The Aardvark Needs Help :(

:banghead:

Can someone help me sort out the trash from the needed files in this log?

Logfile of HijackThis v1.97.7
Scan saved at 6:18:59 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\JUNKEA~1\InfoProgram.exe
C:\Program Files\D-Tools\daemon.exe
C:\documents and settings\stephen klick\local settings\temp\GmlrhZ.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\IEHost.exe
C:\PROGRA~1\WHENUS~1\Search.exe
C:\WINDOWS\System32\imeberos.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Documents and Settings\Stephen Klick\Application Data\ttuh.exe
C:\WINDOWS\System32\wtsit.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\WINDOWS\System32\DopwS4t.exe
C:\WINDOWS\System32\DopwS4t.exe
C:\Program Files\Folding@Home\FahCore_65.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SysAI\SysAI.exe
C:\WINDOWS\System32\SSIP32M.exe
C:\Documents and Settings\Stephen Klick\Desktop\HijackTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {80576AF2-0166-9AFB-4902-376B85835666} - C:\PROGRA~1\BashMode\OneDvd.dll
O3 - Toolbar: 4intra - {06F32CD1-F7CA-B4B1-4633-2DEAE5CF3199} - C:\PROGRA~1\BashMode\OneDvd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hole mags] C:\PROGRA~1\JUNKEA~1\InfoProgram.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GmlrhZ] C:\documents and settings\stephen klick\local settings\temp\GmlrhZ.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KrwH5f.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [378i38i] imeberos.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [SSIP32M] C:\WINDOWS\System32\SSIP32M.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Stephen Klick\Application Data\ttuh.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtsit.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: Folding@home 4.00.lnk = ?
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

- I know for certain that

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = omegasearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omegasearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://omegasearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omegasearch.com/searchbar.html

are all trash. But before I go on a deleting spree, I'd like to make sure I get everything :mean:

Thanks in advance guys.

>droops ears as the popups march five by five across his screen<

Comments

  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Aardvark, I need to know if this is a Dell computer with an HP burner or an HP computer with a Dell antispam util stuck on it and whether it is on AOL or not, to tell you if three things are junk or not.

    THESE are stock XP things:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

    ____

    This is used for HP brand burners:

    C:\WINDOWS\system32\dla\tfswctrl.exe

    ____

    This is for AOL support only, and removing it breaks an AOL Internet connection, it is supplied by AOL for their portal-- not stock XP, but removing it can break things you will need to fix by redoing networking settings-- possibly dangerous to remove:

    C:\WINDOWS\wanmpsvc.exe

    ____

    This is the Dell antispam thing, valid for Dell boxes, might not work with hardware they do not use, if it does work right keep it if you want:

    C:\WINDOWS\System32\DSentry.exe

    ____

    Unless you are using an old D-Tools to let you run a game ISO as a CD drive, this might be spyware-- cannot get definitive info on any other valid use for this except when using Oracle:

    C:\Program Files\D-Tools\daemon.exe

    ____

    This is probably a temp download archive, should be deletable, if not could be a virus or malware archive, name was genned randomly by XP unless this is so new nothing has been said about it ANYWHERE that Google has indexed-- delete it unless you KNOW what it is and that you want it-- temp normally can be emptied in the directory this temp directory is in:

    C:\documents and settings\stephen klick\local settings\temp\GmlrhZ.exe

    ____


    Everything in the mcafee.com directory is for remote AV scans by mcafee.
    What I skipped down to next line quoted is normal for an XP box with normal software on it

    ____

    This is adware, type ID DrummerBoy:

    C:\Documents and Settings\Stephen Klick\Application Data\ttuh.exe

    One Remover for that is here:

    http://www.enigmasoftwaregroup.com/affiliate/link.php?ref=42&productid=4

    If you do not like spyhunter, try AdAware 6.0 with latest updates to kill this.

    ____

    This is possibly a Microsoft legit autoupdater, but left over from Windows ME and not used by XP (if you did not do an upgrade from WindowsMe to XP on this Dell box, let me know please):

    C:\WINDOWS\System32\wuauclt.exe

    ____

    Both these are download.trojan files, and there should be only one of these listed-- running AdAware and then SpyBotS&D kills that trojan, but given this listing, I think I would kill this in SAFE MODE after getting and updating both programs mentioned above:

    C:\WINDOWS\System32\DopwS4t.exe
    C:\WINDOWS\System32\DopwS4t.exe

    ____

    Let's start there, then if you would rerun HJT and repost your log, we can see what is left, ok????

    ____ = ADDED SECTION Markers, to stop Thrax from posting UTTER junk. MODs, please remove Thrax's comments from this thread. They only serve to warp and confuse in this context.

    colon means what is before and after it is equal, normally
  • Thrax 🐌 Austin, TX Icrontian
    edited May 2004
    C:\Program Files\D-Tools\daemon.exe

    This is probably a temp download archive, should be deletable, if not could be a virus or malware archive, name was genned randomly by XP unless this is so new nothing has been said about it ANYWHERE that Google has indexed-- delete it unless you KNOW what it is and that you want it-- temp normally can be emptied in the directory this temp directory is in:

    That's the Daemon Tools virtual CD-ROM client folder and executable. It isn't spyware, malware, or a virus.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Thrax wrote:
    That's the Daemon Tools virtual CD-ROM client folder and executable. It isn't spyware, malware, or a virus.


    I use THIS FIRST, then what I am talking about Thrax.... What I am talking about is BELOW the text.... SHEESH. The stuff you are objecting to is in ref to C:\documents and settings\stephen klick\local settings\temp\GmlrhZ.exe
    .

    NOTE I put label of what it is first from top down consistently.
  • Thrax 🐌 Austin, TX Icrontian
    edited May 2004
    My rare apologies to you.

    You're the only one on the forum who lists in that manner. You can understand the mistake.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Not when top of post started with a list-- did it for consistency, and to go from top of log down. Label would get lost if after list. In this case of having a list first, since had lots of complaints about not being brief enough, decided to use label as header instead of footer for each section.
  • edited May 2004
    This compy is an XP computer and always has been.

    It's a Dell.

    I use Daemon Tools so that I can play music and still have a video game running :)

    I'll repost a log in a bit. Thanks a lot for the help guys!
  • edited May 2004
    I removed what you said in safe mode... o.o

    I still have the OmegaSearch bar on my computer... it's now reset my homepage to omegasearch ... I now have a NEW little thing at the bottom of my screen called "searchbar" -_- --- and I still have popups marching across my screen. Wah!

    Here is the log again ;

    Logfile of HijackThis v1.97.7
    Scan saved at 12:39:33 AM, on 5/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\PROGRA~1\JUNKEA~1\InfoProgram.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\PROGRA~1\WHENUS~1\Search.exe
    C:\WINDOWS\System32\imeberos.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\WINDOWS\System32\wtsit.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\WINDOWS\System32\ASHLPRI.exe
    C:\WINDOWS\System32\Zak3X9EP.exe
    C:\WINDOWS\System32\Ndi39.exe
    C:\Program Files\Folding@Home\FahCore_65.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Stephen Klick\Desktop\HijackTHIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {80576AF2-0166-9AFB-4902-376B85835666} - C:\PROGRA~1\BashMode\OneDvd.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [hole mags] C:\PROGRA~1\JUNKEA~1\InfoProgram.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\RazhIQ.exe
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [378i38i] imeberos.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [ASHLPRI] C:\WINDOWS\System32\ASHLPRI.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtsit.exe
    O4 - Startup: Folding@home 4.00.lnk = ?
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    What am I doing wrong? :(
  • Dexter Vancouver, BC Canada
    edited May 2004
    Reboot in SAFE MODE.

    Run HJT (make sure you have placed HJT in its own directory so that it can save backups safely.)

    Fix the following:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omegasearch.com/passthrough/index.html?http://about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {80576AF2-0166-9AFB-4902-376B85835666} - C:\PROGRA~1\BashMode\OneDvd.dll

    (Omegasearch and MySearch entries)


    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    (Auto Updaters for Real Player and QuickTime - waste of resources, not necessary at boot)


    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SysUpd.exe

    (This is a hijacker called InternetAntispy. It's crapware. Toast it.)


    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

    (Adware - ClickAlchemy.com. Kill it.)



    O4 - HKLM\..\Run: [hole mags] C:\PROGRA~1\JUNKEA~1\InfoProgram.exe

    (Omegasearch re-installer.)



    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe

    (Adware)



    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\RazhIQ.exe

    O4 - HKLM\..\Run: [378i38i] imeberos.exe

    O4 - HKLM\..\Run: [ASHLPRI] C:\WINDOWS\System32\ASHLPRI.exe


    (Unknown files - no search matches, random file name protocol, not likely to be anything good.)



    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe

    (Adware)



    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    (People on Page crapware. Unless you like People on Page, toast this.)


    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

    (Adware based Media Player - Delfin Promulgate viewer.)



    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

    (Adware)

    After you have done this, it is a good idea to manually locate each of the .exe or .dll files listed, and place them in a Quarantine directory. Rename each of them so that instead of ".exe" you have .XXX, and instead of ".dll" you have .DDD, so that you can easily retrieve them if necessary.

    That should clean you all up. Reboot in normal mode, check things out, run another HJT scan and post the log.

    I recommend you consider using Spyware Blaster to immunize your browser against further hijacks. Go to our downloads section for that app.

    Dexter...
  • edited June 2004
    help! computer barely runs! popups at critical condition o_o.

    :(

    This is the log. It took me like an hour to get. Everything keeps freezing up.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:09:46 AM, on 6/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\System32\xdeoue.exe
    C:\WINDOWS\dhbrwsr.exe
    C:\WINDOWS\dhbrwsr.exe
    C:\WINDOWS\Wast.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\System32\wtsit.exe
    C:\Program Files\ClockSync\Sync.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\WINDOWS\System32\ERFD009P.exe
    C:\Program Files\Folding@Home\FahCore_78.exe
    C:\WINDOWS\System32\ZxdecM.exe
    C:\WINDOWS\System32\Xms09TI.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
    C:\Documents and Settings\Stephen Klick\Desktop\HijackTHIS\HijackThis.exe

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KrwH5f.exe
    O4 - HKLM\..\Run: [ijofxwcvnx] C:\WINDOWS\System32\xdeoue.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [hgl] C:\WINDOWS\hgl.exe
    O4 - HKLM\..\Run: [Wast] C:\WINDOWS\Wast
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [ERFD009P] C:\WINDOWS\System32\ERFD009P.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtsit.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /waitstart
    O4 - Startup: Folding@home 4.00.lnk = ?
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
  • shwaip bluffin' with my muffin Icrontian
    edited June 2004
    please follow the instructions in this thread to run adaware and spybot S&D:
    http://www.short-media.com/forum/showthread.php?t=14915

    if you have already done so, let us know.

    if not, do so and post a new log.
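
Added example (not part of the original thread and not HijackThis code): a small Python parser for the O4 registry autorun lines in the logs above. It diffs two scans to show which Run values were removed, which are new, and which kept their value name but now point at a different file, as [2LRX2W83X2T3MQ] does between the 5/27 and 5/28 logs. The sample lines are excerpted from those two logs; the function names and the two flag heuristics are assumptions chosen for illustration.

```python
import re
from ntpath import basename

# O4 registry autorun line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

# Excerpts from the first (5/27) and second (5/28) logs posted in the thread.
SCAN_1 = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [GmlrhZ] C:\documents and settings\stephen klick\local settings\temp\GmlrhZ.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\KrwH5f.exe
O4 - HKLM\..\Run: [378i38i] imeberos.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Stephen Klick\Application Data\ttuh.exe
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\RazhIQ.exe
O4 - HKLM\..\Run: [378i38i] imeberos.exe
O4 - HKLM\..\Run: [ASHLPRI] C:\WINDOWS\System32\ASHLPRI.exe
"""

def parse_run_entries(log_text):
    """Return {(hive, key, value_name): command} for each O4 registry autorun line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())  # forum posts indent the log lines
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command.strip()
    return entries

def target_path(command):
    """Pull the executable path out of a Run command, quoted or unquoted."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first executable
    # extension that is followed by whitespace, a comma or end of line.
    m = re.match(r"(.+?\.(?:exe|dll|com|bat))(?:\s|,|$)", command, re.I)
    return m.group(1) if m else command

def diff_scans(before, after):
    """Compare two scans by registry value, not by file name."""
    b, a = parse_run_entries(before), parse_run_entries(after)
    retargeted = [
        (k[2], basename(target_path(b[k])), basename(target_path(a[k])))
        for k in b.keys() & a.keys()
        if target_path(b[k]).lower() != target_path(a[k]).lower()
    ]
    return {
        "removed": sorted(k[2] for k in b.keys() - a.keys()),
        "added": sorted(k[2] for k in a.keys() - b.keys()),
        # Same value name, different file: something rewrote the entry.
        "retargeted": sorted(retargeted),
    }

def flagged(log_text):
    """Illustrative heuristics only (assumptions, not verdicts), keyed by value name."""
    result = {}
    for (_hive, _key, name), command in parse_run_entries(log_text).items():
        path = target_path(command).lower()
        reasons = []
        if "\\" not in path:
            reasons.append("no-path")   # bare file name, resolved via the search path
        if "\\local settings\\temp\\" in path:
            reasons.append("temp-dir")  # autorun launched from the user's Temp folder
        if reasons:
            result[name] = reasons
    return result

if __name__ == "__main__":
    for section, items in diff_scans(SCAN_1, SCAN_2).items():
        print(section, items)
    print("flagged in second scan:", flagged(SCAN_2))
```

A retargeted or newly added value after a cleanup pass means the component that writes the autorun entries is still running, so the full list of entries needs to be handled in one pass rather than file by file.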