:\DOCUME~1\Thierry\APPLIC~1\EACHEX~1\drive slow.exe
O4 - HKCU\..\Run: [style way] C:\DOCUME~1\Thierry\APPLIC~1\BOLTAD~1\64twonoun.exe
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - website: ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {9FFCDEC6-3906-11D2-8131-0060080BE220} (Three Ships FileIO Control) - file://C:\DOCUME~1\Thierry\LOCALS~1\Temp\ThreeShipsFileIO.ocx
Remove these extra protocols and protocol hijackers (O18):
O18 - Filter: text/html - {453F8F6B-0FB0-4D95-960A-3DEE706D0DB7} - C:\Documents and Settings\Thierry\Local Settings\Application Data\microsoft\internet explorer\V0.15.dat
Reboot the computer into safe mode. Then delete these files from your C: drive:
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 22:14:17, on 9-11-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Thierry\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: yazrdyzzuzuxayq.com/sxTzKUDvtHKNvcc7VRCNscUn/8b_jng7hU2ZXn909uuQLzcDW4m6zcuG2K53f6KP.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: bitdefender.com/scan/licence.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.planet.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = reg.planet.nl;;127.1206.87;127.158.81.103
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: (no name) - {E4B3120A-684E-3343-26F8-0C92B155E5CE} - C:\DOCUME~1\Thierry\APPLIC~1\EACHEX~1\drive slow.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [style way] C:\DOCUME~1\Thierry\APPLIC~1\BOLTAD~1\64twonoun.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\Openoffice-1\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - website: messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - website: messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - website: ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - website: spywarestormer.com/files2/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - website: messenger.zone.msn.com/binary/MineSweeper.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - website: security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - website: v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094246582596
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - website: security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - website: bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - website: messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - website: pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9FFCDEC6-3906-11D2-8131-0060080BE220} (Three Ships FileIO Control) - file://C:\DOCUME~1\Thierry\LOCALS~1\Temp\ThreeShipsFileIO.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - website: messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - website: us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - website: messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - website: messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Filter: text/html - {453F8F6B-0FB0-4D95-960A-3DEE706D0DB7} - C:\Documents and Settings\Thierry\Local Settings\Application Data\microsoft\internet explorer\V0.15.dat
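The reply above works through the log section by section (R search keys, O2 BHOs, O4 Run keys, O16 downloaded controls, O18 filters) and singles out the entries that load code from the user's Application Data and Temp folders. The following script is an added example, not part of this thread and not part of HijackThis itself: it parses entries in this log format, pulls out the section, CLSID and file path, and applies a few triage heuristics that reproduce the reasoning in the reply (executables under the user profile's data or temp directories, a BHO with no name, a text/html filter whose server is not a .dll, and an IE search/start page pointing at a host outside an analyst-supplied allowlist). The sample entries are copied from the log above; the heuristics, the `trusted_hosts` parameter and every function name are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: entries copied from the log in this thread (the poster already
# removed private data). Backslashes are doubled only because this is a Python literal.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = website: yazrdyzzuzuxayq.com/sxTzKUDvtHKNvcc7VRCNscUn/8b_jng7hU2ZXn909uuQLzcDW4m6zcuG2K53f6KP.jpg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {E4B3120A-684E-3343-26F8-0C92B155E5CE} - C:\\DOCUME~1\\Thierry\\APPLIC~1\\EACHEX~1\\drive slow.exe
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKCU\\..\\Run: [style way] C:\\DOCUME~1\\Thierry\\APPLIC~1\\BOLTAD~1\\64twonoun.exe
O16 - DPF: {9FFCDEC6-3906-11D2-8131-0060080BE220} (Three Ships FileIO Control) - file://C:\\DOCUME~1\\Thierry\\LOCALS~1\\Temp\\ThreeShipsFileIO.ocx
O18 - Filter: text/html - {453F8F6B-0FB0-4D95-960A-3DEE706D0DB7} - C:\\Documents and Settings\\Thierry\\Local Settings\\Application Data\\microsoft\\internet explorer\\V0.15.dat
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Markers for "inside a user profile" and "inside its data/temp folders" (long and 8.3 forms).
USER_PROFILE = ("\\documents and settings\\", "\\docume~1\\")
DATA_DIRS = ("\\application data\\", "\\applic~1\\", "\\local settings\\", "\\locals~1\\", "\\temp\\")


@dataclass
class Entry:
    section: str            # e.g. "O4"
    body: str               # everything after "O4 - "
    clsid: Optional[str]    # {GUID} if the entry carries one
    path: Optional[str]     # file path if one could be extracted


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    """Pull the file path out of an entry body, dropping quotes, switches and rundll32 entry points."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]*)"', body)
    if quoted:
        return quoted.group(1)
    m = re.search(r"[A-Za-z]:\\.*$", body)
    if not m:
        return None
    path = re.split(r"\s+[-/]\w", m.group(0), maxsplit=1)[0]   # strip " -quiet", " /background"
    return path.split(",", 1)[0]                                 # strip ",NvStartup"


def search_host(body: str) -> Optional[str]:
    """Host name of an R0/R1 value; accepts the forum's 'website:' defanging or a real scheme."""
    _, sep, value = body.partition(" = ")
    if not sep:
        return None
    value = re.sub(r"^(?:website:\s*|https?://)", "", value.strip())
    return value.split("/", 1)[0].lower() or None


def parse_entries(log_text: str) -> list:
    """Keep only R/F/O entries; header lines and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body, clsid.group(0) if clsid else None, extract_path(body)))
    return entries


def triage(log_text: str, trusted_hosts=frozenset()) -> list:
    """Apply the heuristics from the reply and return the entries worth a closer look."""
    findings = []
    for e in parse_entries(log_text):
        reasons = []
        p = (e.path or "").lower()
        if p and any(u in p for u in USER_PROFILE) and any(d in p for d in DATA_DIRS):
            reasons.append("loads code from a user-profile data/temp directory")
        if e.section == "O2" and "(no name)" in e.body:
            reasons.append("BHO registered without a name")
        if e.section == "O18" and e.body.startswith("Filter:") and p and not p.endswith(".dll"):
            reasons.append("MIME filter server is not a .dll")
        if e.section in ("R0", "R1") and ("Search Bar" in e.body or "Start Page" in e.body):
            host = search_host(e.body)
            if host and host not in trusted_hosts:
                reasons.append(f"IE search/start page points at untrusted host {host}")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section:4} {f.entry.clsid or '-':40} {f.entry.path or '-'}")
        for r in f.reasons:
            print(f"     -> {r}")
```

Run against the sample, the script flags exactly the five entries the reply tells the poster to remove (the search bar, the unnamed BHO, the `style way` Run key, the Temp-resident .ocx and the .dat text/html filter) and leaves the Acrobat BHO and NeroCheck alone; pass `trusted_hosts={"example.invalid"}`-style allowlists to suppress a search page the user actually chose. The heuristics are deliberately narrow: they replace none of the CLSID and file-name lookups an analyst still has to do.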