LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Skittles on November 28, 2005, 02:00:14 PM

Title: A Challenge - lots of trojans and more
Post by: Skittles on November 28, 2005, 02:00:14 PM
Wow, this laptop has a lot of nasties on it.

It already detected several trojans, malware, a few worms, backdoors and other viruses.  Some I was able to heal, but some said they are unhealable.

A couple of them are WeirdOnTheWeb and SurfSideKick3.

Here is the hjt log

Oh, and keep in mind this computer is set up using Swedish, so I will need help from our Swedes or anyone who might know the language well enough to help me recognize some of the areas in the computer that are written in svenska.  I have been doing pretty well in figuring it out, but there are some things I have trouble finding because they are in Swedish.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 14:48:01, on 2005-11-28
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Compaq\EASYAC~1\BttnServ.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\alg.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\HJT do not use without help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [8etpnr5l] C:\WINDOWS\System32\8etpnr5l.exe
O4 - HKLM\..\Run: [MNI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)

Title: Re: A Challenge - lots of trojans and more
Post by: normmork on November 29, 2005, 12:42:08 AM
We will try to get our Swedish expert to help you.
Title: Re: A Challenge - lots of trojans and more
Post by: Die Hard on November 29, 2005, 01:21:10 PM
I will be here later tonight and review the log  :thumbsup:

Regards

Die Hard :)
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on November 29, 2005, 11:46:11 PM
I will check on it tomorrow....and see if I have some instructions.

btw....I have since downloaded ewido, and ran that....but I don't have a new hjt log to give ya.  I did not bring the laptop down here tonight.

It is a pain to switch the broadband over to the laptop.  Because I have to disconnect the modem for 30 mins so it can reset so that it can recognize the different computer and connect.

So I won't bring it back down until I see some instructions.  I don't want to bother my friends too much by going back and forth...hehehehe.
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on November 30, 2005, 07:44:50 PM
Is it too hard of one to fix? 
Title: Re: A Challenge - lots of trojans and more
Post by: Corrine on December 01, 2005, 01:26:55 AM
I read elsewhere that Die Hard got tied up with something -- real life does, on occasion, interfere. 
Title: Re: A Challenge - lots of trojans and more
Post by: Die Hard on December 01, 2005, 11:47:23 AM

Hi skittles :)

Sorry for the delay in replying. Like Corrine said, I was tied up and hadn't the time required for looking at your log earlier, sorry for that.

Now, proceed like this:

1. Click (Windowskey+R) and type services.msc and in the right pane of the window scroll until you find Hardware Clock Driver. Double-click on it and in the new window set the "Startup type" to disabled and hit the stop button. Click Apply and close.
If you are uncertain whether you have the right service, there is also a file path to "C:\WINDOWS\System32\hwclock.exe" in the window.

2. Go to your control panel applet and "Add Remove programs" and see if "SurfSideKick" is listed, uninstall it.
Then uninstall WeirdOnTheWeb, if that´s also listed.

3. Run HiJack This and checkmark the following details and have them fixed:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [8etpnr5l] C:\WINDOWS\System32\8etpnr5l.exe
O4 - HKLM\..\Run: [MNI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program\SurfSideKick 3\Ssk.exe
O16 - DPF: {0C3F7D74-ADA5-4976-8908-A8189590DAFA} (3DGreetings.com Player 2.0) - http://expressit.broderbund.com/Plugin/3DGreetings/vroom.CAB
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)


4. Reboot into safe mode and remove the following files and folders:
C:\Program\SurfSideKick 3\ <<<folder
C:\Program\WeirdOnTheWeb\ <<<folder
C:\WINDOWS\System32\8etpnr5l.exe <<<file
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe <<<file
scvhost.exe <<<file Note this filename: there is a legitimate Windows file named "Svchost.exe" and that mustn't be touched
repairs302972979.dll <<<file
C:\WINDOWS\System32\hwclock.exe <<<file

5. While still in safe mode, run a full system scan with Ewido and let it remove what it finds. When the scan is finished, save the report.

6. Then, reboot normally and make a scan with Panda and/or TrendMicro
Panda ActiveScan http://www.pandasoftware.com/activescan/
Trend Micro HouseCall http://housecall.trendmicro.com/

7.  Go here and download "EmptyTempFolders" : http://www.danish-shareware.dk/soft/emptemp/
Install the program and click "Options" and select "Predefined folders".
Checkmark :
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temporary Internet files
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temporary Internet files
C:\Windows\Temp 

Then click "Empty all folders" (blue lightning) to remove the contents in the preset folders

8. Please post back with a new HJT log and the report from Ewido 

Best regards

Die Hard :)
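Added example, not code from this thread or from HijackThis: a small Python triage script that encodes the warning signs picked out of the log above (the scvhost/svchost lookalike, autostarts given with no path, the legacy RunServices key, the random-named System32 executable, the AppInit_DLLs entry and the service whose file is missing), run over a constructed sample made of lines from the posted log. The 0.85 similarity threshold and the list of system binaries are my own assumptions.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not
from the thread or from HijackThis). Reads O4 (autostart), O20
(AppInit_DLLs) and O23 (service) entries and flags what a helper looks for."""
import re
from difflib import SequenceMatcher

# Constructed sample input: a subset of the entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [8etpnr5l] C:\WINDOWS\System32\8etpnr5l.exe
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
"""

# Windows binaries that malware imitates with a one- or two-letter change (assumed list).
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
RANDOM_RE = re.compile(r"^[a-z0-9]{6,12}$")

def executable(cmd):
    """Pull the program path out of an O4 command line (quoted, or with switches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" /")[0].strip()

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lookalike(name):
    """Return the system binary this name imitates (similarity >= 0.85), else None."""
    if name in SYSTEM_BINARIES:
        return None
    best = max(SYSTEM_BINARIES, key=lambda legit: SequenceMatcher(None, name, legit).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= 0.85 else None

def looks_random(name):
    """Short lowercase alphanumeric stem mixing digits and letters, e.g. 8etpnr5l."""
    stem = name.rsplit(".", 1)[0]
    return (bool(RANDOM_RE.match(stem)) and any(c.isdigit() for c in stem)
            and sum(c.isalpha() for c in stem) >= 4)

def triage(log_text):
    """Map each suspicious file name (lower-case) to the reasons it was flagged."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive, key, _label, cmd = m.groups()
            path = executable(cmd)
            name = basename(path)
            if "\\" not in path:
                flag(name, f"no path in {hive}\\..\\{key}: resolved via the search order")
            if key.lower() == "runservices":
                flag(name, "RunServices is a Win9x/ME key, not used by XP itself")
            if legit := lookalike(name):
                flag(name, f"lookalike of {legit}")
            if looks_random(name) and "\\system32\\" in path.lower():
                flag(name, "random-looking name in System32")
        elif m := O20_RE.match(line):
            for dll in filter(None, re.split(r"[ ,]+", m.group(1))):
                flag(dll.lower(), "AppInit_DLLs is loaded into every process that loads user32.dll")
        elif m := O23_RE.match(line):
            svc, owner, path = m.groups()
            name = basename(path.replace(" (file missing)", ""))
            if "(file missing)" in path:
                flag(name, f"service '{svc}' points at a missing file")
            if owner == "Unknown owner":
                flag(name, f"service '{svc}' has no publisher")
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```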
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 03, 2005, 05:19:46 PM
1. Click (Windowskey+R) and type services.msc

You are talking about the Run, correct?  Like where you type msconfig to check for startup programs and such?

I guess I never used the Windows Key...lol  I am assuming it is the key that has the lil windows icon flag waving between the alt and ctrl buttons?   Hey also tell me, does anyone know where the ANY KEY is?  hehehe

I will get to this when I can take the laptop over to my friends house and get it hooked up to their broadband.

Probably on  Monday, maybe tomorrow, but I doubt it.
Title: Re: A Challenge - lots of trojans and more
Post by: Die Hard on December 04, 2005, 09:54:14 PM
Quote from: skittlespc on December 03, 2005, 05:19:46 PM
1. Click (Windowskey+R) and type services.msc

You are talking about the Run, correct?  Like where you type msconfig to check for startup programs and such?

That's correct, the key between Ctrl and Alt  :P

Quote: Hey also tell me, does anyone know where the ANY KEY is?  hehehe

That's the key on the upper right side..............no, on the lower left side..........no, no, it's between the F and H...........or is it the one below the Enter key?

No wait, here's a professional explanation:

[image: http://www.eakles.com/11smash.gif]

Die Hard :)
Title: Re: A Challenge - lots of trojans and more
Post by: tabjork on December 05, 2005, 09:36:36 AM
 :hysterical: :hysterical: :hysterical:
:hysterical: :hysterical: :hysterical:

ouch my stomach hurts from laughing so hard....and the TEARS....lol

Okay I am now working on this pc.

Oh btw....this is Skittles.....hehehe As if you didn't know. ;)
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 05, 2005, 10:48:48 AM
DieHard I have a question for ya.

I need the translation into Swedish to get into the area where I need to do step 4...to remove the files and folders.

Start....Den här datorn?....then C? 

Usually I go into Windows Explorer when I do this, but I can't find it here in Swedish.
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 05, 2005, 10:54:26 AM
Same thing with step 1.

I need the Swedish translation for what I need to click.

I was able to get into the Hardware Clock Driver but I cannot figure out where to Disable the Startup type and all that stuff, cuz it is in Swedish.
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 05, 2005, 11:20:09 AM
I got them!

Someone came by here, at the apartment and was able to translate it for me.

I just ran the hjt and fixed the ones you wanted but there were 3 that were not listed at all.  I am thinking that Ewido might have fixed it after I installed it, since the log that I posted before was before I installed the Ewido.

It was these three...

O4 - HKLM\..\Run: [MNI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O20 - AppInit_DLLs: repairs302972979.dll
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)


Moving on to the SafeMode steps now
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 05, 2005, 02:49:01 PM
Here is the new hjt log....below that will be the Ewido scan log and the Panda log.

Logfile of HijackThis v1.99.1
Scan saved at 15:35:41, on 2005-12-05
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\Program\Compaq\EASYAC~1\BttnServ.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\ewido\security suite\ewidoguard.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\HJT do not use without help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

*************************************************************************************************

Ewido Scan Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         13:27:38, 2005-12-05
+ Report-Checksum:      62C750E

+ Scan result:

   C:\Documents and Settings\Lilla Edets Kommun\Cookies\lilla edets kommun@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temp\temp.fr2615\Ssk.exe -> Adware.SurfSide : Cleaned with backup
   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temp\temp.fr2615\SskBho.dll -> Adware.SurfSide : Cleaned with backup
   C:\Documents and Settings\Lilla Edets Kommun\Lokala inställningar\Temp\temp.fr2615\SskCore.dll -> Adware.SurfSide : Cleaned with backup
   C:\WINDOWS\system32\updt.pif -> Backdoor.SdBot.aiw : Cleaned with backup


::Report End

****************************************************************************************

Panda Scan Report Log


Incident                        Status             Location

Adware:adware/weirdontheweb     Not desinfected    C:\Documents and Settings\Lilla Edets Kommun\Favoriter\WeirdOnTheWeb.url
Spyware:spyware/surfsidekick    Not desinfected    C:\Documents and Settings\Lilla Edets Kommun\Lokala instllningar\Temporary Internet Files\Ssk.log
Adware:adware/ucmore            Not desinfected    C:\WINDOWS\ucmoreiex.exe
Adware:adware/gator             Not desinfected    C:\Documents and Settings\Lilla Edets Kommun\Lokala instllningar\Temp\fsg_tmp
Adware:adware/dyfuca            Not desinfected    Windows Registry
Virus:W32/Gaobot.LJK.worm       Disinfected        C:\WINDOWS\system32\TFTP784
Adware:Adware/Weirdontheweb     Not desinfected    C:\WINDOWS\weirdontheweb_topc.exe
********************************************************************************

I also ran Spybot after all this, and it found 86 more items, which I removed.  But 71 of the entries came from WinFixer.  I am unsure what WinFixer is, or whether the people who own this laptop downloaded it, bought it, or what.  I have never used it and don't know anything about it.  So I am wondering if that is something I should remove as well.  It seems to cause some problems.  I had to disable it in the Start Ups, because it was always popping up, constantly wanting me to register it and to run a full scan....which I did not.

Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 05, 2005, 03:39:58 PM
Well I will be back tomorrow maybe to see if there is anything further that I will need to do.

I am heading home to make supper.

See yas later

Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 22, 2005, 08:05:46 PM
Well I am going to assume that this laptop is clear.

Although I am concerned by the fact that I have not been online with this laptop since I last posted in this topic, and yet I got an auto warning that popped up from AVG saying that it found a virus.  grrr I thought we were clean.  At least it fixed it.

And I also got Blacklight from F-Secure, to try and locate that stinkin WinFixer, to no avail.  It found nothing. grrr

So I am hoping that we got it all.  Although I have a feeling it is still in there somewhere.

But the person who owns this computer is going to need the pc back now.  He was able to let me have it for this long since he works at a college and can use their pcs there, but it is the holiday break so they are home now.  So I need to wrap this up very very soon.

I just ran Ewido,and that was all clear too.

Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 22, 2005, 09:07:58 PM
Grrrr DieHard I still have a lil bit of that WeirdOnTheWeb left somewhere....grrr

Found it during the panda scan.

Here is the log

Adware:adware/weirdontheweb     Not desinfected     Windows Registry
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 22, 2005, 09:11:01 PM
Logfile of HijackThis v1.99.1
Scan saved at 22:11:50, on 2005-12-22
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program\Compaq\EASYAC~1\BttnServ.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\PANICW~1\POP-UP~1\PSFree.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\HJT do not use without help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Title: Re: A Challenge - lots of trojans and more
Post by: Die Hard on December 22, 2005, 10:01:11 PM
skittlespc :)

It seems to be a detail in the registry, I would think it will cause no problems. It will be one of many orphaned entries there.

*If* you want to remove it, open the registry editor and in the toolbar click "Edit>Search" and search for "weirdontheweb". When you find one, delete it. Then click F3 to make a search for the next key/value.

As always, make a backup before you make any changes in the registry.

Regards

Die Hard :)
Title: Re: A Challenge - lots of trojans and more
Post by: Skittles on December 23, 2005, 04:08:23 PM
Thanks!

I think that I will go ahead and leave it as is.  It is no longer showing up on the scans I have on the pc.  Only Panda picked it up.  I will just monitor it after they have it for awhile and see if they start to get signs of it causing more problems.

I talked to the owner of this laptop and he admitted to downloading the SurfSide.  He got one of those popups that say something is wrong with your computer so download this to fix it.  And he believed it, so he downloaded it.  I will educate him further on what is okay to download and update and what is not.

I am glad that I ran the full test scan at pcpitstop, cuz I just realized that the internet cache settings were set for 1.  Not that it was a huge difference but it is usually recommended to keep it between 10 and 100.

And I hope that WinFixer will no longer be an issue.  I do see it is still listed in the Startup List when I run msconfig, but I have it disabled so it should be okay.

Now I am on to going through the list of startups on msconfig at castlecops to see what things I can disable.

Thanks again!

Skittles