newyork

Hijacked

14 posts in this topic

I wanted to replace my notepad.exe file just to be sure. I downloaded the notepad replacement zip file from this site. Before replacing, I wanted to delete the old files first. I deleted the notepad.exe file in the C:\windows folder and before I could copy a new version into the folder, the notepad.exe file was already replaced automatically.

 

This also happens with CTFMON.EXE (info indicates this file could be associated with CoolWebSearch). If the ctfmon.exe file is deleted, bam it is replaced again automatically and TeaTimer (Spybot) indicates that a registry entry wants to be changed indicating this file. I deny the change.

 

I have cleaned my system of the About:Blank issue and believe my system is clean, but I have this feeling that something is running in the background still. Have used cwshredder, spybot and ad-aware and nothing is found. Norton AV also comes up clean. So here is my HijackThis log.

 

Logfile of HijackThis v1.98.0

Scan saved at 11:22:21 PM, on 07/14/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE

C:\WINDOWS\System32\lvhidsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

C:\WINDOWS\system32\ntvdm.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Tools\Diagnostics\HijackThis\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab

O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://simcity.ea.com/updater//EARTPX.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab

 

Please help me.... :scratchhead:

Share this post


Link to post
Share on other sites

It sounds like you're on the right track.

The W32.Mydoom.B@mm virus can sometimes disguise itself as ctfmon. Do you have the CTFMON.DLL file? (If so, delete it.)

You can try to disable the process ctfmon.exe until you find out more by disabling “Text Services & Speech” in the Control Panel if you are not using them. Then, disable CTFMon using Startup Manager.

You may need to go into safe mode. (By the way, did you scan using Norton in Safe Mode?) I recommend you try another virus scan just to be sure. (Norton is known to sometimes miss certain trojans that accompany spyware.)

AVG 6.0 is an option to download, or if you just want a quick, but efficient scan try

http://www.pandasoftware.com/activescan/ac...2&Country=63&...

or

http://housecall.antivirus.com/housecall/start_corp.asp

 

 

It is also safe to disable or change to manual nvsvc32.exe and CTsvcCDA.exe--they're memory hogs.

 

P.S. Just a reminder: Notepad.exe needs to be pasted into System32.

If you already have a notepad in the Windows folder, that's fine.

Share this post


Link to post
Share on other sites

Thank you for the help

 

I do not see a way to disable speech or voice recognition when I double click the speech icon in control panel.

 

I can not delete the ctfmon.dll file from the Windows\System32 folder, it just recreates itself again. It also creates an entry in the registry to load the file on startup.

 

Other symptoms I see: a process named Wowexec (with a space in the first position) is running and the process Msmsgs.exe is running even though I have set up Messenger to NOT start during startup of Windows.

 

I was able to just replace the Notepad.exe file in the Windows folder and place a new Notepad.exe file in the Windows\System32 folder after deleting the original in that folder.

 

What about my HijackThis log, does it look ok? I have run all the other programs mentioned in other posts, but the system seems clean.

Share this post


Link to post
Share on other sites

O.k. You must get rid of ctfmon.dll

So, here's a list of options.

First, have you tried McAfee's Stinger tool?

 

It is supposed to get rid of the W32.Mydoom.B@mm virus.

THEN, we can get rid of the .dll files left over from the infection (and garbage implanted by the spyware that goes along with it.)

So, download away...

 

http://vil.nai.com/vil/stinger

 

After that, go into SAFE MODE. Run Ad-aware, Spybot S&D, and your anti-virus. Results should be clean....

NEXT, migrate over to windows/system32 and make sure that explorer.exe is NOT there. (The legitimate Explorer is in the Windows file only.)

Now, find ctfmon.dll and try to delete it.

(Hopefully, now, it will.)

Then reboot in normal mode and look for ctfmon.dll

If it is not there, the main task is taken care of....just a few more minor tasks. If it is there, I have some other removal instructions.

 

O.k., about Msmsgs.exe, it is automatically configured to activate when you open Outlook Express. Go to Outlook Express (or other default mail), click on Tools/Options/General. Uncheck the box that says "Automatically log onto Windows Messenger"

 

There are a few items in your HJT log file that may or may not pose problems. After you follow these steps, if your OS is still acting funny, I'll help you disable/delete/ or adjust the processes.

So, you can hold off on ending the text services until we see how this plan goes.

Follow these steps exactly, and don't give up....these things are a pain in the @$$ but you can get rid of them.

P.S. Is notepad back to normal, yet?

Share this post


Link to post
Share on other sites

Newyork, click on this link if you want to know more about ctfmon.exe: http://support.microsoft.com/default.aspx?...kb;en-us;282599 (microsoft.support)

However, you have some spyware on your log.

I suggest you wait for one of our qualified helpers to get to you. Be patient and don't do anything rash with your system in the meantime.

Share this post


Link to post
Share on other sites

Ctfmon.exe is a legitimate program. (Sometimes, it can cause a computer to perform sluggishly.) It is safe to keep or disable it.

HOWEVER, CTFMON.DLL is a virus. (There is a difference.)

You can go to www.answersthatwork.com and click on task list for confirmation on this information.

I've not given you any suggestions that would damage your system, but you can get other opinions.

Share this post


Link to post
Share on other sites

Thank you for your help, I guess having the About:Blank problem has made me very wary of processes running on my system. So let's see where I stand:

 

1. CTFMON.EXE is the process running, I do not have the CTFMON.DLL file.

2. MSMSGS.EXE still starts up when I boot up. If I stop the process, it just starts again in a few moments. I did disable automatic logon of Windows Messenger in Microsoft Outlook, no change. What could be starting this process, a registry entry or is it a possibility that something bad is using it to spy on my system or collect information?

3. Wowexec with a space in front is another process that is running. When I boot up, Monwow.exe, a part of Norton Cleansweep, tries to load and an error about not able to find Shell.dll comes up, click OK, again another Shell.dll can be found appears, click ok, then the error about some component of Monwow not being found appears. Click ok and that is it. Symantec states that it is a virus issue.

 

So here is my HijackThis log, see what you think:

 

Logfile of HijackThis v1.98.0

Scan saved at 7:20:35 PM, on 07/16/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE

C:\WINDOWS\System32\lvhidsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Tools\Diagnostics\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab

O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://simcity.ea.com/updater//EARTPX.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab

Share this post


Link to post
Share on other sites

newyork,

 

I am guessing that this is the item that is causing your problems and you can easily fix it with HJT.... Fix it and see if the other problems persist... Close all open windows and browsers, open HJT and mark/fix:

 

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

 

Then reboot and see if the problems are still there... Run HJT with other windows and browsers closed and post a fresh log with details of any remaining problem... We may need to fix your Messenger...

Share this post


Link to post
Share on other sites

Look, all I want is to make sure my computer is spyware free.

 

In the task manager the Wowexec.exe process is listed with a space in the first digit, which is different than all the other listed processes. Is this normal?

 

I deleted the DPF listed in the HijackThis log as suggested, and this did not change the fact that Msmsgs.exe still lists as a running process on startup. I did disable automatic logon of Windows Messenger in Microsoft Outlook.

 

I still have the problem when I boot up: Monwow.exe, a part of Norton Cleansweep, tries to load and an error about not able to find Shell.dll comes up, click OK, again another Shell.dll can not be found error appears. Click ok, then the error about some component of Monwow not being found appears, click ok and that is it. Symantec states that it is a virus issue and they can not help.

 

So here is my HijackThis log, please look it over and let me know if there is anything else that needs fixing.

 

Logfile of HijackThis v1.98.0

Scan saved at 12:23:02 AM, on 07/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE

C:\WINDOWS\System32\lvhidsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\NMSSvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Tools\Diagnostics\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab

O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab

O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://simcity.ea.com/updater//EARTPX.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab

Share this post


Link to post
Share on other sites

I am not sure what process you used to clean up CWS, but it may be that it caused some damage to system processes... Go here to learn about running System File Checker to restore basic WinXP settings... You will probably need your WinXP disk to use it...

 

http://support.microsoft.com/default.aspx?...7&Product=winxp

 

When that is done, post back with details about how things are going... Your log seems to be clean... If you have any further problems, compare a new log with this one and post it if it is different. Also, please describe how you got rid of CWS....

Share this post


Link to post
Share on other sites
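An added example, not part of any post in this thread and not HijackThis's own code: a Python script that does the two checks the helper replies above perform by eye, flagging O16 (DPF) entries whose codebase is a local file:// path and comparing a new log against the previous one. The function names are hypothetical and the two sample logs are short excerpts built from the 07/16 and 07/18 logs posted above.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "R0", "O4", "O16"
    detail: str   # everything after "<section> - "


# Entry lines look like "O16 - DPF: {CLSID} - <codebase>"; the header and
# the "Running processes" paths do not match this pattern and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_log(text):
    """Return the section entries of a HijackThis log in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def dpf_codebase(entry):
    """For an O16 entry, return the codebase (text after the last ' - ')."""
    if entry.section != "O16":
        return None
    return entry.detail.rsplit(" - ", 1)[-1]


def local_codebase_dpf(entries):
    """O16 entries installed from a local file:// path rather than a vendor URL."""
    return [e for e in entries
            if (dpf_codebase(e) or "").lower().startswith("file://")]


def diff_logs(old_text, new_text):
    """Return (added, removed) entries between two logs."""
    old, new = parse_log(old_text), parse_log(new_text)
    added = [e for e in new if e not in old]
    removed = [e for e in old if e not in new]
    return added, removed


# Constructed excerpts: a few lines taken from the logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

if __name__ == "__main__":
    for e in local_codebase_dpf(parse_log(LOG_BEFORE)):
        print("local codebase:", e.section, "-", e.detail)
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    for e in added:
        print("+", e.section, "-", e.detail)
    for e in removed:
        print("-", e.section, "-", e.detail)
```
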

I suggest fixing this startup (won't affect the file itself).

O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

 

http://www.windowsstartup.com/wso/browse.p...art=250&end=275

Part of Norton System Works 2003 Not Required - Can Be started through Norton System Works / Preferences

Share this post


Link to post
Share on other sites