1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hijack this log!

Discussion in 'Virus & Other Malware Removal' started by Smurfette, Oct 2, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Smurfette

    Smurfette Thread Starter

    Joined:
    Aug 2, 2003
    Messages:
    144
    Here is my hijack this log. Could you please tell me what to get rid of?

    Thanks, Smurfette



    Logfile of HijackThis v1.96.0
    Scan saved at 1:46:25 AM, on 10/2/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\MSMGT.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Tammy Dunbar\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.iwon.com/
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Animal Ark by pogo.com - http://play32.pogo.com/applet/animal/animal-ob-assets.cab
    O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo.com - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire40.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Hammerhead Pool by pogo.com - http://temp37.pogo.com/applet/pool/pool-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo.com - http://hspoker05.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: It's Outta Here 2 by pogo.com - http://itsout.pogo.com/applet/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo.com - http://vpjoke03.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://test01.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit07.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo.com - http://showbiz.pogo.com/applet/slots/showbiz-ob-assets.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo.com - http://turbo01.pogo.com/applet/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Riot by pogo.com - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/Trancos/trnc.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://downloads.iwon.com/images/nocache/copilot/i1initialsetup1.0.0.2.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.iwon.com/

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

    O4 - Global Startup: Digital Line Detect.lnk = ?

    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalO...rancos/trnc.cab



    Reboot into normal mode


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  3. Smurfette

    Smurfette Thread Starter

    Joined:
    Aug 2, 2003
    Messages:
    144
    Hi, here is my log again after all the fixes. Thanks so much for your help.

    Smurfette





    Logfile of HijackThis v1.96.0
    Scan saved at 3:28:43 AM, on 10/2/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\MSMGT.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\WINDOWS\System32\29261416.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Tammy Dunbar\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Animal Ark by pogo.com - http://play32.pogo.com/applet/animal/animal-ob-assets.cab
    O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo.com - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire40.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Hammerhead Pool by pogo.com - http://temp37.pogo.com/applet/pool/pool-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo.com - http://hspoker05.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: It's Outta Here 2 by pogo.com - http://itsout.pogo.com/applet/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo.com - http://vpjoke03.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://test01.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit07.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo.com - http://showbiz.pogo.com/applet/slots/showbiz-ob-assets.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo.com - http://turbo01.pogo.com/applet/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Riot by pogo.com - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://downloads.iwon.com/images/nocache/copilot/i1initialsetup1.0.0.2.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Did you miss this one Tammy or is it just stubborn?
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://downloads.iwon.com/images/no...etup1.0.0.2.cab

    Re-boot into safe mode and delete:
    C:\Program Files\ClearSearch
    C:\Program Files\Internet Optimizer(use add/remove if poss)
    C:\WINDOWS\MSMGT.exe

    THIS NEXT ONE....Make a note of where it is in your H/T log.
    When you run H/T again it will have changed its file name but always 8 random numbers.....you cant miss it.
    C:\WINDOWS\System32\29261416.exe

    Any problem,let us know.

    ;)
     
  5. Smurfette

    Smurfette Thread Starter

    Joined:
    Aug 2, 2003
    Messages:
    144
    Hi again. You told me to delete some things after I rebooted. I have no idea how to delete them. They show in my log but there isn't a place to check them so I can delete them. Here's my log again. I know I deleted the 2 things I had to redelete. It must have just been stubborn. lol

    Thanks, Tammy







    Logfile of HijackThis v1.97.2
    Scan saved at 5:17:24 AM, on 10/2/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\MSMGT.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Tammy Dunbar\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Animal Ark by pogo.com - http://play32.pogo.com/applet/animal/animal-ob-assets.cab
    O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo.com - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire40.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Hammerhead Pool by pogo.com - http://temp37.pogo.com/applet/pool/pool-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo.com - http://hspoker05.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: It's Outta Here 2 by pogo.com - http://itsout.pogo.com/applet/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo.com - http://vpjoke03.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://test01.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit07.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo.com - http://showbiz.pogo.com/applet/slots/showbiz-ob-assets.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo.com - http://turbo01.pogo.com/applet/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Riot by pogo.com - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
    Hi Smurfette ,

    Remove Internet Optimizer in ADD/Remove programs in the control panel , then Shutdown and Reboot your computer

    Close all browser windows , Scan Hijack This , put a check in this entry and hit ''Fix Checked'' ,

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwon.com/

    Restart you computer your computer in Safe Mode
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then navigate the following paths and Delete

    C:\WINDOWS\MSMGT.exe > File
    C:\Program Files\Internet Optimizer > Entire Folder
    C:\Program Files\ClearSearch > Entire Folder

    Good luck
     
  7. Smurfette

    Smurfette Thread Starter

    Joined:
    Aug 2, 2003
    Messages:
    144
    Hi, I was told to reboot my computer in safe mode. I went to the site below to try to see how to do that. First step is start rescue. I clicked start, but don't seem to have a rescue anywhere. lol Could someone told me where it is or what Im doing wrong...Thank you so much.

    Tammy







    Solution:
    Use these steps to create a Rescue set that can start the computer into Windows Safe Mode.

    Start Rescue.
    Click the Options button.
    Click the Zip Settings tab.
    Check Safe Mode.
    Click OK.
    Continue with the on-screen prompts to finish creating the Rescue set.
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Good afternoon Tammy:)

    What Hijackthis allows us to do is halt the offensive file or program from being started up......It does not delete it and you cant delete anything through H/T.
    when you re-boot you need to follow the file path and delete the file manually(right-click and choose "delete")


    Safe mode:
    When your computer starts up,there is usually a "beep"
    At the beep tap the F8 key repeatedly and you will see the boot menu.Choose the "safe mode" option.

    If you have any problems just let us know.

    ;)
     
  9. kracknuts

    kracknuts

    Joined:
    Oct 18, 2003
    Messages:
    112
    howdy i got that bloody internet optimizer thingy that comes up when i cant find a page. i tried doin the stuff it says on : http://www.doxdesk.com/parasite/InternetOptimizer.html but i wasnt able to find those files to delete. anyway i was able to find internet optimizer and active alert in the control panel and removed them but this didnt do anything.

    so please could you help me im posting my hijack this log filer here:

    Logfile of HijackThis v1.97.2
    Scan saved at 9:57:45 AM, on 10/19/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    D:\Program setups\remote\DRCS.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\WINDOWS\VM_STI.EXE
    C:\WINDOWS\System32\28712099.exe
    C:\WINDOWS\System32\ctfmon.exe
    D:\Games\Stream\Steam.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    D:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Herbutto\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.nz/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp3\winampa.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] D:\Games\Stream\Steam.exe -silent
    O8 - Extra context menu item: &Download by NetAnts - D:\PROGRA~1\NETANTS\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - D:\PROGRA~1\NETANTS\NAGetAll.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: NetAnts (HKLM)
    O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37803.9673726852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A79F120D-5534-4F29-BE29-09A6CAC00EE7}: NameServer = 202.27.184.3,202.27.184.5
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    kracknuts

    Welcome to TSG!

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.
     
  11. kracknuts

    kracknuts

    Joined:
    Oct 18, 2003
    Messages:
    112
    Thanks man flrman1 ^o^

    I did exactly wat u told me and now i can enjoy my wonderful "this page cannot be displayed" whitepage which i missed soo much once again!

    u guyz r doing a great job here helping others, thankz tech support guyz
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're welcome! (y) :)
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/168963

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice