Hijack This! message window

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mongoos, Oct 17, 2005.

  1. mongoos

    mongoos Private E-2

    Well I am in the process of trying to get a log file to you guys because my computer is like a hive for viruses and malware to breed.

    So I'm reading the instructions for Hijack This! and it refers to a message window to get the log file attached to my post.

    Well, I just did the scan and saved the log file, but the only window I see is the scan window showing the results... where is the message window?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By message window, we mean your next message on Majorgeeks. For example right here in this thread. Due to your message, I just added some clarification to that step in the HJT procedure.

    Before posting HJT logs you must run the standard cleaning procedures as given below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
     
  3. mongoos

    mongoos Private E-2

    Here's the log from Hijack This!
     

    Attached Files:

  4. mongoos

    mongoos Private E-2

    I already did those steps. I completed it, but I have a feeling my computer has more crap on it.

    Check the log and see if you can find anything.

    Thanks
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read step 3 of the READ ME again:
     
  6. mongoos

    mongoos Private E-2

    Sorry about the other thread.

    And about that, I'm deleting McAfee ASAP; can't I still clean files even though I have it?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs for any of the below and uninstall if found:
    MyWeb
    MyWebSearchBar
    MyWebSearch
    MyWebSearch EMail or MyWebSearch EMail Plugin



    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKCU\..\Run: [Microsoft Admin Protocal] VSADMLN.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\RunServices: [Microsoft Admin Protocal] VSADMLN.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBxdm066YYUS
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (filesize 2822144 bytes, MD5 6101C7E7CD59BB4CBB2CFD362107FB03)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (filesize 2822144 bytes, MD5 6101C7E7CD59BB4CBB2CFD362107FB03)
    O15 - Trusted IP range: 67.19.185.246 <--- this may come back. If so, we will use a different fix.
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O21 - SSODL: eplrr - {58A805BE-60A3-4462-8DBE-1E95BEC03678} - C:\WINDOWS\SYSTEM\eplrr3.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\MYWEBS~1 <--- the whole folder. The real name is probably MyWebSearch or MyWebSearch Email Plugin

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be better to delete it first.

    By the way do you use AIM? If so, it may be a good idea to run the below:

    AIM Fix
     
  9. mongoos

    mongoos Private E-2

    Ok, I ran the AIM fix.

    And about McAfee.

    I'm having a bad evening and I have to do a bunch of stuff to get it off.

    So if it's not gonna screw anything up, I'd like to delete the bad stuff off the log before I uninstall McAfee.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go ahead! But you really need to get rid of one of the AVs soon afterwards.
     
  11. mongoos

    mongoos Private E-2

    Yes, I will.

    So how do I know what files to delete?

    My friend said someone told him.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not know what you are talking about??


    Just follow the steps I gave you in msg # 7.
     
  13. mongoos

    mongoos Private E-2

    Here's the updated log after I completed the steps from post 7.
     

    Attached Files:

  14. mongoos

    mongoos Private E-2

    Look, I'm basically doing this so my computer will run fast and thus I can play Diablo 2.

    Currently when I play it's laggy and annoying.

    I know my computer can handle the game because my friend's outdated piece of junk Gateway can play it on high res.

    After doing this stuff to remove malware I still cannot figure out why my game lags.

    I have the correct video card and system reqs.

    Help please!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well then perhaps you should complete my directions and use only one antivirus. I would uninstall McAfee now because it can be a huge resource hog.

    Do you use Windows Messenger (this is not MSN Messenger)? If not, we can dump it and save resources.
    You also do not need to load the below two items at startup:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

    You do have other problems too that we need to fix. I see a Narrator trojan has now popped up. I'll work up a fix for that. We may need to hunt down some other hidden files.
     
    Last edited: Oct 17, 2005
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download this: Find It NT/2000/XP

    Unzip it to its own folder and then run "find.bat" by double clicking on it. Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it run.

    The tool should generate a text file log. Normally it pops up as a notepad file named output.txt when it completes. Attach this log as an attachment to your next post.

    Also please download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  17. mongoos

    mongoos Private E-2

    Every time I run WinPFind it freezes up and stops responding.

    And McAfee will be off soon, I just need my dad's password.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it was frozen? As I said, it does take a long time to run. How long did you wait?

    And what about: Find It NT/2000/XP
     
  19. mongoos

    mongoos Private E-2

    I waited about 40 minutes and noticed for like 30 of that it said it was scanning the Program Files directory, and I brought up Task Manager and it wasn't responding.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  21. mongoos

    mongoos Private E-2

    Here's the log from that scan.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall McAfee? If not, do it now!!!!!

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\gwyurv.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\gwyurv.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  23. mongoos

    mongoos Private E-2

    Ok.

    McAfee is uninstalled and I ran an HJT scan, but the file you said to delete was not an item in the log.

    O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\gwyurv.exe

    was nowhere to be found in the HJT after scan report.

    Here's what was in the log.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That's good! Your log is clean. How are things working now?
     
  25. mongoos

    mongoos Private E-2

    It's ok, but I still can't play the game I want to at a reasonable speed.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, a further check shows some things to think about:

    1) Is this your expected start page:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html

    because it was fixed before but now it is back.

    2) You do not need to load the following at startup. They just waste resources:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

    3) I thought you uninstalled McAfee! I still see these:

    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
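The triage that chaslang does by eye in posts 7, 22 and 26 (spotting O4 autostart entries that point at orphaned or unexpected executables, and an R0 start page that keeps coming back) can be scripted over an HJT log. The parser below is an added example written for this page; it is not part of the thread or of HijackThis itself. The sample log is constructed from lines quoted in the thread, the `KNOWN_GOOD` baseline of executables and the `EXPECTED_HOSTS` home-page list are assumptions a real analyst would replace with the machine's own inventory, and the flag names (`orphaned`, `bare-filename`, `unknown-in-system-dir`, `unexpected-startpage`) are heuristics for what to look at first, not verdicts.

```python
"""Triage HijackThis (HJT) log lines: parse O4 autostart and R0 start-page
entries and raise the flags an analyst checks first. Added example, not HJT code."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample: log lines of the kinds quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewsearch.com/thenewsearch.html
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [Microsoft Admin Protocal] VSADMLN.exe
O4 - HKCU\..\RunServices: [Microsoft Admin Protocal] VSADMLN.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\gwyurv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# Assumed baseline of executables known to belong to installed software
# (constructed for this example; a real baseline comes from the machine's inventory).
KNOWN_GOOD = {"qttask.exe"}
# Assumed home page the owner actually chose (constructed).
EXPECTED_HOSTS = {"www.majorgeeks.com"}

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# R0 - HKLM\Software\...\Main,Start Page = url
R0_RE = re.compile(r'^R0 - (HKLM|HKCU)\\(.+?),(.+?) = (.*)$')


@dataclass
class HjtEntry:
    section: str                    # "O4", "R0", "O9", ...
    raw: str                        # the original log line
    hive: Optional[str] = None      # HKLM / HKCU
    key: Optional[str] = None       # Run, RunServices, ... (O4) or registry path (R0)
    name: Optional[str] = None      # value name
    target: Optional[str] = None    # executable path (O4) or URL (R0)
    flags: List[str] = field(default_factory=list)


def _target_of(command: str) -> str:
    """Executable path from an O4 command line, quotes and arguments stripped.
    An unquoted path containing spaces is ambiguous here, as it is for Windows."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one HJT log line into an HjtEntry; blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    entry = HjtEntry(section=line.split(" ", 1)[0], raw=line)
    # HJT marks references whose file no longer exists; these are dangling leftovers.
    if "(no file)" in line or "(file missing)" in line:
        entry.flags.append("orphaned")
    m = O4_RE.match(line)
    if m:
        entry.hive, entry.key, entry.name = m.group(1), m.group(2), m.group(3)
        entry.target = _target_of(m.group(4))
    m = R0_RE.match(line)
    if m:
        entry.hive, entry.key, entry.name, entry.target = m.groups()
    return entry


def audit(log_text: str, known_good: Iterable[str] = (), expected_hosts: Iterable[str] = ()) -> List[HjtEntry]:
    """Parse a whole log and attach triage flags to each entry."""
    known = {k.lower() for k in known_good}
    hosts = {h.lower() for h in expected_hosts}
    entries: List[HjtEntry] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "O4" and e.target:
            if "\\" not in e.target:
                # No directory: the log cannot tell you where this file lives.
                e.flags.append("bare-filename")
            elif "\\windows\\" in e.target.lower() and ntpath.basename(e.target).lower() not in known:
                # Lives in the Windows tree but is not in the baseline: verify it.
                e.flags.append("unknown-in-system-dir")
        if e.section == "R0" and e.name == "Start Page" and e.target:
            host = (urlsplit(e.target).hostname or "").lower()
            if host not in hosts:
                e.flags.append("unexpected-startpage")
        entries.append(e)
    return entries


def report(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Group raw log lines by the flag they raised."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        for f in e.flags:
            out.setdefault(f, []).append(e.raw)
    return out


if __name__ == "__main__":
    for flag, lines in report(audit(SAMPLE_LOG, KNOWN_GOOD, EXPECTED_HOSTS)).items():
        print(flag)
        for l in lines:
            print("   ", l)
```

Run against the sample, the script groups the orphaned O3/O9 references, the two bare `VSADMLN.exe` autostarts, the unknown `gwyurv.exe` under system32, and the unexpected start page, while the baselined `qttask.exe` entry raises nothing; whether an unflagged entry should still be removed to save resources, as chaslang advises, remains a judgment call.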
     
  27. mongoos

    mongoos Private E-2

    I did uninstall McAfee. I don't know why those are on.

    Should i just delete them?
     
  28. mongoos

    mongoos Private E-2

    And by "not run those at startup" do you mean I should delete them in HJT? Or is there some other procedure you are talking about?
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if this folder exists: C:\Program Files\McAfee
    If so, first look in Add/Remove programs for any other McAfee programs and uninstall. If the lines are still in your log afterwards, have HJT fix those three lines.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you can just have HJT fix those lines.
     
  31. mongoos

    mongoos Private E-2

    Ok, I removed all the files from the HJT log.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's nice, but no comment on how things are running now?
     
  33. mongoos

    mongoos Private E-2

    Well my comp itself is running better than ever.

    Still can't quite get the damn game to work without lag.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt it is a malware problem. Perhaps it is something with your configuration, your ISP, etc. At this point you would be better off working the issue in the Games Forum.
     
  35. mongoos

    mongoos Private E-2

    I will, thanks for everything.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
