Jump to content


Photo

Seem to be infected with CWS_NS3 and other spyware


  • Please log in to reply
17 replies to this topic

#1 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 27 July 2004 - 05:46 PM

After running webroot spysweeper countless times, I still havent been able to get rid of suspected spyware such as CWS_NS3 and Apropo. Now I'm lost, as I have no idea what to do next. If someone were to guide me through this, it would be greatly appreciated...

Logfile of HijackThis v1.97.7
Scan saved at 3:39:07 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\crls32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\addec.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\documents and settings\user\local settings\temp\4vdaiAcX.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\sndtrolsuite.exe
C:\WINDOWS\System32\danui1.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\Integrator.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsqwj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jsqwj.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jsqwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsqwj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jsqwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jsqwj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C59F735-B9A9-0E5E-7F02-4AC713EE9662} - C:\WINDOWS\crsf32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [addec.exe] C:\WINDOWS\system32\addec.exe
O4 - HKLM\..\Run: [javazl32.exe] C:\WINDOWS\system32\javazl32.exe
O4 - HKLM\..\Run: [adduw.exe] C:\WINDOWS\system32\adduw.exe
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [4vdaiAcX] C:\documents and settings\user\local settings\temp\4vdaiAcX.exe
O4 - HKLM\..\Run: [33EW3EU] sndtrolsuite.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [I0x6ROY4g] danui1.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [addly32.exe] C:\WINDOWS\system32\addly32.exe
O4 - HKLM\..\RunOnce: [winoa32.exe] C:\WINDOWS\system32\winoa32.exe
O4 - HKLM\..\RunOnce: [addvy.exe] C:\WINDOWS\system32\addvy.exe
O4 - HKLM\..\RunOnce: [sysfy32.exe] C:\WINDOWS\system32\sysfy32.exe
O4 - HKLM\..\RunOnce: [apizo32.exe] C:\WINDOWS\apizo32.exe
O4 - HKLM\..\RunOnce: [winmo32.exe] C:\WINDOWS\system32\winmo32.exe
O4 - HKLM\..\RunOnce: [atlwg32.exe] C:\WINDOWS\atlwg32.exe
O4 - HKLM\..\RunOnce: [crey32.exe] C:\WINDOWS\system32\crey32.exe
O4 - HKLM\..\RunOnce: [ntgb32.exe] C:\WINDOWS\ntgb32.exe
O4 - HKLM\..\RunOnce: [addiq32.exe] C:\WINDOWS\addiq32.exe
O4 - HKLM\..\RunOnce: [apish32.exe] C:\WINDOWS\apish32.exe
O4 - HKLM\..\RunOnce: [winyf32.exe] C:\WINDOWS\system32\winyf32.exe
O4 - HKLM\..\RunOnce: [crne32.exe] C:\WINDOWS\system32\crne32.exe
O4 - HKLM\..\RunOnce: [apigb32.exe] C:\WINDOWS\apigb32.exe
O4 - HKLM\..\RunOnce: [ipbn.exe] C:\WINDOWS\system32\ipbn.exe
O4 - HKLM\..\RunOnce: [crkl.exe] C:\WINDOWS\system32\crkl.exe
O4 - HKLM\..\RunOnce: [iepi32.exe] C:\WINDOWS\system32\iepi32.exe
O4 - HKLM\..\RunOnce: [adddg.exe] C:\WINDOWS\adddg.exe
O4 - HKLM\..\RunOnce: [atljw.exe] C:\WINDOWS\atljw.exe
O4 - HKLM\..\RunOnce: [iedh.exe] C:\WINDOWS\iedh.exe
O4 - HKLM\..\RunOnce: [d3bw.exe] C:\WINDOWS\d3bw.exe
O4 - HKLM\..\RunOnce: [addnf32.exe] C:\WINDOWS\system32\addnf32.exe
O4 - HKLM\..\RunOnce: [sdknh.exe] C:\WINDOWS\sdknh.exe
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 28 July 2004 - 10:39 AM

Hello please download About:Buster and unzip it to your desktop. Don´t run it yet.

How to use Ad-Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Don´t use it yet.
1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R334 24.07.2004 or higher listed.

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

4. Reboot to Safe Mode
How to start the computer in Safe mode


5. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsqwj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jsqwj.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jsqwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsqwj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jsqwj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jsqwj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O2 - BHO: (no name) - {5C59F735-B9A9-0E5E-7F02-4AC713EE9662} - C:\WINDOWS\crsf32.dll
O4 - HKLM\..\Run: [addec.exe] C:\WINDOWS\system32\addec.exe
O4 - HKLM\..\Run: [javazl32.exe] C:\WINDOWS\system32\javazl32.exe
O4 - HKLM\..\Run: [adduw.exe] C:\WINDOWS\system32\adduw.exe
O4 - HKLM\..\Run: [4vdaiAcX] C:\documents and settings\user\local settings\temp\4vdaiAcX.exe
O4 - HKLM\..\Run: [33EW3EU] sndtrolsuite.exe
O4 - HKCU\..\Run: [I0x6ROY4g] danui1.exe
O4 - HKLM\..\RunOnce: [addly32.exe] C:\WINDOWS\system32\addly32.exe
O4 - HKLM\..\RunOnce: [winoa32.exe] C:\WINDOWS\system32\winoa32.exe
O4 - HKLM\..\RunOnce: [addvy.exe] C:\WINDOWS\system32\addvy.exe
O4 - HKLM\..\RunOnce: [sysfy32.exe] C:\WINDOWS\system32\sysfy32.exe
O4 - HKLM\..\RunOnce: [apizo32.exe] C:\WINDOWS\apizo32.exe
O4 - HKLM\..\RunOnce: [winmo32.exe] C:\WINDOWS\system32\winmo32.exe
O4 - HKLM\..\RunOnce: [atlwg32.exe] C:\WINDOWS\atlwg32.exe
O4 - HKLM\..\RunOnce: [crey32.exe] C:\WINDOWS\system32\crey32.exe
O4 - HKLM\..\RunOnce: [ntgb32.exe] C:\WINDOWS\ntgb32.exe
O4 - HKLM\..\RunOnce: [addiq32.exe] C:\WINDOWS\addiq32.exe
O4 - HKLM\..\RunOnce: [apish32.exe] C:\WINDOWS\apish32.exe
O4 - HKLM\..\RunOnce: [winyf32.exe] C:\WINDOWS\system32\winyf32.exe
O4 - HKLM\..\RunOnce: [crne32.exe] C:\WINDOWS\system32\crne32.exe
O4 - HKLM\..\RunOnce: [apigb32.exe] C:\WINDOWS\apigb32.exe
O4 - HKLM\..\RunOnce: [ipbn.exe] C:\WINDOWS\system32\ipbn.exe
O4 - HKLM\..\RunOnce: [crkl.exe] C:\WINDOWS\system32\crkl.exe
O4 - HKLM\..\RunOnce: [iepi32.exe] C:\WINDOWS\system32\iepi32.exe
O4 - HKLM\..\RunOnce: [adddg.exe] C:\WINDOWS\adddg.exe
O4 - HKLM\..\RunOnce: [atljw.exe] C:\WINDOWS\atljw.exe
O4 - HKLM\..\RunOnce: [iedh.exe] C:\WINDOWS\iedh.exe
O4 - HKLM\..\RunOnce: [d3bw.exe] C:\WINDOWS\d3bw.exe
O4 - HKLM\..\RunOnce: [addnf32.exe] C:\WINDOWS\system32\addnf32.exe
O4 - HKLM\..\RunOnce: [sdknh.exe] C:\WINDOWS\sdknh.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab




7. Delete the following files and folders if present.
C:\WINDOWS\apizo32.exe
C:\WINDOWS\crsf32.dll
C:\WINDOWS\atlwg32.exe
C:\WINDOWS\ntgb32.exe
C:\WINDOWS\addiq32.exe
C:\WINDOWS\apish32.exe
C:\WINDOWS\apigb32.exe
C:\WINDOWS\adddg.exe
C:\WINDOWS\atljw.exe
C:\WINDOWS\iedh.exe
C:\WINDOWS\d3bw.exe
C:\WINDOWS\sdknh.exe
C:\WINDOWS\system32\addec.exe
C:\WINDOWS\system32\jsqwj.dll
C:\WINDOWS\system32\javazl32.exe
C:\WINDOWS\system32\adduw.exe
C:\WINDOWS\system32\addly32.exe
C:\WINDOWS\system32\winoa32.exe
C:\WINDOWS\system32\addvy.exe
C:\WINDOWS\system32\sysfy32.exe
C:\WINDOWS\system32\winmo32.exe
C:\WINDOWS\system32\crey32.exe
C:\WINDOWS\system32\winyf32.exe
C:\WINDOWS\system32\crne32.exe
C:\WINDOWS\system32\ipbn.exe
C:\WINDOWS\system32\crkl.exe
C:\WINDOWS\system32\iepi32.exe
C:\WINDOWS\system32\addnf32.exe
C:\documents and settings\user\local settings\temp\4vdaiAcX.exe

Find (f3) and delete:
sndtrolsuite.exe
danui1.exe



8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


11. Reboot to normal mode, scan again with Hijack This and post a new log here.

12. Finally, do an online scan HERE. Let it remove any infected files found.

#3 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 July 2004 - 12:55 AM

Everything was done as told, thank you so much for your time. Although CWS_NS3 is still detected by spysweeper, i was still able to get rid of the rest of the spyware. With that said, here are my logs. Thanks again.

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\gnvoq.dat
Removed! : C:\WINDOWS\gnvoq.dll
Removed! : C:\WINDOWS\kqecx.dat
Removed! : C:\WINDOWS\System32\fcqtn.dat
Removed! : C:\WINDOWS\System32\mtprk.dll
Removed! : C:\WINDOWS\System32\syram.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 10:48:05 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45BF02B3-6F53-F516-CA0B-8B10C0085204} - C:\WINDOWS\apidi32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 08:34 AM

OK you´re almost there.

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

O2 - BHO: (no name) - {45BF02B3-6F53-F516-CA0B-8B10C0085204} - C:\WINDOWS\apidi32.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

I noticed that you have the BroadJump program on your computer. It is not a true spyware program, but it may have been installed on your system when you got cable Internet from your cable company. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. Fix the line following line in Hijackthis:

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
Now to uninstall it, please this article:
http://support.cox.n...fd_remove.shtml

This is an automatic updater for Wild Tangent, which is of dubious repute. If you wish to keep the program, fine, otherwise remove Wild Tangent in Add/Remove Programs and also delete its icon from the Control Panel.... and fix the following 04 line as well.....

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. This is the item to fix in HJT:
O4 - HKLM\..\Run: [TkBellExe] "C:\ProgramFiles\Common Files\Real\Update_OB\realsched.exe" –osboot

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. If you opt to remove it, first use Add/Remove Program , and fix this in Hijack This:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Please post a new log.

#5 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 July 2004 - 02:42 PM

Hopefully I followed the instructions correctly. Thanks for your time once again.

Logfile of HijackThis v1.97.7
Scan saved at 12:39:30 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\Integrator.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2AB80E5C-C6A3-016D-788D-E1F289A65E42} - C:\WINDOWS\winag32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 03:15 PM

Not there yet.

Fix this:
O2 - BHO: (no name) - {2AB80E5C-C6A3-016D-788D-E1F289A65E42} - C:\WINDOWS\winag32.dll

and delete this file
C:\WINDOWS\winag32.dll

You are using DAP which is not technically malware, but it may include malware and allow it into your system. To remove it, fix these items with HJT and then remove it in Add/Remove Programs....
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Run DAP (HKLM)


Reboot and post a new log.

#7 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 July 2004 - 04:00 PM

Logfile of HijackThis v1.97.7
Scan saved at 1:58:36 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\Integrator.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ntla32.exe
C:\HJT\HijackThis.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {61A23520-0CDE-88EC-4C30-94D8137D6984} - C:\WINDOWS\apicz32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#8 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 04:33 PM

mmmm. a hard one.
Do not reboot.

Right click on your task bar, go to Task Manager, in the processes tab stop this process:
ntla32.exe

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

O2 - BHO: (no name) - {61A23520-0CDE-88EC-4C30-94D8137D6984} - C:\WINDOWS\apicz32.dll


Delete the files:
C:\WINDOWS\ntla32.exe
C:\WINDOWS\apicz32.dll

Double click AboutBuster.exe , Run the program twice, save both logs.
Scan with Adaware and let it remove any bad files found.

Post a new HJThis log and both About Buster logs.

#9 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 July 2004 - 04:48 PM

:D Ad-aware found nothing to delete, which must be a good sign

-- Scan 1 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.97.7
Scan saved at 2:42:18 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\Integrator.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\HJT\HijackThis.exe
C:\Documents and Settings\User\Desktop\Extras\AboutBuster.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2AB80E5C-C6A3-016D-788D-E1F289A65E42} - C:\WINDOWS\winag32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#10 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 04:51 PM

Good job!
Your log is clean.
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?

Good luck :D

#11 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 July 2004 - 04:53 PM

Thanks for putting up with this. I really hope this wasn't too much trouble for you.

#12 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 04:57 PM

Hold on! I think i´m missing some thing here

What is that support.com program in your program files folder?

#13 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 July 2004 - 05:23 PM

It looks like this folder has many .exe, .dll, and url files that I've never heard of (they suspiciously look like advertisement url's btw). Actually I dont ever remember installing this onto my computer. It doesnt seem like i'll be needing it either. Do you think it might be a spyware threat?

#14 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 29 July 2004 - 05:48 PM

Yes I think so. So...
CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray


Uninstall it form the Add/Remove Programs Panel if present and delete the folder c:\program files\support.com

#15 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 29 July 2004 - 10:35 PM

Logfile of HijackThis v1.97.7
Scan saved at 8:34:56 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\Integrator.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Program Files\AIM\aim.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\explorer.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#16 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 30 July 2004 - 09:03 AM

Did you delete the C:\program files\support.com folder?, I still see the process running.

#17 smartone848

smartone848

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 30 July 2004 - 11:04 PM

Sorry About that. Yesterday my computer wouldn't let me delete it, but today i was able to send it to the recycle bin without any trouble. So here is, hopefully, my last and final log (btw the other support.exe you see here is one installed by dell and is supposed to be a helping utility of somekind).

Logfile of HijackThis v1.97.7
Scan saved at 9:00:17 PM, on 7/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\WINDOWS\Integrator.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#18 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 31 July 2004 - 10:27 AM

OK. You´re ready to go.

Your log is clean.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button