Jump to content


Photo

Hijacking putting soap biz down the drain


  • Please log in to reply
6 replies to this topic

#1 riverjade

riverjade

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 July 2004 - 03:11 PM

I need your assistance, please. I am a very small soap maker with no computer knowledge. I understand that my web browser has been hijacked. I have used HIJACK THIS to remove the offending entries that divert me to another website.
However these keep getting reinserted by a devious program that executes every time I open IE under the falsehood that it is trying to install "Windows XP for Students and Teachers".

Any assistance is greatly appreciated since it is gravely impacting my small business.

Here is the log file from HIJACK THIS. The 1st 6 lines keep reappearing every time I execute IE or another program.
THANK YOU SO MUCH.

Logfile of HijackThis v1.98.0
Scan saved at 3:10:15 PM, on 7/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\addly32.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\WINNT\d3yf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Quicken2001\QWDLLS.EXE
C:\WINNT\System32\mrtMngr.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\BACKUP\HJTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.riverjade.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wruge.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wruge.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wruge.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wruge.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4876F229-4347-F56B-A91E-D83E961F9AA6} - C:\WINNT\system32\d3uu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart TIMER_SEQUENCE first
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [d3yf.exe] C:\WINNT\d3yf.exe
O4 - HKLM\..\RunOnce: [ienz.exe] C:\WINNT\ienz.exe
O4 - HKLM\..\RunOnce: [addly32.exe] C:\WINNT\system32\addly32.exe
O4 - HKLM\..\RunOnce: [sdkcj.exe] C:\WINNT\sdkcj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken2001\BILLMIND.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken2001\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch....tp_le/setup.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{068B93CD-46B0-4920-988A-5C0E23E3BCC0}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{068B93CD-46B0-4920-988A-5C0E23E3BCC0}: NameServer = 207.69.188.187 207.69.188.186

#2 riverjade

riverjade

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 19 July 2004 - 06:25 PM

BUMP - please let me know if someone can review the log, I'm definitely need of expert assistance since this is now impacting my small biz.

#3 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 21 July 2004 - 06:55 PM

Hello riverjade,

Sorry, that it's been a few days. The random files may have changed, so please do this:
Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Posted Image Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
Posted Image Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Posted Image Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Posted Image Click on Proceed to save the settings.

Posted Image Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Posted Image Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Posted Image Save the log file when it asks and then click Finish

Posted Image When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Posted Image Reboot your computer.


Then, please download About:Buster and unzip it to your desktop.
Start it, hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

#4 riverjade

riverjade

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 22 July 2004 - 06:56 PM

AUTODAD,

Thanks so very much for your response. I had already loaded Ad-ware but did not configure it as your described. The 2 normally objects removed grew to 34, wow. I also downloaded and executed the BUSTER program. I'm sorry but I forgot to save the 1st log file specially since it had many, many items in it that were removed. I did run it a second time. Its log and the Hijack this Log are below.

- Scan 2 --------
About:Buster Version 1.31
Error Removing! : C:\WINNT\System32\addly32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!


Logfile of HijackThis v1.98.0
Scan saved at 6:49:27 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\addly32.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\Quicken2001\QWDLLS.EXE
C:\WINNT\System32\mrtMngr.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\wuauclt.exe
C:\BACKUP\HJTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4876F229-4347-F56B-A91E-D83E961F9AA6} - C:\WINNT\system32\d3uu32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart TIMER_SEQUENCE first
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\RunOnce: [javahu.exe] C:\WINNT\javahu.exe
O4 - HKLM\..\RunOnce: [ipea32.exe] C:\WINNT\system32\ipea32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken2001\BILLMIND.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken2001\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch....tp_le/setup.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

#5 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 23 July 2004 - 04:58 AM

HI riverjade,

Can you please find this file addly32.exe
It's locates here: C:\WINNT\System32\addly32.exe
Then zip it and please send it to Rubby Ducky here
Please put the link to this topic in the mail too.
Thanks!


Let's try this:
Make sure your PC is configured to show hidden files:

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
___________

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you donīt find this service listed go ahead with the next steps.

___________

Now, reboot to Safe Mode (tap F8 while restarting).


Then open Hijackthis, click Scan, then put a check next to the following entries:

(If any of these R1's or RO's are there, put a check next to them)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\XXXX.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://XXXX.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {4876F229-4347-F56B-A91E-D83E961F9AA6} - C:\WINNT\system32\d3uu32.dll (file missing)

O4 - HKLM\..\RunOnce: [javahu.exe] C:\WINNT\javahu.exe
O4 - HKLM\..\RunOnce: [ipea32.exe] C:\WINNT\system32\ipea32.exe




Now, make sure you Close all open Windows (have only HJT open) and click "Fix Checked".

- - - - - - - -

Then Delete these files (if found)

C:\WINNT\javahu.exe
C:\WINNT\system32\ipea32.exe
C:\WINNT\system32\addly32.exe


Then, while still in safe mode, run About:Buster.
Start it, (If there is a pop-up that says to fix all random objects, we just did that)
Hit Ok, Start, And Ok to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

- - - - - - - -

Now run Ad-aware, while still in safe mode.

_________

Then, reboot normally and take a free on-line scan at HouseCall


After you do the above, please post a new HJT log, and your About Buster log.

#6 riverjade

riverjade

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 24 July 2004 - 04:09 PM

Autodad,

Everything seem to work wonderfully. Two logs are below. I deleted
the files you recommended (javahu.exe, ipea32.exe, & addly32.exe). While searching I found similar named files in the winnt/prefecth directory. I have not deleted them yet, should I?
javahu.exe_0359fd98.pf
ipea32.exe_120c5856.pf
addly32.exe_186b7004.pf

Finally, I e-mailed the requested addly32.exe ZIP file.

Thanks again for all your help!

Logfile of HijackThis v1.98.0
Scan saved at 3:28:04 PM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\BACKUP\HJTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.riverjade.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart TIMER_SEQUENCE first
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken2001\BILLMIND.EXE
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken2001\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch....tp_le/setup.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

- Scan 1 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

#7 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 24 July 2004 - 08:19 PM

Hi riverjade,

Your welcome. :D

Yes, I would delete those 3 files in the prefetch directory.

Then you can fix this entry in HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>


Other than that, it looks good.
Here is some free protection you should consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check for updates occaisionally.

And also see So how did I get infected in the first place?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button