• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
Dallas_67

Belgiandip Won't Go & There Are Other Infections

4 posts in this topic

Okay...I think I'm literally riddled with Spyware / Malware. Previously it has just been annoying but now its at a point where it won't let me run an Internet MMORGH (City of Heroes) that I PAY for. According to the game support, they recommend removing any *.dll files in the BHO section that I cannot readily identify. I can't identify any of them since I have no skills. So here's my HijackThis log.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:49:55 PM, on 7/27/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE

C:\Program Files\Grisoft\AVG6\avgw.exe

C:\WINDOWS\System32\regedit.exe

C:\Documents and Settings\Dallas Bloom\Desktop\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Outlook Express\msimn.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [ventclse] C:\WINDOWS\System32\ventclse.exe

O4 - HKLM\..\Run: [hsvcss] C:\WINDOWS\System32\hsvcss.exe

O4 - HKLM\..\Run: [CashToolbar] C:\WINDOWS\system32\inetsrv\CD_Load.exe

O4 - HKLM\..\Run: [ClickTheButton] C:\WINDOWS\system32\drivers\MSCStat.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpywareBlocker.exe" /0

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: PowerReg Scheduler.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: MindSpring (HKCU)

O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://*.microsoft.com

O16 - DPF: Win32 Classes -

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/081283eac605de811d05/...ip/RdxIE601.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Installs...AST%20SETUP.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7800.0530555556

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab

O16 - DPF: {E2FAE86D-7641-46EF-BB52-AD4BEC97EB64} (ThinkHTMLEditor.HTMLEditorComponent) - http://www.thinktechnologies.com/htmldemo/...kHTMLEditor.CAB

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

 

I have read the FAQ but I couldn't get the link to the article to work. Of all the spyware that keeps popping up with Spybot S&D, Ad-Aware, and Earthlink's own detector, Belgiandip seems to be the most persistant. But I get new spyware all the time. Another one of the little bastards is that damn Downloader (I think that's the name) that gives you a fake Windows error message with an 'okay' button to a web site selling spyware removal software. I got rid of it for a long time (don't ask me how) but now it's back and better than ever. I also have Wild Tangent hanging around that I have yet to learn how to remove. I know there's plenty of info on that one...I just haven't gotten around to looking for it.

 

I've started using Firefox rather than IE as my Internet Explorer. I don't know if that's important but I'm saying just because. One other quirk is that I can't seem to use regedit...at least in normal mode. When I type it into the run box, I get some hourglass action but then nothing opens. Maybe it would in safe mode.

 

It may be to the point where only formatting my drive and reinstalling everything might be an option. As I no longer have some of my disks, I really, really don't want to do that. Any help would be very much appreciated.

Share this post


Link to post
Share on other sites

Hi,

First thing to do is ...

 

Update Ad-aware's Reference File: instructions icon11.gifhere

 

Required Step: icon11.gifReconfigure Ad-Aware for Full Scan

 

Note: do not run Ad-Aware yet, just update and reconfigure.

 

atb_help.gifReconfigure Windows Explorer to show Hidden Files: [required step]

Open the Windows Explorer | Tools | Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Next:

 

Close all open programs and browsers, rescan with HijackThis

Place a check in each of the following then click "Fix checked".

 

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [ventclse] C:\WINDOWS\System32\ventclse.exe

O4 - HKLM\..\Run: [hsvcss] C:\WINDOWS\System32\hsvcss.exe

O4 - HKLM\..\Run: [CashToolbar] C:\WINDOWS\system32\inetsrv\CD_Load.exe

O4 - HKLM\..\Run: [ClickTheButton] C:\WINDOWS\system32\drivers\MSCStat.exe

O4 - Global Startup: PowerReg Scheduler.exe

O16 - DPF: Win32 Classes -

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/081283eac605de811d05/...ip/RdxIE601.cab

 

Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

 

Start | Run (type) "%temp%" (no quotes)

Completely delete the entire contents of that "temp" folder.

 

Open Windows Explorer locate and delete the following:

 

C:\WINDOWS\System32\ventclse.exe <--this file

C:\WINDOWS\System32\hsvcss.exe <--this file

C:\WINDOWS\system32\drivers\MSCStat.exe <--this file

C:\WINDOWS\System32\regedit.exe <--this file

Note: do not delete C:\WINDOWS\regedit.exe

 

While still in Safe Mode, run Ad-Aware and fix everything it finds.

 

Restart normally and then ...

 

icon13.gifImportant! Your system is severly out of date!

Visit icon11.gifWindows Update and install all the "Critical Updates"

 

After the above, reboot, rescan with HijackThis and post a fresh log ...

Share this post


Link to post
Share on other sites

Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0