Jump to content


Photo

Run List - What's Weird here?


  • Please log in to reply
15 replies to this topic

#1 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 08 June 2004 - 07:36 PM

Dear Forum-

I have run a variety of utilities, and still have a "hijacked browser". Do you see anything weird in this run list? I have found a few things, and deleted them. No negative impact on the system. Now, it's down to a shorter list, and I am concerned abaout throwing our something important. I am new to this, and not a computer wizz by any stretch.

Thanks- Richard


Logfile of HijackThis v1.97.7
Scan saved at 5:32:47 PM, on 6/8/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\deflodd.exe
C:\WINNT\deflodd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\32timew.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Documents and Settings\Richard Yerman\Local Settings\Temp\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [u] C:\documents and settings\richard yerman\local settings\temp\u.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [32timew] C:\WINNT\system32\32timew.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O15 - Trusted Zone: http://promail.proforma.com
O15 - Trusted Zone: http://prooffice.proforma.com
O15 - Trusted Zone: http://www.proformainet.com
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.pro...tivexviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8140.6336574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab

#2 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 09 June 2004 - 03:17 AM

yerman54,

First, please use the link in my signature below for instructions on updating and configuring both Ad-aware and Spybot Search & Destroy. Print out and follow those instructions closely, particularly those regarding configuring Ad-aware for a customized scan. (Make sure you have the most current version of each program). Scan with each program, rebooting after each scan.

Next, go to Trend Micro and perform an online virus scan, allowing the program to remove anything it may find. Reboot. Then go to Sygate and perform an online Trojan scan, and allow the program to remove anything it finds. Reboot. (Links for both sites are in my signature below).

Now we need to remove WinTools:

1. Boot into safe mode by tapping the F8 key as your computer reboots. Then use the arrow keys to highlight "Safe Mode" then select that feature.

2. Kill any running entries of WinTools by depressing ctrl, alt and del, then stopping the running process in Task Manager.

3. Uninstall Wintools from Add/Remove Programs. It should then prompt for a reboot.


Reboot and post a fresh HijackThis log to this same thread so that we may work on the remainder of the issues in your log.

#3 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 12 June 2004 - 02:33 PM

Dear NS-

Again, thanks.

I ran AdAware and Spybot, following the instructions closely. AdAware appeared to fix some things, but it's not clear to me as to what.

TREND identified 13 objects, all non-fixable by TREND. Then I ran Sygate - and got this message: You have blocked all of our probes! We still recommend running this test both with and without Sygate Personal Firewall enabled... so turn it off and try the test again. I made sure that NORTON was turned OFF and ran it within FIREFOX browser.

Here is the RUNLOG I ran after doing the AdAware and Sybot. Still getting hijacked from within WINDOWS (IE not launched by me - crap just pops up). This note is from within the Firefox environment.

RUN LOG developed after above tests. I did run Windows in safe mode. I got confused as I did not see "WinTools", I saw WINNT. I'll run that and post it next after you help with this question. QUESTION: Is WinTools = WINNT in lines shown on the Safe Mode? How then do I "KILL" the running object?

yerman54

Logfile of HijackThis v1.97.7
Scan saved at 3:51:39 PM, on 6/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\deflodd.exe
C:\WINNT\deflodd.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\system32\input8d.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Richard Yerman\Local Settings\Temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [u] C:\documents and settings\richard yerman\local settings\temp\u.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [input8d] C:\WINNT\system32\input8d.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O15 - Trusted Zone: http://promail.proforma.com
O15 - Trusted Zone: http://prooffice.proforma.com
O15 - Trusted Zone: http://www.proformainet.com
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.pro...tivexviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7FBDF7FE-844E-40B3-99AF-D33A4CF0BE57} (StartCon25) - http://conference.pr...StartConf25.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8140.6336574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab

#4 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 12 June 2004 - 04:07 PM

HELLO NS-

Second note from today...I gave the Safe Mode / Task Manager process a shot.
I attempted to follow the "Safe Mode" instructions. Not sure if I did it right. I did "Uninstall WinTools for IE" from Add/Remove. But that was it.Here's the runlog after my attempt.

Logfile of HijackThis v1.97.7
Scan saved at 1:47:31 PM, on 6/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINNT\deflodd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\tmsevtn.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Richard Yerman\Local Settings\Temp\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [u] C:\documents and settings\richard yerman\local settings\temp\u.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [tmsevtn] C:\WINNT\system32\tmsevtn.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O15 - Trusted Zone: http://promail.proforma.com
O15 - Trusted Zone: http://prooffice.proforma.com
O15 - Trusted Zone: http://www.proformainet.com
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.pro...tivexviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7FBDF7FE-844E-40B3-99AF-D33A4CF0BE57} (StartCon25) - http://conference.pr...StartConf25.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8140.6336574074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab

#5 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 12 June 2004 - 08:10 PM

yerman54,

Right now, you have HijackThis in a temporary folder. Please create a new folder on the C: drive and name it C:\HJT or something similar. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select "New" then "Folder" and name it HJT.

Unzip HijackThis into the new folder. When you run HijackThis from this folder and have it "Fix checked" it will create a backup file of modifications to use if restore is necessary. Delete the old copy of HJT please.

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that any items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [u] C:\documents and settings\richard yerman\local settings\temp\u.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe

O4 - HKLM\..\Run: [jmvovru] C:\WINNT\deflodd.exe

O4 - HKLM\..\Run: [tmsevtn] C:\WINNT\system32\tmsevtn.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe


If you intentionally gave the three following 015 items access to your system's trusted zone, leave these. Otherwise, fix them with HijackThis:

O15 - Trusted Zone: http://promail.proforma.com

O15 - Trusted Zone: http://prooffice.proforma.com

O15 - Trusted Zone: http://www.proformainet.com

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab


Reboot into safe mode, this way:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the ”Show Hidden Files and Folders” option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, search for, and delete if found (some files may not be present after previous steps) the following:

C:\documents and settings\richard yerman\local settings\temp\u.exe < file

C:\Program Files\Common files\WinTools\ < folder

C:\WINNT\fash.exe < file

C:\WINNT\deflodd.exe < file

C:\WINNT\system32\tmsevtn.exe < file

C:\Program Files\TV Media\ < folder

Reboot.

Now, delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINNT\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Reboot, scan with HijackThis, and post a fresh log into this same thread.

#6 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 13 June 2004 - 07:28 PM

Dear NS-

WE are getting there...looking pretty clean. I am learning as we go, and becoming more confident about these diagnostics. I also checked other forums, and learned that trmdlls.exe is suspicious. So I fixed it from within HiJack This too. Is that correct? Should that remain out or be restored?

Went into the Temp folders, dumped it all, cleaned out all temp files within IE. And I tossed that file for the EXCITE hoem page, as I use :Blank in IE now.

By the way, regsvc.exe is supposedly suspect as well. Do you know that to be the case? Saw that via a Google search.

And, once again - thanks for your help. I hope to pay this back by sharing my experience with others. Almost there. Running with less crap, and the box is actually faster without all the nonsense in the registry.

Best ---

Yerman54 (Richard)

Here's the new log...

Logfile of HijackThis v1.97.7
Scan saved at 5:11:23 PM, on 6/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O15 - Trusted Zone: http://promail.proforma.com
O15 - Trusted Zone: http://prooffice.proforma.com
O15 - Trusted Zone: http://www.proformainet.com
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://prooffice.pro...tivexviewer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7FBDF7FE-844E-40B3-99AF-D33A4CF0BE57} (StartCon25) - http://conference.pr...StartConf25.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8140.6336574074
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab





:wave: and :D

#7 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 13 June 2004 - 11:44 PM

Richard,

Be careful what you delete if relying upon Google as your only reference. Files can have different meanings depending on their context. For instance, the file svchost.exe is a valid file, normally found in Win XP and Win 2000 in the system32 folder as in your own log; however, if it is found in a place other than than the system32 folder it is NOT normal. Nor is this file one that should be found on a Win 98 or Win ME platform. Therefore, it is not always the name of the file that makes it bad, but where that file is found. This is why you must be extremely careful when relying on Google's data without other support. Please also be aware that it matters who recommends removing a file. You will sometimes see advice posted by well-meaning and enthusiastic, but uninformed, members, i.e., I noticed that an individual who recommended removing trmdlls.exe also missed the proper way to remove a Peper infection, which is a serious mistake.

Here is some information on regsvc.exe:

http://www.liutiliti...library/regsvc/


The following activeX controls will reinstall when(and if) you revisit that website, UNLESS you know they are from a safe source, fix them with HijackThis:

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab


Other than that, your log looks clean!

Please take a few minutes to read the article, "How did I get infected in the first place?" (See link in my signature below). It will provide you with information on keeping your system clean in the future. It also contains links for excellent free anti-spyware tools.

#8 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 25 June 2004 - 03:08 PM

Dear NS-

All is good since the last communication from you. And again, thank you for the coaching. I could not have cleaned this Dell laptop box out without you.

I added in the two APPS you recommended on how to avoid getting hijacked / infected with crapware in the first place. I now have Spyware Blaster, Spyware Gaurd, AdAWare and ZoneAlert all running on my Windows 2000 Professional OS. So far, so good. I also run the checks recommended earlier. I have SUN Java in the system and turned of the MS Java. And lastly, I check for MS updates all the time, especially in light of the recent rash of crapware buzzing around this past week. (NOTE: I checked it with Hijack This...no nasty files...man...I love that tool).

IE-SPYAD: I don't get how to install the list of protected sites. I unzipped and saw the Install Engine icon. It takes me to the DOS environment. I have no clue as to what to do next...it is in the command line asking for a reply, but I don't know what that response is, nor do I know what commands to type in. Am I supposed to be there in the first place?

Richard

:wave: ;D

#9 Sherry

Sherry

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 June 2004 - 03:36 PM

hi richard...i am reading your posts here and they are helping my own computer since i havent gotten a reply to my hijackthis log as yet.

i have IE SPYAD and it does take you to the dos window...there are 4 choices to select from if i remember correctly. if you type 2 and then enter, it will install the list to your restricted sites. when it asks if you are sure you want to install, type in 1 for yes. if you also want to get the porn sites listed in there, just go back to the program and type 4 and then enter.

hope that helps! :)

#10 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 25 June 2004 - 04:54 PM

Hi there, Richard!

I'm always happy to hear a success story! You're doing a great job of keeping your system clean! Posted Image

Before installing IE-SPYAD, make sure all Internet Explorer windows are closed.

MANUAL: You can manually install IE-SPYAD by merging the installation file
IE-ADS.REG into your Registry. Double click on IE-ADS.REG to "merge"
it into your Registry. (The icon looks like a stack of little blue blocks).
A box should pop up saying that the file has been successfully added to
the Registry.

AUTO: You can also install IE-SPYAD using the IE-SPYAD Install/Uninstall
Utility (INSTALL.BAT), found in the main IE-SPYAD installation
directory. (That's the one that brings up the box that looks like
a DOS command prompt). Select menu option [2] from the main
menu of that utility.

Configure your Restricted sites zone.

If you haven't already configured your Restricted sites zone for maximum
security, then you should do so. Here's how to do it:

Open Internet Explorer's "Internet Options" (off either the "View" or
"Tools" menu bar option). Hit the "Security" tab. Select the "Restricted
sites." Click the "Custom Level" button.

Change every entry in the "Custom Level" settings box for "Restricted sites"
to "Disable" (or "Prompt" or "High safety," if "Disable" is not an option for a
particular entry).

Close the "Custom Level" settings box by clicking "OK."

Close the "Internet Options" box by clicking "OK."

You're ready to surf safely now!

#11 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 27 June 2004 - 05:42 PM

Dear NS-

Thanks! It's been an adventure I can tell you that! Jeez!

Before I do that...

Background:
I run Mozilla Firefox as my default browser. IE is ONLY used by me for business (our organization's web tools are optimized for IE) - or for web sites that don't fully function on Firefox (few, but they are out there).


Question: Does the IE list function with Firefox, or only IE? If I limit my browsing with IE as a noted above, is IE Spyad a necessary thing to do?

Drop a line when you get a chance. Thanks.

Rich

:scratchhead:

#12 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 27 June 2004 - 06:34 PM

Rich,

You're welcome.

At this point, I believe that IE-SPYAD does not work with Firefox. However, since it's such a small program and requires no effort to use once installed, I would certainly advise you to install it for that added layer of security when you are using Internet Explorer. Once IE-SPYAD is installed, you do absolutely nothing except update it maybe once a month. BUT, if someone is using Internet Explorer and they accidentally miskey a web address in the address bar (and so many bad sites use that method of attack) Internet Explorer will now be blocked from going to that bad site. Instead, you'll be informed it's on the Restricted Sites list.

:wave:

#13 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 28 June 2004 - 12:49 PM

NS-

Gottit. Will do.

I'll make sure to put a reminder in my desk top calendar for updating IE Spyad monthly.

In the meantime, you take care. I'll be sure to advise people I know of what I have learned, and pass them onto this forum for their computing peace of mind.

Have you seen the spoof running around "On-Line banking" with the origin coming from "citibank.com"? Nothing stops it, although I am using SpamArrest and kicking it back, reporting etc.

All the best!

Richard



;D :wave:

#14 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 28 June 2004 - 02:02 PM

Richard,

The reason a lot of spam blockers don't block things like the Citibank spoof and others, is that they're "phishing scams." The e-mail is made to closely resemble the real thing.

Yes, I've received such e-mails myself. That's why, even when I receive an e-mail from my bank or ISP, I never click on the link in the e-mail. I always go to my browser's address bar and go to the site via a bookmark in my favorites, or manually key in the address.

:wave:

#15 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 28 June 2004 - 02:13 PM

NS-

Those sneaky rats. :p
Jeez, some people gotta get a life!

Good advice on keying the ISP address though. I'll keep that in mind for my use.

I loaded in IES this morning. All set....running like a hose!

Best,

Richard



:cool:

#16 yerman54

yerman54

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 27 August 2004 - 07:10 PM

Dear NS-

:wave:

Hi bud! It's been awhile since I posted. All is GOOD with my box these days. All of the "preventative medicine" you prescribed is working VERY well.


So, how's by you?

Regards as always,

Richard (yerman54)

:cool:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button