remnants of xxxtoolbar


  • This topic is locked
8 replies to this topic

#1 gfraz

gfraz

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 18 May 2004 - 10:11 PM

Could you look at this HijackThis and troubleshoot it for me? Every time I boot up, within seconds d2k connector shows up and SpySweeper kind of blocks it, but it will come back every 15 minutes or so, and it drives me crazy... I'm a newbie here and hope I've got this right... and put it in the right place.


Logfile of HijackThis v1.97.7
Scan saved at 10:56:07 AM, on 15/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\szchost.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kazaa Lite\Kazaa.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\notepad.exe
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: start ante - {59BBE08C-45E3-108F-5B42-A3F2A6D8C910} - (no file)
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [ncpgsyc] rundll32 C:\WINDOWS\System32:ncpgsyc.dll,Init 1
O4 - HKLM\..\Run: [ynyd] C:\WINDOWS\ynyd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [sdelyx] C:\WINDOWS\sdelyx.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [psylekgo] C:\WINDOWS\System32\lieftjod.exe
O4 - HKLM\..\Run: [pixileh] C:\WINDOWS\pixileh.exe
O4 - HKLM\..\Run: [ovqbyj] C:\WINDOWS\ovqbyj.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\greg\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [hqr] C:\WINDOWS\hqr.exe
O4 - HKLM\..\Run: [HideByte] C:\PROGRA~1\Oncedvd\Move Hope Mags.exe
O4 - HKLM\..\Run: [GMTZDJQWD] C:\WINDOWS\GMTZDJQWD.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [bsbux] C:\WINDOWS\bsbux.exe
O4 - HKLM\..\Run: [alwvoz] C:\WINDOWS\alwvoz.exe
O4 - HKLM\..\Run: [ahilsl] C:\WINDOWS\ahilsl.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\Run: [Arps] C:\Documents and Settings\Greg\Application Data\htor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_EN_XP.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://www.earthetc....plugins/ncs.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7925.4372569444
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.c...PlayerAxWin.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

Edited by gfraz, 19 May 2004 - 08:43 PM.


#2 gfraz

Posted 19 May 2004 - 08:49 PM

I also have a folder called inetpub that I'm not sure where it came from, possibly from Microsoft Office.
One other thing: is this file "System32:ncpgsyc.dll" a legit file?

#3 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 20 May 2004 - 03:47 PM

First please download SPYBOT. Unzip the program, run it and click on search for updates. Install all updates, then hit scan.

Let it fix everything marked in RED.

Reboot.

Download AdAware from http://www.lavasoft.de/

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Make sure the following settings are made and on (ON=GREEN)

From main window click "Start" then "Activate in-depth scan".

Click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".

Go to settings (the gear on top of AdAware) > Tweak > Scanning engine and tick "Unload recognized processes during scanning", "Cleaning engine" and "Let windows remove files in use at next reboot".

To save your settings click "proceed".

Now click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

Reboot again, and let AdAware run if it asks.

Then rescan with Hijack this, and post a fresh log.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 gfraz

Posted 21 May 2004 - 01:35 AM

Oops, sorry (for being a newbie), I have run Ad-aware every day for 2 weeks, and Spybot, and Spy Sweeper. I should have mentioned that in my original post, but I didn't do a few of the things you mentioned to tweak Ad-aware, so I'll try that next, and let you know how that works... Thanks for your reply and your time thus far, Dave38!
It's getting late tonight here, so I will do it tomorrow...

Edited by gfraz, 21 May 2004 - 01:37 AM.


#5 gfraz

Posted 22 May 2004 - 10:28 AM

OK, I just finished running Spybot; it removed 2 items. Then I checked the AdAware settings for the settings you mentioned (they were all already set your way) and then ran AdAware, and it found and removed about 6 things. Before I ran HijackThis, I went to configsis and turned every checkbox on (because one of the SWI "Read This" files said to), and here is the new HijackThis log file:

Logfile of HijackThis v1.97.7
Scan saved at 8:24:58 AM, on 22/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\szchost.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\My Download Files\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn...st/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: start ante - {59BBE08C-45E3-108F-5B42-A3F2A6D8C910} - (no file)
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ynyd] C:\WINDOWS\ynyd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [sdelyx] C:\WINDOWS\sdelyx.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [psylekgo] C:\WINDOWS\System32\lieftjod.exe
O4 - HKLM\..\Run: [pixileh] C:\WINDOWS\pixileh.exe
O4 - HKLM\..\Run: [ovqbyj] C:\WINDOWS\ovqbyj.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [hqr] C:\WINDOWS\hqr.exe
O4 - HKLM\..\Run: [HideByte] C:\PROGRA~1\Oncedvd\Move Hope Mags.exe
O4 - HKLM\..\Run: [GMTZDJQWD] C:\WINDOWS\GMTZDJQWD.exe
O4 - HKLM\..\Run: [bsbux] C:\WINDOWS\bsbux.exe
O4 - HKLM\..\Run: [alwvoz] C:\WINDOWS\alwvoz.exe
O4 - HKLM\..\Run: [ahilsl] C:\WINDOWS\ahilsl.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\Run: [Arps] C:\Documents and Settings\Greg\Application Data\htor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_EN_XP.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://www.earthetc....plugins/ncs.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7925.4372569444
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.c...PlayerAxWin.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx



I hope this helps... I'm still getting the d2k connector on my taskbar, followed by 2 windows saying download aborted (I think SpySweeper is stopping something there). While the download aborted windows are on screen, the taskbar is still saying XXXtoolbar, thus my "remnants of xxxtoolbar". (I had earlier tried getting rid of xxxtoolbar through regedit, but I think something still exists.)

#6 dave38

Posted 22 May 2004 - 03:01 PM

Still a few items to remove.

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

O3 - Toolbar: start ante - {59BBE08C-45E3-108F-5B42-A3F2A6D8C910} - (no file)

O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [ynyd] C:\WINDOWS\ynyd.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [sdelyx] C:\WINDOWS\sdelyx.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [psylekgo] C:\WINDOWS\System32\lieftjod.exe
O4 - HKLM\..\Run: [pixileh] C:\WINDOWS\pixileh.exe
O4 - HKLM\..\Run: [ovqbyj] C:\WINDOWS\ovqbyj.exe
O4 - HKLM\..\Run: [hqr] C:\WINDOWS\hqr.exe
O4 - HKLM\..\Run: [HideByte] C:\PROGRA~1\Oncedvd\Move Hope Mags.exe
O4 - HKLM\..\Run: [GMTZDJQWD] C:\WINDOWS\GMTZDJQWD.exe
O4 - HKLM\..\Run: [bsbux] C:\WINDOWS\bsbux.exe
O4 - HKLM\..\Run: [alwvoz] C:\WINDOWS\alwvoz.exe
O4 - HKLM\..\Run: [ahilsl] C:\WINDOWS\ahilsl.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\Run: [Arps] C:\Documents and Settings\Greg\Application Data\htor.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab

Reboot, and delete

files
C:\WINDOWS\szchost.exe
C:\WINDOWS\ynyd.exe
C:\WINDOWS\sdelyx.exe
C:\WINDOWS\Downloaded Program Files\bridge.dll
C:\WINDOWS\System32\lieftjod.exe
C:\WINDOWS\pixileh.exe
C:\WINDOWS\ovqbyj.exe
C:\WINDOWS\hqr.exe
C:\WINDOWS\GMTZDJQWD.exe
C:\WINDOWS\bsbux.exe
C:\WINDOWS\alwvoz.exe
C:\WINDOWS\ahilsl.exe
C:\WINDOWS\System32\wnsintsv.exe
C:\Documents and Settings\Greg\Application Data\htor.exe

folders
C:\Program Files\Common files\updater
C:\Program Files\Oncedvd
C:\Program Files\MyWebSearch
C:\Program Files\ClockSync

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if the problems persist.

#7 gfraz

Posted 23 May 2004 - 01:45 PM

I think that did it, Dave; the d2k connector thing hasn't shown up for 20 minutes now...
First I went back into msconfig and turned everything back on, then I ran HijackThis and got it to fix all the ones I could find that were there (some weren't), and then rebooted like you said, and deleted the files I could find in Windows. Now I just ran HijackThis; here is the new log...


Logfile of HijackThis v1.97.7
Scan saved at 11:34:49 AM, on 23/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Kazaa Lite\Kazaa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\My Download Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [sdelyx] C:\WINDOWS\sdelyx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa Lite\Kazaa.exe /SYSTRAY
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo...tia32_EN_XP.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://www.earthetc....plugins/ncs.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7925.4372569444
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.c...PlayerAxWin.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx


Now I think I will do a complete shutdown and reboot, see if it comes back again... Again, thanks for your time. I have no idea how much time you have spent, but it would seem a few hours at least. Many thanks.
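
Added example (not part of the thread, and not HijackThis or forum code): a Python sketch that parses the `O4 ... Run` autostart lines of a HijackThis v1.97.7 log, reports which entries from the fix list in post #6 are still present in a follow-up log, and flags commands whose path uses NTFS alternate data stream syntax (a second colon after the drive letter), as in the `System32:ncpgsyc.dll` entry asked about in post #2. The embedded excerpts are copied from the logs in this thread; the function and variable names are illustrative.

```python
import re

# HijackThis registry autorun line:  O4 - HKLM\..\Run: [value name] command
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

# Drive-letter path followed by a second colon, i.e. <file or dir>:<stream name>.
ADS_PATH = re.compile(r'[A-Za-z]:\\[^":\s,]*:[^\\"\s,]+')

# Excerpts copied from the thread (post #1 log, post #6 fix list, post #7 log).
FIRST_LOG = r"""
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [ncpgsyc] rundll32 C:\WINDOWS\System32:ncpgsyc.dll,Init 1
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
"""

FIX_LIST = r"""
O4 - HKLM\..\Run: [Zone system] C:\WINDOWS\szchost.exe
O4 - HKLM\..\Run: [ynyd] C:\WINDOWS\ynyd.exe
O4 - HKLM\..\Run: [sdelyx] C:\WINDOWS\sdelyx.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
"""

FOLLOWUP_LOG = r"""
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [sdelyx] C:\WINDOWS\sdelyx.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""


def parse_run_entries(log_text):
    """Map (hive, value name) -> command for every O4 Run line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, name, cmd = m.groups()
            entries[(hive, name)] = cmd
    return entries


def still_present(fix_list_text, followup_log_text):
    """Entries selected for fixing that the follow-up log still reports."""
    to_fix = parse_run_entries(fix_list_text)
    after = parse_run_entries(followup_log_text)
    return sorted(key for key in to_fix if key in after)


def ads_entries(log_text):
    """Run entries whose command references an NTFS alternate data stream."""
    entries = parse_run_entries(log_text)
    return sorted(key for key, cmd in entries.items() if ADS_PATH.search(cmd))


if __name__ == "__main__":
    for hive, name in still_present(FIX_LIST, FOLLOWUP_LOG):
        print(f"still registered after fix: {hive} Run [{name}]")
    for hive, name in ads_entries(FIRST_LOG):
        print(f"alternate data stream path: {hive} Run [{name}]")
```

A Run value that survives a fix pass is worth re-checking on disk: the registry entry can remain even when the file it points to has already been deleted.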

#8 gfraz

Posted 24 May 2004 - 01:46 PM

Problem solved! Haven't seen it (the d2k connector and download aborted popups) since I did the changes you recommended... What a relief... Thanks a lot, Dave38!! My daughter says thanks as well; it was a major irritation.


Is it possible to change the dialogue under "remnants of xxxtoolbar" to show that it was concluded successfully? I tried to look in the edit area but could only edit the post, not the title or caption.

Edited by gfraz, 24 May 2004 - 01:46 PM.


#9 dave38

Posted 24 May 2004 - 02:09 PM

Your log is clean. Except, that is, for Kazaa! The chances of you remaining uninfested with malware if you retain this are very, very small indeed. I suggest that you uninstall it, and use a spyware free alternative.

Don't worry about the post title; when done, the topic will be closed.