• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
Rothagar

New BHO found - not listed in directory

46 posts in this topic

New BHO is the first one listed: A17627CF - etc.

Does anyone else see any other garbage besides the R1's #96676 which keep showing up on HJ after I start IE.

Logfile of HijackThis v1.97.7

Scan saved at 12:55:00 PM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\mfcsf32.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\zjqdgf.exe

C:\WINDOWS\system32\ntdf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Norton SystemWorks\Process Viewer\PrcView.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\MailboxFilter\MBF4Wait.exe

C:\Documents and Settings\Roger\Local Settings\Temp\Temporary Directory 19 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\futwz.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://futwz.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://futwz.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\futwz.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://futwz.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\futwz.dll/sp.html#96676

O2 - BHO: (no name) - {A17627CF-36CE-3C0C-3C8B-C2D325D2B4AA} - C:\WINDOWS\addre.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKLM\..\Run: [ntdf.exe] C:\WINDOWS\system32\ntdf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/126e5c8787bf5e09f221/...ip/RdxIE601.cab

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

Share this post


Link to post
Share on other sites

Just so you know, I'm taking a look at your case right now and I should have a reply up tonight (hopefully).

Share this post


Link to post
Share on other sites

Please re-run HJT from a more permanent location such as C:\HJT\HijackThis.exe . You are currently running it from a \temp\ folder which is not recommended because HJT creates backups of all of the files it fixes. It's important there isn't a chance for those backups to get deleted.

 

After you have moved HJT to a permanent location, please run it and have it fix the following:

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/126e5c8787bf5e09f221/...ip/RdxIE601.cab

 

Please download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

Edited by guacamel

Share this post


Link to post
Share on other sites

Greetings Guacamel,

Thank You!

Also how do I attach my logs from the desktop?

Right now I cut and paste- kinda slow.

Thanks again for your help - there was another guy - title of topic

"EIGHT DAYS AND NO REPLY'

I think he had the same problem as me I will attempt to find him and forward your info.

Thank You,

Rothagar

 

About:Buster Version 1.24

Removed! : C:\WINDOWS\addiu.exe

Removed! : C:\WINDOWS\addre.dll

Removed! : C:\WINDOWS\addvs.exe

Removed! : C:\WINDOWS\akqmml.dat

Removed! : C:\WINDOWS\apijd32.exe

Removed! : C:\WINDOWS\apijt32.exe

Removed! : C:\WINDOWS\apiou32.exe

Removed! : C:\WINDOWS\apiyz32.exe

Removed! : C:\WINDOWS\atlgt.exe

Removed! : C:\WINDOWS\atloq.exe

Removed! : C:\WINDOWS\bftorx.dat

Removed! : C:\WINDOWS\bwawpj.dat

Removed! : C:\WINDOWS\cieked.dat

Removed! : C:\WINDOWS\coegde.dat

Removed! : C:\WINDOWS\cpwdgw.dat

Removed! : C:\WINDOWS\cyysux.dat

Removed! : C:\WINDOWS\dbrphe.dat

Removed! : C:\WINDOWS\fedxyh.dat

Removed! : C:\WINDOWS\fwncmy.dat

Removed! : C:\WINDOWS\gdnwjq.dat

Removed! : C:\WINDOWS\gftfyp.dat

Removed! : C:\WINDOWS\giviql.dat

Removed! : C:\WINDOWS\hioqog.dat

Removed! : C:\WINDOWS\hlgecr.dat

Removed! : C:\WINDOWS\iardvz.dat

Removed! : C:\WINDOWS\iern32.exe

Removed! : C:\WINDOWS\iesi.exe

Removed! : C:\WINDOWS\ietk.exe

Removed! : C:\WINDOWS\ifzhdq.dat

Removed! : C:\WINDOWS\ipjf.exe

Removed! : C:\WINDOWS\javayu32.exe

Removed! : C:\WINDOWS\jikdpx.dat

Removed! : C:\WINDOWS\jpdlcw.dat

Removed! : C:\WINDOWS\lefbne.dat

Removed! : C:\WINDOWS\mfcpf.exe

Removed! : C:\WINDOWS\mfcsf32.exe

Removed! : C:\WINDOWS\mhxxmg.dat

Removed! : C:\WINDOWS\msbr.exe

Removed! : C:\WINDOWS\msds.exe

Removed! : C:\WINDOWS\msif.exe

Removed! : C:\WINDOWS\msxt.exe

Removed! : C:\WINDOWS\nqmqkf.dat

Removed! : C:\WINDOWS\nvpuv.dat

Removed! : C:\WINDOWS\n_alfvev.dat

Removed! : C:\WINDOWS\n_asdebr.dat

Removed! : C:\WINDOWS\n_dqmtvp.dat

Removed! : C:\WINDOWS\n_dxyzlm.dat

Removed! : C:\WINDOWS\n_ejfnqs.dat

Removed! : C:\WINDOWS\n_gsltfa.dat

Removed! : C:\WINDOWS\n_hszbbr.dat

Removed! : C:\WINDOWS\n_lhjwfs.dat

Removed! : C:\WINDOWS\n_lqpsmy.dat

Removed! : C:\WINDOWS\n_mbdwvd.dat

Removed! : C:\WINDOWS\n_mmvzru.dat

Removed! : C:\WINDOWS\n_ndnbyt.dat

Removed! : C:\WINDOWS\n_nxabcy.dat

Removed! : C:\WINDOWS\n_tqrsuw.dat

Removed! : C:\WINDOWS\n_uawnfz.dat

Removed! : C:\WINDOWS\n_vdowlz.dat

Removed! : C:\WINDOWS\n_vrzxqs.dat

Removed! : C:\WINDOWS\n_wcezav.dat

Removed! : C:\WINDOWS\n_wvbzvc.dat

Removed! : C:\WINDOWS\n_yilrko.dat

Removed! : C:\WINDOWS\n_zbrmmr.dat

Removed! : C:\WINDOWS\pwtbkw.dat

Removed! : C:\WINDOWS\qndang.dat

Removed! : C:\WINDOWS\rgipz.dat

Removed! : C:\WINDOWS\rihdpv.dat

Removed! : C:\WINDOWS\rmzzvm.dat

Removed! : C:\WINDOWS\sdkmr.exe

Removed! : C:\WINDOWS\sjtqkq.dat

Removed! : C:\WINDOWS\tbvba.dat

Removed! : C:\WINDOWS\tcrerq.dat

Removed! : C:\WINDOWS\tdboum.dat

Removed! : C:\WINDOWS\tiosum.dat

Removed! : C:\WINDOWS\tiqzpj.dat

Removed! : C:\WINDOWS\uckmpl.dat

Removed! : C:\WINDOWS\unvucg.dat

Removed! : C:\WINDOWS\vqfqwm.dat

Removed! : C:\WINDOWS\vthpgt.dat

Removed! : C:\WINDOWS\vzlscq.dat

Removed! : C:\WINDOWS\wineg.exe

Removed! : C:\WINDOWS\winfh.exe

Removed! : C:\WINDOWS\winva32.exe

Removed! : C:\WINDOWS\xqnfxy.dat

Removed! : C:\WINDOWS\yjhdif.dat

Removed! : C:\WINDOWS\yynbux.dat

Removed! : C:\WINDOWS\zjgphd.dat

Removed! : C:\WINDOWS\zqghwk.dat

Removed! : C:\WINDOWS\System32\addcy32.exe

Removed! : C:\WINDOWS\System32\appcv.exe

Removed! : C:\WINDOWS\System32\applv.exe

Removed! : C:\WINDOWS\System32\atlpc32.exe

Removed! : C:\WINDOWS\System32\crhc32.exe

Removed! : C:\WINDOWS\System32\crxg32.exe

Removed! : C:\WINDOWS\System32\gouwf.dat

Removed! : C:\WINDOWS\System32\iehd.exe

Removed! : C:\WINDOWS\System32\ipxj.exe

Removed! : C:\WINDOWS\System32\javacl.exe

Removed! : C:\WINDOWS\System32\javagq.exe

Removed! : C:\WINDOWS\System32\javamv.exe

Removed! : C:\WINDOWS\System32\mfcok.exe

Removed! : C:\WINDOWS\System32\mfcxt32.exe

Removed! : C:\WINDOWS\System32\msjm32.exe

Removed! : C:\WINDOWS\System32\mspy32.exe

Removed! : C:\WINDOWS\System32\netdp.exe

Error Removing! : C:\WINDOWS\System32\ntdf.exe

Removed! : C:\WINDOWS\System32\syseh.exe

Removed! : C:\WINDOWS\System32\winyw32.exe

Removed! : C:\WINDOWS\System32\winze.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

Logfile of HijackThis v1.97.7

Scan saved at 8:48:59 PM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\mfcsf32.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\zjqdgf.exe

C:\WINDOWS\system32\ntdf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

C:\MailboxFilter\MBF4Wait.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\futwz.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://futwz.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://futwz.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\futwz.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://futwz.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\futwz.dll/sp.html#96676

O2 - BHO: (no name) - {A17627CF-36CE-3C0C-3C8B-C2D325D2B4AA} - C:\WINDOWS\addre.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKLM\..\Run: [ntdf.exe] C:\WINDOWS\system32\ntdf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

Wow - all this and you don't even know me!!!!!!!!!!

 

Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You,Thank You!

Roger

Share this post


Link to post
Share on other sites

Please reboot your computer and post an updated HJT log... the R1s are still there.

 

If they are still there after you reboot, try running about:buster in safe mode.

 

If you are unfamiliar with how to get into safe mode, please follow thsese instructions:

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Share this post


Link to post
Share on other sites

By the way, cutting and pasting is how I do it.

 

To speed things up, you can open the log in notepad and hit Ctrl-A and then hit Ctrl-C and then open up a reply and hit Ctrl-V

Share this post


Link to post
Share on other sites

Greetings,

Kind of same problem!

No control over home page with:

Lots of casino stuff and tons of favorite folders of crap!

Lets call this one - Laurels - in honor of my secretary, so as not to confuse your guidelines!

Thank You.

Roger

 

 

See HJ Log B4 Fix.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:15:15 PM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\VCAXIS~1\Firstmeal.exe

C:\Program Files\Spyware Doctor\spydoctor.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Debbie\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: programwmasetup - {EE07EB20-5775-22BB-279A-258A3EAE2612} - C:\PROGRA~1\EXITIT~1\acid poll.dll (file missing)

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [spyCop ScanCheck] C:\Program Files\Common Files\Microsoft Shared\MAIN.EXE /LASTSCAN

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [Dupe1] C:\PROGRA~1\VCAXIS~1\Firstmeal.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: AdsGone 2003.lnk = C:\Program Files\AdsGone\adsgone.exe

O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: AdsGone (HKLM)

O9 - Extra 'Tools' menuitem: &AdsGone Settings (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7713.5614467593

O17 - HKLM\System\CCS\Services\Tcpip\..\{4FB429DC-67C9-4DF0-9987-503ED8200B70}: Domain = wfix.com

O17 - HKLM\System\CS1\Services\Tcpip\..\{4FB429DC-67C9-4DF0-9987-503ED8200B70}: Domain = wfix.com

O17 - HKLM\System\CS2\Services\Tcpip\..\{4FB429DC-67C9-4DF0-9987-503ED8200B70}: Domain = wfix.com

Share this post


Link to post
Share on other sites

Actually G :bounce: ,

I think emailing to you pushed the energy to remove the garbage or somewhere somehow my running of fixes - on something - Worked!

Anyway do not seem to still have the problem :evilgrin: on Laurel's computer so also don't seem to have the problem on my computer however am awaiting instructions on what to do next?

Maybe I don't have to do anything next but just BE!

Thank You Very Much :love: !

RR :bounce:

Share this post


Link to post
Share on other sites

Wait, so the HJT log you just posted was from a different computer?

 

Can you post an updated HJT log from your computer after you rebooted it?

Share this post


Link to post
Share on other sites

G,

Oops Sorry - I will make that a new topic!

Forget about herrrrrrrrr!

No more Laurel!

Just me!

I have rebooted and will now attach a new rebooted HJ log after the fix.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:14:29 PM, on 7/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\zjqdgf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\msiexec.exe

C:\MailboxFilter\C4.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {A17627CF-36CE-3C0C-3C8B-C2D325D2B4AA} - C:\WINDOWS\addre.dll (file missing)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

Fresh About Buster after the reboot!

 

About:Buster Version 1.24

Removed! : C:\WINDOWS\System32\ntdf.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

:whistle:

Saved my b-t- on that one!

Thank You,

R

Share this post


Link to post
Share on other sites

G,

When was I supposed to reboot?

I presume after removing the offending and running Buster!

Anyway that is what I have sent you!

RR

:cool:

Share this post


Link to post
Share on other sites

O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

 

 

That line shouldn't be there... don't fix it with HJT though.

 

Reboot into safe mode (by tapping f8 when the computer restarts) and run about:buster from safe mode. Then, boot back into normal mode and post an updated HJT log. :wave:

Share this post


Link to post
Share on other sites

Greetings G,

Wow - what happened to SWI this morning?

I could not get in and my computer was definitely sluggish, acting up and freezing - in Phoenix - in the Summer! Guess the spy bugs were upset about the changes - Go figure.

Anyway here is the updated Buster Log after running in safe mode.

 

About:Buster Version 1.24

Removed! : C:\WINDOWS\appqs.exe

Removed! : C:\WINDOWS\System32\javafl32.exe

Removed! : C:\WINDOWS\System32\javanl.exe

Removed! : C:\WINDOWS\System32\javavj32.exe

Removed! : C:\WINDOWS\System32\sysda32.exe

Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Pages Reset... Done!

 

Also including an updated HJT log in case.

 

Logfile of HijackThis v1.97.7

Scan saved at 2:43:40 PM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\zjqdgf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\FXSCLNT.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\MailboxFilter\C4.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {A17627CF-36CE-3C0C-3C8B-C2D325D2B4AA} - C:\WINDOWS\addre.dll (file missing)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

 

Thanks again my friend!

Any idea why my computer went so wild this morning?

R

Share this post


Link to post
Share on other sites

Hmm, you're still not completely adware/malware free... that line is still there and the about:buster is supposed to remove it...

 

There is a new version of about:buster that was released today.

 

Download About:Buster and follow the same instructions as before (rebooting into safe mode and running about:buster in safe mode) Then boot back into normal mode and post an updated HJT log. Also, make sure you have about:buster 1.25 (the newest one)

 

If that still doesn't fix it, I can try to give you directions on how to manually remove it.

Share this post


Link to post
Share on other sites

Hey - how are you doing?

Boy was my computer wacked :scratchhead: this morning!

Lots of trouble however it seems to have straightened itself out :whistle: .

Thanks again for your :thumbsup: help!!

Roger ;D

Share this post


Link to post
Share on other sites

G,

 

After Buster 1.25

 

Logfile of HijackThis v1.97.7

Scan saved at 4:16:01 PM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\zjqdgf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\MailboxFilter\MBF4Wait.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {A17627CF-36CE-3C0C-3C8B-C2D325D2B4AA} - C:\WINDOWS\addre.dll (file missing)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

Thank You,

R

Share this post


Link to post
Share on other sites

Hello Again,

I ran Bazooka and it said that I have an "Msot" file.

The Trojan Horse - I have tried to find it to delete however I get lost with the instruction:

Start "Windows Explorer" (did this) and delete: %WinDir%\MSOPT>DLL

 

I can't find it :gack: !

 

Help on this one also?

 

Roger

Share this post


Link to post
Share on other sites

Pleaser run HJT again and have it fix the following:

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {A17627CF-36CE-3C0C-3C8B-C2D325D2B4AA} - C:\WINDOWS\addre.dll (file missing)

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll

O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

 

I would also fix this line:

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB

 

(I don't know that the above line is bad, but fix it anyways, because if it's good, then it will simply be downloaded again when you visit the site. So fixing it won't hurt anything)

 

Please delete the following files:

C:\WINDOWS\System32\ntdf.exe

C:\WINDOWS\System32\mfcqr32.exe

C:\WINDOWS\sysjn.exe

C:\WINDOWS\msopt.dll

 

If it gives an error when you try to delete the above files, then hit ctrl-alt-delete and if you see any of those processes running, end them. If you still get an error, then reboot into safe mode and delete the file there. You may not be able to see some of the files, if you can't see them, then you'll need to enable viewing of hidden files. (here's how: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

). If the file still isn't there with hidden files enabled, then don't worry about it.

Edited by guacamel

Share this post


Link to post
Share on other sites

Oh, and can you reboot and post an updated HJT log so I can make sure I don't see anymore problems?

 

edit: Oh, you were talking about my post count lol :)

Edited by guacamel

Share this post


Link to post
Share on other sites

G,

Yes - I was - Congrats - No longer v_rg_n - or something!

I do not know how to delete or find the files that you mentioned:

C\

 

I did the HJT thing - am awaiting instructions!

TY,

R

 

Lame I know - I was a MacMan till recently :blush: !

Share this post


Link to post
Share on other sites

Just go to the directory that the file is in and find it and delete it. It should be listed alphabetically, so won't be too bad.

Share this post


Link to post
Share on other sites

G,

Regarding My Success with your email.

 

Pleaser run HJT again and have it fix the following:

 

+ (Did) O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

+ (Did) O2 - BHO: (no name) - {A17627CF-36CE-3C0C-3C8B-C2D325D2B4AA} - C:\WINDOWS\addre.dll (file missing)

- (Not) O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll

+ O4 - HKLM\..\Run: [hubxnimz] C:\WINDOWS\System32\zjqdgf.exe

 

 

I would also fix this line:

+ O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://143.166.224.166/Media/visitorchat/TLIEFlash.CAB

 

(I don't know that the above line is bad, but fix it anyways, because if it's good, then it will simply be downloaded again when you visit the site. So fixing it won't hurt anything)

 

Please delete the following files:

- C:\WINDOWS\System32\ntdf.exe

- C:\WINDOWS\System32\mfcqr32.exe

- C:\WINDOWS\sysjn.exe

- C:\WINDOWS\msopt.dll

 

Do I need to be in Resedit?

Roger :wave:

P.S. I have done the hidden file thing!

Just don't know how to follow the family tree - something simple missing :bounce: I know will show up!

 

If it gives an error when you try to delete the above files, then hit ctrl-alt-delete and if you see any of those processes running, end them. If you still get an error, then reboot into safe mode and delete the file there. You may not be able to see some of the files, if you can't see them, then you'll need to enable viewing of hidden files. (here's how: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

). If the file still isn't there with hidden files enabled, then don't worry about it.

Share this post


Link to post
Share on other sites

okay, boot into safe mode then to delete the files.

 

Once in safe mode, go to run and type in "C:\WINDOWS\System32\" (without the quotes) That will open up the system32 folder and inside that folder are the ntdf.exe and the mfcqr32.exe files. Find those and delete them.

 

Now, while still in safe mode, go to run and type in "C:\WINDOWS\" (without the quotes). That will open up the windows folder and inside that folder are the sysjn.exe and msopt.dll files. Find those and delete them.

 

If you can't find the files with hidden files viewing enabled, then don't worry about them.

Share this post


Link to post
Share on other sites

Good Morning G,

Looks like I have been successful in getting rid of the Msot Trojan Horse :bounce: .

 

Attached the most recent log - what do you think?

If it is clear are you up for looking at my other computer?

I of course will run Adware, Spybot etc. before sending the HJT log.

Let me know - and one more time :thumbsup: Thank You!

Roger

 

Logfile of HijackThis v1.97.7

Scan saved at 9:52:14 AM, on 7/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\zjqdgf.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\MailboxFilter\MBF4Wait.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\msiexec.exe

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [hityjkzv] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

:wave:

Share this post


Link to post
Share on other sites

Have HJT fix the following lines:

2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O4 - HKLM\..\Run: [hityjkzv] C:\WINDOWS\System32\zjqdgf.exe

 

Also delete this file: C:\WINDOWS\System32\zjqdgf.exe

(you may have to use the safe mode process we used earlier)

Share this post


Link to post
Share on other sites

Hello Hello G,

The new log.

All three tasks have been completed including emptying the trash while in safe mode so that the little pest is still not lingering - did that really make a difference - emptying the trash in safe mode?

Thank You,

Roger

 

Logfile of HijackThis v1.97.7

Scan saved at 12:10:31 PM, on 7/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\MailboxFilter\MBF4Wait.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [dsrhegvva] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

:D

Share this post


Link to post
Share on other sites

While most of the bad stuff is cleaned out, you still have some bad files. I suspect possibly a virus or a trojan.

 

I would do an online virus scan at these places:

 

http://www.pandasoftware.com/activescan/co...n_principal.htm

 

http://housecall.trendmicro.com/housecall/start_corp.asp

 

Also, you're not using the latest version of HJT, that can be downloaded here:

http://tomcoyote.com/hjt/

 

Once you download it, please set your date ahead a few days and then re-run HJT and post a new log.

 

Hopefully the newer version of HJT can give me some more clues as to why that file keeps appearing.

Share this post


Link to post
Share on other sites

Hello G,

Went to Panda had 3 infections removed.

Zero (0) at House Call, did after Panda already removed.

Updated HJT, set date forward and have rescaned.

Following below:

 

Logfile of HijackThis v1.97.7

Scan saved at 12:01:04 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxsclnt.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Outlook Express\msimn.exe

C:\MailboxFilter\C4.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [dsrhegvva] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\RunOnce: [spyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7561.2118634259

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

Once again I appreciate your help, let me know where we are on mine then perhaps you could help me

:D on my other computers - it should go much faster now that I understand the :techsupport: the process.

Roger

Share this post


Link to post
Share on other sites

That's HJT 1.97.7, it should be 1.98.

Share this post


Link to post
Share on other sites

All Right!

 

Logfile of HijackThis v1.98.0

Scan saved at 12:47:41 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\fxsclnt.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Outlook Express\msimn.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\MailboxFilter\MBF4Wait.exe

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [dsrhegvva] C:\WINDOWS\System32\zjqdgf.exe

O4 - HKLM\..\RunOnce: [spyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

Share this post


Link to post
Share on other sites

You're still not completely clean, this is proving to be very difficult.

 

We need to remove a program called "Twain-Tec". To do this, first you need to disable System restore as per the instructions at here . Twaintec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis. This is because of the remaining registry entries and files which can be dangerous. Instead the following method of removal is preferable and complete:

Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer to SAFE mode - How do I boot into "Safe" mode?. Delete twaintech.dll and twaintec.ini If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it.

 

That fix is provided by PGPhantom.

Share this post


Link to post
Share on other sites

Hello G,

Thanks for you help.

Went to Add/Remove Programs the only program I could find close to Twain-Tec was

TYPE1232 TWAIN Driver Ver.3

 

Is this the same program that I should delete?

 

New HJT log:

 

Logfile of HijackThis v1.98.0

Scan saved at 12:46:45 PM, on 7/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\MailboxFilter\C4.exe

C:\WINDOWS\System32\FXSCLNT.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

R3 - Default URLSearchHook is missing

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

 

Thank You,

Roger

Share this post


Link to post
Share on other sites

G,

I removed again the line using HJT:

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

 

Was this the Twain Tec?

 

Now what??

 

Roger

 

P.S. I will not do anymore fixing until I hear from you. :whistle:

Share this post


Link to post
Share on other sites

OKay, please run HJT again with no other windows open and have it fix the following:

 

R3 - Default URLSearchHook is missing

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

 

After that, please run ad-aware with the latest reference file (very important, it's 08.07.2004). After that, please reboot and post an updated HJT log.

Share this post


Link to post
Share on other sites

Hello G,

Is this telling us anything?

 

Registry Mechanic tells me it finds 360 erors:

1 Start Up Programs

2 Shared Programs

357 Deep Registry Scan

 

It will NOT fix any of the problems unless I buy the program - is this a scam?

Do you know another program that will fix my 360 errors without purchasing it.

Could this be the Twain Tec?

I am running Windows XP and have run:

Norton Disk Doctor - No errors.

Norton WinDoctor - No errors.

 

Thanks in Advance,

Roger

 

Logfile of HijackThis v1.98.0

Scan saved at 4:41:50 PM, on 7/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\PMObserv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\RDS\RsiSvc.exe

C:\Program Files\RDS\srscandr.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\RDS\ddsschednt.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\RDS\dds.exe

C:\Program Files\RDS\spooler.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\MailboxFilter\C4.exe

C:\Documents and Settings\Roger\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.cox.net

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe

O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Startup: Camio Viewer 2.0.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Mailbox Filter.lnk = C:\MailboxFilter\MBF4Wait.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Start Delivery Services.lnk = ?

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_3_0.cab

 

Hope I am not adding to the confusion!

Thank You,

Roger

Share this post


Link to post
Share on other sites

Okay, everything looks clean. Don't mess with that twain.dll file, also, I'm suspicious of that registry mechanic-- I wouldn't worry about what it finds.

 

If you have anymore problems with your computer then post them here. Otherwise, I'll consider this log closed.

 

Thanks!

 

Guacamel!

 

Also, I would like to thank Budfred, Nonsuch, VashonDude, and PGPhantom for helping with this fix.

Edited by guacamel

Share this post


Link to post
Share on other sites

Greetings Guacamel,

I also would like to Thank You for your help and all of those who helped suppport you through this jumble.

My machine feels good, fast and lean!

I will watch out for the pests!

This has been a whole new introduction to the cyberworld of help.

What can I do to learn more and become a helper?

Thank You Again!

Roger

Share this post


Link to post
Share on other sites

Glad we could help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

 

If you want to learn about these parasites, then I suggest that you join the Boot Camp here. See Here for details of how to sign up.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0