ccrb

"illinois" system

16 posts in this topic

Hi Guys.

 

This is a new problem system. I didn't think it was that serious, but when I ran HJT (log follows) I can see what seems to be a number of random dll and exe file names.

 

I have highlighted on paper what I would probably delete, but as a still learning amateur, I submit it to you for your inspection:

 

Logfile of HijackThis v1.98.0

Scan saved at 10:18:37 AM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\USBMonit.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Navnt\navapw32.exe

C:\Program Files\ACT\SideACT.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\rob\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msnbc.com/

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {73172428-DBFC-490D-8539-E06BCBAA9BD8} - C:\WINNT\SYSTEM32\0gp0iqb.dll

O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe

O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load

O4 - HKLM\..\Run: [PCPROXYR] C:\WINNT\system32\PCPROXYR.exe

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [RO_tater] C:\WINNT\SYSTEM32\RO_tater2.exe -invisible

O4 - HKLM\..\RunOnce: [cetec] regedit.exe /s C:\DOCUME~1\dspencer\LOCALS~1\Temp\cetec.reg

O4 - HKLM\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpcc.exe

O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe

O4 - HKCU\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k

O4 - Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: Talk City EZTalk 3.0 - http://live.talkcity.com/java/ezmed/ezmed.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/09df48207f2a382e7b05/netzip/RdxIE.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.37.22.162:1081/activex/AxisCamControl.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} (ProjectPoint Document) - https://folders.buzzsaw.com/nokz/kala_en_3_0_605_20.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C02F818-6051-4F4E-89A4-7577E6EC802C}: NameServer = 64.19.9.33,69.57.174.186

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

:D

 

Norton has detected Trojan.Chost twice today

 

Trend house call is now running, and has so far found Troj-Agent-1

Troj Alchemic.a

troj isbar.o

troj small.xc

troj blazefind.a

troj stilen.a

 

So, it seems to be quite a mess on this system.


Hey, it would be a great idea to run adaware and spybot.

 

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it.

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives

3. Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

4. Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

 

6. Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

 

8. When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

 

9. Reboot your computer.

 

THEN

 

Scanning in Spybot Search and Destroy:

 

1. Download and Install Spybot S&D, accepting the Default Settings

(Please ensure you have version 1.3 final.)

Home - The home of Spybot-S&D!: http://www.safer-networking.org/

 

2. Go to Start > Programs >Spybot – Search & Destroy and choose Spybot S&D

 

3. Close ALL windows except Spybot S&D

 

4. Click the button to ‘Search for Updates’ and download and install the Updates.

 

5. Next click the button ‘Check for Problems’

 

6. When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window

 

7. Ensure there is a check mark beside the RED entries ONLY.

 

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

 

9. REBOOT

 

then reboot after everything and post a new log.


1) Ran Adaware, found and cleaned 60+ items

2) Ran Spybot, found and cleaned 30+ items

3) popups continue, although machine is less sluggish

 

Most of the HJT log is unchanged, although several lines have a "file missing" comment, which is a good sign.

 

here is the HJT log

 

Logfile of HijackThis v1.98.0

Scan saved at 4:15:30 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\USBMonit.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Navnt\navapw32.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\rob\HijackThis.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\WINNT\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {73172428-DBFC-490D-8539-E06BCBAA9BD8} - C:\WINNT\SYSTEM32\0gp0iqb.dll

O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [RO_tater] C:\WINNT\SYSTEM32\RO_tater2.exe -invisible

O4 - HKLM\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: Talk City EZTalk 3.0 - http://live.talkcity.com/java/ezmed/ezmed.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/09df48207f2a382e7b05/netzip/RdxIE.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.37.22.162:1081/activex/AxisCamControl.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} (ProjectPoint Document) - https://folders.buzzsaw.com/nokz/kala_en_3_0_605_20.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C02F818-6051-4F4E-89A4-7577E6EC802C}: NameServer = 64.19.9.33,69.57.174.186

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com

 

I see what seem to be several random names, plus the user says he knows nothing about rebate programs. He uses an HP PDA and a SanDisk memory card reader on this system.

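A small Python tool, added here as an example and not part of this thread or of HijackThis itself, that does what ccrb did by hand above: it parses the finding lines of two HijackThis logs, reports what was removed, what appeared and what turned into a dangling "(file missing)" reference between scans, and flags entries matching the patterns discussed in this thread (BHOs with no name, RunOnce launchers, ActiveX downloads from a bare IP address, digit-and-letter-mixed binary names). The two sample logs are constructed from a handful of lines taken from the logs posted above; the heuristics are mine and are prompts for human review, not verdicts (Spybot's own SDHelper.dll is listed by HijackThis with "(no name)" too).

```python
import re
from typing import Dict, List

# HijackThis prefixes every finding with a section code: "R0 - ...", "O4 - ...", "O16 - ..."
SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+")
# Markers HijackThis appends when the referenced file or object is no longer on disk
MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)")
# O16 DPF download source given as a bare IP address rather than a hostname
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")
# Basename (without extension) of any binary mentioned in a finding
BINARY_RE = re.compile(r"([^\s\"\\/\[\]]+)\.(?:exe|dll|ocx|cab)\b", re.IGNORECASE)
# A digit immediately followed by a letter, as in 0gp0iqb or 3zweh6 (heuristic only)
DIGIT_LETTER_RE = re.compile(r"\d[a-z]")


def parse_hjt(text: str) -> List[str]:
    """Return the finding lines of a HijackThis log; header and process list are skipped."""
    return [ln.strip() for ln in text.splitlines() if SECTION_RE.match(ln.strip())]


def normalise(line: str) -> str:
    """Drop the '(file missing)'/'(no file)' marker so a finding keeps its identity across scans."""
    return MISSING_RE.sub("", line).rstrip()


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Compare two logs: findings removed, findings added, findings whose target vanished."""
    before_map = {normalise(ln): ln for ln in parse_hjt(before)}
    after_map = {normalise(ln): ln for ln in parse_hjt(after)}
    removed = [before_map[k] for k in before_map if k not in after_map]
    added = [after_map[k] for k in after_map if k not in before_map]
    became_missing = [
        after_map[k] for k in after_map
        if k in before_map
        and MISSING_RE.search(after_map[k]) and not MISSING_RE.search(before_map[k])
    ]
    return {"removed": removed, "added": added, "became_missing": became_missing}


def triage(text: str) -> Dict[str, List[str]]:
    """Return {finding -> reasons} for findings a reviewer should look at first."""
    flagged: Dict[str, List[str]] = {}
    for line in parse_hjt(text):
        section = SECTION_RE.match(line).group(1)
        reasons = []
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a display name")
        if section == "O4" and "RunOnce" in line:
            reasons.append("RunOnce autostart entry (one-shot launcher)")
        if section == "O16" and IP_URL_RE.search(line):
            reasons.append("ActiveX download from a bare IP address")
        if MISSING_RE.search(line):
            reasons.append("leftover entry: referenced file is gone")
        odd = {s for s in BINARY_RE.findall(line) if DIGIT_LETTER_RE.search(s.lower())}
        for stem in sorted(odd):
            reasons.append(f"digit/letter-mixed binary name '{stem}'")
        if reasons:
            flagged[line] = reasons
    return flagged


# Constructed sample: a few lines taken from the 10:18 and 4:15 logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.0
Scan saved at 10:18:37 AM, on 7/29/2004

Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {73172428-DBFC-490D-8539-E06BCBAA9BD8} - C:\WINNT\SYSTEM32\0gp0iqb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/09df48207f2a382e7b05/netzip/RdxIE.cab
"""

LOG_AFTER = r"""Logfile of HijackThis v1.98.0
Scan saved at 4:15:30 PM, on 7/29/2004

Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {73172428-DBFC-490D-8539-E06BCBAA9BD8} - C:\WINNT\SYSTEM32\0gp0iqb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/09df48207f2a382e7b05/netzip/RdxIE.cab
"""

if __name__ == "__main__":
    for kind, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for ln in lines:
            print(f"[{kind}] {ln}")
    for ln, reasons in triage(LOG_AFTER).items():
        print(f"[review] {ln}\n         " + "; ".join(reasons))
```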

Logfile of HijackThis v1.98.0

Scan saved at 4:38:41 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\USBMonit.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Navnt\navapw32.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\rob\HijackThis.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\WINNT\system32\wuauclt.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\mIRC\mirc.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {73172428-DBFC-490D-8539-E06BCBAA9BD8} - C:\WINNT\SYSTEM32\0gp0iqb.dll

O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [RO_tater] C:\WINNT\SYSTEM32\RO_tater2.exe -invisible

O4 - HKLM\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\RunOnce: [3zweh6.exe] C:\WINNT\system32\3zweh6.exe /k

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: Talk City EZTalk 3.0 - http://live.talkcity.com/java/ezmed/ezmed.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/09df48207f2a382e7b05/netzip/RdxIE.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.37.22.162:1081/activex/AxisCamControl.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} (ProjectPoint Document) - https://folders.buzzsaw.com/nokz/kala_en_3_0_605_20.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C02F818-6051-4F4E-89A4-7577E6EC802C}: NameServer = 64.19.9.33,69.57.174.186

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


after some obvious things to clean up, I went into safe mode... none of the cws tools found anything. Just when I become more expert at cws, I don't have it on this machine. LOL

 

Here is the latest log. Leaving customer site now. System will remain powered down. I'll check into this area later this evening.

 

Thanks guys.


Logfile of HijackThis v1.98.0

Scan saved at 4:58:41 PM, on 7/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\USBMonit.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Navnt\navapw32.exe

C:\rob\HijackThis.exe

C:\WINNT\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/09df48207f2a382e7b05/netzip/RdxIE.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.37.22.162:1081/activex/AxisCamControl.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {BA5D7692-1A71-11D2-92B9-000000000000} (ProjectPoint Document) - https://folders.buzzsaw.com/nokz/kala_en_3_0_605_20.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C02F818-6051-4F4E-89A4-7577E6EC802C}: NameServer = 64.19.9.33,69.57.174.186

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


hey ccrb,

 

That log is certainly looking great! Only have to fix the following:

 

 

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.43/09df48207f2a382e7b05/netzip/RdxIE.cab

 

reboot your computer.

 

Please install the following two programs, which are a great help in preventing all the crapware:

 

IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Once you merge this list of sites and domains into the Registry, the web sites for these companies will not be able to use cookies, ActiveX controls, Java applets, or scripting to compromise your privacy or your PC while you surf the Net. Nor will they be able to use your browser to push unwanted pop-ups, cookies, or auto-installing programs on your PC.

 

 

SpywareBlaster The most important step you can take is to secure your system. And SpywareBlaster is the most powerful protection program available.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.

Restrict the actions of potentially dangerous sites in Internet Explorer.

SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.

And unlike other programs, SpywareBlaster does not have to remain running in the background.

 

MAKE SURE TO KEEP BOTH PROGRAMS UPDATED WHEN UPDATES ARE AVAILABLE..IMPORTANT!!

 

Glad I could help you with the client's computer.


The log, when I sign in as administrator, comes clean.

 

Then when I signed in as the user, who is also an administrator (the user is a domain user, not a local system user), I saw more random dlls in HJT, so I cleaned them out, and here is his log

 

 

Logfile of HijackThis v1.98.0

Scan saved at 9:25:10 AM, on 7/30/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\USBMonit.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Navnt\navapw32.exe

C:\Program Files\ACT\SideACT.exe

C:\WINNT\system32\wuauclt.exe

C:\rob\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msnbc.com/

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpcc.exe

O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe

O4 - Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C02F818-6051-4F4E-89A4-7577E6EC802C}: NameServer = 64.19.9.33,69.57.174.186

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


I have one weird artifact though. During startup I get an error message (either as administrator or the user) that says

 

Ro-tater

 

Run time error 429

Activex comp can't create object.

 

I looked through regedit looking for ro-tater... didn't find anything. Nothing in startup that's obvious either.


hey

 

fix the following with hijackthis:

 

O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpcc.exe

O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe

 

reboot computer

 

delete the following:

 

C:\WINNT\system32\wcpcc.exe

C:\WINNT\system32\msmc.exe

 

empty recycling bin and post a new log.


Cannot find those two files to delete, at least in normal mode.

 

latest log:

Logfile of HijackThis v1.98.0

Scan saved at 10:01:00 AM, on 7/30/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\USBMonit.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Navnt\navapw32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\ACT\SideACT.exe

C:\WINNT\system32\wuauclt.exe

C:\rob\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msnbc.com/

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C02F818-6051-4F4E-89A4-7577E6EC802C}: NameServer = 64.19.9.33,69.57.174.186

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


Logfile of HijackThis v1.98.0

Scan saved at 5:33:41 PM, on 8/2/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE

C:\WINNT\System32\PSSVC.EXE

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Navnt\navapsvc.exe

C:\PROGRA~1\Navnt\npssvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Navnt\alertsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\USBMonit.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Navnt\navapw32.exe

C:\Program Files\ACT\SideACT.exe

C:\WINNT\system32\wuauclt.exe

C:\rob\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.msnbc.com/

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe

O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{2C02F818-6051-4F4E-89A4-7577E6EC802C}: NameServer = 64.19.9.33,69.57.174.186

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thelevygroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thelevygroup.com


This is a follow-up log, after a weekend, after cleaning last week.

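The helper's "fix these O4 entries, reboot, delete the files, post a new log" routine and the follow-up log above amount to a before/after comparison of HijackThis output. The script below is an added example, not part of the thread or of HijackThis itself: it parses the HJT log format as it appears in this thread (section prefix, " - ", detail), extracts the file each O4 autostart entry actually launches (handling quoted paths, unquoted paths with spaces, .lnk entries and rundll32-hosted DLLs), diffs a "before" log against a follow-up, and lists autostarts living under the system directory, which is the kind of entry the original poster was worried about. The two sample logs are constructed from entries quoted in the thread (the two flagged O4 lines plus a few benign ones), not copies of the full posted logs.

```python
"""Parse HijackThis (HJT) logs and diff a 'before' log against a follow-up.

Added example for this thread; not part of HijackThis. The sample logs below are
constructed from entries quoted in the thread, not full copies of the posted logs.
"""
import re
from typing import Dict, List, Optional, Tuple

# One HJT entry per line: "<section> - <detail>", e.g. "O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpcc.exe"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# O4 registry-run form: "<hive>\..\Run: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in an executable extension, so unquoted paths containing spaces survive.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)


def parse_hjt_log(text: str) -> Dict[str, List[str]]:
    """Return {section: [detail, ...]}; 'Running processes' lines go under 'PROC'."""
    sections: Dict[str, List[str]] = {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            sections.setdefault(m.group(1), []).append(m.group(2))
        elif in_procs:
            sections.setdefault("PROC", []).append(line)
    return sections


def o4_target(detail: str) -> Optional[str]:
    """Extract the file an O4 entry launches (registry Run value or Startup .lnk)."""
    m = O4_RUN_RE.match(detail)
    if m:
        cmd = m.group("cmd").strip()
    elif " = " in detail:                       # "Startup: foo.lnk = C:\path\foo.exe"
        return detail.split(" = ", 1)[1].strip()
    else:
        return None
    if cmd.startswith('"'):                     # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        path, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        em = EXE_RE.match(cmd)
        path = em.group(1) if em else cmd.split(" ", 1)[0]
        rest = cmd[len(path):]
    # rundll32 only hosts a DLL: report the DLL, which is what actually gets loaded.
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        path = rest.strip().split(",", 1)[0].strip().strip('"')
    return path


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) as 'SECTION - detail' lines, ignoring the process list."""
    def flat(text: str) -> set:
        return {f"{s} - {d}" for s, ds in parse_hjt_log(text).items() if s != "PROC" for d in ds}
    b, a = flat(before), flat(after)
    return sorted(b - a), sorted(a - b)


def removed_autostart_targets(before: str, after: str) -> List[str]:
    """Files whose O4 autostart entries are gone in the follow-up log."""
    removed, _ = diff_logs(before, after)
    targets = [o4_target(line[len("O4 - "):]) for line in removed if line.startswith("O4 - ")]
    return sorted(t for t in targets if t)


def autostarts_under(text: str, directory: str) -> List[str]:
    """O4 targets located under a directory (e.g. the system directory) for manual review."""
    prefix = directory.lower().rstrip("\\") + "\\"
    found = []
    for d in parse_hjt_log(text).get("O4", []):
        t = o4_target(d)
        if t and t.lower().startswith(prefix):
            found.append(t)
    return sorted(found)


# Constructed 'before' snippet: benign entries quoted in the thread plus the two flagged O4 entries.
BEFORE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 10:18:37 AM, on 7/29/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\rob\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
F0 - system.ini: Shell=
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKCU\..\Run: [WINT] C:\WINNT\system32\wcpcc.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thelevygroup.com
"""
# Constructed 'after' snippet: the same log once the two flagged entries have been fixed.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines() if "wcpcc.exe" not in l and "msmc.exe" not in l)

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Entries gone in the follow-up log:", *removed, sep="\n  ")
    print("New entries in the follow-up log:", added)
    print("Files those entries launched:", removed_autostart_targets(BEFORE_LOG, AFTER_LOG))
    print("Autostarts under system32 before cleanup:", autostarts_under(BEFORE_LOG, r"C:\WINNT\system32"))
```

The diff tells you whether the fix stuck across a reboot, which is the question the follow-up log is meant to answer; an entry that reappears after cleaning points at another loading point (a service, a second Run value, a scheduled task) that the first pass did not remove. Feed it two real logs by reading the files into `BEFORE_LOG` and `AFTER_LOG`.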

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
