
Help please..HJT log file



Shelley
2008-10-12, 07:15
Hi, I was recently hit with trojan/virus ServU-Daemon in 4 places, as well as 3 PUPs (Dialer-182, Adware-Medload and Adware-HotBar). My anti-virus quarantined them all and I later deleted them. I scanned with Spybot, Adaware as well as Malwarebytes, and also did a virus scan in safe mode and again in normal mode. Everything appears to be clean now, but it was suggested to me to download HijackThis and ask for help on the results. It is the first time I have ever used this, so I am hoping you can help me with the log file to make sure that my PC is ok now. There seems to be a warning not to delete anything if you are not familiar with HJT; that is why I need an expert's advice on this log file (below). I am running Windows XP SP3. Thanks in advance for your help.

Thanks again,
Shelley

HJT log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:41 AM, on 10/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\pf5kp0ek.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/141b0fd91ec1006c0a05/netzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/300fcaae9b1a22715f05/netzip/RdxIE2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145025402828
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7852 bytes

Shelley
2008-10-12, 07:20
I also found a PUP called terminator.exe when I did a virus scan in safe mode. I deleted that as well.
Thanks

pskelley
2008-10-12, 17:45
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Shelley, since you are new to the Malware Forum, I will take the time to post some information for you. Pinned (sticky) to the top of this forum and posted above are the instructions, they are there for your benefit, and you will see stuff like this:
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
and much, much more. Since I have no idea what you removed before I got a look, this is all I can suggest at this point.

C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
Have a look at some of this information:
http://www.google.com/search?hl=en&q=ShadowBar.exe&btnG=Google+Search&aq=f&oq=

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
The Java scheduler, which rarely works right, is showing you are out of date.


1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(you could leave these if you put them there)
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.7.150/141b0fd91ec1006...tzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/300fcaae9b1a227...zip/RdxIE2.cab
Netster adware junk

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

I would like to see a new MBAM scan result, you may use the program you have if you still have it, but update it first.

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks...Phil

Shelley
2008-10-13, 04:24
Hi Phil,
I really appreciate your time, response and help. I hope that it is ok to post a few questions before I do what you suggested as well as post the requested follow up logs. I read all of the links that you provided and was ready to follow all the steps tonight but a few things confused me and I wanted to double check with you before I proceed.
Firstly,
I read about shadowBar.exe and I am wondering if MBAM will remove it, also I am hoping that it is not part of my HP clock on the top of my screen, I would miss that.
Next, I am confused as to which Java I should delete, I have 3 in my add/remove programs. Should I only remove the "J2SE runtime environment 5.0 update 3"? Because I also have "Java Web start" as well as "Java 2 Runtime Environment, SE v1.4.0_01". Also, the link to the newer version is in multi language and asks to download a download manager as well. Help! What should I do?

I did download the ATF cleaner and found also that Market Browser(which you made note of) came pre-installed with my computer a few years back. I never use it and decided to delete it, hope that was ok. Not sure if the HJT items will change regarding this.
Sorry for all of the questions but I want to make sure I understand and do the right thing.
Can you get back to me with your thoughts and I will go on from there.

Thanks again,
Shelley

pskelley
2008-10-13, 13:06
Morning Shelley, let's see if I can give you answers...

ShadowBar.exe <<< that would have to be deleted manually. It is put there by HP, and the reason I posted the Google link was so you could understand what it is. It is an optional removal; you can always delete the file to your Recycle Bin, where you could restore it if you wanted to. Having never owned an HP with it on, about the only other thing I can suggest is to discuss it with technical support at HP prior to removing the file.
Since it is technically "legitimate", MBAM, which goes after rogue malware, would not remove it.


Java << hackers exploit all old versions, once you are updated to
Java SE Runtime Environment (JRE) Version 6 Update 7
according to tashi's information, the version you need is above:
http://java.sun.com/javase/downloads/index.jsp <<< download link
Then this would be your download:
Java Runtime Environment (JRE) 6 Update 7
The Java SE Runtime Environment (JRE) allows end-users to run Java applications.

Then remove all old versions.

According to the information at this link:
http://java.sun.com/javase/technologies/desktop/javawebstart/index.jsp
Where Do You Get Java Web Start?
Java Web Start is included in the Java Runtime Environment (JRE) as part of Java SE 6. So you can leave that if you use it.

If you have problems removing the old versions, and many folks do, this tool will help: http://www.majorgeeks.com/JavaRa_d5967.html

Once you get Java (security risk) up to date complete the rest of the instructions and post those logs, and I will have a better idea of what was done.

Post a Uninstall list also, since Java was out of date, you likely have other out of date programs:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Don't hesitate to ask questions, that is how I learn too.

Thanks...Phil

Shelley
2008-10-15, 08:41
Hi Phil,
Firstly, thank you so very much for making me feel comfortable in asking questions, I really appreciate that very much. I did the uninstall of the Java Runtime and during the first one... sure enough I did have an error message: "unhandged exception error number 0x80040702 failed to load dll: act panel. setup will now terminate". I then restarted my pc and used the link to the tool that you had given me, it uninstalled the other version as well as web start. I hope it also took care of the error message, it seems to be ok. I then installed the newer version and it appears in my add/remove programs...I am happy about that! Do you think it took care of the error message? I tried running a java game and it did work, although on the java website I couldn't click on a few things. Well, maybe it had to add something because an icon appeared and loaded something, then in the system tray an icon appeared saying that I have the standard edition of Java. Any thoughts on that? Web start seems to be gone from my add/remove...what was it for?

Ok, then I removed the 2 "fixes" with HJT that you said were "nester adware clutter", I will post that log shortly. My next step was to run the ATF Cleaner and here is my question: When I turned on my pc tonight, it advised me that there were 7 Microsoft updates which I downloaded and installed.
Now, on the Windows disc cleaner which I try to do sometimes it says not to delete temporary (..I think it was that) files for one week if they have been modified. Now with all of the Microsoft as well as antivirus updates, is it still safe to "check all" (including windows temp, user temp, etc) under the ATF cleaner? What is your opinion...I don't want to mess up, so far so good I hope. Ok I will do the next steps after I hear from you.
Thanks once again so much for helping me, I truly appreciate it.

Here is my HJT log file now, I will post the other logs when I finish the next steps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:44 AM, on 10/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\sistray.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\pf5kp0ek.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145025402828
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7675 bytes

P.S. If I decided to, would HJT remove ShadowBar? I know you said I had to do it manually, but I saw it in the log and I was just curious. Not that I am even sure I want to remove it yet.

pskelley
2008-10-15, 13:00
Do you think it took care of the error message?
Yes

Any thoughts on that?
None...ask Java support those questions.

If you ran clean manager, you don't have to run ATF-Cleaner.
http://spyware-free.us/tutorials/cleanmgr/

HJT will remove the items from the log, but to remove the file, you have to navigate to it and delete it manually.

C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

Your HJT log appears clean of malware; if MBAM is clean and there are no issues in the Uninstall list, you are good to go.

Thanks

Shelley
2008-10-17, 02:35
Hi Phil,
I hope you are well! I have to thank you again for all of your great help. Thanks also for the info on shadowbar etc. I am now ready to post the last of my logs that you had required as well as a couple of questions that I have.
Firstly I will ask my questions before I forget:
Is it safe to delete the HJT logs that are in .txt format as well as "file" format, there are 2. The one in the "file" format just says file and I am not sure what the extension is. In any case, can I safely delete them?

Also, I have the ATF cleaner on my desktop, I think it was a zip file(now I forget), do I just right click and delete (if I decide not to keep it)? Also, if I want to keep it but move it to another folder, how should I do that?
By the way, you said that it was ok to do a disc cleanup instead of the ATF Cleaner and that is what I did, although I did not remove the 1KB in the temporary files as I had just recently done the windows updates...hope that is ok. All others were cleaned (excluding the compress old file folder). Since you said this was ok, what happens to the prefetch files etc, that ATF was supposed to clean? I hope it's ok.

Ok here is the full scan results of the updated MBAM scan (looks great!):
Malwarebytes' Anti-Malware 1.28
Database version: 1276
Windows 5.1.2600 Service Pack 3

10/16/2008 3:30:12 PM
mbam-log-2008-10-16 (15-30-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 144952
Time elapsed: 2 hour(s), 12 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Now here is the Uninstall list from HJT: Let me just say again that quite a few programs came pre-installed with my HP PC. Also, there is one thing that I couldn't get rid of a while back and I don't know what it is, the one called Morpheus 1.9; it would not delete in the past.

ACDSee
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Elements 6.0
Adobe Reader 7.0
AtomixMP3
Canon ScanGear Toolbox 3.0
Dazzle Photo Editor
Detto IntelliMover
Easy Internet Sign-up
EAX Unified
EPSON Printer Software
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HiJaak Image Manager Browser 1.0
HijackThis 2.0.2
Hollywood FX Pack 26 - Extra FX
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp center
HP Instant Support
HP Learning Adventure
HP Photo Imaging Software
HP Photo Printing Software
HP Share-to-Web
Inactive HP Printer Drivers (Remove only)
InterVideo WinDVD
Java(TM) 6 Update 7
KBD
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.10.3
Logitech Desktop Messenger
Logitech IM Video Companion
Logitech ImageStudio
Mafia Game
Malwarebytes' Anti-Malware
McAfee SecurityCenter
MGI PhotoSuite 4 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Baseline Security Analyzer 1.2
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
Monopoly
Morpheus 1.9
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
My Photo Center
Nero 6 Ultra Edition
NeroVision Express 2
Netscape (7.0)
OmniPage Pro 9.0
Paint Shop Pro 7 ESD
PC-Doctor for Windows
PhotoJam 3
Pinnacle Hollywood FX 5
Pinnacle Hollywood FX Pack0 - Extra FX
Pinnacle Hollywood FX

Pinnacle USB device drivers
Polyphonic Wizard v4
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
QuickTime
RealPlayer
RichFX Player
Scan Manager 5.2
Scrabble
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
SereneScreen Aquarium
SiS 650
SiS 900 PCI Fast Ethernet Adapter Driver
SiS Audio Driver
SmartSound Quicktracks Plugin
Sonic Foundry Super Duper Music Looper XPress
Spybot - Search & Destroy
Studio 9
Studio 9.3 Patch
Studio Content DVD
SureThing CD Labeler - Stomper Edition 32 bit
SureThing CD Labeler SE - Sonic
Tcl 8.0.5 for Windows
TMPGEnc Plus 2.5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Media Player (Remove Only)
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Movie Maker 2 Winter Fun Pack
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Service Pack 3
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy
Yahoo! Messenger

Thanks and have a great night/day.
Shelley

pskelley
2008-10-17, 03:37
Is it safe to delete the HJT logs that are in .txt format as well as "file" format,
Yes, I always leave the last HJT log in the folder here:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
When you create a new one and close it, the one in the folder should be replaced with the newest. This way you can always refer to the last HJT log if you have questions about something new in the log.

Here is a good tutorial for learning all of the functions of HJT:
http://www.bleepingcomputer.com/tutorials/tutorial42.html

ATF-Cleaner should be a small trash can. It is freeware and you may do with it as you wish, but you will not find a better cleaning tool anywhere for that price.
http://forums.security-central.us/showthread.php?t=1925 <<< tutorial

I did not remove the 1KB in the temporary files as I had just recently did the windows updates
why do you think they call them temporary?

what happens to the prefetch files etc
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

MBAM scan <<< waste of space posting a clean scan

Uninstall list I only look at malware and security issues.

LimeWire 4.10.3 <<< http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

Morpheus 1.9 <<< I see no reason why it should not uninstall?
http://www.google.com/search?hl=en&q=remove+Morpheus+1.9&btnG=Google+Search&aq=f&oq=

Viewpoint Media Player (Remove Only) <<< if you do not use this item, I would uninstall it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

Shelley
2008-10-17, 05:54
Hi Phil,
Just a short note to thank you for all of your wonderful help.
I would highly recommend you and this forum to all.
Be well and take care.
Will read links and get back to you if anything occurs.
All the best,

Shelley

Shelley
2008-10-17, 09:17
Hi Phil,
Me again. I did as you said and deleted the Viewpoint Media Player, but I am having a very difficult time removing Morpheus 1.9 (add/remove did not work). I read that many people had the same problem as me and there was a registry cleaner for this but it no longer seems to exist (morpheus_regclean.exe). I did a search on my system and can't find the program file; supposedly there is an uninstall there but it is nowhere to be found. I believe that this is from 2002 (according to searches, and it is very hard to find a fix now). It seems to be spyware, why didn't SpyBot or MBAM catch it? Could it be that it is not active and only some registry keys are left behind... if this is true is it dangerous? In any case, is it dangerous? Can I leave it be? I need your expert advice on this one also. Help please, I am upset, after all of this work. There is a link to go into the registry and delete some files but I am afraid to fool around with the registry....sigh. Any thoughts?
Thanks,
Shelley

Shelley
2008-10-17, 09:25
Sorry, it printed 3 times... I really apologize for wasting space. Please read the final one. Why is there no edit button for these posts...sigh.


Edit:

Can I edit my own posts?

In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.


"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) ;)

Shelley
2008-10-18, 16:31
Read many posts, afraid to edit registry....sigh. Need help in removing morpheus 1.9.
Also removed rarely used Limewire.

pskelley
2008-10-18, 16:52
Hi Shelley, I removed the extra posts; you must only hit Add Reply one time. Sometimes if the site is busy, it takes a few moments to post.

I believe that this is from 2002(acording to searches and is very hard to find a fix now). It seems to be spyware, why didn't SpyBot or MBAM catch it?
Keep in mind the tools are specific to certain malware and the databases would have to be huge if they were to include malware from 2002. I personally have not seen it in a while.

http://forums.spybot.info/showthread.php?t=288

Can I edit my own posts?
In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.

http://forums.spybot.info/showthread.php?t=30113
If you should ever use a registry cleaner, be sure you have made a backup prior to starting.

We could install combofix and use the CFScript feature to remove that toolbar/program, but that seems like overkill. Post a new Uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

and a fresh HJT log. Give me some time to look at the information and think on it.

Thanks...Phil

Shelley
2008-10-19, 19:55
Hi Phil,
Thanks for your reply! Morpheus 1.9 is not a "toolbar" but resides in my add/remove list, as you know. I did not realize that the databases were limited, thanks for that info. I also read the post about registry cleaners.
I did more research and found that this might have come with Kazaa that was installed on this pc in or around 2004/2005. As a matter of fact, there is still a Kazaa entry in my msconfig startup list though it is unchecked. So to me, you probably know better, it seems they came together. You are right about these P2P programs, I never realized. I uninstalled LimeWire via add/remove but I am still left with a huge file (7.52MB) C:/documents and settings/owner .limewire . It includes (network share, themes, splash free.png, etc). Also under C:/Stubinstaller (limewire swarmed installer)...YIKES! Not happy with the uninstall at all.
Ok, back to my logs,
I made a few changes to my main page and email so if you see that it wasn't done maliciously.

Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:40 AM, on 10/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\pf5kp0ek.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145025402828
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 7701 bytes

And here is the uninstall list from HJT that you asked for:
ACDSee
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Elements 6.0
Adobe Reader 7.0
AtomixMP3
Canon ScanGear Toolbox 3.0
Dazzle Photo Editor
Detto IntelliMover
Easy Internet Sign-up
EAX Unified
EPSON Printer Software
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HiJaak Image Manager Browser 1.0
HijackThis 2.0.2
Hollywood FX Pack 26 - Extra FX
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp center
HP Instant Support
HP Learning Adventure
HP Photo Imaging Software
HP Photo Printing Software
HP Share-to-Web
Inactive HP Printer Drivers (Remove only)
InterVideo WinDVD
Java(TM) 6 Update 7
KBD
Lernout & Hauspie TruVoice American English TTS Engine
Logitech Desktop Messenger
Logitech IM Video Companion
Logitech ImageStudio
Mafia Game
Malwarebytes' Anti-Malware
McAfee SecurityCenter
MGI PhotoSuite 4 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Baseline Security Analyzer 1.2
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Microsoft Windows Journal Viewer
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
Monopoly
Morpheus 1.9
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
My Photo Center
Nero 6 Ultra Edition
NeroVision Express 2
Netscape (7.0)
OmniPage Pro 9.0
Paint Shop Pro 7 ESD
PC-Doctor for Windows
PhotoJam 3
Pinnacle Hollywood FX 5
Pinnacle Hollywood FX Pack0 - Extra FX
Pinnacle Hollywood FX

Pinnacle USB device drivers
Polyphonic Wizard v4
PS2
Python 1.5 combined Win32 extensions
Python 1.5.2 (final)
Quicken Financial Center
QuickTime
RealPlayer
RichFX Player
Scan Manager 5.2
Scrabble
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
SereneScreen Aquarium
SiS 650
SiS 900 PCI Fast Ethernet Adapter Driver
SiS Audio Driver
SmartSound Quicktracks Plugin
Sonic Foundry Super Duper Music Looper XPress
Spybot - Search & Destroy
Studio 9
Studio 9.3 Patch
Studio Content DVD
SureThing CD Labeler - Stomper Edition 32 bit
SureThing CD Labeler SE - Sonic
Tcl 8.0.5 for Windows
TMPGEnc Plus 2.5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Movie Maker 2 Winter Fun Pack
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Service Pack 3
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy
Yahoo! Messenger

Why are there double listings of some programs?
Have a nice day and thanks again!
Shelley
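
A triage pass over log lines like the ones in the post above, as an added example that is not part of this thread and not code from HijackThis: it parses the section prefixes (O2/O3/O4/O15/O23), pulls out the binary each entry points at, and flags the things a helper looks at first. The heuristics are my own, not a published HijackThis rule set, and the sample lines are constructed for the example (most mirror entries in the log above; the `example.exe` entry under the user profile is invented to show the user-writable-location check, not something found on this machine).

```python
"""Triage helper for a HijackThis-style log. Added example for this thread,
not code from HijackThis or from the forum; the heuristics are the author's own
and SAMPLE_LOG is constructed (most lines mirror the posted log, the
example.exe entry under the user profile is invented for illustration)."""
import re

PREFIX_RE = re.compile(r"^([RNFO]\d+)\s+-\s+(.*)$")
# A Windows path to a binary, long or 8.3 (PROGRA~1) form, up to the extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cab|scr)', re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\")
USER_DIRS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")


def parse_entry(line):
    """Return (section, body, first binary path or None), or None if not an entry."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    p = PATH_RE.search(body)
    return section, body, (p.group(0) if p else None)


def o4_command(body):
    """For 'HKLM\\..\\Run: [Name] command args' return just the command token."""
    _, _, rest = body.partition("]")
    cmd = rest.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def flags_for(line):
    """Reasons a helper would look twice at this line; empty list means nothing stood out."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body, path = parsed
    flags = []
    low = (path or "").lower()
    if section == "O4" and "Startup:" not in body:
        cmd = o4_command(body)
        if cmd and "\\" not in cmd:
            # A bare file name is located via the search order, so a same-named
            # file in a directory searched earlier would run instead.
            flags.append("unqualified path in Run value: " + cmd)
    if path and any(d in low for d in USER_DIRS):
        flags.append("binary in a user-writable location")
    elif path and not any(d in low for d in SYSTEM_DIRS):
        flags.append("binary outside Windows/Program Files: verify vendor")
    if section == "O2" and "(no name)" in body:
        flags.append("nameless BHO: verify the CLSID and DLL")
    if section == "O23" and "Unknown owner" in body:
        flags.append("service with no vendor string: verify signature")
    if section == "O15" and "*." in body:
        flags.append("wildcard Trusted Zone entry")
    return flags


def triage(log_text):
    """Return [(section, body, flags)] for every entry that raised a flag."""
    out = []
    for line in log_text.splitlines():
        f = flags_for(line)
        if f:
            section, body, _ = parse_entry(line)
            out.append((section, body, f))
    return out


SAMPLE_LOG = r"""
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [Example] C:\Documents and Settings\OWNER\Local Settings\Temp\example.exe
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
"""

if __name__ == "__main__":
    for section, body, flags in triage(SAMPLE_LOG):
        print(section, "|", body)
        for f in flags:
            print("    ->", f)
```

A flag is a reason to check the entry, not a verdict: the OEM keyboard helper under C:\HP and the nameless SiteAdvisor BHO are both legitimate here, and the point of the unqualified-path check on `LTMSG.exe 7` is only that the binary is found by search order rather than by an absolute path.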

pskelley
2008-10-19, 21:25
I notice this Adobe Reader 7.0 <<< what is happening: hackers are exploiting out-of-date programs to infect us, so it is more important now than ever to keep all programs securely up to date. This information may help you.

Here is a small free tool that lets you know when something needs an update if you are interested:
https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Morpheus
Morpheus is a file-sharing program. When using Morpheus to download from an unknown source, you may download malicious files or files that come bundled with other software or adware.
http://www.safer-networking.com/spywaredatabase.php

http://www.safer-networking.com/removeMorpheus.php <<< manual removal instructions.

You will be using Windows Registry Editor and I still suggest you make a registry backup and place it on the Desktop. After you are sure all went well and the computer is running fine
(give it a few days) then RIGHT click and delete the Registry Backup. DO NOT click or double click, you may return the junk to the Registry.

Backup Your Registry Manually With Windows
Credit for this canned speech goes to Michelle.
We need to backup the registry before we continue.
Registry edits can be potentially dangerous; we can revert to the backup if needed.
Go to Start » Run » type: regedit » OK.
On the left side, click to highlight My Computer at the top.
Go up to File » Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File » Exit.

Thanks
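
The full-hive export above is the safe default. When the removal instructions name the specific keys to delete, a narrower check is also possible: export just those keys with the built-in reg.exe, then confirm the backup actually contains every key the removal script will delete before running it. The script below is an added example for this thread, not code from the forum or from Microsoft. The key names are hypothetical placeholders (ExampleP2P, not real Morpheus keys), both .reg texts are constructed, and it assumes regedit's text format (a real export is UTF-16 with a BOM, so read the file with encoding='utf-16' before passing the text in).

```python
"""Check that a registry backup (.reg export) covers every key a removal .reg
script deletes. Added example for this thread, not from the forum or from
Microsoft. Key names are hypothetical placeholders and both .reg texts are
constructed; a real regedit export is UTF-16 with a BOM, so open it with
encoding='utf-16' before passing its text to parse_reg()."""
import re

KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]+)?)\]$")


def logical_lines(text):
    """Join regedit's backslash-continued hex lines into single lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text):
    """Return (keys, deletions). keys maps lower-cased key path -> {value name: raw data};
    deletions lists keys written as [-HKEY...], which regedit deletes with all subkeys.
    Value names containing '=' are not handled; the first '=' is taken as the separator."""
    keys, deletions, current = {}, [], None
    for line in logical_lines(text):
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            key = key.lower()
            if minus:
                deletions.append(key)
                current = None
            else:
                current = key
                keys.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = raw
    return keys, deletions


def uncovered_deletions(backup_text, removal_text):
    """Keys the removal script deletes that the backup does not contain.
    regedit exports a key with its whole subtree, so a backup of an ancestor
    key covers a deeper key as well."""
    backed_up, _ = parse_reg(backup_text)
    _, deletions = parse_reg(removal_text)
    missing = []
    for key in deletions:
        covered = any(key == b or key.startswith(b + "\\") for b in backed_up)
        if not covered:
            missing.append(key)
    return missing


def reg_export_command(key, out_path):
    """Command line for exporting one key with the built-in reg.exe; /y overwrites."""
    return ["reg", "export", key, out_path, "/y"]


# Constructed sample: a targeted export of one key and its subkey.
BACKUP = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleP2P]
"InstallDir"="C:\\Program Files\\ExampleP2P"
"Flags"=hex:01,00,\
  00,00

[HKEY_CURRENT_USER\Software\ExampleP2P\Settings]
@="default"
"""

# Constructed removal script; the HKLM key was never backed up.
REMOVAL = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\ExampleP2P]
[-HKEY_LOCAL_MACHINE\Software\ExampleP2P]
"""

if __name__ == "__main__":
    missing = uncovered_deletions(BACKUP, REMOVAL)
    if missing:
        print("export these before running the removal script:")
        for key in missing:
            print("  ", " ".join(reg_export_command(key, "RegBackup.reg")))
    else:
        print("backup covers every key the removal script deletes")
```

On the constructed input the HKLM key is reported as uncovered, so the script prints the `reg export` line to run first. The same rule from the post applies to a targeted backup: keep the .reg file on the Desktop until the machine has run fine for a few days, and delete it with a right-click, because double-clicking a .reg file imports it back into the registry.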

Shelley
2008-10-22, 06:09
Hi Phil,
Hope all is well.
Thanks once again for your help.
Firstly, I will update my Adobe Reader as you said, but is it safe to do so now? I read not long ago that they (Adobe) too were having problems with viruses/spam, or something malicious. I want to make sure that I am ok to do this now. Actually, even McAfee was hit with spam attacks.

Thanks for the link to the database, as well as the free PSI update tool. I will keep the PSI tool in mind but will try to keep my programs up to date properly. Not sure if I want another program running is the sys tray just yet.

Now my big problem... I am very afraid to do anything to the registry and was told never to edit it if I was not sure about what I was doing. I have never done it once. There is even a warning on the link that you gave me for the manual removal instructions of Morpheus. Honestly, I am stuck now. I would rather have my PC running as it is now than not have it running at all or make a big mistake in the registry.
Also, I know I read about registry editors, but one salesman told me to try "registry mechanic" to clean it up...what is your take on that?
Anyway, now I am lost.
Hope to hear from you soon, let me know if it is safe now for the Adobe update and thanks for everything.
Have a great night,
Shelley

pskelley
2008-10-22, 13:17
Firstly, I will update my Adobe Reader as you said, but is it safe to do so now?
Yes

I am very afraid to do anything to the registry
See this: http://forums.spybot.info/showthread.php?t=30113
I suggest you not listen to "salesmen"; he wants to sell a product.

The information and method with a backup is the safest way I know of to edit the registry. Keep in mind Microsoft included that tool in the program for this reason. Here are instructions from Microsoft for doing what I posted:
http://support.microsoft.com/kb/322755

I would suggest you ask someone with more computer experience to assist if you wish. I believe I have done all I can for you at this point. The option would be to ignore the item, especially if it is causing no problems. My guess would be that someone tried to remove it without using Add Remove and something needed for the uninstall process was deleted. You could also try to reinstall the item, then try to uninstall. Reinstalling would put back the uninstaller.

Thanks...Phil

Shelley
2008-10-24, 06:16
Hi Phil,
I just updated my Adobe to version 9, thanks for that also. I will try to stay up to date with things. I will now print all of your instructions regarding the registry edit and ask a friend (at some point)with more experience than me to help. I did read your link on registry edit programs again and won't take that route.

So I guess this is good bye and A BIG THANK YOU for working so hard with me and for me. You are so very kind. If I have to come back to this forum, I hope it will be you that will assist me. If we could give a rating, I would give you 5/5 stars.
Be well and take care.
Sincerely and with much gratitude,
Shelley

Shelley
2008-10-24, 07:37
Hi Phil,
Just can't seem to leave this forum just yet. If it's ok I have a few more (hopefully last) questions that I just realized. Sorry for the extra post but wanted to ask you before I finally bid you farewell... again. Hope it's ok.

I know that you told me to remove Morpheus 1.9 manually, but the link that you gave me also includes a "removal" tool for this infection, what about that... or is that not a good idea? Just thought I would ask...
Also, the link that you provided from Microsoft(how to backup, edit restore registry) is for windows 2000, is it the same method that I would use for Windows XP?

I continue to have a great deal of spam...is that normal?

Also, since you told me to update my programs, but I am not sure if I can ask you in this forum, the instructions to uninstall Spybot (I want to update to the latest version and must uninstall... last time I had 2 Spybots without uninstalling the previous version first) recommend that you remove a hidden folder in C:\Documents and Settings\All users\Application Data\Spybot-Search & Destroy\ is this necessary if I will reinstall the newer version? In the instructions it is not clear to me if I must do this if I am simply upgrading to the newer version.
Thanks for your patience,
Shelley

pskelley
2008-10-24, 14:21
The link provides programs that may be able to remove the toolbar; if you want to download and try, it is your computer.
I have no way of knowing if they will work.

http://www.google.com/search?hl=en&q=how+to+Backup+the+WinXP+registry&btnG=Google+Search&aq=f&oq=+

Spam...it is a problem for all of us. Use the spam filters in your email program to send as much as possible to junk.
http://www.google.com/search?hl=en&q=how+to+control+spam&btnG=Google+Search&aq=f&oq=
I don't use any of these programs and can only suggest you research them well before allowing them on your computer.
http://spywarewarrior.com/ <<< look here, but I am not sure they cover spam control software. I see you have MSN as a startpage, if that means you use hotmail, here is some information:
http://www.google.com/search?hl=en&q=Hotmail+junk+mail+filters&btnG=Search

http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html
http://www.google.com/search?hl=en&q=install+spybot+S%26D+tutorial&btnG=Search

Thanks