VX2 Log


27 replies to this topic

#1 Jillie

Posted 05 June 2004 - 06:31 PM

My computer has turned into a never-ending commercial! I have no clue where all this stuff came from, but I'm frustrated and can't seem to get it all cleaned off. Can you please help me... I've added my HijackThis log.
Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 7:15:26 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\EXTRAM~1\Barb book.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...rudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MATH CITY - {F43F9FAE-6648-2E6C-9AAE-19D7CBD2C5C5} - C:\PROGRA~1\CHINWA~1\newdownload.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [Lies The] C:\PROGRA~1\EXTRAM~1\Barb book.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://imbum.com/Imbum_bw.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net

#2 Nemesis6

Posted 05 June 2004 - 06:55 PM

Hold on, looking through your log.

Fix these lines -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...rudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

N1 - Netscape 4: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)

O1 - Hosts: 207.36.196.189 ieautosearch

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe


O9 - Extra button: WeatherBug (HKCU)


O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=


Now, post a new HijackThis log. Did this help?

Edited by Nemesis6, 05 June 2004 - 07:12 PM.
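The list above is a manual triage of the log: start and search pages pointing at a host the owner never chose, a missing URLSearchHook, a hosts-file line that sends a search name to a remote address, and an ActiveX control pulled from an ad network. The following script, an added example for this thread and not HijackThis code or any poster's, mechanises those checks over the entry lines of a log. SAMPLE_LOG is a handful of lines copied from the first log above (the forum truncated long URLs with "..."; they are analysed as posted). KNOWN_GOOD_HOSTS and every heuristic are this example's own assumptions, not rules stated in the thread; in particular the O4 check (a space inside the executable's own file name) is a weak indicator that happens to catch the "Barb book.exe" entry, and O3 toolbars are not checked because they need a CLSID or publisher lookup the example does not do.

```python
"""Triage a HijackThis 1.97-style log for the hijack patterns seen in this thread.

Added example for this discussion; not part of HijackThis and not code from
any poster.  SAMPLE_LOG holds entry lines copied from the log above; the
forum truncated long URLs with '...', and they are analysed as posted.
KNOWN_GOOD_HOSTS and every heuristic below are assumptions of this example.
"""
import re
from urllib.parse import urlsplit

# Assumed: the pages the machine's owner actually chose as start/search pages.
KNOWN_GOOD_HOSTS = {"drudgereport.com", "google.com", "home.netscape.com"}

# A hosts-file line pointing a name here is a block, not a redirect.
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

HJT_LINE = re.compile(r"^([RNOF]\d+) - (.*)$")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}")
# First token of an O4 command: a quoted path, or an unquoted one up to the
# executable extension (drops arguments such as '/auto' or 'NvCpl.dll,NvStartup').
RUN_EXE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?=\s|$)', re.IGNORECASE)

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...rudgereport.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://drudgereport.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O4 - HKLM\..\Run: [Lies The] C:\PROGRA~1\EXTRAM~1\Barb book.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://imbum.com/Imbum_bw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
"""


def parse_hjt(text):
    """Return [(section, body)] for every entry line; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def url_host(url):
    """Host part of a URL with a leading 'www.' dropped (lower-cased by urlsplit)."""
    host = urlsplit(url.strip()).hostname or ""
    return host[4:] if host.startswith("www.") else host


def host_allowed(host):
    return host in KNOWN_GOOD_HOSTS or any(host.endswith("." + g) for g in KNOWN_GOOD_HOSTS)


def run_target(body):
    """Executable path from an O4 body ('HKLM\\..\\Run: [Name] command'), arguments dropped."""
    cmd = body.partition("] ")[2].strip()
    m = RUN_EXE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(entries):
    """Return [(section, body, reason)] for entries that deserve a second look."""
    findings = []
    for section, body in entries:
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if value.startswith("http") and not host_allowed(url_host(value)):
                findings.append((section, body, "IE %s set to unexpected host %s"
                                 % (key.rsplit(",", 1)[-1], url_host(value))))
        elif section == "R3" and "missing" in body:
            findings.append((section, body, "default URLSearchHook removed; address-bar searches go elsewhere"))
        elif section == "O1":
            parts = body.split()  # ['Hosts:', '<address>', '<name>']
            if len(parts) >= 3 and parts[1] not in LOCAL_TARGETS:
                findings.append((section, body, "hosts file redirects %s to %s" % (parts[2], parts[1])))
        elif section == "O4":
            exe = run_target(body).replace("/", "\\").rsplit("\\", 1)[-1]
            if " " in exe:  # weak indicator; verify the publisher before acting
                findings.append((section, body, "autostart with a space inside the file name (%s)" % exe))
        elif section == "O16":
            desc, _, url = body[len("DPF: "):].rpartition(" - ")
            if desc.startswith("{") and "(" not in desc:
                findings.append((section, body, "ActiveX control with no friendly name"))
            elif IP_LITERAL.match(url_host(url)):
                findings.append((section, body, "ActiveX control served from a raw IP address"))
    return findings


def triage_text(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for section, body, reason in triage_text(SAMPLE_LOG):
        print("%-3s %-62s %s" % (section, reason, body))
```

Run it and the output lists the allaboutsearching start page, the missing URLSearchHook, both hosts redirects, the "Lies The" autostart, the nameless imbum.com control and the raw-IP PWMediaSendControl, while the legitimate drudgereport.com page, ccApp.exe, MSConfig and the Flash control pass. A finding is a prompt to look, not a verdict: the hosts entries are the clearest signal here because no legitimate software maps a search engine's name to an outside address.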


#3 Jillie

Posted 05 June 2004 - 07:30 PM

*Sigh* Still got the pop-ups like crazy. Here's the new HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 8:28:40 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\EXTRAM~1\Barb book.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MATH CITY - {F43F9FAE-6648-2E6C-9AAE-19D7CBD2C5C5} - C:\PROGRA~1\CHINWA~1\newdownload.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Lies The] C:\PROGRA~1\EXTRAM~1\Barb book.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net
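Comparing this log with the one from an hour earlier is more useful than reading it fresh: it shows which of the lines fixed in post #2 are gone, which survived the fix, and what appeared since. A line that is still present after the user fixed it in HijackThis is evidence that something running on the machine is recreating it, which is the reason to look for a live process rather than to fix the same line again. The script below is an added example for this thread, not HijackThis code and not any poster's. BEFORE and AFTER are entry lines copied from the 7:15 PM and 8:28 PM logs above (URLs truncated by the forum are compared as posted), and FIXED is the list post #2 asked to fix; only entry lines are compared, since the header and process list change between boots anyway.

```python
"""Diff two HijackThis logs to see what a cleanup round actually changed.

Added example for this thread; not HijackThis code and not any poster's.
BEFORE and AFTER are entry lines copied from the two logs above (URLs are
truncated by the forum and compared as posted); FIXED is the list of lines
post #2 asked the user to fix.
"""
import re

HJT_ENTRY = re.compile(r"^[RNOF]\d+ - ")

BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...rudgereport.com
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: MATH CITY - {F43F9FAE-6648-2E6C-9AAE-19D7CBD2C5C5} - C:\PROGRA~1\CHINWA~1\newdownload.dll
O4 - HKLM\..\Run: [Lies The] C:\PROGRA~1\EXTRAM~1\Barb book.exe
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O3 - Toolbar: MATH CITY - {F43F9FAE-6648-2E6C-9AAE-19D7CBD2C5C5} - C:\PROGRA~1\CHINWA~1\newdownload.dll
O4 - HKLM\..\Run: [Lies The] C:\PROGRA~1\EXTRAM~1\Barb book.exe
"""

FIXED = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...rudgereport.com
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "allaboutsearching.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 207.36.196.189 ieautosearch
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
"""


def entries(log_text):
    """Set of entry lines (whitespace-normalised) from a HijackThis log."""
    return {ln.strip() for ln in log_text.splitlines() if HJT_ENTRY.match(ln.strip())}


def diff_logs(before, after):
    """Partition the two logs' entries into removed / persisted / new."""
    b, a = entries(before), entries(after)
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


def fix_failures(after, fixed):
    """Lines the user was told to fix that are still in the later log."""
    return sorted(entries(fixed) & entries(after))


def same_section(lines, section):
    """Subset of lines belonging to one HijackThis section, e.g. 'O1'."""
    return [ln for ln in lines if ln.startswith(section + " - ")]


if __name__ == "__main__":
    d = diff_logs(BEFORE, AFTER)
    for label in ("removed", "persisted", "new"):
        print("== %s (%d)" % (label, len(d[label])))
        for ln in d[label]:
            print("   ", ln)
    print("== told to fix, still present")
    for ln in fix_failures(AFTER, FIXED):
        print("   ", ln)
```

On these two logs the start page, URLSearchHook, Netscape preference, WeatherBug button and its ActiveX control are gone, but the ieautosearch hosts line that was also on the fix list is still there and two more hosts lines for auto.search.msn.com and search.netscape.com have appeared, all pointing at the same address, while the "Lies The" autostart (not yet on the fix list) is unchanged. That combination is the case for treating the running executable, not the hosts file, as the thing to remove next.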

#4 Nemesis6

Posted 05 June 2004 - 07:55 PM

Ok, no problem. Go to www.download.com and search for SpyBot and AdAware. Now, install these two programs, none other, and upgrade them from within the programs: in AdAware, click the little globe in the interface; in SpyBot, click the "Update" tab on the left. All right, now run these two separately. Did this help?

#5 Jillie

Posted 05 June 2004 - 08:40 PM

Thanks, I'm running them now (I'm on my laptop; the computer in question is my desktop). I do run Window Washer, Ad-Aware, Spybot and SpySweeper at least once a day, which makes me wonder where all this garbage came from, hubby or kids. Who to blame? :D I'll post a new log ASAP. OT, what's your opinion on reformatting? I haven't done it in over 4 years, I just try to keep the PC clean.

#6 Jillie

Posted 05 June 2004 - 10:11 PM

Ok, I ran Ad-Aware (found Ezula, Lop.com), ran S&D (found inet, netscape search) and ran SpySweeper (found VX2 Transponder, Ezula i lookup and lopdotcom). Deleted everything and rebooted and still getting a few pop-ups, nothing like before. Here is my latest HT log.

Logfile of HijackThis v1.97.7
Scan saved at 11:02:48 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\HPGS2WNF.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\extra mpeg\Barb book.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...rudgereport.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MATH CITY - {F43F9FAE-6648-2E6C-9AAE-19D7CBD2C5C5} - C:\PROGRA~1\CHINWA~1\newdownload.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net

#7 Nemesis6

Posted 06 June 2004 - 07:05 AM

Alright, fix these lines -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...rudgereport.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com


Now, I think I might have located the little bastard who's giving you some pop-ups... Here's what I need you to do: fix these lines -

O4 - HKLM\..\Run: [Lies The] C:\PROGRA~1\EXTRAM~1\Barb book.exe

O3 - Toolbar: MATH CITY - {F43F9FAE-6648-2E6C-9AAE-19D7CBD2C5C5} - C:\PROGRA~1\CHINWA~1\newdownload.dll



Did this help?

Edited by Nemesis6, 06 June 2004 - 07:08 AM.


#8 Jillie

Posted 06 June 2004 - 10:55 AM

Ok, did what you said, and ran all my scans again. Ad-Aware found a couple, deleted those; S&D found none, and SpySweeper found coolwww and VX2 Transponder, deleted those. I can't seem to get rid of that Barb book.exe (whatever it is). I found it in Program Files but it won't let me delete it there, says it's in use. Can I delete that in safe mode?
Here is the latest HT log.
Thanks again for all your help.

Logfile of HijackThis v1.97.7
Scan saved at 11:50:44 AM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\EXTRAM~1\Barb book.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn...st/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...=5.5&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net

#9 Nemesis6

Nemesis6

    Member

  • Full Member
  • Pip
  • 51 posts

Posted 06 June 2004 - 12:34 PM

Yes, you should be able to delete it in Safe-Mode. By the way, it would be a good idea to run this tool - http://www.spywarein.../cwshredder.zip

Unzip it to a directory and run the file. Inside the program, check for updates. When the update, if one is required, has finished, click "Fix". One last thing - Try restarting in Safe-Mode and scanning with both AdAware and SpyBot.
While we're at it, might as well delete the C:\Program Files\extra mpeg\ directory. (Not Program Files of course, hence the highlighting)

What did they find / remove? And most importantly, after following these instructions, are you still having problems? Post a HijackThis log in any case.

Edited by Nemesis6, 06 June 2004 - 12:40 PM.


#10 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 06 June 2004 - 01:32 PM

Did all of the above, AdAware found allaboutsearching and one other, S&D found igetnet, deleted all of those. Still getting zestyfind and spotresults popping up. I have a feeling this all came from my daughter being at ibum getting icons, I'm ready to delete the aol msg here since I don't use it and she can just stay on her own computer. Anyhow, here's the latest HT log. Have I said thank you for trying to help me lately? THANK YOU!


Logfile of HijackThis v1.97.7
Scan saved at 2:25:01 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net

#11 Nemesis6

Nemesis6

    Member

  • Full Member
  • Pip
  • 51 posts

Posted 06 June 2004 - 02:08 PM

Go to the bottom of this page, click "I accept" and follow the instructions -

http://www.look2me.c...bin/UnInstaller

Now, after this, download and run this tool just to be sure -
http://www.spywarein...les/kill2me.zip

This should really help. Please report back to me after following the instructions and post a new HijackThis log just in case.

Edited by Nemesis6, 06 June 2004 - 02:12 PM.


#12 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 06 June 2004 - 03:08 PM

All done. Kill2me said it didn't find it but I ran it anyhow. New HT log below. I did about 5 minutes of surfing and everything seems ok now. I'd still like to know where I picked all that shit up.
I bow to you kind Sir :thumbsup: Thanks a ton!

Logfile of HijackThis v1.97.7
Scan saved at 4:03:57 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\HPGS2WNF.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net

#13 Nemesis6

Nemesis6

    Member

  • Full Member
  • Pip
  • 51 posts

Posted 06 June 2004 - 03:56 PM

Well, this article might help explain it - http://forums.net-in...?showtopic=3051

I'd recommend that you download SpywareBlaster, it's a program that blocks a large number (2900+) of adware, spyware, viruses, cookies, malware, generally a lot of bad stuff from getting into your computer. All of this is done without the program running in the background or anything like that. Here's a link that contains some mirrors for it - http://www.javacools...sbdownload.html
Remember to update it regularly.

Edited by Nemesis6, 06 June 2004 - 03:58 PM.


#14 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 06 June 2004 - 04:04 PM

Thanks! We have 3 desktops and a laptop here, and I'll load it on all of them for sure, especially the kids since they are so nonchalant in their surfing. :)

#15 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 06 June 2004 - 07:38 PM

I just ran VX2 Finder and below is the log from that. This stuff shouldn't be on my computer should it? I tried to delete it as in the directions but no luck, it's still there. Do I need to get rid of it and how do I do that?
Thanks again

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\Dongerous Creatures.dll
C:\WINDOWS\System32\Dsngerous Creatures.dll
C:\WINDOWS\System32\Dwngerous Creatures.dll
C:\WINDOWS\System32\Icside your Computer.dll
C:\WINDOWS\System32\Ikside your Computer.dll
C:\WINDOWS\System32\Irside your Computer.dll
C:\WINDOWS\System32\Iyside your Computer.dll
C:\WINDOWS\System32\Lconardo da Vinci.dll
C:\WINDOWS\System32\Lhonardo da Vinci.dll
C:\WINDOWS\System32\Ljonardo da Vinci.dll
C:\WINDOWS\System32\Llonardo da Vinci.dll
C:\WINDOWS\System32\Loonardo da Vinci.dll
C:\WINDOWS\System32\Lqonardo da Vinci.dll
C:\WINDOWS\System32\Txe Golden Era.dll


Guardian Key--- is called:

User Agent String---

#16 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 07 June 2004 - 08:49 AM

I ran VX2 Finder and below is the log from that. This stuff shouldn't be on my computer should it? I tried to delete it as in the directions but no luck, it's still there. Do I need to get rid of it and how do I do that?
Thanks

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\Dongerous Creatures.dll
C:\WINDOWS\System32\Dsngerous Creatures.dll
C:\WINDOWS\System32\Dwngerous Creatures.dll
C:\WINDOWS\System32\Icside your Computer.dll
C:\WINDOWS\System32\Ikside your Computer.dll
C:\WINDOWS\System32\Irside your Computer.dll
C:\WINDOWS\System32\Iyside your Computer.dll
C:\WINDOWS\System32\Lconardo da Vinci.dll
C:\WINDOWS\System32\Lhonardo da Vinci.dll
C:\WINDOWS\System32\Ljonardo da Vinci.dll
C:\WINDOWS\System32\Llonardo da Vinci.dll
C:\WINDOWS\System32\Loonardo da Vinci.dll
C:\WINDOWS\System32\Lqonardo da Vinci.dll
C:\WINDOWS\System32\Txe Golden Era.dll


Guardian Key--- is called:

User Agent String---

Edited by Jillie, 07 June 2004 - 08:49 AM.
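
The VX2 Finder log in Jillie's post lists fourteen DLLs in System32 whose names read like a stock phrase with one letter swapped, with several spellings of each phrase. The following is an added example, not the thread's or VX2 Finder's code, that groups such filenames by single-character variation and derives the shared template with the varying position masked, the check a responder would use to confirm that many files are really one family rather than fourteen unrelated ones. The filenames are copied from the log above; everything else is constructed.

```python
"""Cluster filenames that differ from one another by exactly one character and
derive a masked template per cluster. Added example, not VX2 Finder's code;
the names below are copied from the VX2 Finder log posted in the thread."""
from typing import Dict, List, Tuple

# Filenames from the thread's VX2 Finder log, directory prefix stripped.
VX2_FINDER_FILES = [
    "Dongerous Creatures.dll", "Dsngerous Creatures.dll", "Dwngerous Creatures.dll",
    "Icside your Computer.dll", "Ikside your Computer.dll", "Irside your Computer.dll",
    "Iyside your Computer.dll",
    "Lconardo da Vinci.dll", "Lhonardo da Vinci.dll", "Ljonardo da Vinci.dll",
    "Llonardo da Vinci.dll", "Loonardo da Vinci.dll", "Lqonardo da Vinci.dll",
    "Txe Golden Era.dll",
]


def one_char_apart(a: str, b: str) -> bool:
    """True when a and b have the same length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def cluster_variants(names: List[str]) -> List[List[str]]:
    """Union-find over every pair that is one character apart; clusters come
    back in order of their first member, singletons included."""
    parent = list(range(len(names)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]      # path halving
            i = parent[i]
        return i

    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            if one_char_apart(names[i], names[j]):
                parent[find(j)] = find(i)

    groups: Dict[int, List[str]] = {}
    for i, name in enumerate(names):
        groups.setdefault(find(i), []).append(name)
    return list(groups.values())


def template(cluster: List[str]) -> str:
    """Mask every position that varies within the cluster with '?'; a
    singleton's template is simply its own name."""
    return "".join(chars[0] if len(set(chars)) == 1 else "?"
                   for chars in zip(*cluster))


def report(names: List[str]) -> List[Tuple[str, int]]:
    """(template, member count) for each cluster, constructed for the demo."""
    return [(template(c), len(c)) for c in cluster_variants(names)]


if __name__ == "__main__":
    for tpl, count in report(VX2_FINDER_FILES):
        print(f"{count:2d} x {tpl}")
```

On the thread's list this collapses fourteen files to four templates: D?ngerous Creatures.dll (3), I?side your Computer.dll (4), L?onardo da Vinci.dll (6) and Txe Golden Era.dll (1). The clustering only establishes that the names are related; the singleton carries no evidence on its own, and it is VX2 Finder's own listing, not the name shape, that ties these files to the infection.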


#17 picard_uk

picard_uk

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,654 posts

Posted 07 June 2004 - 11:52 AM

Hello Jillie,

* Edit: I see from earlier posts in another thread that you have already carried out some of the steps. Please post a fresh HijackThis log to this thread.

picard*

Please download 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet. This log will allow us to ascertain what is going on with your computer.

picard.

Edited by picard_uk, 07 June 2004 - 01:28 PM.

Every day's a school day....

I offer my services in these forums as a volunteer.
You can help support these forums.



ASAP member since 2005 Alliance of Security Analysis Professionals

#18 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 07 June 2004 - 01:28 PM

Threads merged to here.
Please stay in this thread until your problem is resolved.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#19 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 07 June 2004 - 05:31 PM

Sorry about the thread mix-up, I thought since the pop ups seemed to have stopped but I had a question about the vx2finder.exe scan it would be different yadda yadda yadda.. anyhow, here is my latest HT log and my vx2finder log is posted above.
TIA! :)

Logfile of HijackThis v1.97.7
Scan saved at 6:27:53 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\HPGS2WNF.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net

#20 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 07 June 2004 - 06:02 PM

Please close all open windows and browsers, open HJT and mark/fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

I am not seeing any more obvious problems. Are you still having problems with your computer? Please post details if you are....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
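The two lines Budfred singles out are the ones a helper scans for by eye: a search URL whose first host is not one the owner picked, and a value that has been blanked. The script below is an added example written for this thread (it is not Budfred's method and not part of HijackThis); it parses the R0/R1 lines of a HijackThis 1.x log and applies exactly that triage. The allowlist of hosts is constructed for the example, and the sample lines are copied from the log posted above, including the URL the forum truncated with "...".

```python
"""Triage the R0/R1 lines of a HijackThis 1.x log.

Added example, not code from the thread or from HijackThis itself. It parses
the R-lines and reports which ones deserve a closer look: a start-page or
search value whose first host is not one the owner chose, or a value that is
empty. KNOWN_GOOD_HOSTS is constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Constructed for the example: hosts this machine's owner deliberately set.
KNOWN_GOOD_HOSTS = {"www.drudgereport.com", "www.yahoo.com", "www.google.com"}

# IE registry value names that steer the browser and appear in R0/R1 lines.
STEERING_NAMES = {
    "Start Page", "Search Page", "Search Bar", "Default_Page_URL",
    "Default_Search_URL", "SearchAssistant", "CustomizeSearch", "Local Page",
}

# R<n> - <hive>\<key>,<value name> = <data>   (the data may be absent)
R_LINE = re.compile(
    r"^(?P<type>R[0-3]) - (?P<hive>HKCU|HKLM)\\(?P<key>.+?),(?P<name>.+?) ="
    r"(?: (?P<value>.*))?$"
)

# Copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
"""


def parse_r_line(line):
    """Split one R-line into its fields, or return None for any other line."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["value"] = (entry["value"] or "").strip()
    entry["line"] = line.strip()
    return entry


def steers_browser(entry):
    """True for values that decide where IE goes (start page, search URL, ...)."""
    return entry["name"] in STEERING_NAMES or entry["key"].endswith("\\SearchURL")


def first_host(value):
    """The host that receives the request, whatever else appears in the URL.

    For the SearchURL line above this is red.clientapp..., not www.yahoo.com:
    yahoo appears only in the path, so judging the value by the familiar
    name at its end would miss the hijack.
    """
    return urlsplit(value).hostname or ""


def assess(line):
    """Return the parsed entry with a verdict: 'ok', 'review' or 'suspicious'."""
    entry = parse_r_line(line)
    if entry is None:
        return None
    verdict, reason = "ok", ""
    if not entry["value"]:
        verdict, reason = "review", "value is empty"
    elif steers_browser(entry):
        host = first_host(entry["value"])
        if host not in KNOWN_GOOD_HOSTS:
            verdict = "suspicious"
            reason = f"{entry['name']} sends the browser to {host or entry['value']!r}"
    entry.update(verdict=verdict, reason=reason)
    return entry


def assess_log(text):
    """Assess every R-line in a log; lines of other types are skipped."""
    return [a for a in (assess(l) for l in text.splitlines()) if a is not None]


def lines_to_fix(text):
    """The raw lines a helper would mark for fixing in HijackThis."""
    return [e["line"] for e in assess_log(text) if e["verdict"] != "ok"]


if __name__ == "__main__":
    for e in assess_log(SAMPLE_LOG):
        tail = f"   <- {e['reason']}" if e["reason"] else ""
        print(f"{e['verdict']:<10} {e['line']}{tail}")
```

Run against the sample, `lines_to_fix` returns the same two lines Budfred listed; the ProxyOverride entry passes because `localhost` is not a browser-steering value, and the two drudgereport start pages pass because their host is on the allowlist.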

#21 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 07 June 2004 - 06:44 PM

I fixed the 2 lines you said to fix. No, I'm not really having any problems now, I was just questioning the stuff coming up in the vx2finder log. I tend to panic if I see stuff that is misspelled since that's usually not a good thing. Thanks.

#22 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 07 June 2004 - 06:52 PM

Those do look like they are probably bad... Boot into Safe Mode and see if you can delete them directly... You will probably need to make sure that Windows is set to show all hidden files and system files... Then look for them in:

C:\WINDOWS\System32\

If you can't delete them, give detailed info about what got in the way...
Budfred


#23 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 07 June 2004 - 08:09 PM

This is the weirdest thing. I went into Windows/System32 and none of those files are in there. I did a search for them too, nothing. Yet when I run the vx2finder it shows them there, I delete through that and keep getting the message that they will be deleted upon reboot. I guess I should just stop being paranoid since AdAware, SpyBot and Spysweeper, Norton and Housecall all come up clean?

#24 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 07 June 2004 - 08:26 PM

I'll ask some experts and see if anyone knows what is up with that... I am not familiar enough with the program to know for sure... In the meanwhile, make sure AdAware is updated and set custom settings to the deepest level, then do a scan with it... We will see if it turns anything up. The malware detected and fixed by that program is very aggressive adware, so it won't even show up in things like Norton...
Budfred


#25 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 07 June 2004 - 09:49 PM

Thanks for all your help. I'll keep an eye out for any info you come across and add to this post. :wave:

#26 Option^Explicit

Option^Explicit

    Member

  • Developer
  • Pip
  • 13 posts

Posted 07 June 2004 - 10:05 PM

Jillie

Those VX2 files usually have hidden attributes, so unless you have Windows options to "Show hidden files & folders" they will not be found in a normal Windows search.
If the VX2Finder lists them, you can be sure they are there.
You also have no registry information listed, which is very strange as well.

When you do the VX2 scan, make sure you put checks beside all those files that are found (or nothing will be removed).

I don't see "Rundll32.exe" running in your HijackThis scan either, so either you have uninstalled the VX2 from your computer and the Finder is just listing orphaned files (which can be deleted with no trouble) or the VX2 trojan has an updated version which is not being fully detected.
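Two things in this post are worth turning into a check rather than a visual inspection: a file that Explorer and Windows Search do not show can still be stat()ed directly, and the file names in the VX2Finder log are single-character variants of one another. The script below is an added example written for this thread (not Option^Explicit's procedure and not part of VX2Finder): it parses the "Files Found---" section of the log posted above, stats each path and decodes the Hidden and System attribute bits (Explorer's default "hide protected operating system files" setting suppresses anything carrying both), and groups names that differ in exactly one position. The attribute bits are the documented Win32 values; `st_file_attributes` is only populated on Windows, so on any other platform the script still parses and clusters but reports no attributes. The sample log is copied from this thread.

```python
"""Cross-check a VX2.BetterInternet File Finder log against the file system.

Added example, not code from the thread or from VX2Finder. Before believing
"the files are not there", stat() each listed path directly and report the
attributes that make Explorer and Search skip it, then cluster the listed
names that differ from one another by one character.
"""
import ntpath
import os

FILE_ATTRIBUTE_HIDDEN = 0x2  # documented Win32 attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x4

# Copied from the VX2Finder log posted in this thread.
SAMPLE_LOG = r"""Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\Dongerous Creatures.dll
C:\WINDOWS\System32\Dsngerous Creatures.dll
C:\WINDOWS\System32\Dwngerous Creatures.dll
C:\WINDOWS\System32\Icside your Computer.dll
C:\WINDOWS\System32\Ikside your Computer.dll
C:\WINDOWS\System32\Irside your Computer.dll
C:\WINDOWS\System32\Iyside your Computer.dll
C:\WINDOWS\System32\Lconardo da Vinci.dll
C:\WINDOWS\System32\Lhonardo da Vinci.dll
C:\WINDOWS\System32\Ljonardo da Vinci.dll
C:\WINDOWS\System32\Llonardo da Vinci.dll
C:\WINDOWS\System32\Loonardo da Vinci.dll
C:\WINDOWS\System32\Lqonardo da Vinci.dll
C:\WINDOWS\System32\Txe Golden Era.dll


Guardian Key--- is called:

User Agent String---
"""


def parse_finder_log(text):
    """Return the paths under 'Files Found---'; the section ends at the first blank line."""
    paths, in_files = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_files:
            in_files = line.startswith("Files Found")
            continue
        if not line:
            break
        paths.append(line)
    return paths


def describe_attributes(attrs):
    """Decode the two attribute bits that decide whether Explorer and Search show a file."""
    hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    system = bool(attrs & FILE_ATTRIBUTE_SYSTEM)
    # Hidden + System together is what Explorer calls a "protected operating system file".
    return {"hidden": hidden, "system": system, "protected_os_file": hidden and system}


def check_path(path):
    """stat() the path itself; this sees hidden/system files that a normal search skips."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return {"path": path, "exists": False, "error": exc.__class__.__name__}
    # st_file_attributes exists only on Windows; elsewhere there are no such bits.
    attrs = getattr(st, "st_file_attributes", 0)
    return {"path": path, "exists": True, "size": st.st_size, **describe_attributes(attrs)}


def one_char_apart(a, b):
    """True when a and b have the same length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def mutation_clusters(paths):
    """Group file names that are single-character variants of each other."""
    names = [ntpath.basename(p) for p in paths]  # ntpath: handle C:\ paths on any OS
    clusters, taken = [], set()
    for i, name in enumerate(names):
        if name in taken:
            continue
        group = [name] + [m for m in names[i + 1:] if m not in taken and one_char_apart(name, m)]
        if len(group) > 1:
            clusters.append(group)
            taken.update(group)
    return clusters


def audit(text):
    """Parse the log, stat every listed file, and report the name clusters."""
    paths = parse_finder_log(text)
    return {"files": [check_path(p) for p in paths], "clusters": mutation_clusters(paths)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for f in report["files"]:
        print(f)
    for group in report["clusters"]:
        print("variants:", ", ".join(group))
```

On the log above the clustering yields three groups (three "Creatures" names, four "your Computer" names, six "da Vinci" names) and one singleton; a cluster like that in System32 is a stronger signal than any one misspelled name on its own, and the stat() results tell you whether the attribute bits, not absence, explain why Search came up empty.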

#27 Jillie

Jillie

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 08 June 2004 - 10:51 AM

Hi, I did have hidden files showing but not the protected OS files, so I unhid those and found all the files that vx2finder found. Below is the latest HT log... Thanks :) I'm going to have to run HT on my daughter's computer; I'm guessing it's polluted.
:( :techsupport:

Logfile of HijackThis v1.97.7
Scan saved at 11:39:17 AM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\HPGS2WNF.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jillie\Application Data\Mozilla\Profiles\default\j2wx5za3.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\OFFICE\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworl...ezmed/ezmed.cab
O16 - DPF: Tornado 21 - http://download.yaho...s/y/t21s0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.yaho...nts/y/xs0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.yaho...ts/y/ccs1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yaho...ts/y/dcs0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yaho...ts/y/dos0_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dts0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.sn...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Go - http://download.yaho...nts/y/gs0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.yaho...nts/y/zs0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.yaho...ts/y/sds0_x.cab
O16 - DPF: Yahoo! Tic-Tac-Toe - http://download.yaho...nts/y/fs0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/yws0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.yaho...ts/y/tvs0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://audio.gov.pe....sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7597.6276273148
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF946C3C-434A-413E-A017-D8A762E0B4E9}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: Domain = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC5F91BC-17D5-4ABA-973D-1E982D6C55BE}: NameServer = 198.190.226.3,198.190.226.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nauticom.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nauticom.net

#28 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 08 June 2004 - 06:43 PM

Your log looks clean... congratulations... Here is my prevention speech to keep it that way:

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
Budfred




