Hijacked


13 replies to this topic

#1 newyork

    Member

  • Full Member
  • 21 posts

Posted 15 July 2004 - 03:00 PM

I wanted to replace my notepad.exe file just to be sure. I downloaded the notepad replacement zip file from this site. Before replacing, I wanted to delete the old files first. I deleted the notepad.exe file in the C:\windows folder, and before I could copy a new version into the folder the notepad.exe file was already replaced automatically.

This also happens with CTFMON.EXE (info indicates this file could be associated with CoolWebSearch). If the ctfmon.exe file is deleted, bam, it is replaced again automatically, and TeaTimer (Spybot) indicates that a registry entry referencing this file wants to be changed. I deny the change.

I have cleaned my system of the About:Blank issue and believe my system is clean, but I have this feeling that something is still running in the background. I have used CWShredder, Spybot and Ad-aware and nothing is found. Norton AV also comes up clean. So here is my HijackThis log.

Logfile of HijackThis v1.98.0
Scan saved at 11:22:21 PM, on 07/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Tools\Diagnostics\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://simcity.ea.co...ter//EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab

Please help me....

#2 newyork

    Member

  • Full Member
  • 21 posts

Posted 15 July 2004 - 04:40 PM

bump...

#3 terryb

    Member

  • Full Member
  • 51 posts

Posted 15 July 2004 - 07:18 PM

It sounds like you're on the right track. The W32.Mydoom.B@mm virus can sometimes disguise itself as ctfmon. Do you have the CTFMON.DLL file? (If so, delete it.)

You can try to disable the process ctfmon.exe until you find out more by disabling “Text Services & Speech” in the Control Panel if you are not using them. Then, disable CTFMon using Startup Manager. You may need to go into safe mode. (By the way, did you scan using Norton in Safe Mode?) I recommend you try another virus scan just to be sure. (Norton is known to sometimes miss certain trojans that accompany spyware.)

AVG 6.0 is an option to download, or if you just want a quick but efficient scan try
http://www.pandasoft...2&Country=63&...
or
http://housecall.ant.../start_corp.asp


It is also safe to disable or change to manual nvsvc32.exe and CTsvcCDA.exe; they're memory hogs.

P.S. Just a reminder: Notepad.exe needs to be pasted into System32. If you already have a notepad in the Windows folder, that's fine.

#4 newyork

    Member

  • Full Member
  • 21 posts

Posted 16 July 2004 - 01:37 AM

Thank you for the help.

I do not see a way to disable speech or voice recognition when I double click the speech icon in control panel.

I can not delete the ctfmon.dll file from the Windows\System32 folder; it just recreates itself again. It also creates an entry in the registry to load the file on startup.

Other symptoms I see: a process named Wowexec (with a space in the first position) is running, and the process Msmsgs.exe is running even though I have set up Messenger to NOT start during startup of Windows.

I was able to just replace the Notepad.exe file in the Windows folder and place a new Notepad.exe file in the Windows\System32 folder after deleting the original in that folder.

What about my HijackThis log, does it look OK? I have run all the other programs mentioned in other posts, and the system seems clean.

#5 terryb

    Member

  • Full Member
  • 51 posts

Posted 16 July 2004 - 05:31 AM

O.k. You must get rid of ctfmon.dll. So, here's a list of options. First, have you tried McAfee's Stinger tool?

It is supposed to get rid of the W32.Mydoom.B@mm virus. THEN, we can get rid of the .dll files left over from the infection (and garbage implanted by the spyware that goes along with it). So, download away...

http://vil.nai.com/vil/stinger

After that, go into SAFE MODE. Run Ad-aware, Spybot S&D, and your anti-virus. Results should be clean....
NEXT, migrate over to windows/system32 and make sure that explorer.exe is NOT there. (The legitimate Explorer is in the Windows folder only.)
Now, find ctfmon.dll and try to delete it. (Hopefully, now, it will.)
Then reboot in normal mode and look for ctfmon.dll. If it is not there, the main task is taken care of....just a few more minor tasks. If it is there, I have some other removal instructions.

O.k., about Msmsgs.exe, it is automatically configured to activate when you open Outlook Express. Go to Outlook Express (or other default mail) and click on Tools/Options/General. Uncheck the box that says "Automatically log onto Windows Messenger".

There are a few items in your HJT log file that may or may not pose problems. After you follow these steps, if your OS is still acting funny, I'll help you disable/delete/or adjust the processes. So, you can hold off on ending the text services until we see how this plan goes.
Follow these steps exactly, and don't give up....these things are a pain in the @$$ but you can get rid of them.
P.S. Is notepad back to normal, yet?

#6 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 16 July 2004 - 06:39 AM

Newyork, click on this link if you want to know more about ctfmon.exe: http://support.microsoft.com/default.aspx?...kb;en-us;282599 (Microsoft Support)
However, you have some spyware on your log.
I suggest you wait for one of our qualified helpers to get to you. Be patient and don't do anything rash with your system in the meantime.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#7 terryb

    Member

  • Full Member
  • 51 posts

Posted 16 July 2004 - 12:58 PM

Ctfmon.exe is a legitimate program. (Sometimes, it can cause a computer to perform sluggishly.) It is safe to keep or disable it. HOWEVER, CTFMON.DLL is a virus. (There is a difference.) You can go to www.answersthatwork.com and click on task list for confirmation on this information. I've not given you any suggestions that would damage your system, but you can get other opinions.

#8 newyork

    Member

  • Full Member
  • 21 posts

Posted 16 July 2004 - 09:34 PM

Thank you for your help. I guess having the About:Blank problem has made me very wary of processes running on my system. So let's see where I stand:

1. CTFMON.EXE is the process running, I do not have the CTFMON.DLL file.
2. MSMSGS.EXE still starts up when I boot up. If I stop the process, it just starts again in a few moments. I did disable automatic logon of Windows Messenger in Microsoft Outlook, no change. What could be starting this process, a registry entry, or is it a possibility that something bad is using it to spy on my system or collect information?
3. Wowexec with a space in front is another process that is running. When I boot up, Monwow.exe, a part of Norton CleanSweep, tries to load and an error about not being able to find Shell.dll comes up; click OK, and another "Shell.dll can not be found" error appears; click OK, then the error about some component of Monwow not being found appears; click OK and that is it. Symantec states that it is a virus issue.

So here is my HijackThis log, see what you think:

Logfile of HijackThis v1.98.0
Scan saved at 7:20:35 PM, on 07/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Tools\Diagnostics\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://simcity.ea.co...ter//EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab

#9 Budfred

    Malware Hound

  • Administrators
  • 21,305 posts

Posted 17 July 2004 - 03:39 PM

CEOn10ec and terryb,

We do ask that helpers here be trained to work on these issues and would be happy to have you join us if you are interested in becoming helpers here... Check here for details about how this all works:

http://forums.spywar...?showtopic=9270
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#10 Budfred

    Malware Hound

  • Administrators
  • 21,305 posts

Posted 17 July 2004 - 03:57 PM

newyork,

I am guessing that this is the item that is causing your problems and you can easily fix it with HJT.... Fix it and see if the other problems persist... Close all open windows and browsers, open HJT and mark/fix:

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

Then reboot and see if the problems are still there... Run HJT with other windows and browsers closed and post a fresh log with details of any remaining problem... We may need to fix your Messenger...
Budfred

#11 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 17 July 2004 - 10:49 PM

Some off-topic posts have been moved to a new thread.
http://forums.spywar...showtopic=16136

Sorry about all the interruptions, newyork.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#12 newyork

    Member

  • Full Member
</gr_replreplace>
<gr_replace lines="436" cat="clarify" orig="In the task manager">
In the task manager the Wowexec.exe process is listed with a space in the first position, which is different from all the other listed processes. Is this normal?
  • 21 posts

Posted 18 July 2004 - 03:02 AM

Look, all I want is to make sure my computer is spyware free.

In the task manager the Wowexec.exe process is listed with a space in the first digit which is different then all the other listed processes. Is this normal?

I deleted the DPF listed in the HijackThis log as suggested, and this did not change the fact that Msmsgs.exe still lists as a running process on startup. I did disable automatic logon of Windows Messenger in Microsoft Outlook.

I still have the problem when I boot up: Monwow.exe, a part of Norton CleanSweep, tries to load and an error about not being able to find Shell.dll comes up; click OK, and another "Shell.dll can not be found" error appears. Click OK, then the error about some component of Monwow not being found appears; click OK and that is it. Symantec states that it is a virus issue and they can not help.

So here is my HijackThis log, please look it over and let me know if there is anything else that needs fixing.

Logfile of HijackThis v1.98.0
Scan saved at 12:23:02 AM, on 07/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Tools\Diagnostics\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS07
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot2_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - http://simcity.ea.co...ter//EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab

#13 Budfred

    Malware Hound

  • Administrators
  • 21,305 posts

Posted 18 July 2004 - 07:39 AM

I am not sure what process you used to clean up CWS, but it may be that it caused some damage to system processes... Go here to learn about running System File Checker to restore basic WinXP settings... You will probably need your WinXP disk to use it...

http://support.micro...7&Product=winxp

When that is done, post back with details about how things are going... Your log seems to be clean... If you have any further problems, compare a new log with this one and post it if it is different. Also, please describe how you got rid of CWS....
Budfred

#14 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 18 July 2004 - 12:33 PM

I suggest fixing this startup (won't affect the file itself).
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe

http://www.windowsst...art=250&end=275

Part of Norton System Works 2003 Not Required - Can Be started through Norton System Works / Preferences

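A small triage script for the HijackThis log format posted in this thread, added here as an example; it is not part of the thread and not a HijackThis feature. It parses the `Rn`/`On` entry lines and flags the kinds of entries the helpers acted on in posts #10 and #14 (an O16 DPF object sourced from `file://` rather than the web, the all-users Global Startup shortcut), plus orphaned entries such as the `(no file)` button and the missing URLSearchHook from the first log. The severity scale and the rules themselves are this example's own assumptions; the sample entry lines are copied from the logs above.

```python
"""Triage helper for HijackThis-style logs (added example; not part of the
thread or of HijackThis). It parses the "Rn - ..." / "On - ..." entry lines
and flags the entry types the helpers above acted on: an O16 DPF (ActiveX)
object sourced from file:// instead of the web, an all-users Startup shortcut,
and orphaned entries. Severity labels and rules are this example's own."""
from __future__ import annotations

import re
from typing import NamedTuple

# Entry lines look like "O16 - DPF: {CLSID} (optional name) - <url>";
# section ids are R0..R3 and O1..O23.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<name>.*?) - (?P<url>\S+)$")

# Entry lines taken verbatim from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\ctfmon.exe
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
"""


class Finding(NamedTuple):
    section: str
    severity: str   # "high" | "low" | "info" (this example's own scale)
    reason: str
    entry: str


def parse_entries(log: str) -> list[tuple[str, str]]:
    """Return (section, body) for every Rn/On line; header and process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for sec, body in parse_entries(log):
        if sec == "O16":
            # Downloaded Program Files: the source should be a web origin.
            m = DPF_RE.match(body)
            url = m["url"] if m else ""
            scheme = url.split("://", 1)[0].lower() if "://" in url else ""
            if scheme not in ("http", "https"):
                findings.append(Finding(sec, "high",
                    f"ActiveX object registered from '{scheme or 'unknown'}' "
                    "source rather than a web URL", body))
        elif sec == "O4" and body.startswith("Global Startup:"):
            # Shortcut in the all-users Startup folder: runs for every account.
            findings.append(Finding(sec, "info",
                "all-users Startup shortcut; confirm it is wanted", body))
        elif sec == "O9" and body.endswith("(no file)"):
            findings.append(Finding(sec, "low",
                "extra IE button points at a file that no longer exists", body))
        elif sec == "R3" and "is missing" in body:
            findings.append(Finding(sec, "low",
                "default URLSearchHook missing; common leftover of a removed hijacker", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.entry}")
```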