1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HJT log--please help!

Discussion in 'Virus & Other Malware Removal' started by mebegina, Apr 17, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. mebegina

    mebegina Thread Starter

    Joined:
    Feb 11, 2004
    Messages:
    29
    Logfile of HijackThis v1.97.7
    Scan saved at 6:20:58 PM, on 4/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\QDCSFS.exe
    C:\Program Files\Cosmi\HelpExpress\HXDL.EXE
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\WINDOWS\System32\3d9d.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\NetZero\exec.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\LeechGet 2004\LeechGet.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Documents and Settings\Ernest Aviles\Desktop\downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.netzero.net/s/mynetzero
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}_ - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)
    O2 - BHO: (no name) - {F36C1198-FC6B-4012-9928-DFA76FB56CC3} - C:\WINDOWS\GAMhelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [noyTn] C:\windows\temp\noyTn.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~2\QDCSFS.exe /startup /scheduler
    O4 - HKLM\..\Run: [3d9d] C:\WINDOWS\System32\3d9d.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/mynetzero
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab

    Thanks Everybody!!!
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Welcome to TSG


    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    CWshredder from http://www.thespykiller.co.uk/

    Spybot - Search & Destroy from http://security.kolla.de

    AdAware 6 from http://www.lavasoft.de/software/adaware/

    then
    Run CWSHREDDER,

    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
    and make sure you have all Microsoftsecurity updates

    then reboot &

    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. .(Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
  3. mebegina

    mebegina Thread Starter

    Joined:
    Feb 11, 2004
    Messages:
    29
    Did exactly what you advised, to the T!
    New log......really bad now with 2 addresses, nextaisle.com and belgiandip.com. Cant even contact them to tell them to remove me from the list. New window EVERY 15 seconds. AARGH!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:13:16 PM, on 4/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\QDCSFS.exe
    C:\Program Files\Cosmi\HelpExpress\HXDL.EXE
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\WINDOWS\System32\tfmonc.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Documents and Settings\Ernest Aviles\Desktop\downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.netzero.net/s/mynetzero
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}_ - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msdaim.dll
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\mslkgc.dll
    O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
    O2 - BHO: (no name) - {F36C1198-FC6B-4012-9928-DFA76FB56CC3} - C:\WINDOWS\GAMhelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [noyTn] C:\windows\temp\noyTn.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~2\QDCSFS.exe /startup /scheduler
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [tfmonc] C:\WINDOWS\System32\tfmonc.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/mynetzero
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab

    Thanks for the review, again.
     
  4. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Hi. :) Close all (browser) windows & have HJT fix these entries by placing a check in the appropriate box=

    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}_ - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\Lycos\IEagent\CSIE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msdaim.dll
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\mslkgc.dll
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
    O2 - BHO: (no name) - {F36C1198-FC6B-4012-9928-DFA76FB56CC3} - C:\WINDOWS\GAMhelper.dll

    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [noyTn] C:\windows\temp\noyTn.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [tfmonc] C:\WINDOWS\System32\tfmonc.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Reboot into safe mode following the instructions here & navigate to & delete

    C:\Program Files\Lycos< this one
    C:\Program Files\TV Media< this one
    C:\Program Files\Common Files\Dpi< this one
    C:\Program Files\LiveUpdate< this one
    C:\windows\temp< entire contents of this folder
    C:\Program Files\Cosmi< this one
    C:\WINDOWS\System32\tfmonc.exe< this one
    C:\WINDOWS\System32\msgked.exe< this one

    Reboot normally after doing the above then post a fresh log plz.
     
  5. mebegina

    mebegina Thread Starter

    Joined:
    Feb 11, 2004
    Messages:
    29
    Did safe mode, still 3 or more that are very stuborn.
    What do you do when they just WONT GO AWAY!!!
    New HJT log.
    Logfile of HijackThis v1.97.7
    Scan saved at 1:54:31 AM, on 4/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\QDCSFS.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\NetZero\qsacc\x1exec.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ernest Aviles\Desktop\downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.netzero.net/s/mynetzero
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NetZero, Inc.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.nyc.office.juno.com;*.corp.netzero.net;*.kbb.com;*.flipdog.com;*.pogo.com;*test-speed.com;<local>
    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}_ - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mskpkc.dll
    O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\NORTON~2\QDCSFS.exe /startup /scheduler
    O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\RunOnce: [untd_recovery] C:\Program Files\NetZero\qsacc\x1exec.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
    O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
    O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
    O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/mynetzero
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07B7A7FD-5558-49A7-A108-39087C10AE59}: NameServer = 64.136.28.120 64.136.28.133
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07B7A7FD-5558-49A7-A108-39087C10AE59}: NameServer = 64.136.28.120 64.136.28.133

    Thanks AGAIN!!
     
  6. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    What did you do!! I need a monitor 6 feet wide now. lol.

    Which ones are you having trouble with??

    Just have HJT remove these & then you should be right. I see nothing else other than these.

    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}_ - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mskpkc.dll
     
  7. mebegina

    mebegina Thread Starter

    Joined:
    Feb 11, 2004
    Messages:
    29
    HAHA! Good one!
    I ran all of the programs over several times, and some others I have as back up. They did not get rid of a few things so I went to plan B. I had looked at the information you sent me so many times I acutally had it stuck in my noggin. So, today, with lots of patients, I went through every single file, one by one, on the entire computer that is my life, and deleted them into the h*ll that they came from!! Today I have logged onto the internet and I have had not one frustration added to my life.
    So my slobbery kisses to you and your wonderful army. Please keep up the work you do for the benifit of computer-kind. Maybe Santa will be REALLY good to you this year. hahaha
     
  8. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    All that slobber is seeping out of my monitor now. HEEEELP!!!!!!
    N E way, you are welcome & happy surfing.

    go here & install ALL critical updates required for your system.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/221428

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice