yerman54

Run List - What's Weird here?

16 posts in this topic

Dear Forum-

 

I have run a variety of utilities, and still have a "hijacked browser". Do you see anything weird in this run list? I have found a few things, and deleted them. No negative impact on the system. Now, it's down to a shorter list, and I am concerned about throwing out something important. I am new to this, and not a computer whiz by any stretch.

 

Thanks- Richard

 

 

Logfile of HijackThis v1.97.7

Scan saved at 5:32:47 PM, on 6/8/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\System32\S24EvMon.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\ZCfgSvc.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\WINNT\system32\hidserv.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE

C:\WINNT\System32\RegSrvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\RoamMgr.exe

C:\WINNT\system32\carpserv.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

C:\WINNT\deflodd.exe

C:\WINNT\deflodd.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\32timew.exe

C:\WINNT\system32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Intel\Switching\User\RoamSvc.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Documents and Settings\Richard Yerman\Local Settings\Temp\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: C:\documents and settings\richard yerman\local settings\temp\u.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [32timew] C:\WINNT\system32\32timew.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O15 - Trusted Zone: http://promail.proforma.com

O15 - Trusted Zone: http://prooffice.proforma.com

O15 - Trusted Zone: http://www.proformainet.com

O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.proforma.com/viewer9/acti...tivexviewer.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8140.6336574074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab


yerman54,

 

First, please use the link in my signature below for instructions on updating and configuring both Ad-aware and Spybot Search & Destroy. Print out and follow those instructions closely, particularly those regarding configuring Ad-aware for a customized scan. (Make sure you have the most current version of each program). Scan with each program, rebooting after each scan.

 

Next, go to Trend Micro and perform an online virus scan, allowing the program to remove anything it may find. Reboot. Then go to Sygate and perform an online Trojan scan, and allow the program to remove anything it finds. Reboot. (Links for both sites are in my signature below).

 

Now we need to remove WinTools:

 

1. Boot into safe mode by tapping the F8 key as your computer reboots. Then use the arrow keys to highlight "Safe Mode" then select that feature.

 

2. Kill any running entries of WinTools by depressing ctrl, alt and del, then stopping the running process in Task Manager.

 

3. Uninstall Wintools from Add/Remove Programs. It should then prompt for a reboot.

 

 

Reboot and post a fresh HijackThis log to this same thread so that we may work on the remainder of the issues in your log.


Dear NS-

 

Again, thanks.

 

I ran AdAware and Spybot, following the instructions closely. AdAware appeared to fix some things, but it's not clear to me as to what.

 

TREND identified 13 objects, all non-fixable by TREND. Then I ran Sygate - and got this message: You have blocked all of our probes! We still recommend running this test both with and without Sygate Personal Firewall enabled... so turn it off and try the test again. I made sure that NORTON was turned OFF and ran it within FIREFOX browser.

 

Here is the RUNLOG I ran after doing the AdAware and Spybot. Still getting hijacked from within WINDOWS (IE not launched by me - crap just pops up). This note is from within the Firefox environment.

 

RUN LOG developed after above tests. I did run Windows in safe mode. I got confused as I did not see "WinTools", I saw WINNT. I'll run that and post it next after you help with this question. QUESTION: Is WinTools = WINNT in lines shown on the Safe Mode? How then do I "KILL" the running object?

 

yerman54

 

Logfile of HijackThis v1.97.7

Scan saved at 3:51:39 PM, on 6/11/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\System32\S24EvMon.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\WINNT\system32\hidserv.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE

C:\WINNT\system32\ZCfgSvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\WINNT\System32\RegSrvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\RoamMgr.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\WINNT\system32\MSTask.exe

C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\system32\carpserv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

C:\WINNT\deflodd.exe

C:\WINNT\deflodd.exe

C:\WINNT\system32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Intel\Switching\User\RoamSvc.exe

C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\WINNT\system32\input8d.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Richard Yerman\Local Settings\Temp\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: C:\documents and settings\richard yerman\local settings\temp\u.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [input8d] C:\WINNT\system32\input8d.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O15 - Trusted Zone: http://promail.proforma.com

O15 - Trusted Zone: http://prooffice.proforma.com

O15 - Trusted Zone: http://www.proformainet.com

O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.proforma.com/viewer9/acti...tivexviewer.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {7FBDF7FE-844E-40B3-99AF-D33A4CF0BE57} (StartCon25) - http://conference.proforma.com/ActiveX/StartConf25.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8140.6336574074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab


HELLO NS-

 

Second note from today...I gave the Safe Mode / Task Manager process a shot.

I attempted to follow the "Safe Mode" instructions. Not sure if I did it right. I did "Uninstall WinTools for IE" from Add/Remove. But that was it. Here's the runlog after my attempt.

 

Logfile of HijackThis v1.97.7

Scan saved at 1:47:31 PM, on 6/12/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\System32\S24EvMon.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\ZCfgSvc.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\svchost.exe

C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE

C:\WINNT\system32\hidserv.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE

C:\WINNT\System32\RegSrvc.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\RoamMgr.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\WINNT\system32\carpserv.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE

C:\WINNT\system32\stisvc.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

C:\WINNT\deflodd.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\WINNT\system32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Intel\Switching\User\RoamSvc.exe

C:\WINNT\system32\tmsevtn.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Richard Yerman\Local Settings\Temp\HijackThis.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: C:\documents and settings\richard yerman\local settings\temp\u.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe

O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [tmsevtn] C:\WINNT\system32\tmsevtn.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O15 - Trusted Zone: http://promail.proforma.com

O15 - Trusted Zone: http://prooffice.proforma.com

O15 - Trusted Zone: http://www.proformainet.com

O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.proforma.com/viewer9/acti...tivexviewer.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7FBDF7FE-844E-40B3-99AF-D33A4CF0BE57} (StartCon25) - http://conference.proforma.com/ActiveX/StartConf25.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8140.6336574074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab


yerman54,

 

Right now, you have HijackThis in a temporary folder. Please create a new folder on the C: drive and name it C:\HJT or something similar. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select "New" then "Folder" and name it HJT.

 

Unzip HijackThis into the new folder. When you run HijackThis from this folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary. Delete the old copy of HJT please.

 

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

 

Run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that any items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.

 

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

 

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

 

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

 

O4 - HKLM\..\Run: C:\documents and settings\richard yerman\local settings\temp\u.exe

 

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

 

O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe

 

O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe

 

O4 - HKLM\..\Run: [tmsevtn] C:\WINNT\system32\tmsevtn.exe

 

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

 

If you intentionally gave the three following O15 items access to your system's trusted zone, leave these. Otherwise, fix them with HijackThis:

 

O15 - Trusted Zone: http://promail.proforma.com

 

O15 - Trusted Zone: http://prooffice.proforma.com

 

O15 - Trusted Zone: http://www.proformainet.com

 

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab

 

Reboot into safe mode, this way:

Restart the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Also, enable the "Show Hidden Files and Folders" option:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Now, search for, and delete if found (some files may not be present after previous steps) the following:

 

C:\documents and settings\richard yerman\local settings\temp\u.exe < file

 

C:\Program Files\Common files\WinTools\ < folder

 

C:\WINNT\fash.exe < file

 

C:\WINNT\deflodd.exe < file

 

C:\WINNT\system32\tmsevtn.exe < file

 

C:\Program Files\TV Media\ < folder

 

Reboot.

 

Now, delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

 

C:\WINNT\Temp\

 

C:\Temp\

 

C:\Documents and Settings\username\Local Settings\Temp\

 

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

 

Reboot, scan with HijackThis, and post a fresh log into this same thread.

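An added example, not part of the original thread or of HijackThis itself: a first-pass triage script that applies the signals the helper is using in the post above to a HijackThis log. It flags entries whose registered file is gone ("(no file)"), Run values with no name, autostarts launched from a Temp directory or directly from the Windows directory, value names that look random relative to the file they launch ([jmvovru] for deflodd.exe), Trusted Zone sites and downloaded ActiveX controls for review, and cross-references each flagged image against the "Running processes" block so you know which ones must be killed before the file can be deleted. Assumptions: the Windows directory is C:\WINNT as in these logs, the sample input is a constructed excerpt copied from the 6/12 log, and KNOWN_BAD_NAMES holds only the two names (WinTools, TV Media) the helper told the poster to remove. The path heuristics deliberately do not catch tmsevtn.exe or WToolsA.exe, since both sit in normal-looking directories; that part is still analyst knowledge.

```python
"""First-pass triage of a HijackThis v1.x log (added example, not the thread's own code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the 6/12/2004 log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\deflodd.exe
C:\WINNT\system32\tmsevtn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: C:\documents and settings\richard yerman\local settings\temp\u.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe
O4 - HKLM\..\Run: [tmsevtn] C:\WINNT\system32\tmsevtn.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O15 - Trusted Zone: http://promail.proforma.com
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab
"""

# Names the thread's helper told the poster to remove: analyst knowledge that the
# heuristics below cannot derive from the log itself.
KNOWN_BAD_NAMES = {"wintools", "tv media"}
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# Image path ends at the first executable extension: handles unquoted paths with spaces and arguments.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|pif|bat|dll))"?', re.IGNORECASE)

@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)
    image: str = ""
    running: bool = False  # the image also appears in the "Running processes" block

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""

def trigrams(s):
    s = s.lower()
    return {s[i:i + 3] for i in range(len(s) - 2)}

def looks_random(name, image):
    # A single lowercase word sharing no 3-gram with the file it launches, e.g. [jmvovru] ->
    # deflodd.exe. Vendor names share a stem ([ATIPTA] -> atiptaxx.exe) or use mixed case/spaces.
    stem = basename(image).rsplit(".", 1)[0]
    return (name.isalpha() and name.islower() and len(name) >= 5
            and not (trigrams(name) & trigrams(stem)))

def running_processes(text):
    block = text.split("Running processes:", 1)[-1].split("\n\n", 1)[0]
    return {basename(p.strip()) for p in block.splitlines() if p.strip()}

def triage(text, windir=r"C:\WINNT"):
    procs, findings = running_processes(text), []
    for line in text.splitlines():
        f = Finding(line=line.rstrip())
        if re.match(r"^(R\d|O[23]) - ", line) and f.line.endswith("(no file)"):
            f.reasons.append("orphaned entry: the registered file is gone, safe to fix")
        elif line.startswith("O15 - Trusted Zone:"):
            f.reasons.append("Trusted Zone site: keep only if it was added intentionally")
        elif line.startswith("O16 - DPF:"):
            host = re.search(r"https?://([^/]+)", line)
            f.reasons.append("downloaded ActiveX control from %s: review its origin"
                             % (host.group(1) if host else "unknown host"))
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            name, cmd = m.group("name"), m.group("cmd")
            im = IMAGE_RE.match(cmd)
            f.image = im.group("path") if im else cmd.split(" ")[0]
            d = dirname(f.image)
            if name is None:
                f.reasons.append("Run value has no name")
            if re.search(r"\\temp(\\|$)", d):
                f.reasons.append("autostart from a Temp directory")
            if d == windir.lower():
                f.reasons.append("autostart directly in the Windows directory")
            if name and looks_random(name, f.image):
                f.reasons.append("random-looking value name for %s" % basename(f.image))
            if name and name.lower() in KNOWN_BAD_NAMES:
                f.reasons.append("known adware component: %s" % name)
            f.running = basename(f.image) in procs  # kill it before deleting the file
        if f.reasons:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line, "[RUNNING]" if f.running else "", "\n    - " + "\n    - ".join(f.reasons))
```

Running the script prints each flagged line with its reasons; the benign vendor entries (mobsync, ATIPTA, ccApp) stay silent, and deflodd.exe is marked as running, which is exactly why the helper's steps kill processes in Safe Mode before deleting files. Treat the output as a shortlist to research, not a verdict: a real log will need the same "is this a component I recognize?" judgement the helper applied to tmsevtn.exe and WinTools.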

Dear NS-

 

WE are getting there...looking pretty clean. I am learning as we go, and becoming more confident about these diagnostics. I also checked other forums, and learned that trmdlls.exe is suspicious. So I fixed it from within HijackThis too. Is that correct? Should that remain out or be restored?

 

Went into the Temp folders, dumped it all, cleaned out all temp files within IE. And I tossed that file for the EXCITE home page, as I use :Blank in IE now.

 

By the way, regsvc.exe is supposedly suspect as well. Do you know that to be the case? Saw that via a Google search.

 

And, once again - thanks for your help. I hope to pay this back by sharing my experience with others. Almost there. Running with less crap, and the box is actually faster without all the nonsense in the registry.

 

Best ---

 

Yerman54 (Richard)

 

Here's the new log...

 

Logfile of HijackThis v1.97.7
Scan saved at 5:11:23 PM, on 6/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O15 - Trusted Zone: http://promail.proforma.com
O15 - Trusted Zone: http://prooffice.proforma.com
O15 - Trusted Zone: http://www.proformainet.com
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.proforma.com/viewer9/acti...tivexviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7FBDF7FE-844E-40B3-99AF-D33A4CF0BE57} (StartCon25) - http://conference.proforma.com/ActiveX/StartConf25.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8140.6336574074
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

 

 

 

 

 


Richard,

 

Be careful what you delete if relying upon Google as your only reference. Files can have different meanings depending on their context. For instance, the file svchost.exe is a valid file, normally found in Win XP and Win 2000 in the system32 folder, as in your own log; however, if it is found in a place other than the system32 folder it is NOT normal. Nor is this file one that should be found on a Win 98 or Win ME platform. Therefore, it is not always the name of the file that makes it bad, but where that file is found. This is why you must be extremely careful when relying on Google's data without other support. Please also be aware that it matters who recommends removing a file. You will sometimes see advice posted by well-meaning and enthusiastic, but uninformed, members; e.g., I noticed that an individual who recommended removing trmdlls.exe also missed the proper way to remove a Peper infection, which is a serious mistake.

 

Here is some information on regsvc.exe:

 

http://www.liutilities.com/products/wintas...library/regsvc/

 

 

The following ActiveX controls will reinstall when (and if) you revisit that website. Unless you know they are from a safe source, fix them with HijackThis:

 

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

 

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

 

Other than that, your log looks clean!

 

Please take a few minutes to read the article, "How did I get infected in the first place?" (See link in my signature below). It will provide you with information on keeping your system clean in the future. It also contains links for excellent free anti-spyware tools.

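The rule NS gives above (a system file name such as svchost.exe is only normal in the system32 folder of an NT-family system, and should not appear at all on Windows 98/ME) can be checked mechanically against the "Running processes:" block of a HijackThis log. The following is an added example for this thread, not code from HijackThis or from any poster; the log text inside it is constructed, with two svchost.exe entries planted outside system32, and the list of core binaries and their home folders is an assumption based on the default Windows 2000/XP layout.

```python
"""Flag well-known Windows system binaries running from the wrong place.

Added example for this thread; it is not part of HijackThis or of the
original posts. It applies the rule from NS's reply: a file name such
as svchost.exe is only normal in the system32 folder of an NT-family
system (Windows 2000/XP). The same name elsewhere, or on Windows 98/ME,
is not normal. The log text below is constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Core NT binaries and the folder (below the Windows directory) they
# legitimately run from. Assumption: Windows 2000/XP default layout.
CORE_NT_BINARIES = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",  # lives directly in the Windows directory
}

# Constructed HijackThis-style log. The two svchost.exe entries outside
# system32 are planted to show what a hit looks like.
SAMPLE_LOG = """Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\winlogon.exe
C:\\WINNT\\system32\\svchost.exe
C:\\WINNT\\Explorer.EXE
C:\\WINNT\\svchost.exe
C:\\Program Files\\Common Files\\svchost.exe
C:\\HJT\\HijackThis.exe

O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# Constructed Windows 98 log: svchost.exe does not belong on 9x at all.
SAMPLE_9X_LOG = """Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\SYSTEM\\svchost.exe
"""


def parse_hjt_log(text):
    """Return (platform line, list of process paths) from an HJT log."""
    platform, procs, in_procs = "", [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            platform = line
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            if not line:  # the block ends at the first blank line
                in_procs = False
            else:
                procs.append(line)
    return platform, procs


def find_suspect_processes(text, windows_dir="C:\\WINNT"):
    """Return [(path, reason)] for core binaries seen outside their home."""
    platform, procs = parse_hjt_log(text)
    is_9x = re.search(r"\bWindows (95|98|ME)\b", platform, re.I) is not None
    win = PureWindowsPath(windows_dir)
    findings = []
    for proc in procs:
        path = PureWindowsPath(proc)
        name = path.name.lower()
        if name not in CORE_NT_BINARIES:
            continue  # no rule for this name; say nothing about it
        if is_9x and name != "explorer.exe":
            findings.append((proc, "NT-only binary on a Windows 9x/ME platform"))
            continue
        expected = win / CORE_NT_BINARIES[name]
        if str(path.parent).lower() != str(expected).lower():
            findings.append((proc, "expected in " + str(expected)))
    return findings


if __name__ == "__main__":
    for proc, reason in find_suspect_processes(SAMPLE_LOG):
        print("SUSPECT:", proc, "-", reason)
    for proc, reason in find_suspect_processes(SAMPLE_9X_LOG, "C:\\WINDOWS"):
        print("SUSPECT:", proc, "-", reason)
```

The check deliberately says nothing about names it has no rule for: a file outside this table is neither cleared nor condemned by path alone, which is the point NS makes about not trusting a search hit on the bare file name.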

Dear NS-

 

All is good since the last communication from you. And again, thank you for the coaching. I could not have cleaned this Dell laptop box out without you.

 

I added in the two APPS you recommended on how to avoid getting hijacked / infected with crapware in the first place. I now have SpywareBlaster, SpywareGuard, Ad-Aware and ZoneAlarm all running on my Windows 2000 Professional OS. So far, so good. I also run the checks recommended earlier. I have Sun Java in the system and turned off the MS Java. And lastly, I check for MS updates all the time, especially in light of the recent rash of crapware buzzing around this past week. (NOTE: I checked it with HijackThis... no nasty files... man... I love that tool.)

 

IE-SPYAD: I don't get how to install the list of protected sites. I unzipped and saw the Install Engine icon. It takes me to the DOS environment. I have no clue as to what to do next...it is in the command line asking for a reply, but I don't know what that response is, nor do I know what commands to type in. Am I supposed to be there in the first place?

 

Richard

 


Hi Richard, I am reading your posts here and they are helping my own computer, since I haven't gotten a reply to my HijackThis log as yet.

 

I have IE-SPYAD and it does take you to the DOS window. There are 4 choices to select from, if I remember correctly. If you type 2 and then Enter, it will install the list to your Restricted sites. When it asks if you are sure you want to install, type in 1 for yes. If you also want to get the porn sites listed in there, just go back to the program and type 4 and then Enter.

 

Hope that helps!

Hi there, Richard!

 

I'm always happy to hear a success story! You're doing a great job of keeping your system clean!

 

Before installing IE-SPYAD, make sure all Internet Explorer windows are closed.

 

MANUAL: You can manually install IE-SPYAD by merging the installation file IE-ADS.REG into your Registry. Double click on IE-ADS.REG to "merge" it into your Registry. (The icon looks like a stack of little blue blocks.) A box should pop up saying that the file has been successfully added to the Registry.

AUTO: You can also install IE-SPYAD using the IE-SPYAD Install/Uninstall Utility (INSTALL.BAT), found in the main IE-SPYAD installation directory. (That's the one that brings up the box that looks like a DOS command prompt.) Select menu option [2] from the main menu of that utility.

Configure your Restricted sites zone.

If you haven't already configured your Restricted sites zone for maximum security, then you should do so. Here's how to do it:

Open Internet Explorer's "Internet Options" (off either the "View" or "Tools" menu bar option). Hit the "Security" tab. Select "Restricted sites." Click the "Custom Level" button.

Change every entry in the "Custom Level" settings box for "Restricted sites" to "Disable" (or "Prompt" or "High safety," if "Disable" is not an option for a particular entry).

Close the "Custom Level" settings box by clicking "OK."

Close the "Internet Options" box by clicking "OK."

You're ready to surf safely now!

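What IE-ADS.REG actually does when "merged" is write one registry key per domain under Internet Explorer's ZoneMap, with a DWORD whose value is the zone number (4 = Restricted sites; the O15 "Trusted Zone" lines in the log above are the same mechanism with zone 2). The script below is an added example for this thread, not part of IE-SPYAD or of any poster's message: it builds a .reg file of that shape for a constructed blocklist and then parses .reg text back to report which host landed in which zone, which is a quick way to audit what a downloaded list would do before merging it. The split of a host into "registrable domain" key plus "subdomain" subkey uses the last two labels, an assumption that is good enough for the example (real IE also knows about country-code suffixes); the domains are constructed.

```python
"""Build and audit Internet Explorer ZoneMap .reg files.

Added example for this thread; it is not part of IE-SPYAD or of the
original posts. IE keeps per-domain zone assignments under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\
ZoneMap\\Domains\\<domain>[\\<subdomain>], as a DWORD named after the
scheme ("*", "http" or "https") whose value is the zone number:
2 = Trusted sites, 4 = Restricted sites. A Restricted-sites list such as
IE-ADS.REG is simply many such keys. Domains below are constructed.
"""
import re

ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ZONE_TRUSTED, ZONE_RESTRICTED = 2, 4


def host_to_key_path(host):
    """www.ads.example.test -> 'example.test\\www.ads'.
    Assumption for the example: the registrable domain is the last two
    labels; everything to the left becomes the subkey."""
    labels = host.lower().strip(".").split(".")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return domain + ("\\" + sub if sub else "")


def key_path_to_host(path):
    """Inverse of host_to_key_path: 'example.test\\www' -> www.example.test."""
    domain, _, sub = path.partition("\\")
    return (sub + "." + domain) if sub else domain


def build_zonemap_reg(hosts, zone=ZONE_RESTRICTED, scheme="*"):
    """Return .reg text that places every host in the given zone."""
    lines = ["REGEDIT4", ""]  # REGEDIT4 header: ANSI format, accepted by Win2000
    for host in hosts:
        lines.append("[%s\\%s]" % (ZONEMAP_KEY, host_to_key_path(host)))
        lines.append('"%s"=dword:%08x' % (scheme, zone))
        lines.append("")
    return "\r\n".join(lines)


_KEY_RE = re.compile(r"^\[" + re.escape(ZONEMAP_KEY) + r"\\(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def audit_zonemap_reg(reg_text):
    """Parse .reg text and return {host: zone name} for ZoneMap entries.
    Keys outside the ZoneMap are ignored, so a list that tried to touch
    anything else would simply not show up here (check it separately)."""
    result, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = key_path_to_host(m.group(1))
            continue
        m = _VAL_RE.match(line)
        if m and current:
            zone = int(m.group(2), 16)
            result[current] = ZONE_NAMES.get(zone, "zone %d" % zone)
    return result


# Constructed blocklist, standing in for IE-ADS.REG's thousands of entries.
BLOCKLIST = ["evil-example.test", "www.evil-example.test", "ads.evil-example.test"]

# Constructed snippet in the shape an O15 "Trusted Zone" entry has in the
# registry, so the audit shows both zones.
TRUSTED_SNIPPET = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\example.test\\intranet]
"http"=dword:00000002
"""

if __name__ == "__main__":
    reg = build_zonemap_reg(BLOCKLIST)
    print(reg)
    for host, zone in sorted(audit_zonemap_reg(reg + TRUSTED_SNIPPET).items()):
        print("%-28s %s" % (host, zone))
```

Running the audit over a list before merging it is the check worth doing: every host should come back as "Restricted sites", and nothing should come back as "Trusted sites" unless you put it there yourself.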

Dear NS-

 

Thanks! It's been an adventure I can tell you that! Jeez!

 

Before I do that...

 

Background:

I run Mozilla Firefox as my default browser. IE is ONLY used by me for business (our organization's web tools are optimized for IE) - or for web sites that don't fully function on Firefox (few, but they are out there).

 

 

Question: Does the IE list function with Firefox, or only IE? If I limit my browsing with IE as noted above, is IE-SPYAD a necessary thing to do?

 

Drop a line when you get a chance. Thanks.

 

Rich

 


Rich,

 

You're welcome.

 

At this point, I believe that IE-SPYAD does not work with Firefox. However, since it's such a small program and requires no effort to use once installed, I would certainly advise you to install it for that added layer of security when you are using Internet Explorer. Once IE-SPYAD is installed, you do absolutely nothing except update it maybe once a month. BUT, if someone is using Internet Explorer and they accidentally miskey a web address in the address bar (and so many bad sites use that method of attack) Internet Explorer will now be blocked from going to that bad site. Instead, you'll be informed it's on the Restricted Sites list.

 


NS-

 

Gottit. Will do.

 

I'll make sure to put a reminder in my desktop calendar for updating IE-SPYAD monthly.

 

In the meantime, you take care. I'll be sure to advise people I know of what I have learned, and pass them onto this forum for their computing peace of mind.

 

Have you seen the spoof running around "On-Line banking" with the origin coming from "citibank.com"? Nothing stops it, although I am using SpamArrest and kicking it back, reporting etc.

 

All the best!

 

Richard

 

 

 


Richard,

 

The reason a lot of spam blockers don't block things like the Citibank spoof and others, is that they're "phishing scams." The e-mail is made to closely resemble the real thing.

 

Yes, I've received such e-mails myself. That's why, even when I receive an e-mail from my bank or ISP, I never click on the link in the e-mail. I always go to my browser's address bar and go to the site via a bookmark in my favorites, or manually key in the address.

 

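The tell in the Citibank-style mail NS describes is that the link text shows the bank's address while the href underneath points somewhere else, which is exactly why going to the site from a bookmark or by typing the address sidesteps it. The following is an added example for this thread, not code from any poster or product: it extracts every anchor from a constructed HTML e-mail body and flags those whose visible text names a host that differs from the host the href really goes to. The 203.0.113.5 address and the example.test names are constructed; the one real name used, citibank.com, is the brand the thread itself mentions.

```python
"""Flag e-mail links whose visible text names a different site than the href.

Added example for this thread; not part of the original posts. It checks
the thing NS warns about: a phishing mail shows a bank's address as the
link text while the underlying href goes elsewhere. The HTML below is
constructed; 203.0.113.5 is a documentation address, not a real host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm(host):
    """Lower-case and drop a leading 'www.' so www.bank.com == bank.com."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(html):
    """Return [(visible text, href, reason)] for links whose text shows a
    host that does not match the href's host. Links whose text is plain
    words are skipped: there is nothing to compare."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        m = _HOST_IN_TEXT.search(text)
        if not m:
            continue
        shown = _norm(m.group(1))
        actual = _norm(urlparse(href).hostname or "")
        if shown != actual:
            reason = "text shows %s, link goes to %s" % (shown, actual or "(no host)")
            hits.append((text, href, reason))
    return hits


# Constructed e-mail body: one bare-IP phish, one look-alike domain phish,
# one honest link with a URL as its text, one honest link with plain text.
SAMPLE_EMAIL = """<html><body>
<p>Dear valued customer, please verify your account:</p>
<a href="http://203.0.113.5/login">https://www.citibank.com/online</a><br>
<a href="http://www.citibank.com.example.test/">www.citibank.com</a><br>
<a href="https://www.example.test/">https://www.example.test/</a><br>
<a href="https://www.example.test/help">Contact us</a>
</body></html>"""

if __name__ == "__main__":
    for text, href, reason in find_deceptive_links(SAMPLE_EMAIL):
        print("PHISH? %-36s -> %-42s %s" % (text, href, reason))
```

The second sample link is the case a bare "does the text match the href" check can miss: the real host ends with example.test, and citibank.com is just a prefix chosen to fool the eye, so the comparison has to be on the whole host and not on whether the brand name appears somewhere in it.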

NS-

 

Those sneaky rats.

Jeez, some people gotta get a life!

 

Good advice on keying the ISP address though. I'll keep that in mind for my use.

 

I loaded in IE-SPYAD this morning. All set... running like a hose!

 

Best,

 

Richard

 

 

 


Dear NS-

 


 

Hi bud! It's been awhile since I posted. All is GOOD with my box these days. All of the "preventative medicine" you prescribed is working VERY well.

 

 

So, how's by you?

 

Regards as always,

 

Richard (yerman54)

 
