"project1" on task manager

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Gloria, Sep 16, 2004.

  1. Gloria

    Gloria Private E-2

    Hello Everybody,

    Recently my computer has been lagging, and when I open the Task Manager, I'd see a "project1" running on the application window (sometimes, not always). When project1 is running, a "runtime error message" would pop up saying that the script it needs is being used by another program. Then it would ask me whether I'd like to continue to run a script on a certain website (that I'm not even viewing).

    I've always had Spybot and Norton Antivirus. I've also installed SpywareBlaster, CCleaner, Stinger...etc. as one of your threads suggested, yet none of them were able to get rid of project1.

    I recently installed HijackThis, and I tried to follow your tutorial, but I really don't want to mess with the logs.

    Does anybody know anything about project1?

    Thanks in advance! :)
    Gloria
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check these threads out and see if they help. We had Project1 problems in them.

    http://forums.majorgeeks.com/showthread.php?t=40219
    http://forums.majorgeeks.com/showthread.php?t=38934

    Also you should follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal > If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. Gloria

    Gloria Private E-2

    Hi Chaslang,

    Thank you for your reply! I did try all the methods on the Basic Spyware topic before posting here, and my Spybot is up to date as well. It turned out that I had to run that software while Project1 appears on Task Manager. I tried that this morning, and so far Project1 hasn't come up yet.

    I was also running HijackThis, and I read about your tutorials on that as well. As I was trying to remove the hijackers, I found out some items that I wasn't sure of. I couldn't find them on the BHO and Startup Applications List either. Is it OK if I post these items here, and someone can tell me whether it's safe to fix them with HijackThis?

    I really appreciate your help! You guys have taught me so much, I'm so happy that I stumbled upon this website!!

    O2 - BHO: (no name) - {F615BC54-7B85-48FF-AAAC-15408A17F135} - C:\WINDOWS\system32\ewnf.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [mpcbwp] C:\WINDOWS\mpcbwp.exe
    O4 - HKLM\..\Run: [wnipsdol] C:\WINDOWS\wnipsdol.exe
    O4 - HKLM\..\Run: [hkwajgsrl] C:\WINDOWS\System32\nxskxmk.exe
    O4 - HKLM\..\Run: [MoneyBound] C:\WINDOWS\System32\MoneyBound.exe
    O4 - HKLM\..\RunOnce: [g60murg.exe] C:\WINDOWS\system32\g60murg.exe /k
    O4 - HKCU\..\RunOnce: [g60murg.exe] C:\WINDOWS\system32\g60murg.exe /k

    Thanks Again!!! :)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run everything in the Read Me First tutorial (including Stinger and the online scanners) you should post a full HJT log as a .txt attachment. Based on what I see in the partial log, we have some work to do.

    Take a look through your Add/Remove programs list too and see if there is anything there you do not recognize.
     
  5. Gloria

    Gloria Private E-2

    Hi Chaslang,

    Yeah, I did remove everything unfamiliar from add/remove program, and that was while I was trying to get rid of project1.

    I have two computers at home, here are their hjt logs. Thanks for your patience!
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Gloria,

    Here is a quote from your post (message #3) in this thread,
    "Thank you for you reply! I did try all the methods on the Basic Spyware topic before posting here, and my Spybot is up to date as well."

    Now part of my reply to your first message,
    "If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. "

    Now let's go back to that Read Me First link to step 6
    6: OPTIONAL: Scan With Hijack This; If you have gotten this far without success, you may need to download Hijack This

    Had you followed the steps as written you would not be running HijackThis version 1.97.7. I know that this may sound like I'm yelling (and I am sort of) at you but it is very important that instructions be followed to the letter. We are not sitting right next to you to watch what is going on. We need to know that our requests are followed exactly and not ignored. It can be the difference in getting problems resolved. Please go back and make sure you have ALL the correct versions for ALL programs we supplied links to. In addition please run ALL the steps. You did not do ALL of them. Your HijackThis logs show no signs of any online scans being run. What else have you skipped?

    After doing ALL of that post a new HijackThis log using version 1.98.2 and only post a log for your WinXP SP2 system. One problem/one PC per thread please. It gets too confusing otherwise especially if problems are complicated and it takes many iterations to fix.

    Questions:
    1) What is your expected home page?
    2) Are you using Propel Dial-Up Accelerator? That may be the reason for 4 lines that say:
    O10 - Unknown file in Winsock LSP: c:\program files\joiexpress\prplsf.dll
     
  7. Gloria

    Gloria Private E-2

    Hi Chaslang,

    My apologies. I didn't mean to cause any trouble. I have dial-up at home, and for some reason when I log on to safe mode, I can't find the "connect to" buttons, so I scanned with Stinger instead.

    I've managed to redo everything as listed, the only thing missing is probably the online scanning. Actually I did scan in normal mode, but I'm not sure if it'd be as helpful as scanning in safe mode?

    Regarding your questions:
    1. I usually set google as my homepage.
    2. Yes, I'm currently using JoiExpress dial-up service.

    I'll make sure to post the other hijack log in a new thread once SP2 finishes downloading. (the computer with this attached log does have SP2 installed).

    Thanks a lot!
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem Gloria! It's not trouble! It's just procedural issues to help us to best help you. But you are still missing one important point. You did not download the proper HijackThis file from the links we have given you. You still are posting logs from version 1.97.7. HJT is currently on 1.98.2. Please click the link I gave you in message #6 and get the proper version. Unzip it to its own directory and run it. Post a new log.

    Note: you need to get rid of Shareaza. First look to see if there is an uninstall in Add/Remove programs. If not, see if you can follow the steps here:
    http://www.pestpatrol.com/pestinfo/s/shareaza.asp

    The Messenger Plus program is known to install spyware to your computer. Some people were lucky enough to read the sneaky license agreement and not get click happy. But this is crapware itself because of the sneaky fashion they do this. I would uninstall it.
    O4 - HKLM\..\Run: [Messenger Plus] "C:\Program Files\Messenger Plus\messplus.exe" -silent

    Do you know the reason for this line (are you using a proxy server, is it required by your ISP?)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    And yes these lines should be fixed using HJT after shutting down the processes if you see them running with Task Manager or HJT's Config, Misc Tools, Open Process Manager:
    O4 - HKLM\..\Run: [MoneyBound] C:\WINDOWS\System32\MoneyBound.exe
    O4 - HKLM\..\RunOnce: [g60murg.exe] C:\WINDOWS\system32\g60murg.exe /k
    O4 - HKCU\..\RunOnce: [g60murg.exe] C:\WINDOWS\system32\g60murg.exe /k

    Make sure you have enabled viewing of hidden files.
    After that boot in safe mode and delete:
    C:\WINDOWS\System32\MoneyBound.exe
    C:\WINDOWS\system32\g60murg.exe

    Come back with a new HJT log from version 1.98.2
     
  9. Gloria

    Gloria Private E-2

    Hi Chaslang,

    All right, I've updated my HijackThis and rescanned everything. I fixed Messenger Plus with no problem, but I couldn't remove anything else. :(

    1. I don't know anything about a proxy server, and I don't think our ISP requires one. I tried disabling it from LAN settings, and I can still browse. Maybe I should fix it?

    2. I don't see Shareaza in Add/Remove programs, so I went to the PestControl site you suggested. However, I couldn't find any of the processes or DLLs they talked about. (in pestcontrol, all the dll files are stored in C:\shareaza\plugins\xxxx.dll, but my shareaza is in C:\program files\shareaza, and there's no plug-in folder).

    3. I tried fixing MoneyBound and g60murg with HJT. At first it seemed to be fixed already, so I rebooted in safe mode. But I couldn't find MoneyBound.exe or g60murg.exe in the System32 folder (I've enabled viewing of hidden files). Then when I rebooted back to normal mode and scanned again, MoneyBound and g60murg appeared again!

    4. While I was trying to find Shareaza in Add/Remove programs, I found "Web Savings from Ebates" and tried to remove it, but it gave me an error msg: "could not find main class, program will exist."

    Seems like we are gonna have a lot fun eh? :eek:
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this last HJT log from safe mode? I do not see the MoneyBound and g60murg programs.
    Please fix the following with HJT (make sure NO BROWSERS are open when you click FIX):
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {F615BC54-7B85-48FF-AAAC-15408A17F135} - C:\WINDOWS\system32\ewnf.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll (file missing)
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.aimthings.com/missingpacks/v1/setup.exe

    And if the MoneyBound and g60murg lines are there, fix the following too:
    O4 - HKLM\..\Run: [MoneyBound] C:\WINDOWS\System32\MoneyBound.exe
    O4 - HKLM\..\RunOnce: [g60murg.exe] C:\WINDOWS\system32\g60murg.exe /k
    O4 - HKCU\..\RunOnce: [g60murg.exe] C:\WINDOWS\system32\g60murg.exe /k

    Make sure you have enabled viewing of hidden files.
    After that boot in safe mode and delete:
    C:\WINDOWS\system32\ewnf.dll
    C:\WINDOWS\System32\MoneyBound.exe
    C:\WINDOWS\system32\g60murg.exe


    Always post HJT logs from normal boot mode unless we specifically ask for one in safe mode. So tell me how the above steps go and then post a new HJT log. We'll work on Shareaza later.
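The lines chaslang lists above follow HijackThis's fixed section format (R1 settings, O2 BHOs, O3 toolbars, O4 Run/RunOnce values, O9 IE buttons). As an added example, not code from this thread or from HijackThis, the following Python parses those lines into records and groups them the way the cleanup instructions do: Run/RunOnce targets to stop and then delete in safe mode, orphaned entries whose file is already gone, and the local proxy setting that keeps coming back. The sample log is constructed from the lines quoted in post #10, and sections other than R1/O2/O3/O4/O9 are deliberately left unmodelled.

```python
import re
from dataclasses import dataclass

# Constructed sample: the HijackThis lines quoted in post #10 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F615BC54-7B85-48FF-AAAC-15408A17F135} - C:\WINDOWS\system32\ewnf.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll (file missing)
O4 - HKLM\..\Run: [MoneyBound] C:\WINDOWS\System32\MoneyBound.exe
O4 - HKLM\..\RunOnce: [g60murg.exe] C:\WINDOWS\system32\g60murg.exe /k
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""
@dataclass
class Entry:
    code: str                   # HJT section code, e.g. "O4"
    name: str                   # Run value name, BHO/toolbar label, or setting name
    target: "str | None"        # file the entry points at, or the setting's value
    missing: bool = False       # HJT reported the target file as absent
    clsid: "str | None" = None  # COM class id for O2/O3/O9 entries
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# First executable-looking path in a Run value, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?([A-Za-z]:\\.*?\.(?:exe|dll|ocx|com|bat))"?', re.IGNORECASE)
def parse_line(line):
    """Parse one HJT log line; sections this example does not model return None."""
    code, _, body = line.strip().partition(" - ")
    if code == "O4" and (m := O4_RE.match(body)):
        exe = EXE_RE.match(m.group(4))
        return Entry(code, m.group(3), exe.group(1) if exe else None)
    if code in ("O2", "O3", "O9") and len(fields := body.split(" - ")) >= 3:
        label, target = fields[0].split(": ", 1)[-1], fields[-1]
        missing = target == "(no file)" or target.endswith(" (file missing)")
        path = None if target == "(no file)" else target.removesuffix(" (file missing)")
        return Entry(code, label, path, missing, fields[1])
    if code == "R1":
        key, _, value = body.partition(" = ")
        return Entry(code, key.rsplit(",", 1)[-1], value)
    return None

def triage(log):
    entries = [e for e in map(parse_line, log.splitlines()) if e]
    return {
        # Run/RunOnce targets: end the process first, then delete the file in safe mode.
        "autostart": [e.target for e in entries if e.code == "O4" and e.target],
        # Entries whose file is gone are registry leftovers HJT can simply remove.
        "orphaned": [e.clsid for e in entries if e.missing],
        # A proxy pointing at the local machine is worth explaining before fixing.
        "local_proxy": [e.target for e in entries if e.code == "R1" and "localhost" in e.target],
    }
```

Running `triage(SAMPLE_LOG)` yields the two Run/RunOnce executables named in the deletion list, the two CLSIDs whose files are missing, and the localhost:8080 proxy value.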
     
  11. Gloria

    Gloria Private E-2

    OK, I tried fixing everything listed, and attached is a new log. I've never run hjt in safe mode though.

    MoneyBound didn't come up this time, g60murg did however. I killed it again, but I couldn't find any of the files you asked for in safe mode (ewnf.dll, moneybound, or g60murg).

    The proxy service line came back again too.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everything appears okay other than:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    Did you fix the R1 line and it came back? I'm not sure if this is a problem though. Port 8080 is a typical port used for http.


    Please do not repair (fix) anything next time before showing me the log. You are confusing me on this end when you say you still have a problem but the log shows no signs of the problem.


    How are you looking for the files I asked you to delete?

    Reboot and get another log with no modifications or fixes.
     
    Last edited: Sep 20, 2004
  13. Gloria

    Gloria Private E-2

    OK, attached is a new log after I rebooted the system (nothing done prior to or after the reboot). I don't understand it either, moneybound and g60murg have both disappeared.

    Yeah, I did try to fix R1 line and it came back by itself.

    How did I look for the files? I just opened My Computer --> C:\. Was I supposed to look for it in a different way? Sorry if I wasn't aware of it. :eek:
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay your log looks clean! If everything is working okay, I would ignore that localhost:8080 line. It may be part of those accelerator applications you have. Any problems???
     
