JulieR

Infected with CWS.Smartsearch.2 or Not?

7 posts in this topic

I am trying to help my sister with her computer, which is loaded with spyware and/or adware. I have been working on this for days and am at my wits' end. The two main problems seem to be pop-ups when not online, and IE opening the following page when it starts: http:///4.3.7. Closing this out and restarting IE lets the correct home page load. Also, when I do a search in Google, a Lycos search window opens behind it.

I have run Spybot, Adware and Spysweeper day after day; all updates are installed. After reboot, the same problems happen. The same items are found the next day; although Spybot runs clean, Spysweeper & Adware always seem to find something.

I tried CWShredder just to see what it would find; it would scan a few items and then stop working. I tried it again and got the following message: "You have a variant of the Coolwebsearch trojan (CWSSmartsearch.2) that has attempted to close CWS shredder". I read where to download CoolWWWSearch.Smartsearch killer. I ran this and it said "CoolWWWSearch.SmartKiller (v1/v2) has not been found on your computer".

I am semi-computer literate but have never messed with the registry, etc. I don't know what most of the log entries mean. It is kind of hard to troubleshoot when I am not sitting at her computer. I have been going there every day after work, but it is taking so much time just to run all the scans and search for solutions on the Internet.

I sure hope someone can help -- I don't want to have to resort to reformatting her computer. Here is the most recent HijackThis log (I also have a Startup list if needed):

 

Logfile of HijackThis v1.97.7
Scan saved at 5:45:51 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\nnvqrkd.exe
C:\documents and settings\susie lang\local settings\temp\OqlpfABg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Susie Lang\My Documents\CWShredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [bIOVBIPV] C:\WINDOWS\BIOVBIPV.exe
O4 - HKLM\..\Run: [RYVWCJ] C:\WINDOWS\RYVWCJ.exe
O4 - HKLM\..\Run: [FLSY] C:\WINDOWS\FLSY.exe
O4 - HKLM\..\Run: [oxrqwtxua] C:\WINDOWS\nnvqrkd.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [infamous.exe] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [OqlpfABg] C:\documents and settings\susie lang\local settings\temp\OqlpfABg.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vtqj.exe
O4 - HKLM\..\Run: [CFGNT5I] C:\WINDOWS\System32\CFGNT5I.exe
O4 - HKLM\..\Run: [PROPI] C:\WINDOWS\System32\PROPI.exe
O4 - HKLM\..\Run: [AutoLoaderv0s01PNQLPPI] "C:\WINDOWS\System32\dmrctrs.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [tlanmann] C:\WINDOWS\System32\tlanmann.exe
O4 - HKLM\..\Run: [vdmcpln] C:\WINDOWS\System32\vdmcpln.exe
O4 - HKLM\..\Run: [etlogonn] C:\WINDOWS\System32\etlogonn.exe
O4 - HKLM\..\Run: [RUN32L] C:\WINDOWS\System32\RUN32L.exe
O4 - HKLM\..\Run: [ETSTATN] C:\WINDOWS\System32\ETSTATN.exe
O4 - HKLM\..\Run: [v73i35Q] dmrctrs.exe
O4 - HKLM\..\Run: [TDSAPIN] C:\WINDOWS\System32\TDSAPIN.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...b?rand=20034719
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://mail2.biggskofford.com/TSweb/msrdp.cab
O16 - DPF: {9A04E3F0-3BB2-11D2-91E2-00C04FAEC46B} (NMClient Class) - http://65.103.230.242/ConferencingBin/xcliacc.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...all/install.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

 

I


First:

Hi, you have a Peper infection.

Download the removal tool:

http://computercops.us/downloads-file-330.html or

http://downloads.subratam.org/PeperFix.exe

IMPORTANT: YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass the firewall.

!!! Please run this twice with a reboot in between.

Second:

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = /4.3.7
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [bIOVBIPV] C:\WINDOWS\BIOVBIPV.exe
O4 - HKLM\..\Run: [RYVWCJ] C:\WINDOWS\RYVWCJ.exe
O4 - HKLM\..\Run: [FLSY] C:\WINDOWS\FLSY.exe
O4 - HKLM\..\Run: [oxrqwtxua] C:\WINDOWS\nnvqrkd.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [infamous.exe] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [OqlpfABg] C:\documents and settings\susie lang\local settings\temp\OqlpfABg.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vtqj.exe
O4 - HKLM\..\Run: [CFGNT5I] C:\WINDOWS\System32\CFGNT5I.exe
O4 - HKLM\..\Run: [PROPI] C:\WINDOWS\System32\PROPI.exe
O4 - HKLM\..\Run: [AutoLoaderv0s01PNQLPPI] "C:\WINDOWS\System32\dmrctrs.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [tlanmann] C:\WINDOWS\System32\tlanmann.exe
O4 - HKLM\..\Run: [vdmcpln] C:\WINDOWS\System32\vdmcpln.exe
O4 - HKLM\..\Run: [etlogonn] C:\WINDOWS\System32\etlogonn.exe
O4 - HKLM\..\Run: [RUN32L] C:\WINDOWS\System32\RUN32L.exe
O4 - HKLM\..\Run: [ETSTATN] C:\WINDOWS\System32\ETSTATN.exe
O4 - HKLM\..\Run: [v73i35Q] dmrctrs.exe
O4 - HKLM\..\Run: [TDSAPIN] C:\WINDOWS\System32\TDSAPIN.exe

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://mail2.biggskofford.com/TSweb/msrdp.cab
O16 - DPF: {9A04E3F0-3BB2-11D2-91E2-00C04FAEC46B} (NMClient Class) - http://65.103.230.242/ConferencingBin/xcliacc.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...all/install.cab

Close all windows except HijackThis and click Fix checked.

 

Reboot in Safe Mode*, delete the following (you may need to show hidden files**):
C:\WINDOWS\BIOVBIPV.exe
C:\WINDOWS\RYVWCJ.exe
C:\WINDOWS\FLSY.exe
C:\WINDOWS\nnvqrkd.exe
C:\Program Files\webHancer\ <-- delete folder
C:\documents and settings\susie lang\local settings\temp\OqlpfABg.exe
C:\WINDOWS\System32\CFGNT5I.exe
C:\WINDOWS\System32\PROPI.exe
C:\WINDOWS\System32\dmrctrs.exe
C:\WINDOWS\System32\tlanmann.exe
C:\WINDOWS\System32\vdmcpln.exe
C:\WINDOWS\System32\etlogonn.exe
C:\WINDOWS\System32\RUN32L.exe
C:\WINDOWS\System32\ETSTATN.exe
C:\WINDOWS\System32\dmrctrs.exe
C:\WINDOWS\System32\TDSAPIN.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to re-hide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.


Thank you so much for the reply & diagnosis! I'll head to my sister's tomorrow and get started. Will post a new log when done.

Thanks, again!


Well, I followed your directions and everything worked ok. However, in the list of files to delete, I only found one to delete: C:\Windows\nnvqrkd.exe (I made sure all system files etc. were showing). I don't know if that's good or bad. After I ran the last HiJack scan and rebooted from your directions, I went into IE and no pop-ups, no hijack of home page.

Since everything seemed ok and I was done with your directions, I decided to run Spybot and Adware since I hadn't been to my sister's house in a few days. Spybot was clean - nothing noted. Then I ran Adware, and 27 items found. I fixed them all. Went back to IE and everything seemed fine.

I rebooted after running Adware and after going into IE I got that same crazy page http:///4.3.7. Closed out, went back in IE and the normal homepage loaded. So I ran HiJackThis again and everything matched the first log from your directions; all previously fixed items were gone except that crazy entry was there again:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /4.3.7

So I fixed just that one, rebooted, ran HiJackThis again and it was gone. Rebooted and IE seemed fine.

Anyway, here's the new Hijack log:

 

Logfile of HijackThis v1.97.7
Scan saved at 5:34:30 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [3DRMD] C:\WINDOWS\System32\3DRMD.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...b?rand=20034719
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {99D2F95E-1989-48A7-A487-4D4BFF333B3B} (Imagecast RIS Online Help) - http://ris.inland-imaging.com/idxrad/help/IDXICHelp.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EF3D42E2-8BB3-11D3-A415-00105A179C91} (IDXradRWebWord.WebWord) - http://ris.inland-imaging.com/idxrad/Clien...radRWebWord.CAB


Great news, your log is clean.

Do not worry about the missing files. Many times there is an entry in the registry for startup but the file has already been deleted. Since I cannot tell whether the file exists from the log, I always ask for deletion.

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

4. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

Good luck, and thanks for coming to our forums for help with your security and malware issues.

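The helper built the fix list above by reading the log by eye, and the reply just above explains why some of the listed files were already gone (a Run entry can outlive its file). As an added example, not code from the thread or from HijackThis, here is a Python script that applies the same checks mechanically to a few constructed log lines modelled on the entries quoted in this thread: a start page that is not a URL, Run entries that launch from a temp folder, point at a file that no longer exists, or are bare names resolved through PATH, and DPF downloads from a raw IP address. It also encodes the three Internet-zone ActiveX settings from the "Adjust your security settings" step as the registry value names Microsoft documents for Zones\3 (1001, 1004, 1201; 0 = Enable, 1 = Prompt, 3 = Disable) so that an exported zone can be compared with the recommended levels. The sample log, the set of "present" files, the user name in the temp path and all function names are constructed; reading the live registry (winreg on Windows) is left to the caller and is an assumption, not something the thread describes.

```python
"""Mechanical version of the checks applied by hand in this thread.

Added example, not code from the thread or from HijackThis: the sample log
lines and the set of "present" files below are constructed to mirror the
entries quoted above.
"""
import os
import re
from urllib.parse import urlparse

# --- ActiveX settings from the "Adjust your security settings" step ----------
# Microsoft documents the Internet zone under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 with
# DWORD values 0 = Enable, 1 = Prompt, 3 = Disable.  Value names:
ENABLE, PROMPT, DISABLE = 0, 1, 3
SETTING_NAMES = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
# The levels the reply recommends: Prompt / Disable / Disable.
RECOMMENDED_INTERNET_ZONE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE}


def activex_findings(zone_values):
    """Return (value name, actual, wanted) for every setting that is more
    permissive than recommended or missing.  zone_values maps value name to
    DWORD; reading it from the live registry (winreg on Windows) is the
    caller's job and is not shown here (assumption)."""
    findings = []
    for name, wanted in RECOMMENDED_INTERNET_ZONE.items():
        actual = zone_values.get(name)
        if actual is None or actual < wanted:   # lower number = more permissive
            findings.append((name, actual, wanted))
    return findings


# --- HijackThis log triage ---------------------------------------------------
R_RE = re.compile(r"^R[01] - .*,(?P<setting>Start Page|Default_Page_URL|Local Page) = (?P<val>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (?P<url>\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def command_path(cmd):
    """Executable referenced by a Run value: the quoted path, or everything up
    to the first .exe/.dll/.com/.scr (HijackThis prints unquoted paths that
    contain spaces, so splitting on the first space would be wrong)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|com|scr))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(lines, file_exists=os.path.exists):
    """Return (kind, detail, value) findings for the log lines.  file_exists
    is injectable so a log can be examined on a machine other than the one
    it was taken from."""
    findings = []
    for line in lines:
        line = line.strip()
        m = R_RE.match(line)
        if m:
            val = m.group("val").strip()
            if val and not urlparse(val).scheme:        # "/4.3.7" is not a URL
                findings.append(("bad-start-page", m.group("setting"), val))
            continue
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            if "\\temp\\" in path.lower():
                findings.append(("temp-autorun", m.group("name"), path))
            elif "\\" not in path:                       # resolved via PATH at logon
                findings.append(("path-lookup", m.group("name"), path))
            elif not file_exists(path):                  # the "missing files" case
                findings.append(("orphan-autorun", m.group("name"), path))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if IPV4_RE.fullmatch(host):
                findings.append(("dpf-raw-ip", host, m.group("url")))
    return findings


# Constructed sample, modelled on entries quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = /4.3.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OqlpfABg] C:\documents and settings\user\local settings\temp\OqlpfABg.exe
O4 - HKLM\..\Run: [RYVWCJ] C:\WINDOWS\RYVWCJ.exe
O4 - HKLM\..\Run: [v73i35Q] dmrctrs.exe
O16 - DPF: {9A04E3F0-3BB2-11D2-91E2-00C04FAEC46B} (NMClient Class) - http://65.103.230.242/ConferencingBin/xcliacc.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
"""
# Files we pretend are on disk (constructed): only the Symantec one.
PRESENT = {r"c:\program files\common files\symantec shared\ccapp.exe"}


def run_sample():
    return triage(SAMPLE_LOG.strip().splitlines(),
                  file_exists=lambda p: p.lower() in PRESENT)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print(activex_findings({"1001": ENABLE, "1004": ENABLE, "1201": ENABLE}))
```

On the constructed sample the script reports the bogus start page, the temp-folder autorun, the orphaned C:\WINDOWS\RYVWCJ.exe entry, the bare dmrctrs.exe name and the raw-IP DPF download, and passes the legitimate Symantec and Live365 entries; the "orphan" class is exactly the situation the reply describes, which is why a file on the delete list may already be gone.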

Thanks for the additional suggestions. I changed ActiveX controls a couple of weeks ago and I also make sure all critical updates are installed. Both of us have Spybot & Adware installed; I'll try the other programs you recommended.

If the same problem crops up again (which I hope it won't!), can I post to this thread again?

Thanks, again. All you volunteers are awesome!


Hopefully it won't come up again, but if it does, start a new thread and then PM me.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.

Everyone else having a similar issue, please launch a new topic for yourselves.
