Jump to content


Photo

solongas & other problems


  • Please log in to reply
14 replies to this topic

#1 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 20 June 2004 - 06:49 PM

I have read the FAQ and articles and other posts. I have run spybot S&D, panda active scan, trend micro housecall, hijack this, & installed panicware popup stopper, and ad-aware.

after running all these I still have problems = solongas or other hijackers have taken over my computer. I have even re-installed windows XP - after quarantining files after running ad-aware I got a system protection message from windows stating that it had to be reinstalled.

I also seem to be missing notepad.exe for some reason - and that seems to be the format that hijackthis wants to save in, so I'm not sure I'll be able to load that file or not - but I'll try.

Logfile of HijackThis v1.97.7
Scan saved at 7:46:42 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Optimum Online\Netsurf.exe
C:\documents and settings\fred\local settings\temp\qgEqTRYVH.exe
C:\documents and settings\fred\local settings\temp\nbfgYIas.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\ojddao.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Documents and Settings\Fred\Application Data\atea.exe
C:\WINDOWS\System32\javne.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Wireless Navigator\wngen.exe
C:\Documents and Settings\Fred\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50093
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50093
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50093
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\inetdctr.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [qgEqTRYVH] C:\documents and settings\fred\local settings\temp\qgEqTRYVH.exe
O4 - HKLM\..\Run: [nbfgYIas] C:\documents and settings\fred\local settings\temp\nbfgYIas.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [xpvemv] C:\WINDOWS\System32\ojddao.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [mycomput] C:\WINDOWS\System32\mycomput.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Edat] C:\Documents and Settings\Fred\Application Data\atea.exe
O4 - HKCU\..\Run: [f0spRhMFl] javne.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Fred\Application Data\DownloadPlus.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) - http://channel.bridg...c3_bridge_i.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38158.4103125

#2 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 21 June 2004 - 01:52 AM

Hello,

You have a CoolWebSearch infection. Please be patient, because I will be asking you to repeat some of the things that you have done previously. They do need to be done again:

Please click here to download CWShredder by Merijn Bellekom. Boot into safe mode and then run the program, with all other windows closed, hitting 'fix' as opposed to 'scan only.' Then reboot and run the program a second time. Reboot when finished.

Also, you have HuntBar on your system. Please check for anything like “TrafficSyndicate," "HuntBar," "MSIETS," "Internet 404," "Tools for Internet Explorer" or "Search Toolbar" in the Control Panel's Add/Remove Programs option, which should remove this variant. IMPORTANT: Remain connected to the internet while going through the removal process.

Reboot.

In addition, you are also infected with WinTools....

To remove WinTools:

1. Boot into safe mode by tapping the F8 key as your computer reboots.
2. Kill running entries by depressing the ctrl, alt and del keys to bring up the Task Manager --> Processes Tab ---> highlight Wintools and click "end process."
3. Uninstall Wintools from Add/Remove programs. It should prompt for a reboot, do so.

Verify that you have the latest version of Spybot Search & Destroy, v1.3. If you have the latest version, update it, scan and fix all RED items it finds. If you do not have v1.3, click here to download v1.3 Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

Next, perform a customized scan with Ad-aware:

Verify that you have the latest version of Ad-aware 6, build 6.181, then update and install the latest reference file. If you do not have the latest version of Ad-aware, click here to download Ad-Aware and install.

Before scanning, always click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives," "Scan active processes," "Scan registry," "Deep scan registry," "Scan my IE Favorites for banned sites" and "Scan my Hosts file."

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

Next, perform an online Trojan scan at Sygate. (Link is in my signature below). You may need to temporarily disable your firewall during the scan. Allow this program to delete anything it may find. Reboot.

If you do not have a resident antivirus and resident firewall (other than XP's native firewall) please download and install them now. (There are links for excellent free antivirus and firewall programs in my signature below).

When finished, rescan with HijackThis and post a fresh log to this same thread and we will take care of the remaining problems.

#3 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 21 June 2004 - 12:20 PM

Thank you for your prompt reply to my problem(s). I will endeavor to do these as you advised in order. Will repost once I have done them - or if I run into any snags.

I had Zone Alarm on this computer, but the fellow who installed our wireless router had me remove it - he said the router software had it's own firewall. But I didn't notice anything in my searches through Windows Explorer.

One other question - since I have other computers "networked" to this infected one, via the wireless router for internet access only - should I have concerns regarding their security?

#4 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 21 June 2004 - 12:59 PM

sheri164,

A software firewall, such as Zone Alarm, is ALWAYS a good idea. Routers are not bullet proof.

Infections can be spread across networks, especially viruses.

#5 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 22 June 2004 - 08:04 AM

In your instructions, the first boot is in safe mode to run CRShredder, on the second reboot to run CW Shredder - am I doing a boot in safe mode - or a standard boot?

Will be downloading it now and will run it once and look for your reply.

#6 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 22 June 2004 - 11:49 AM

Hi,

Safe mode the second time too.

#7 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 23 June 2004 - 12:40 PM

well, I've been away a while. Tried to follow your instructions, however, this virus, or viruses, are quite determined to remain in their new home. I contacted a friend in the computer biz - he accessed my machine remotely and hooked me into a security site in England - because the virus(es) blocked me from the CW Shredder website to download it!!

So, now that he has done his thing - I think there's still more to do - so I'm posting my current hijack this log. At least now, for the moment anyway, I can access your site - it was beginning to reroute me from that also.

Logfile of HijackThis v1.97.7
Scan saved at 1:28:16 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ojddao.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Fred\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [qlijrovvwg] C:\WINDOWS\System32\ojddao.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) - http://channel.bridg...c3_bridge_i.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38158.4103125

#8 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 23 June 2004 - 03:58 PM

Hello,

It appears that CWShredder needs to be run. Make sure that you have the latest version, 1.59, then click on the update button to check for updates.

Boot into safe mode. Click on the shredder icon to open the program. Click on the FIX button at the bottom of the right side of the panel. It will show a screen reminding you to CLOSE ALL WINDOWS AND BROWSERS. Be sure only the Shredder window is open, then click "OK." It will analyze your system and tell you what it has found. Let it FIX everything it finds. Reboot. (Safe mode again). Then, to be safe, run it AGAIN and do the same if it finds anything further. Reboot to normal mode when finished.

Scan with HijackThis and post your fresh log into this same thread.

#9 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 23 June 2004 - 07:38 PM

Thank you again for the help. I was able this time to download the CW Shredder program. I ran it twice in Safe Mode as you instructed, then rebooted and ran hijack. This is what I got:

Logfile of HijackThis v1.97.7
Scan saved at 8:35:35 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Fred\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) - http://channel.bridg...c3_bridge_i.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...B?38158.4103125

If there is more to be done, I'll check back tomorrow.
You folks are doing all of us a great service!!!

#10 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 23 June 2004 - 08:10 PM

Hello,

Right now, you have HijackThis on your Desktop. It needs to be in its own folder so that any backup copies it makes will be kept together and not scattered about your Desktop. Please right click on a blank space on your Desktop, select “New” then “Folder.” Name the new folder something like HJT or HijackThis. Now, you can just drag HijackThis into its new folder, using the left mouse button.

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Boot into safe mode.

Please run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that the items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe


If you set these restrictions yourself, using a program like Spybot Search & Destroy or SpywareGuard, leave the following 06 item; otherwise, FIX it with HijackThis:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: *.greg-search.com


Remain in safe mode...

Also, enable the ”Show Hidden Files and Folders” option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

C:\Program Files\TV Media\ < folder

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

C:\Documents and Settings\username\Local Settings\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

Reboot.

Proceed to the Windows Update site (see link below) download and install ALL critical updates.

Reboot when finished.

Scan with HijackThis and post a fresh log into this same thread.

#11 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 23 June 2004 - 08:26 PM

regarding the 06 & 015 restrictions. I don't think I set these - if I did, I sure didn't know it - I don't know what "greg-search" is, and as for whether or not a control panel is present for Internet Explorer - I haven't the foggiest idea if it would matter or not.

So......I figure I'll use Hijack to fix these.

#12 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 June 2004 - 07:43 AM

Okay - followed your instructions deleted fils with HijackThis and deleted all temporary files that I could (already had selected show hidden files,etc) deleted TV Media folder. All those files are in my recycle bin. I have not purged it yet - in case you tell me to retrieve something from it. Otherwise, once we're done I will dump it.

I did not see an option for delete all offline content - while deleting the temporary internet files - I saw there was a tab for "Offline Files" but the message there was fast user switching was enabled so offline files can't be enabled. Is there somewhere else for me to look for "offline content"?

Here is my latest HijackThis scan:

Logfile of HijackThis v1.97.7
Scan saved at 8:34:31 AM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Fred\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) - http://channel.bridg...c3_bridge_i.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8163.2220601852

I will await your evaluation.

#13 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 25 June 2004 - 12:04 PM

Hi,

Your log looks good! Posted Image

When fast user switching is enabled, you can't delete the offline content..... So, I would just do that at a time when you can temporarily disable fast user switching. No rush.

You did not put HijackThis into its own permanent folder as directed. Therefore, it still remains in a temporary folder, along with the backups it created, and subject to accidental deletion. Fortunately, I don't think you're going to need any of those backups, but it could have gotten messy if you did.

Yes, it's safe to empty your Recycle Bin now. Good job! :p

#14 sheri164

sheri164

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 25 June 2004 - 12:22 PM

Thank you for the help. I did put Hijack This into it's own folder. - don't know how I screwed up - how about if I were to delete it from my machine and then re-download it - since moving it to a folder doesn't seem to be working?

I am glad this work is just about done. My husband suggested as an alternative removing the hard drive, smashing it with a hammer, and installing a new hard drive.

I'm happier with what you helped me do.

Thank you.

#15 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 25 June 2004 - 01:32 PM

Hi,

You're very welcome.... I'm glad we could help. :p

Yes, you can delete HijackThis and download it again. Get a folder set up ahead of time (you could just create one in My Documents if you'd like) and extract HijackThis directly into that folder. Merijn should have a new version emerging soon that will likely create its own folder.

Well, I'm certainly happy that your husband did not have to apply his high tech fix to your computer.... :techsupport:

Please take a minute or two to read the short article, "How did I get infected in the first place?" (See link in my signature below). You will find good information on keeping your system clean in the future, as well as links for excellent free anti-spyware tools.

:wave:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button