• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
edgarb

Please help with spyware/malware

13 posts in this topic

I am having serious problems with programs such as midaddle, cleverIEhooker, and TV Media. Here is the log. Any help is greatly appreciated.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:54:48 PM, on 7/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QUICKENW\QAGENT.EXE

C:\Program Files\QUICKENW\QAGENT.EXE

C:\documents and settings\d. edgar black\local settings\temp\0zJ9aRDcW.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\automove.exe

C:\documents and settings\d. edgar black\local settings\temp\n3h.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\mrtMngr.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\carpserv.exe

C:\dell\bldbubg.exe

C:\WINDOWS\System32\migsta.exe

C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\System32\KedH.exe

C:\WINDOWS\System32\Esad8.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.dur.ac.uk/Admin/proxy.config

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.samford.edu:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\D. Edgar Black\Application Data\Mozilla\Profiles\default\5s16adx6.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CheckCite\llieobj.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE

O4 - HKLM\..\Run: [nslif] C:\WINDOWS\nslif.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [0zJ9aRDcW] C:\documents and settings\d. edgar black\local settings\temp\0zJ9aRDcW.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AutoLoaderu05v1IXSVOPX] "C:\WINDOWS\System32\srvntvol.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\GnsDk.exe

O4 - HKLM\..\Run: [u7mT36i] srvntvol.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - HKLM\..\Run: [n3h] C:\documents and settings\d. edgar black\local settings\temp\n3h.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [buildBU] c:\dell\bldbubg.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [fw53RWG6O] migsta.exe

O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/telepor...mCity3TeleX.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7901.6964814815

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

Share this post


Link to post
Share on other sites

Sorry it's taken so long to get to you, but we stay totally swamped these days.

 

You have a Peper infection, click HERE to download the PeperFix tool - save it to your desktop.

 

Reboot your computer into Safe Mode by repeatedly tapping the F8 key during bootup (or see How to boot into Safe Mode). Stay in Safe Mode until instructed to reboot.

 

Run PeperFix.exe.

 

Run a new HJT scan, and mark these items for removal:

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

 

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\System32\SWin32.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

 

O4 - HKLM\..\Run: [nslif] C:\WINDOWS\nslif.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [0zJ9aRDcW] C:\documents and settings\d. edgar black\local settings\temp\0zJ9aRDcW.exe

O4 - HKLM\..\Run: [AutoLoaderu05v1IXSVOPX] "C:\WINDOWS\System32\srvntvol.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\GnsDk.exe

O4 - HKLM\..\Run: [u7mT36i] srvntvol.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - HKLM\..\Run: [n3h] C:\documents and settings\d. edgar black\local settings\temp\n3h.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [fw53RWG6O] migsta.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe

 

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Open Windows Explorer and reconfigure it to Enable Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the Files and Folders section.

Select: Display the contents of system folders.

Scroll down to the Hidden Files and Folders section.

Select: Show hidden files and folders, Ok the prompt

Uncheck: Hide file extensions for known file types

Uncheck: Hide protected operating system files

Ok the Prompt, click Apply

 

Click the Apply to all Folders button.

 

Delete these files if still present:

 

C:\WINDOWS\System32\automove.exe

C:\WINDOWS\System32\Esad8.exe

C:\WINDOWS\System32\KedH.exe

 

Delete ALL files in this folder (but not the folder itself):

 

C:\documents and settings\d. edgar black\local settings\temp\

 

Now, run PeperFix.exe again.

 

Reboot normally, run another HJT scan, and post it here for further review.

Share this post


Link to post
Share on other sites

Fireflyer, first of all, thank you very much for taking the time to help me with my problem. I know that everyone here is very busy, and I really appreciate it. Ok, I did all that you said, and here is the log file from the most recent HJT scan. Also, my computer ran adaware when it booted back up, and found nothing but a few tracking cookies. That is the first time that has happened in over a month. Anyway, here is the log file. Thanks again!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 10:31:37 PM, on 8/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\wxfsgqlt.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.dur.ac.uk/Admin/proxy.config

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.samford.edu:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\D. Edgar Black\Application Data\Mozilla\Profiles\default\5s16adx6.slt\prefs.js)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {251A3294-433F-4327-A4E7-D644F8E86E3D} - C:\WINDOWS\System32\xvoll.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CheckCite\llieobj.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\GnsDk.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [xvollc] C:\WINDOWS\System32\xvollc.exe

O4 - HKLM\..\Run: [qykszdhuz] C:\WINDOWS\System32\wxfsgqlt.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/telepor...mCity3TeleX.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7901.6964814815

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

Share this post


Link to post
Share on other sites

Well, you're not out of the woods yet. Peper is a strong infection that often masks other infections - they start showing up as the Peper is cleaned out. I think we've weakened the Peper because some things that didn't show before are there now. But the Peper signature is still there too, so lets attack it again.

 

Boot into Safe Mode and run PeperFix again. Stay in Safe Mode until instructed to reboot.

 

Run a HijackThis scan and mark these items for removal:

 

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

O2 - BHO: (no name) - {251A3294-433F-4327-A4E7-D644F8E86E3D} - C:\WINDOWS\System32\xvoll.dll

 

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\GnsDk.exe

O4 - HKLM\..\Run: [xvollc] C:\WINDOWS\System32\xvollc.exe

O4 - HKLM\..\Run: [qykszdhuz] C:\WINDOWS\System32\wxfsgqlt.exe

 

I presume that these are due to you setting restrictions on your system in Spybot, and if that's the case then leave them - but if you (or an administrator) have not placed these restrictions in effect, then mark them also:

 

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

 

Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

 

Open Windows Explorer and navigate to the System32 folder and delete this file if still present:

 

C:\WINDOWS\System32\wxfsgqlt.exe

 

Now, run PeperFix again.

 

Run Ad-aware.

 

Reboot normally, run another HJT scan, and post it here for another look.

(And, upgrade your HJT to the new 1.98.1 version first.)

Share this post


Link to post
Share on other sites

FireFlyer, thanks again for your continued help with my adware problem. I followed your instructions, and here is a post of my new HJT logfile. Thanks again! One more thing. I am currently in England. I am returning to the US on Thursday, Aug. 5. It is possible that beginning on thursday, aug 5 I may not be able to respond for a day or two. Thanks,

 

 

Logfile of HijackThis v1.98.1

Scan saved at 4:16:29 PM, on 8/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\WordPerfect Office 11\Programs\wpwin11.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.dur.ac.uk/Admin/proxy.config

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.samford.edu:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\D. Edgar Black\Application Data\Mozilla\Profiles\default\5s16adx6.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: West Group CiteLink Microsoft IE Shell - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CheckCite\llieobj.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/telepor...mCity3TeleX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

Edited by edgarb

Share this post


Link to post
Share on other sites

Just one addition - For Twaintec, please follow the listed instructions for removal ...

 

We need to remove a program called "Twain-Tec". To do this, first you need to disable System restore as per the instructions at here . Twiantec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis. This is because of the remaining registry entries and files which can be dangerous. Instead the following method of removal is preferable and complete:

Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer to SAFE mode - How do I boot into "Safe" mode?. Delete twaintech.dll and twaintec.ini If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it.

Share this post


Link to post
Share on other sites

PGPhantom,

 

I didn't see Twain-Tech in my add/remove programs list, and a search for the filenames "twaintech.dll" and "twaintec.ini" was unable to locate these files. Not sure what the problem could be, as I have seen adaware and such pick up twaintech before. If you have any suggestions, they would be greatly appreciated. Thanks for your reply.

Share this post


Link to post
Share on other sites

edgarb,

 

The log is clean now of the Peper infection. It also doesn't show any indications of TwainTec. Sorry I had you remove it improperly - I was concentrating on wringing out the Peper and I forgot that TwainTec was a special case.

 

The dll, as listed in your earlier log was:

 

C:\WINDOWS\twaintec.dll <- NOT twaintech.dll

 

So look in the C:Windows folder for it and make sure it's gone. If it's still there delete it - it might delete in normal mode at this point, but if not, boot into Safe Mode and do it.

 

Continuing after a few days layoff is fine - but it's possible we'll finish before you leave. Let me know what you found on the dll and if you're having any more problems.

Share this post


Link to post
Share on other sites

Fireflyer,

 

Thanks so much for your help. I searched for "twaintec.dll" and found five instances of the file on my computer. I deleted them all, and have rebooted and run another hjt scan. I will post the log from that scan in this reply. I just want to say thank you for help on a problem that has plagued me for over a month. It is nice to have people with the knowledge, time, and willingness to help others with the awful spyware problem that is rampant on the internet right now. Thanks, and here is my new log file.

 

 

Logfile of HijackThis v1.98.1

Scan saved at 11:34:32 PM, on 8/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\carpserv.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.dur.ac.uk/Admin/proxy.config

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.samford.edu:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\D. Edgar Black\Application Data\Mozilla\Profiles\default\5s16adx6.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: West Group CiteLink Microsoft IE Shell - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: LexLink IE ToolBar - {CBAA6F21-985C-11D4-A02B-00B0D073E889} - C:\Program Files\LexisNexis\CheckCite\llieobj.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/telepor...mCity3TeleX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS2\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: Domain = dur.ac.uk

O17 - HKLM\System\CS3\Services\Tcpip\..\{23F095AF-2283-4C1C-BC2F-E93514D8DA19}: NameServer = 129.234.4.13,129.234.4.11

Share this post


Link to post
Share on other sites

The log looks good - no malware seen. All I can find now are these two optional removals that unnecessarily hog system resources:

 

This is a program added when you run installations for cable internet service. It is not needed for you to connect to the internet.

 

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

 

This is a Startup entry for RealPlayer and it is not necessary to run it at start up. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself.

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

Run a HJT scan and mark the items (if you choose to do so) and click Fix checked.

 

Have all your problems cleared up?

Share this post


Link to post
Share on other sites

Yes, all the problems appear to have cleared up. I don't have that computer connected to the laptop at the moment, but when it last was connected, everything seemed to be running smoothly. Thanks so much for all of your help. There is no way that I would have been able to fix all of this without you guys! Thanks again!

 

Edgar

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0