please help dont know whats going on

[fezzy]

my pc is very slow, and i just got rid of a virus that i recieved while on msn messenger but i think itsLogfile of HijackThis v1.99.1
Scan saved at 11:59:02 AM, on 5/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Documents and Settings\feray.CANIM-WB4IPD8VN\My Documents\MsgPlus.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5 _7_0.dll
O2 - BHO: (no name) - {5C71BE13-D61B-3BCD-ECB7-44A78F4FEBE9} - C:\DOCUME~1\FERAY~1.CAN\APPLIC~1\SKIPAI~1\GRAM2.ex e
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5 _7_0.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\feray.CANIM-WB4IPD8VN\My Documents\MsgPlus.exe"
O4 - HKLM\..\Run: [BaitDebugSeekPoke] C:\Documents and Settings\All Users.WINDOWS\Application Data\tonseggsbaitdebug\inter type.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: ubisoft register.lnk = C:\Program Files\Ubi Soft\Register\schedule.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4992395B-E08C-4FAC-9B01-D0B3E8A115B5}: NameServer = 203.134.24.70 203.134.26.70
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

still lurking, can someone check my log and help me

[hypnotizeminds]

fezzy, welcome to CTH.

I will be helping you with your log. I will take a look at everything I see and be back as soon as possible with help for you. Please note that I am currently in training, therefore I must check with the experts before instructing you to make any changes to your log.

Back soon.

[hypnotizeminds]

fezzy, thank you for your patience. Follow these instructions in the order they are listed and we should have you cleaned up in no time.


First, click Start > Settings > Control Panel > Add or Remove Programs, and see if Window Search is in the list. If so, click Change/Remove beside it to uninstall. You should be given a security code to enter, do so and reboot before continuing. Also, if Window Search is not in the list, click here to download the uninstaller and run it before moving on.

Also, I recommend uninstalling MessengerPlus3 via Add/Remove Programs, it is a source of one of the malwares on your system which we are working to remove. See here for more info.


Run HijackThis again and scan once more. Locate and check the following entries that appear in the list:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

O2 - BHO: (no name) - {5C71BE13-D61B-3BCD-ECB7-44A78F4FEBE9} - C:\DOCUME~1\FERAY~1.CAN\APPLIC~1\SKIPAI~1\GRAM2.ex e

O4 - HKLM\..\Run: [BaitDebugSeekPoke] C:\Documents and Settings\All Users.WINDOWS\Application Data\tonseggsbaitdebug\inter type.exe

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab

then click "Fix Checked" and close HijackThis.


Next, be sure you can view hidden files and folders and remove the following FILES in bold if they exist:

C:\DOCUME~1\FERAY~1.CAN\APPLIC~1\SKIPAI~1\GRAM2.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\tonseggsbaitdebug\inter type.exe

If you cannot find the files, try typing the filenames one at a time in an Explorer search window using Start > Search > For Files or Folders... .


Also, click Control+Alt+Del and once again select the Processes tab in Task Manager. Under the CPU column, are there any processes (aside from System Idle Process) that are using continuously high amounts of processing power? If so, please list them in your next post.


When you are finished with these steps, run HijackThis once again and save the new log, then post it back into this thread so we can see how things are looking at this point.