• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
BluEydAngeL

Expert needed...impossible malware/spyware removal

6 posts in this topic

I've tried everything suggested on here, but to no avail. I'm including my HJT log and would GREATLY appreciate any help. Thank you in advance!!!

 

Logfile of HijackThis v1.97.7

Scan saved at 9:38:00 AM, on 5/31/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Support.com\bin\tgcmd.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

C:\WINDOWS\SM1BG.EXE

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\winview2.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\javaw.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\Program Files\America Online 9.0b\aoltray.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\AOL COMPANION\COMPANION.EXE

C:\PROGRA~1\AMERIC~1.0B\waol.exe

C:\PROGRA~1\AMERIC~1.0B\shellmon.exe

C:\Program Files\Common Files\Aol\aoltpspd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Susan Oswald\Local Settings\Temp\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXE

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: LimeWire 3.8.7 Pro.lnk = C:\Program Files\LimeWire\3.8.7 Pro\LimeWire.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: AOL Toolbar (HKLM)

O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.memolink.com/CFIDE/classes/CFJava.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04b8ba931923e5...ip/RdxIE601.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7887.6795949074

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

Share this post


Link to post
Share on other sites

There is not a lot of spyware in your log, is there a particular problem that your having?

 

First, Disable XP System Restore]

Then rescan with Hijack this and put a check next to the following, then click on 'fix' .

 

C:\Program Files\BroadJump\Client Foundation\CFD.exe

 

C:\Program Files\Support.com\bin\tgcmd.exe

 

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

 

C:\WINDOWS\winview2.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

 

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

 

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

 

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

-------->

 

Then reboot in Reboot in Safe Mode & delete these files

 

Tkbell.exe

CFD.exe

tgcmd.exe

winview2.exe

 

;)

Share this post


Link to post
Share on other sites

Starwaves, Please see The various helper groups here.

 

BluEydAngeL,

 

Your log is essentially clean.

Uninstall Client Foundation and Limewire via Control Panel Add/Remove if possible.

 

In HijackThis,

Tick the boxes next to all these, close all other windows, then click Fix Checked.

After that, Reboot.

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

 

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - Global Startup: LimeWire 3.8.7 Pro.lnk = C:\Program Files\LimeWire\3.8.7 Pro\LimeWire.exe

 

This is legitimate, but is a resource hog:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04b8ba931923e5...ip/RdxIE601.cab

 

After reboot, please post a fresh log, and please tell us exactly what makes you think you have spyware. None is obvioous in your log.

Share this post


Link to post
Share on other sites

Hey guys...thanks for your help....since I received 2 different sets of instructions, shall I follow both of them? Also, I don't know what BroadJump is, but I paid for and installed LimeWire, so should I uninstall it before the fix and then reinstall it? The files I can't remove that are being flagged are: "winview2.exe", "gsetup.exe", & "wsem218.dll". I really appreciate all your help and suggestions before I proceed to do anything else. :D

Share this post


Link to post
Share on other sites

Definitely follow CNM's advice. Also, check the link that she gave on the various helper groups - That will help you in determining whose advice to follow.

Share this post


Link to post
Share on other sites

Keep Limewire if you have paid for it. It's just adware - said to sometimes slow up your PC. Here's a tweak that purports to remove its ads: http://www.tweakxp.com/tweak1325.aspx

 

I thought you might have installed winview on purpose? http://www.winview.co.uk/examples.htm

People often rename it winview2 so they can have more than one - see for instance http://pi-at-work.com/cad/threads/tweek90/pthread9.html

 

Getting rid of those files:

First make sure you are set to show hidden files and folders:

Show Hidden Files and Folders

 

Then reboot in Safe Mode (hit the F8 key several times while booting, until you get a menu). Then you will probably be able to delete them, since only a minimal set of processes will be running.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0