Old 11-25-2003, 11:10 AM   #11
Stormymystic
Knight of the Rose
 

Join Date: April 8, 2003
Location: Arkansas
Age: 48
Posts: 4,442
Quote:
Originally posted by Albromor:
Also, if you go to www.trendmicro.com they have a free online scan for viruses, etc. It found stuff that I didn't even know I had (and I have the latest Ad-aware) and removed them as well. It is safe, constantly updated, and it is free!
thanks again, I have used this one before, and had lost the link, I like how it works :)
Stormymystic is offline  
Old 11-25-2003, 11:18 AM   #12
andrewas
Harper
 

Join Date: October 2, 2001
Location: Aberdeen, Scotland
Age: 42
Posts: 4,774
Quote:
Originally posted by Stormymystic:
yes! I got it, thanks, and it loads faster, the monitor no longer flashes
but there are still 32 processes running, not sure what they are, or how to get rid of them
Google for any process, it will almost always turn up a description. Post any that you can't identify that way.
andrewas is offline  
Old 11-25-2003, 12:34 PM   #13
harleyquinn
Symbol of Cyric
 

Join Date: November 25, 2002
Location: NY
Age: 48
Posts: 1,190
Quote:
Originally posted by Stormymystic:
quote:
Originally posted by Jorath Calar:
Hit "F8" as soon as Windows starts loading... you get a list of startup options and one of them is Safe mode... :)
yes! I got it, thanks, and it loads faster, the monitor no longer flashes
but there are still 32 processes running, not sure what they are, or how to get rid of them
Stormy, what version of Windows are you running? I know Win2000 has all these stupid automatic "services" that run but that in real life you don't need most of them. If you go to the control panel and Administrative tools, you'll see "Services" in there. Sorry I can't tell you what you need and don't need, though, someone else here will have to answer that for you.
harleyquinn is offline  
Old 11-25-2003, 12:42 PM   #14
Stormymystic
Knight of the Rose
 

Join Date: April 8, 2003
Location: Arkansas
Age: 48
Posts: 4,442
well, I did what Andrewas suggested, and found at least 1 hijacker, the problem is, it keeps coming back, even after I un-install the program, I have run Ad Aware 5 times now, and it keeps finding things :'( I am gonna go scream in a minute, I was planning on spending time with my kids, but if I do not get this fixed, and the computer crashes, my husband will go ballistic
Harley, I am on Windows XP and I have tried that as well, and it does basically the same thing, I have no clue what should be, and what should not be on there, I keep getting confused on like MCagent, it keeps trying to change the spelling to msagent, and that is not what is showing up!, I also downloaded a hijack killer, called HijackThis, and it found a lot of stuff, but not sure how to proceed from there
Stormymystic is offline  
Old 11-25-2003, 01:51 PM   #15
andrewas
Harper
 

Join Date: October 2, 2001
Location: Aberdeen, Scotland
Age: 42
Posts: 4,774
Mcagent is part of network versions of McAfee. Which sounds odd to find on a home system, but it is legit.

[Edit] On HijackThis, here's a tutorial on reading the logs:

http://www.spywareinfo.com/~merijn/htlogtutorial.html

Or post it here. Or ask on those forums.

[ 11-25-2003, 01:59 PM: Message edited by: andrewas ]
andrewas is offline  
Old 11-25-2003, 02:22 PM   #16
IAmThumper
Dungeon Master
 

Join Date: May 19, 2003
Location: Woodstock, Ontario, Canada
Age: 50
Posts: 93
If you remove something and it comes back then something must be installing it. I used to use KaZaA and it kept installing stuff and I assume other software does this as well.
The first thing I would do is kill all non-essential processes. I would then run your Ad-aware and Spybot and antivirus software. I know of some software which while it is running you can never get rid of it (viruses and malware mostly).

www.blackviper.com is a good site for help in determining what service/process does what.

I would get rid of all the services/processes you absolutely don't need. You can then bring them back one at a time and see if this hijacker gets reinstalled. It's an annoying process but if you have no other choice.
You could also check your registry to see what is being run at startup. Run regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I'm sure there is another way to find out what is run at startup but I'm unsure of the correct WinXP program to run. Anyway this will tell you all the programs that get run at start up. I don't go into the registry very often and I don't advise editing it. I have three things in my run and nothing in runonce. This might help in determining what is reinstalling the hijacker.
I hope some of this helps.
IAmThumper is offline  
Old 11-25-2003, 04:24 PM   #17
Stormymystic
Knight of the Rose
 

Join Date: April 8, 2003
Location: Arkansas
Age: 48
Posts: 4,442
I will post it here Andrewas

Logfile of HijackThis v1.97.7
Scan saved at 10:54:32 AM, on 11/25/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us3.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/game.../y/fltt3_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/active...side_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...2/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1475173e0e172f5...p/RdxIE601.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web664.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...05/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


have fun
Stormymystic is offline  
Old 11-25-2003, 05:29 PM   #18
andrewas
Harper
 

Join Date: October 2, 2001
Location: Aberdeen, Scotland
Age: 42
Posts: 4,774
Ouch. Longer than I expected. I'll mark down the instant-kill stuff that I can spot. Some of the Lexmark stuff is possibly buggy, but it doesn't cause internet weirdness, so leave it.

Quote:
Originally posted by Stormymystic:

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe mwsoemon.exe kill this

O2 - BHO: (no name) - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL Kill this

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe Kill this

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg It's unlisted. Leave it to be safe.


O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab Kill this


have fun
I'm not certain on all of the O16 stuff, but the above is what I know is dangerous.

[ 11-25-2003, 06:04 PM: Message edited by: andrewas ]
andrewas is offline  
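Added example, not part of the original thread or any poster's code: a small Python triage of the HijackThis log format posted above, tying together the Run-key check suggested in post #16 and the entries marked in post #18. It reports startup (O4) entries whose executable is also running, and every line that references a given component; the function names are assumptions of this example and the sample is a few lines copied from the posted log.

```python
import re
# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
"""
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                   # section code, detail
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")  # hive, key, name, command

def parse_log(text):
    """Return (running process paths, [(section code, detail), ...])."""
    processes, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append(m.groups())
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
    return processes, entries

def running_autoruns(processes, entries):
    """Names of O4 startup entries whose executable is also running right now."""
    running = [p.lower() for p in processes]
    hits = []
    for code, detail in entries:
        m = RUN.match(detail) if code == "O4" else None
        if m and any(m.group(4).lower().lstrip('"').startswith(p) for p in running):
            hits.append(m.group(3))
    return hits

def references(processes, entries, needle):
    """Every place a component shows up, so all of them are handled together."""
    rows = [("process", p) for p in processes] + list(entries)
    return [(code, d) for code, d in rows if needle.lower() in d.lower()]

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(running_autoruns(procs, ents))
    print(references(procs, ents, "stumbl"))
```

A component that appears both as a running process and as a startup entry is relaunched at every boot, so an item removed in only one of the places it is listed is the first thing to check when it reappears.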
Old 11-25-2003, 06:06 PM   #19
Stormymystic
Knight of the Rose
 

Join Date: April 8, 2003
Location: Arkansas
Age: 48
Posts: 4,442
ok, I think that helped, so far no random weirdness, or change of sites,
now if it just does not come back :/

[ 11-25-2003, 06:36 PM: Message edited by: Stormymystic ]
Stormymystic is offline  
Old 11-25-2003, 06:35 PM   #20
Stormymystic
Knight of the Rose
 

Join Date: April 8, 2003
Location: Arkansas
Age: 48
Posts: 4,442
ok, I give up, I honestly do, the files are back on my system, no matter how I
go about removing them, they always come back :'(

[ 11-25-2003, 06:36 PM: Message edited by: Stormymystic ]
Stormymystic is offline  
 

