hijackthis log - to remove prosearching

**tsuiss** · 31-08-2004

Thank you!!

Logfile of HijackThis v1.98.2
Scan saved at 9:49:00 PM, on 8/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\Smtray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\tsiupyz.exe
C:\WINDOWS\fmtninry.exe
C:\WINDOWS\rczkbo.exe
C:\WINDOWS\kwttuvsxw.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\zstatus.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\freecell.exe
C:\Program Files\hijackthis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0 .dll
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {96018DD4-F9E5-4496-8CD1-9764CB9B0675} - (no file)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {B164C33C-60E2-810B-D693-6DCB5AC0159C} - C:\PROGRA~1\ONESET~1\sendroam.exe
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0 .dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [sgzelwwe] C:\WINDOWS\System32\sgzelwwe.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WebScan] C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Dvd Dash] C:\PROGRA~1\SUPPOR~1\drvwarnhide.exe
O4 - HKLM\..\Run: [cobpsf] C:\WINDOWS\tsiupyz.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [jaetsrjf] C:\WINDOWS\fmtninry.exe
O4 - HKLM\..\Run: [nppckv] C:\WINDOWS\rczkbo.exe
O4 - HKLM\..\Run: [nkozmf] C:\WINDOWS\kwttuvsxw.exe
O4 - HKLM\..\Run: [antethirdtrust4] C:\Documents and Settings\All Users\Application Data\programpokeantethird\film4.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: ICQ (2).lnk = C:\Program Files\ICQ\Icq.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {2BEDAEC2-770C-4C07-8EF8-5A30FF4B2A81} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at0_x.cab
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://go-in-now.com/tl7000.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50181/QDow_AS2.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/mmed.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...60/mcfscan.cab

**HJThis** · 31-08-2004

Hello,tsuiss

You should run these 2 progs here first they will do a
great job cleaning up your system then post a HJT logfile

please make sure to have a look in Add/Remove Programs
first & uninstall if there these 2 items New.Net,WebHancer
but as always it is up to the user to keep this type of software

There is a new and improved version of AdAware that you need to have installed on your computer. The new version is AdAware SE
If you have AdAware already installed on your system and it's NOT SE go to your Control Panel and click on Add/Remove Programs. Click on AdAware and then REMOVE and then just complete the removal process.

Once it's un-installed go to http://www.lavasoft.de/ and download the FREE version of AdAware SE. Once it's downloaded double click on the new file to start the install process.
Click Next>I accept>Next>Next> then be sure and put a dot in the bullet for Anyone Who uses this computer and then click Next>Next>

In the next dialog box remove the dot in the bullets "Start Scan" and also "Launch Help Files" and click Finish

Now if the program doesn't launch double click on the icon that should now be on your desktop to start AdAware SE

Now click on the button for Check for Updates
If updates are found click on the OK button and after it downloads to 100% click on the Finish button.

Click the Start Button
Click on the link for Customize
in the Main Window under Scan Settings
click on the red X in front of Scan within archives to change it to a green check

Then click on the button on the left labeled Advanced
click on the red X in front of Move deleted files to Recycle Bin to change it to a green check
click on the red X in front of Include Environment Information to change it to a green check

Then click on the button on the left labeled Defaults
click on the Read current settings from system

Then click on the button on the left labeled Tweak
Click on the (+) in front of Scanning Engine to expand the group
click on the red X in front of Obtain Command line of scanned processes to change it to a green check
click on the red X in front of Run scan as background process to change it to a green check
click on the red X in front of Use permanent archive caching to change it to a green check

Click on the (+) in front of Cleaning Engine to expand the group
click on the red X in front of Disable manual quarantine if auto-quarantine is selected to change it to a green check

Click on the (+) in front of Safety Settings to expand the group
click on the red X in front of Reanalyze results after scanning . . . to change it to a green check
click on the red X in front of Write protect system files after repair to change it to a green check

Click on the (+) in front of Log File to expand the group
click on the red X Create Log File for removal operations to change it to a green check

Click on the (+) in front of User Interface to expand the group
click on the red X Remember window positions to change it to a green check
click on the red X Snap windows to desktop borders to change it to a green check
click on the red X Use gridlines in results list to change it to a green check

Click on the (+) in front of Web Update Settings to expand the group
click on the red X Create and save WebUpdate log file to change it to a green check

Click on the (+) in front of Misc settings to expand the group
click on the red X Dump details about unhandled exceptions to disk to change it to a green check

Then click on the button at the bottom right labeled Proceed then click the Next button to start scanning.

Once the scan is complete you'll have a flashing Bug and a brief sound to indicate scanning is complete and Adware is found. Click on the Next and then click on each of the empty boxes to the left of the found items under SCAN SUMMARY. Then hit the Next button. Then OK. This should clean your system of all the found nasties. When it's complete simply close the program until your next scan session. Always ALWAYS check for updates before very scan.

Reboot

Now...download Spybot from
http://www.isecurity.org.uk/downloads/spybotsd13.exe
after installing......hit.."Search for Updates".....get them all.......(Download Updates).....then "Check for Problems".......after the scan is complete..allow Spybot to remove everything listed in RED...... then close spybot and reboot....

Then show us a new scan logfile of HJT

HGD

**HJThis** · 31-08-2004

Hi,tsuiss

Just like to add that once we have you all clean you should
run not walk to Windows update & update WinXP to XP-Sp1
& also update IE to IE 6-Sp1

now i would hold for now in updating to Sp2 on both
WinXP & IE they still have some bug's to work out

hmmm are you using a Virus scanner if not bad idea
let us know so we can give you a link to a free one

also do this here

go for a free Online scan from Computer associates.

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

Tell us how it did. Write down names and locations of any files that cannot be cleaned, post that info here. OR go after them yourself and delete them.

HGD

**tsuiss** · 06-09-2004

Hi,

After I follow your instruction to download Adaware SE and run it, prosearching was gone. But then the next time I started my computer, here it is again. Here are my Hijackthis Log after I did what you told me to.
Thanks!!

Logfile of HijackThis v1.98.2
Scan saved at 11:07:44 AM, on 9/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\Smtray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\zstatus.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\hijackthis.exe

O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - %SystemRoot%\System32\inetcomm.dll (file missing)
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DL L
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DL L
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll

**owen** · 06-09-2004

I think you are running Hijack This with the /ihatewhitelists command there. Could you please go to C:\Program Files and double click Hijack This and post a new log.

**tsuiss** · 06-09-2004

The log that I post was from C:\Program Files and double click Hijack This, I don't know why it runs with /ihatewhitelists, how and where can I post the Hijack This log that's good?
Thanks!!!

I think you are running Hijack This with the /ihatewhitelists command there. Could you please go to C:\Program Files and double click Hijack This and post a new log

**owen** · 06-09-2004

I mean run the file again and post a fresh log, but just double click the file and don't use shortcuts to access it.

**tsuiss** · 06-09-2004

Here you go. Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 11:50:34 AM, on 9/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\Smtray.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\zstatus.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijackthis.exe

O4 - HKLM\..\Run: [Dvd Dash] C:\PROGRA~1\SUPPOR~1\drvwarnhide.exe
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - %SystemRoot%\System32\inetcomm.dll (file missing)
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DL L
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DL L
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll (file missing)
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll

**owen** · 06-09-2004

Its still only showing O18 entries. Could you delete the version of Hijack This you have and then download a new version from http://hjt.isecureit.co.uk and run that and post a fresh log.

**tsuiss** · 06-09-2004

I've download the newest version of Hijack This and it still is the 018. It may be because previously when I scan the Hijack This, I Fixed Checked and delete the suspious items (and forgot what it said on the top). What should I do?

hijackthis log - to remove prosearching

hijackthis log - to remove prosearching

Similar Threads

[RESOLVED] I have a Spywre that Spy-Bot couldn't remove (HijackThis log included)

Blackcore trojan how to remove - HijackThis.log included

Prosearching toolbar wont remove and I have icons all over my desktop!!

Trying to remove prosearching

Help me remove Prosearching.com PLEASE (Resolved)