Jump to content


Photo

Can't get rid of TV Media and pop-ups


  • Please log in to reply
4 replies to this topic

#1 stacyrings

stacyrings

    Member

  • New Member
  • Pip
  • 4 posts

Posted 22 June 2004 - 04:12 PM

I run Adaware and Spybot about every other day and I have Yahoo toolbar with pop-up blocker enabled, yet I still get pop-ups. I downloaded HijackThis today and was able to get rid of nearly everything bad except TV Media. I'm wondering if that could be my problem. Or even if it isn't, maybe someone can see what the problem is by checking my log file:

Logfile of HijackThis v1.97.7
Scan saved at 4:07:22 PM, on 6/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\ePOAgent\naimas32.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\ePOAgent\naimag32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Novell\GroupWise\Notify.exe
C:\Novell\GroupWise\GrpWise.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/my.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.myway.com/my.jsp
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.screenname", "stacyrings");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.activation.screenname", "stacyrings");
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\screecy\\Application Data\\Mozilla\\Profiles\\default\\db59swn4.slt");
user_pref("browser.display.screen_resolution", 96);
use
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.screenname", "stacyrings");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.activation.screenname", "stacyrings");
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\screecy\\Application Data\\Mozilla\\Profiles\\default\\db59swn4.slt");
user_pref("browser.display.screen_resolution", 96);
use
O1 - Hosts: 198.215.148.80 ocmc_gis
O1 - Hosts: 192.10.2.3 timon (Primary DNS)
O1 - Hosts: 198.215.144.1 bigd (Secondary DNS)
O1 - Hosts: 198.215.144.2 bigtex (Email Server)
O1 - Hosts: 198.215.144.3 webster
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF73DF8-41E2-4fc2-8CBF-4B9407433755} - C:\WINNT\System32\AlxTB.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~2\Office\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~2\Office\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clspat] C:\WINNT\clspat.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: GroupWise 5.lnk = C:\Novell\GroupWise\GrpWise.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.paypal.com
O16 - DPF: Dominoes by pogo - http://domino.pogo.c...o-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.p...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo....g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo...l-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo...t-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet05.pogo....h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo21.pogo....1-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.po...n-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://up.webphotos....ad/ltocx12n.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...alls/yinstc.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.10...etzip/RdxIE.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7655.3561574074
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://up.webphotos....oad/XUpload.ocx
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...iof5_3_16_0.cab
O16 - DPF: {F167B843-DB78-4966-8D48-B4A1EA465CFC} (MediaManager Class) - http://www.mydiscgea...ad/discware.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.14...geWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{388F5AB2-6538-41C9-B519-368C5B98343E}: NameServer = 172.16.2.54,172.16.2.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{388F5AB2-6538-41C9-B519-368C5B98343E}: NameServer = 172.16.2.54,172.16.2.55
O17 - HKLM\System\CS2\Services\Tcpip\..\{388F5AB2-6538-41C9-B519-368C5B98343E}: NameServer = 172.16.2.54,172.16.2.55

Thanks for your help!
Stacy

#2 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 30 June 2004 - 11:42 PM

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/my.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.myway.com/my.jsp
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

(if you do not recognize the following program, then I suggest you delete it)
O4 - HKLM\..\Run: [clspat] C:\WINNT\clspat.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\TV Media\ <-- delete folder


*How to Boot into Safe mode: http://service1.syma...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.n...1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#3 stacyrings

stacyrings

    Member

  • New Member
  • Pip
  • 4 posts

Posted 06 July 2004 - 11:45 AM

I made the changes you suggested and here is my new Hijack This log.
When I started IE, I got the about:blank for my start page. Other than that, I haven't surfed around enough to see if everything is fixed. How does my log look now?

Thanks
Stacy

Logfile of HijackThis v1.97.7
Scan saved at 11:44:53 AM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\ePOAgent\naimas32.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SxgTkBar.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\ePOAgent\naimag32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Novell\GroupWise\Notify.exe
C:\Novell\GroupWise\GrpWise.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.screenname", "stacyrings");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.activation.screenname", "stacyrings");
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\screecy\\Application Data\\Mozilla\\Profiles\\default\\db59swn4.slt");
user_pref("browser.display.screen_resolution", 96);
use
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.o...zing.html#prefs
*/

user_pref("aim.internal.buddy.MaxBuddies", 220);
user_pref("aim.internal.intproxyprotocol", 1);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.screenname", "stacyrings");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.activation.screenname", "stacyrings");
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("browser.cache.disk.parent_directory", "C:\\Documents and Settings\\screecy\\Application Data\\Mozilla\\Profiles\\default\\db59swn4.slt");
user_pref("browser.display.screen_resolution", 96);
use
O1 - Hosts: 198.215.148.80 ocmc_gis
O1 - Hosts: 192.10.2.3 timon (Primary DNS)
O1 - Hosts: 198.215.144.1 bigd (Secondary DNS)
O1 - Hosts: 198.215.144.2 bigtex (Email Server)
O1 - Hosts: 198.215.144.3 webster
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DF73DF8-41E2-4fc2-8CBF-4B9407433755} - C:\WINNT\System32\AlxTB.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MICROS~2\Office\bots\fp_wmp\regprop.exe C:\PROGRA~1\MICROS~2\Office\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\ePOAgent\naimag32.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: GroupWise 5.lnk = C:\Novell\GroupWise\GrpWise.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.paypal.com
O16 - DPF: Dominoes by pogo - http://domino.pogo.c...o-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.p...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.po...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pog...k-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.c...s-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo....g-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo...l-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo...t-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet05.pogo....h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo21.pogo....1-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.po...n-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://up.webphotos....ad/ltocx12n.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.10...etzip/RdxIE.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7655.3561574074
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://up.webphotos....oad/XUpload.ocx
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...iof5_3_16_0.cab
O16 - DPF: {F167B843-DB78-4966-8D48-B4A1EA465CFC} (MediaManager Class) - http://www.mydiscgea...ad/discware.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.14...geWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{388F5AB2-6538-41C9-B519-368C5B98343E}: NameServer = 172.16.2.54,172.16.2.55
O17 - HKLM\System\CS1\Services\Tcpip\..\{388F5AB2-6538-41C9-B519-368C5B98343E}: NameServer = 172.16.2.54,172.16.2.55
O17 - HKLM\System\CS2\Services\Tcpip\..\{388F5AB2-6538-41C9-B519-368C5B98343E}: NameServer = 172.16.2.54,172.16.2.55

#4 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 06 July 2004 - 12:18 PM

Check the following items in HiJackThis:
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)

O2 - BHO: (no name) - {3DF73DF8-41E2-4fc2-8CBF-4B9407433755} - C:\WINNT\System32\AlxTB.dll (disabled by BHODemon)

Close all open windows except HiJackThis and press 'Fix Checked'.


At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

1. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

2. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm

1. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#5 stacyrings

stacyrings

    Member

  • New Member
  • Pip
  • 4 posts

Posted 06 July 2004 - 01:13 PM

Thanks so much for your help!! Everything seems to be working great now.

Stacy




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button