Re: HijackThisLog Analysis - Ashbing
Hi Ashbing,
Before you start, you may like to consider uninstalling P2P (Kazaa) Networking from Add/Remove Software. You can always reinstall it after you have cleaned up your system. Then run the log again. Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double click the "HijackThis.exe" icon; this way a backup of the removed keys will be created on your desktop (useful if you remove something wrongly).
Browse through the following references, just to give you a grip of what you are dealing with:
Here is what you should do.
End these suspicious processes:
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\WinTools\WSup.exe
Remove these search keys:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = website: zpecialoffer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = website: seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: files.cc.cometsystems.com/assist/cc/1.0/assist_st.html?src_id=312
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = website: zpecialoffer.com/results.asp?keyword=%s
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
Remove these additional browser plug-in keys (O2...O4):
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: C:\WINDOWS\lbbho.dll - {2073F152-7465-4025-838E-20BFCB10325F} - C:\WINDOWS\lbbho.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\COL&DE~1\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\COL&DE~1\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [DietK] C:\PROGRA~1\DIETK~1\DietK.exe
O4 - HKLM\..\Run: [Wild-Flics] C:\WINDOWS\Wild-Flics.exe -n
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Diet K] C:\PROGRA~1\DIETK~1\DietK.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Remove these extra items in IE menu (O8...O9):
O8 - Extra context menu item: &Search - website: bar.mywebsearch.com/menusearch.html?p=ZRxdm353XXUS
O9 - Extra button: GloPhone - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\Documents and Settings\All Users\Desktop\Glophone.lnk (file missing)
Hijacked winsock (O10):
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - website: ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - website: dm.screensavers.com/dm/installers/si/1/sinstaller.cab
Extra protocols and protocol hijackers (O18):
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
Reboot the computer into safe mode, then delete these files from your C: drive:
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\WinTools\WSup.exe
Original log, with private information removed:
Logfile of HijackThis v1.98.2
Scan saved at 19:16:51, on 10/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\iMesh\Client\iMeshClient.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\COL&DE~1\LOCALS~1\Temp\Rar$EX0g.t10\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = website: seekerbar.com/ie.aspx?tb_id=50154
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = website: zpecialoffer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = website: seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = website: files.cc.cometsystems.com/assist/cc/1.0/assist_st.html?src_id=312
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = website: zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: C:\WINDOWS\lbbho.dll - {2073F152-7465-4025-838E-20BFCB10325F} - C:\WINDOWS\lbbho.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRA~1\Comet\Bin\csbho.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRA~1\Comet\Bin\csietb.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\COL&DE~1\LOCALS~1\Temp\GsiInst.exe INSTALL C:\DOCUME~1\COL&DE~1\LOCALS~1\Temp\.\V205Res 13
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [DietK] C:\PROGRA~1\DIETK~1\DietK.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Wild-Flics] C:\WINDOWS\Wild-Flics.exe -n
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Diet K] C:\PROGRA~1\DIETK~1\DietK.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - website: bar.mywebsearch.com/menusearch.html?p=ZRxdm353XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: GloPhone - {C9B8ABB6-1CC3-4957-9CA3-053036B2EE3A} - C:\Documents and Settings\All Users\Desktop\Glophone.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PICgrabber - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
O9 - Extra 'Tools' menuitem: PICgrabber - Movie&Image Search/Download Software - {4964E240-D53C-11D5-BDA9-444553540000} - C:\Program Files\PICgrabber\PICGRABBER.EXE (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - website: thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - website: ak.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - website: a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - website: dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
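As an added example (not part of this reply and not HijackThis's own code), a small Python parser that pulls the section code, CLSID and file path out of HijackThis log lines like the ones above and flags entries that point into the directories the reply tells Ashbing to clean out, or whose target file is reported missing. The SUSPECT_DIRS list and the sample lines are assumptions drawn from this log, not a general-purpose signature set.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Directory names this reply tells the user to clean out (taken from the log above);
# an assumption for this example, matched case-insensitively per path component.
SUSPECT_DIRS = {"toolbar", "wintools", "mywebsearch", "mywebs~1", "mysearch",
                "newdotnet", "newdot~1", "comet", "gmt"}
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|lnk)\b", re.IGNORECASE)

@dataclass
class Entry:
    code: str                 # HijackThis section, e.g. O2 (BHO), O4 (autorun), O18
    clsid: Optional[str]      # COM class id, when the entry carries one
    path: Optional[str]       # on-disk file the entry points at, when any
    reasons: List[str] = field(default_factory=list)   # empty means "looks clean"

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for headers and process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
    entry = Entry(m.group("code"), clsid.group(0) if clsid else None,
                  path.group(0) if path else None)
    if entry.path:
        hit = next((p for p in entry.path.lower().split("\\") if p in SUSPECT_DIRS), None)
        if hit:
            entry.reasons.append(f"path under known adware directory '{hit}'")
    if "(file missing)" in body:
        entry.reasons.append("orphaned entry: target file is missing")
    return entry

def triage(log: str) -> List[Entry]:
    """Parse a whole log; entries with a non-empty reasons list need attention."""
    return [e for e in map(parse_entry, log.splitlines()) if e is not None]

# Constructed sample: six lines copied from the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""
if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.code, "FLAG" if e.reasons else "ok", e.path, "; ".join(e.reasons))
```

Note that "MSN Toolbar" is not matched by the bare "toolbar" component, so the legitimate MSN entries stay unflagged while the C:\PROGRA~1\Toolbar\ ones are caught.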