• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
meprice

Coolsearcher.info - please help!

26 posts in this topic

My web browser keeps getting set back to coolsearcher.info - very annoying! I've read the Hijack article, and I've run a virus scan, Ad-aware and Spybot. Ad-aware and Spybot seem to take care of the problem, but then when I reboot the computer and run MS-Internet Explorer again, coolsearcher.info is back. I also ran HijackThis (after rebooting); I've pasted the log below. I tried deleting R1 and R0, and again, that gave only a temporary solution, until I rebooted.

 

I have another question too: since I ran Spybot, I've been getting a message saying "180searchAssistant" needs to be reinstalled. Do I want to reinstall this?

 

Thanks very much in advance for your help!!!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 6:52:54 PM, on 7/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\bteilvd.exe

C:\WINDOWS\aneb.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\WINDOWS\zsjghch.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolsearcher.info/sp.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearcher.info

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [users System] C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [gurrocogaxlyk] C:\WINDOWS\System32\bteilvd.exe

O4 - HKLM\..\Run: [aneb] C:\WINDOWS\aneb.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [zsjghch] C:\WINDOWS\zsjghch.exe

O4 - HKLM\..\RunServices: [users System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [users System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\RunServices: [users System] C:\WINDOWS\svchost.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB22D16-F61D-4580-91CB-F667FA03CC5A}: NameServer = 199.45.32.43 199.45.32.38

Share this post


Link to post
Share on other sites

Hi there meprice,

 

Please do this first,

 

Update HijackThis to version 1.98

• run HijackThis

select config> misc tools and select "update online". then yes.

Run a scan and post a new Hijackthis log after you are done.

 

 

You are running hijackthis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar) like this C:\My Documents\hjt\HijackThis. Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create the backup files that you may need whilst it is being run from a temporary folder

 

Next,

 

 

Download the latest version of CWShredder Here by Merijn Bellekom, the creator of Hijack This. Check for updates!!

Run it, press 'Fix', and allow it to fix all it finds.

 

Post a fresh HijackThis logfile.

Share this post


Link to post
Share on other sites

Thank you for your response! CWS Shredder seems to have worked - the homepage problem looks solved. I've posted the new HijackThis log below - hopefully it is clean now.

I am still, however, getting a notice saying that a third party application has deleted 180search Assistant and telling me that I should reinstall it. Should I reinstall it? What is it, anyway?

Thanks very much for your help - I *really* appreciate it!

 

Logfile of HijackThis v1.98.0

Scan saved at 7:06:19 PM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\bteilvd.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [users System] C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [gurrocogaxlyk] C:\WINDOWS\System32\bteilvd.exe

O4 - HKLM\..\Run: [aneb] C:\WINDOWS\aneb.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [zsjghch] C:\WINDOWS\zsjghch.exe

O4 - HKLM\..\RunServices: [users System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [users System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\RunServices: [users System] C:\WINDOWS\svchost.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB22D16-F61D-4580-91CB-F667FA03CC5A}: NameServer = 199.45.32.43 199.45.32.38

Share this post


Link to post
Share on other sites

Hi meprice,

 

First, do not reinstall 180search, it is bad news.

 

Please do this now,

 

 

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

 

NOTE THE OPTIONAL FIX

 

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)

O4 - HKLM\..\Run: [gurrocogaxlyk] C:\WINDOWS\System32\bteilvd.exe

O4 - HKLM\..\Run: [aneb] C:\WINDOWS\aneb.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [zsjghch] C:\WINDOWS\zsjghch.exe

O4 - HKLM\..\RunServices: [users System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [users System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\RunServices: [users System] C:\WINDOWS\svchost.exe

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE<<<<These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

 

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

 

 

 

Restart your computer in

Safe Mode Also make sure you show hidden files Then delete the following files or folders as indicated below if they still show:

 

 

Not all or any of these may still show,

 

 

C:\WINDOWS\svchost.exe<<<<File PLEASE MAKE SURE THAT THIS IS THE ONLY FILE OF THIS TYPE THAT YOU DELETE

(IE C:\WINDOWS\system32\svchost.exe....DO NOT TOUCH!!)

 

 

C:\WINDOWS\zsjghch.exe<<<<File

C:\WINDOWS\aneb.exe<<<<File

C:\WINDOWS\nem219.dll<<<<File

C:\WINDOWS\System32\netdc.exe<<<<File

C:\WINDOWS\System32\bteilvd.exe<<<<File

C:\Program Files\Web_Rebates\WebRebates0.exe<<<<Folder

C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm<<<<Folder

C:\Program Files\Web_Rebates\WebRebates1.exe<<<<Folder

 

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.

Share this post


Link to post
Share on other sites

Thanks very much for your help. I did what you suggested, but I had one question. In safe mode, I deleted /netdc.exe and bteilvd.exe and scri1150a.htm. But I wasn't sure whether or not I should delete C:\ProgamFiles\WebRebates\WebRebates1.exe and WebRebates0.exe - they looked like files rather than folders, as you indicated above. Should I get rid of those too?

 

I've posted a new HijackThis log below. Thanks again!!!

 

Logfile of HijackThis v1.98.0

Scan saved at 10:28:23 AM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [users System] C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB22D16-F61D-4580-91CB-F667FA03CC5A}: NameServer = 199.45.32.43 199.45.32.38

Share this post


Link to post
Share on other sites

Hi there,

 

Yes that Web_Rebates folder does need deleting.

 

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

 

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

 

 

Restart your computer in

Safe Mode Also make sure you show hidden files Then delete the following files or folders as indicated below if they still show:

 

Not all or any of these may still show,

 

 

C:\Program Files\Web_Rebates\WebRebates0.exe<<<<Folder

C:\WINDOWS\System32\netdc.exe<<<<File

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.

Share this post


Link to post
Share on other sites

Hey there,

Thanks for your continued help. I followed your advice, and it looks like maybe we're making progress. When I searched for WebRebates0.exe I discovered two WebRebates related files, but in a different folder than you mentioned - they were in C:\WINDOWS\Prefetch. Should I have deleted those files as well?

Below the new HiJack this log is posted.

I really appreciate your spending so much time helping me out. Thanks!

meprice

 

Logfile of HijackThis v1.98.0

Scan saved at 10:52:04 PM, on 7/12/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [users System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

Share this post


Link to post
Share on other sites

Hi there,

 

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

 

 

 

O4 - HKLM\..\Run: [users System] C:\WINDOWS\svchost.exe

 

Restart your computer in

Safe Mode Also make sure you show hidden files Then delete the following files or folders as indicated below if they still show:

 

Not all or any of these may still show,

 

C:\WINDOWS\svchost.exe<<<<File

 

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.

Share this post


Link to post
Share on other sites

Hello,

Here's the new hijack this log.

Thanks again,

meprice

 

Logfile of HijackThis v1.98.0

Scan saved at 8:34:49 AM, on 7/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

Share this post


Link to post
Share on other sites

Hi there,

 

There are still problems with the BKDR_CCT.A trojan. Follow these links, go to Trend for details regarding the solution, run Trend Micro's free Housecall Scan Scan your system with Trend Micro antivirus and delete all files detected as BKDR_CCT.A. Follow the instuctions carefully.

 

This line here is the culprit,

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

 

Then repost a fresh logfile.

Share this post


Link to post
Share on other sites

Hi there,

I ran the Housecall scan, but the program did not detect any files as BKDR_CCT.A. It detected some files as AGENT.AE, ALCHEMIC.A and DYFUCA.M. I followed the directions suggested to clean my system from those viruses, but when I went into registry edit to make the changes they instruct, I could not find any of the keys I was supposed to change. I wasn't sure whether I was supposed to just search for the virus-infected files and delete them as well, or whether deleting them might cause other system problems.

In any case, I've posted another Hijack This log below, but I think it is the same as you saw before - the "culprit" line is still there.

What do you recommend next? Thanks,

meprice

 

Logfile of HijackThis v1.98.0

Scan saved at 9:58:26 PM, on 7/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB22D16-F61D-4580-91CB-F667FA03CC5A}: NameServer = 199.45.32.43 199.45.32.38

Share this post


Link to post
Share on other sites

Hi there,

 

Try fixing that line again. This time in safe mode.

Restart your computer in

Safe Mode

 

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

 

 

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

 

 

Delete all the files etc in c:\windows\temp - But do not delete the directory itself.

 

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.

Edited by 12g

Share this post


Link to post
Share on other sites

Hi there,

Alas, netdc.exe still seems to be there.... I notice also that Housecall now has something running under 016. Can I kill that, or should it be there?

Thanks for your continued help,

meprice

 

Logfile of HijackThis v1.98.0

Scan saved at 12:36:07 AM, on 7/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

Share this post


Link to post
Share on other sites

Hi there,

 

Yes you can fix the 016, standby for a long post.

Share this post


Link to post
Share on other sites

Hi there,

 

Follow this,

 

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>

Windows>CurrentVersion>Run

In the right panel, locate and delete the entry:

load32 = “%System%\netda.exe”

Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

 

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>

Windows>CurrentVersion>Winlogon

In the right panel, locate the entry:

Shell = “Explorer.exe %System%\netdc.exe”

Modify this registry to: Shell = “Explorer.exe”

Close Registry Editor.

 

Run HJT again to see if this has been altered,

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

 

--------------------------------------------------------------------------------

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Removing Autostart Entries from System Files

 

Malware sometimes modify system files so that they automatically execute at Windows startup. These autostart entries must be removed before an affected system can be restarted safely.

 

Open the SYSTEM.INI file. Click Start>Run. In the Open input box, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).

Under the [boot] section, locate the line that begins with:

Shell=Explorer.exe

From the same line, delete the malware path and file name:

%System%\netdc.exe

Close the SYSTEM.INI file and click Yes when prompted to save.

Restoring the Windows HOSTS File

 

Deleting entries in the HOSTS files prevents the redirection of antivirus Web sites to the local machine.

 

Open the following file using your default text editor:

%System%\Drivers\etc\Hosts

Locate and delete the following lines:

127.0.0.1 www.trendmicro.com

127.0.0.1 trendmicro.com

127.0.0.1 rads.mcafee.com

127.0.0.1 customer.symantec.com

127.0.0.1 liveupdate.symantec.com

127.0.0.1 us.mcafee.com

127.0.0.1 updates.symantec.com

127.0.0.1 update.symantec.com

127.0.0.1 www.nai.com

127.0.0.1 nai.com

127.0.0.1 secure.nai.com

127.0.0.1 dispatch.mcafee.com

127.0.0.1 download.mcafee.com

127.0.0.1 www.my-etrust.com

127.0.0.1 my-etrust.com

127.0.0.1 mast.mcafee.com

127.0.0.1 ca.com

127.0.0.1 www.ca.com

127.0.0.1 networkassociates.com

127.0.0.1 www.networkassociates.com

127.0.0.1 avp.com

127.0.0.1 www.kaspersky.com

127.0.0.1 www.avp.com

127.0.0.1 kaspersky.com

127.0.0.1 www.f-secure.com

127.0.0.1 f-secure.com

127.0.0.1 viruslist.com

127.0.0.1 www.viruslist.com

127.0.0.1 liveupdate.symantecliveupdate.com

127.0.0.1 mcafee.com

127.0.0.1 www.mcafee.com

127.0.0.1 sophos.com

127.0.0.1 www.sophos.com

127.0.0.1 symantec.com

127.0.0.1 securityresponse.symantec.com

127.0.0.1 www.symantec.com

Save the file and close the text editor.

 

Reboot, and post a fresh log.

Share this post


Link to post
Share on other sites

Hi there,

It looks like the instructions were similar to the ones I followed on the Trend website. Again, I ran into some problems - perhaps I should have been more specific before, sorry.

First, I double clicked on HKEY_LOCAL_MACHINE>Software>Microsoft>

Windows>CurrentVersion>Run, but in the right hand window did not see anything that looked like load32 = “%System%\netda.exe” . In fact, in the right hand window, it looked like filenames (they had AB icons); in any case, none of the filenames nor data descriptions matched what you told me to look for. Am I doing something wrong?

Next, I ran SYSTEM.INI, but there was no [boot] section in that file.

Finally, I opened %System%\Drivers\etc\Hosts , and the only line read:

127.0.0.1 localhost

 

I feel like I must have done something wrong....

Anyway, below is the new/old hijackthis log, even though nothing's changed. I'll be off-line until Friday...

Thanks, meprice

 

Logfile of HijackThis v1.98.0

Scan saved at 8:14:27 AM, on 7/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CAB22D16-F61D-4580-91CB-F667FA03CC5A}: NameServer = 199.45.32.43 199.45.32.38

Share this post


Link to post
Share on other sites

Hi there,

 

Ok we will continue on Friday :wave:

Share this post


Link to post
Share on other sites

Hi there,

 

Ok what I need you to do is go, Start> Run>type "system.ini" then copy and paste the contents of the notepad on here for me please.

Share this post


Link to post
Share on other sites

Hi,

run.ini log is pasted below.

thanks, meprice

 

 

; for 16-bit app support

 

[drivers]

wave=mmdrv.dll

timer=timer.drv

 

[mci]

[driver32]

[386enh]

woafont=dosapp.FON

EGA80WOA.FON=EGA80WOA.FON

EGA40WOA.FON=EGA40WOA.FON

CGA80WOA.FON=CGA80WOA.FON

CGA40WOA.FON=CGA40WOA.FON

Share this post


Link to post
Share on other sites

Hi there,

 

Ok lets do this now,

 

You need to find and remove this hidden startup entry

 

Restart your computer in

Safe Mode

 

Then go Start>Run>All Programs>Startup

 

delete netdc.exe

 

Restart, then post a fresh log.

Share this post


Link to post
Share on other sites

Hi there,

I replied a couple of days ago, but apparently my reply did end up posted... Strange... Anyway, sorry for the delay.

I was a bit confused about your instructions. Could you please clarify them for me? When I go to Start > Run, I get a dialog box. Am I supposed to type "All Programs" in the dialog box? I tried that, but it didn't work. Where do I find the "All Programs" tab? Thanks a lot,

meprice

Share this post


Link to post
Share on other sites

Hi there,

 

Are you sure you were in Safe Mode for that solution? if that is not working let's try this.

 

 

On Windows XP systems, press

CTRL+SHIFT+ESC, then click the Processes tab.

In the list of running programs, locate the malware file or files detected earlier (NETDC.EXE).

Select one of the detected files, then press End Process button.

To check if the malware process has been terminated, close Task Manager, and then open it again.

Close Task Manager.

 

Next;

 

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>

Windows NT>CurrentVersion>Winlogon

In the right panel, locate the entry:

Shell = “Explorer.exe C:\WINDOWS\System32\netdc.exe" Delete this!

Still in the right panel, modify the registry to:

Shell = “Explorer.exe”

Close Registry Editor.

 

Reboot, then post another log

Share this post


Link to post
Share on other sites

Hi,

I was indeed in Safe Mode for the previous solution, I'm not sure what I did wrong. In any case, I tried what you suggested in the last email.

netdc.exe is not listed in the list of processes. However, when I opened regedit, I did discover the shell entry you referred to. I modified it to read explorer.exe and then closed regedit. When I rebooted and ran hijack this, netdc.exe seems to have come back. I've posted the log below. Thanks again for your continued help with this. It must get frustrating after awhile to keep having to deal with this problem... I appreciate it.

meprice

 

Logfile of HijackThis v1.98.0

Scan saved at 10:21:06 PM, on 7/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe

C:\Program Files\HijackThis\hijackthis\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [storageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~1\QDCSFS.exe /scheduler

O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\Support.com\Bin\IBMAccessSupport\common\install\ibmegath.cab

Share this post


Link to post
Share on other sites

Hi,

Sorry to bombard you, but one more question about the Start>Run>All Programs>Startup solution. I think I must have been doing something wrong. By "Start", do you mean that I should beginclick on the green start tab in the bottom left corner of the screen? If I do that, I can choose All Programs or I can choose Run. If I choose All Programs, I see an option called Startup, but there is only something from my Quickbooks program in it. If I choose Run, and then type All Programs in the box next to the "Open:" prompt, I'm told that windows cannot find 'all'.

Maybe you can explain what I'm doing wrong? Thanks a lot for your patience.

meprice

Share this post


Link to post
Share on other sites

Hi there,

 

Ok let's try this, go back to regedit,

 

 

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>

Windows NT>CurrentVersion>Winlogon

In the right panel, locate the entry:

Shell = “Explorer.exe C:\WINDOWS\System32\netdc.exe" Delete this!

Still in the right panel, modify the registry to:

Shell = “Explorer.exe”

Close Registry Editor.

 

This time do this before rebooting;

 

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Clear "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Clear "Hide protected operating system files."

Click Apply, and then click OK.

 

Find and DELETE the file

 

C:\WINDOWS\System32\netdc.exe<<<<File

 

Next,

 

Turn off System Restore.

 

Right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

 

 

 

Reboot, then post a fresh log

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0