Logfile of HijackThis v1.98.2 - Hrndg
Date: 5 Jan 2005
What should I keep?
Remove MyWebSearch and SmileyCentral.
Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double-click the "HijackThis.exe" icon. This way a backup of each removed key will be created on your desktop (useful if you remove something wrongly).
Here is what you should do.
End the suspicious process below:
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
Remove these search keys:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/?page=1&refresh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://yahoo.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
Remove these additional browser plug-in keys (O2...O4):
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Remove these extra items in IE menu (O8...O9):
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
Reboot the computer into Safe Mode. Then delete these files from your C: drive:
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
Original log but with private information removed.
Scan saved at 12:32:33 AM, on 12/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\PROGRA~1\NORTON~1\navw32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/?page=1&refresh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://yahoo.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYY92US
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
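As an added defender-side example (not part of the thread, and not HijackThis's own code), the Python script below parses HijackThis entry lines like the ones in this log, pulls out the section code and CLSID, and flags the MyWebSearch/FunWebProducts indicators the reply singles out (their CLSIDs and file paths) plus orphaned "(no file)" entries such as the Sun Java Console item. The sample log is a constructed excerpt built from entries shown in this thread; the indicator lists are this example's own assumption and not a HijackThis feature.

```python
"""Triage helper for HijackThis v1.98-style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicators drawn from the entries quoted in this thread (constructed list).
SUSPICIOUS_PATH_FRAGMENTS = (
    "mywebsearch",     # C:\Program Files\MyWebSearch\...
    "mywebs~1",        # same directory in 8.3 short form (C:\PROGRA~1\MYWEBS~1)
    "funwebproducts",  # SmileyCentral setup .cab download path
    "mwsoemon.exe",
    "mwssrcas.dll",
    "mwsbar.dll",
)
SUSPICIOUS_CLSIDS = {
    "{00A6FAF6-072E-44CF-8957-5838F569A31D}",  # R3 URLSearchHook
    "{00A6FAF1-072E-44CF-8957-5838F569A31D}",  # O2 MyWebSearch Search Assistant BHO
    "{07B18EA1-A523-4961-B6BB-170DE4475CCA}",  # O2 mwsBar BHO
    "{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}",  # O16 SmileyCentral DPF
}

# Every HijackThis entry starts with a section code: R0-R3, O1-O23, then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


@dataclass
class Entry:
    code: str                 # section code, e.g. "O2", "R1", "O16"
    body: str                 # text after "Oxx - "
    clsid: Optional[str]      # first CLSID in the line, upper-cased, if any
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, blank lines and process paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    c = CLSID_RE.search(body)
    return Entry(m.group("code"), body, c.group(0).upper() if c else None)


def assess(entry: Entry) -> Entry:
    """Record why an entry would be recommended for removal (empty list = leave it)."""
    lowered = entry.body.lower()
    if entry.clsid in SUSPICIOUS_CLSIDS:
        entry.reasons.append("known MyWebSearch/FunWebProducts CLSID " + entry.clsid)
    hits = [frag for frag in SUSPICIOUS_PATH_FRAGMENTS if frag in lowered]
    if hits:
        entry.reasons.append("references " + ", ".join(hits))
    if lowered.endswith("(no file)"):
        entry.reasons.append("orphaned entry: no file on disk")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the flagged entries, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).suspicious:
            flagged.append(entry)
    return flagged


def by_section(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries by section code, mirroring how the reply lists R*, O2/O4, O9, O16."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        groups.setdefault(e.code, []).append(e)
    return groups


# Constructed excerpt built from entries shown in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
"""

if __name__ == "__main__":
    for code, items in by_section(triage(SAMPLE_LOG)).items():
        for e in items:
            print(f"{code}: {e.body[:70]}...  <- {'; '.join(e.reasons)}")
```

Run against the constructed excerpt it flags exactly the five entries the reply tells the poster to remove (the R3 hook, the MyWebSearch BHO, the O4 Run entry, the orphaned O9 item and the SmileyCentral O16 control) and leaves the HP, Yahoo and MSN entries alone; the benign R0/R1 HP and Yahoo search settings that the reply also lists are deliberately not matched, so the script flags only what the indicator lists cover.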